Is WG Production-Ready?
-
I'm setting up a 7100-1U. Up to now I've been setting up OpenVPN on Netgate appliances for remote access VPN but I'm interested in WG, about which I know very little. In this setup there's a potential use case for maximum throughput (graphics-intensive Windows RDP); I understand WG performs significantly better than OpenVPN.
This 7100 is currently running 21.05.2-RELEASE which is reported as the latest version.
I understand WG is currently "experimental" on pfSense+ and I'd need to install an optional package for it to appear as an available VPN in the GUI.
That said, can anyone comment on whether WG on pfSense+ is actually ready for production use? I have some concerns:
- In the docs https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-ra.html there's a warning about upgrades requiring removal of WG tunnels. Does this mean, for example, that upgrading pfSense to (say) 22.xx.xx requires blowing the WG configuration away, and then reconfiguring everything afterwards?
- If there's a WG version update on the 7100, does that mean that all remote access clients/peers will need to upgrade their software as well (e.g. new encryption ciphers)?
- OpenVPN has a convenient client export utility. Is there anything similar for WG? It looks like there's less to configure with WG clients/peers but nonetheless there seems to be the age-old key exchange issue. Also I'm not sure how easy it is to get unsophisticated remote users set up with appropriate client software and configuration.
- Is it straightforward to disable or delete remote clients/peers from accessing the VPN through the 7100?
- Anything else I should be aware of for production use?
  Fundamentally, remote access VPN needs to be relatively easy to configure for clients/peers, and once set up, "just work" for a long time.
My apologies if this has already been asked. I've gone through the "WireGuard lives!" thread and some other likely-looking threads but didn't find anything that addresses these potential issues.
-
@nvdude said in Is WG Production-Ready?:
- In the docs https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-ra.html there's a warning about upgrades requiring removal of WG tunnels. Does this mean, for example, that upgrading pfSense to (say) 22.xx.xx requires blowing the WG configuration away, and then reconfiguring everything afterwards?
Yes. There is no upgrade code to transpose and port WireGuard configuration (that is, any config based on the original built-in WireGuard implementation in 21.02/2.5.2). Just nuke the old config and start over.
- If there's a WG version update on the 7100, does that mean that all remote access clients/peers will need to upgrade their software as well (e.g. new encryption ciphers)?
Only if something significant changes involving the crypto, yes. In that case, it would be bigger news than just something impacting pfSense exclusively. Nothing significant like this has happened yet...
- OpenVPN has a convenient client export utility. Is there anything similar for WG? It looks like there's less to configure with WG clients/peers but nonetheless there seems to be the age-old key exchange issue. Also I'm not sure how easy it is to get unsophisticated remote users set up with appropriate client software and configuration
There is work ongoing for several import/export features, including .conf import/export and QR code export. This is being worked on.
- Is it straightforward to disable or delete remote clients/peers from accessing the VPN through the 7100?
As easy as clicking the toggle icon next to the peer. You can also disassociate a peer from a tunnel by marking it as "unassigned". You can also move peers between tunnels with ease.
- Anything else I should be aware of for production use?
Fundamentally, remote access VPN needs to be relatively easy to configure for clients/peers, and once set up, "just work" for a long time.
I think you'll be quite impressed. I know of several sites using WireGuard in production, and I drive most of my daily traffic through WireGuard via pfSense.
-
@cmcdonald Thanks for the reply - that answers most of my concerns. One thing I'm still not 100% clear with:
- In the docs https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-ra.html there's a warning about upgrades requiring removal of WG tunnels. Does this mean, for example, that upgrading pfSense to (say) 22.xx.xx requires blowing the WG configuration away, and then reconfiguring everything afterwards?
Yes. There is no upgrade code to transpose and port WireGuard configuration (that is, any config based on the original built-in WireGuard implementation in 21.02/2.5.2). Just nuke the old config and start over.
Is this issue specific only to the built-in WG in 21.02?
I'm working with a brand-new 7100 with 21.05.2 (i.e. newer than 21.02) and no WG currently (or previously) configured. I can install the WG package and set up WG on 21.05.2. If I later upgrade pfSense+ to (say) 22.xx.xx, will I still need to remove WG tunnels? Ideally I'd like to be able to do the pfSense+ upgrade and not have to make any changes or reconfiguration to WG.
-
@nvdude once you’re running WireGuard as a package there is an upgrade path moving forward :)
-
@cmcdonald Thanks - I'll give it a test!