IPFire 2.29 - Core Update 195 Testing: WireGuard and More

Hello IPFire community,

We’ve just rolled out IPFire 2.29 - Core Update 195 for testing!

This update brings a range of new features and improvements, and we need your help to ensure everything works smoothly before the official release.

One of the highlights is the addition of WireGuard VPN support, a modern, lightweight VPN protocol known for its simplicity and performance.

Here’s what you can explore with WireGuard in this update:

  • Full integration into the IPFire WUI.
  • Support for net-to-net and host-to-net (Roadwarrior) connections.
  • Multiple peer configurations with individual settings.
  • QR code display and config file export for quick mobile setup.
  • A WireGuard config importer.
  • Full support for Intrusion Prevention System and Connection Tracking.

WireGuard can run alongside existing VPN services, offering a separate option for secure connections. Check out the WireGuard documentation for setup details:

This update also includes other enhancements, like updated packages (e.g., OpenSSH 10.0.p1, OpenSSL 3.5.0) and usability improvements to Pakfire. You can read the full list of improvements on the blog.

How to Help with Testing
This is a testing phase, not the final release; your feedback is crucial! Please:

  • Test WireGuard and other new features in your environment.
  • Report any bugs, performance issues, or suggestions.
  • Share your experiences to help us refine this update.

We’re looking forward to hearing your thoughts!

A Quick Reminder
IPFire is free to use, but it’s not free to develop and maintain. Your donations keep this project alive and help us add new features like this. If you’re able, please consider supporting us at www.ipfire.org - Donate. Every contribution makes a difference!

Cheers,
A G

11 Likes

Wooow. Works OK for me on a FriendlyElec NanoPi R4S. Thanks!!!

Good work, guys!!!

Regards.

1 Like

I have found that the backup only saves the settings file and not the peers file so only the global settings get restored.

Patch has been submitted to fix that.

6 Likes

Also went smoothly for me. I upgraded, from CU 194 Testing, via WUI, without problems. This testing installation is on x86_64 hardware. I use few addons.

2 Likes

Very nice! Any indications yet on whether throughput is improved over OpenVPN?

1 Like

Technically, the throughput should be better than OpenVPN. We tested throughput from IPFire’s data centre to my ISP, but I think some external QoS was limiting us somewhere at around 500 Mbps.

Also, enabling IPS on WireGuard can slow down throughput if the hardware’s CPU isn’t up to scratch.

Thanks,
A G

1 Like

Reported online help link missing from the WireGuard WUI page.

1 Like

Am I correct in thinking that the WireGuard Client Pool should be different from the OpenVPN subnet address range, the OpenVPN Static IP address pools, and the IPsec Host-to-Net Virtual Private Network (RoadWarrior)?

Regards

Yes they all would have to be distinct subnets. They cannot overlap.

3 Likes
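A pre-flight check for the rule confirmed in the reply above, as an added example that is not part of the thread or of IPFire's own code. The pool names follow the question, the addresses are constructed sample values, and `find_overlaps` is a hypothetical helper.

```python
import ipaddress
from itertools import combinations

# Constructed sample values: names follow the thread, addresses are made up.
SAMPLE_POOLS = {
    "WireGuard client pool": "10.10.0.0/24",
    "OpenVPN subnet": "10.10.0.128/25",
    "OpenVPN static IP pool": "10.20.0.0/24",
    "IPsec host-to-net pool": "10.30.0.0/24",
}


def find_overlaps(pools):
    """Return (name_a, name_b, shared_network) for every overlapping pair."""
    parsed = {}
    for name, cidr in pools.items():
        # strict=False also accepts an interface-style value such as 10.10.0.1/24
        parsed[name] = ipaddress.ip_network(cidr, strict=False)

    conflicts = []
    for (a, net_a), (b, net_b) in combinations(parsed.items(), 2):
        if net_a.version != net_b.version:
            continue  # an IPv4 pool cannot collide with an IPv6 pool
        if net_a.overlaps(net_b):
            # Two CIDR blocks overlap only when one contains the other,
            # so the shared range is the block with the longer prefix.
            shared = net_a if net_a.prefixlen >= net_b.prefixlen else net_b
            conflicts.append((a, b, str(shared)))
    return conflicts


if __name__ == "__main__":
    for a, b, shared in find_overlaps(SAMPLE_POOLS):
        print(f"CONFLICT: {a} and {b} share {shared}")
```
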

Thank you for your confirmation.
Would such a note, at the end of the WireGuard wiki page, be correct?

1 Like

Change “should be different” to “must be different”.

1 Like

Yes, of course.
Already corrected.

2 Likes

Yesterday I ran simple tests between
IPFire 2.29 (x86_64) - Core-Update 195 Development Build: master/4e8f4314

and

  1. WireGuard v0.5.3 client on Windows 10 Pro 19045.5854
     • import settings from .conf file without any problems
     • I was able to connect to remote resources
  2. WireGuard client v1.0.20250516 on Android 15
     • import settings from .conf file without any problems
     • import settings from QR code without any problems
     • I could connect to remote resources

Regards

1 Like

The update went well, but I have noticed the IPS logs are not working.


The system is running just not logging. It did work in 194.

On your IPS page (cgi-bin/ids.cgi), which interfaces have you enabled?

I’ve noticed that in the /var/ipfire/suricata/suricata-homenet.yaml file, when both WireGuard and IPS scanning for WG are enabled, the subnet of the WG interface doesn’t appear in the file. I’m not entirely sure if this is expected though.

Thanks,
A G

Only have Red and green enabled.

1 Like

This bug has been reported and a patch has been submitted. Hopefully in the next few days we’ll have an updated testing build with the identified bugs fixed.

Thanks,
A G

Thanks for the help. Will look out for the update and let you know.

IMHO it would make more sense to have IPFire prevent configuring overlapping ranges in the first place (don’t know if this happens, but sounds like it does not).

Of course, yes. However, it requires additional work by developers to implement the additional code.
IMHO without this additional feature IPFire2 will work, and the time for additional work is better spent on the development of version 3 of IPFire.

Regards

1 Like