Installing WireGuard VPN
-
Wireguard @pfSense would be pure awesomeness.
-Rico
-
-
there is no telling if WG will be as fast as IPSec. Certainly the implementation over tun/tap is not, and can not be
-
config for IPSec with pfsense is already easy
-
OpenVPN got big because you can do things like policy routing with it, performance sucks compared to IPSec.
-
-
@lopezio said in Installing WireGuard VPN:
@jwt Hi, with all that said and all cool, 3 things remain IMO:
- For one, if WireGuard is nearly as fast as IPSEC, but without the configuration and implementation mess IPSEC brings (which is one of the most important reasons - if not the reason - why OpenVPN became so popular in the first place - the main reason being, that ESP or ESP over UDP can be a pain to setup, especially for mobile / NAT clients, as we all know), it's very well worth considering as soon as possible. Until now we had to trade ease of use and flexibility with performance - it looks like this tradeoff might finally be ended by/with WireGuard.
- WireGuard is now reaching more beta than alpha state, with clients available with more and more platforms (including mobile).
Implementing a package as early as possible (with according caution warnings and disclaimers until it reaches maturity) for PfSense does make sense (double-sense :D), because it would enable very valuable feedback and experience reports from early adopters, both for WireGuard and, more importantly, for its usage within PfSense itself. - As WireGuard attracts more and more attention in the sector, having it in PfSense means that this can be leveraged in PfSense marketing too.
Best Regards, and thanks for the huge work so far.
LP
- WireGuard is UDP
- WireGuard is quite messy to set up
- There's no authentication backend, so for client / server VPN it's no fun.
Try it out yourself and you'll stick to OpenVPN :) Imagine, it's only public/private key .. how do you transfer them? How do you change them (both sides)? Did you try to add a base64 key into your mobile? You need QR implementation etc.
-
Public key means you can transfer your public key in the clear. Super easy transfer of keys.
-
@mephisto said in Installing WireGuard VPN:
veeam started using it https://www.veeam.com/blog/veeam-pn-v2-wireguard.html
Yeah Veeam guys play around on many grounds but not seldomly fail to play stable. It's nice to adapt new tech but you should be able to bring it stable. Also they are playing with it on Linux. As already pointed out: Linux version is a whole other playing field with their implementation status in Kernel etc.
BTW we played with "early implementations" of wireguard on FreeBSD and even took a HW like the SG-5100 (similar hardware) and installed OPNsense and their take on Wireguard. Installation/Configuration was messy (but everyone always blabs about the super-easy configuration ) and didn't work at first. At last we could stabilize it to make some tests and an IPerf test ran below even OpenVPN speeds. As stated: nice to play around but not merely stable/mature enough for it to be enterprise ready. And that's the biggest problem I see with "early adapting Wireguard": if it goes into main-pfSense core now with the buzz and hype everyone pushes around, people/companies are likely to try it without realizing, that the code/implementation on FreeBSD at least are still in an (early) alpha state and not stable/secure like IPSec and OpenVPN. Even the wireguard website tells that to everyone. Hiding that fact and just throwing it into e.g. the 2.5 release would show up to those users/companies as the software is ready to use. And for me (after our tests) it's clearly not. Especially if most of them would try to use it as RoadWarrior setup instead of using tunnels or meshes. For example we had one case, that the wirguard dial in wouldn't work anymore after an update on a client as the startup script and API call changed and some script wasn't adapted. So we had to fix it (or wait a day 'til the fixed version).
TL;DR
Would love to see it in pfSense (core at some time) but only if mature enought to actually work securely and (reasonably) fast. -
yeap that is a very good point, I was comparing it to linux and freebsd implementation of it is far behind. Well I guess we can just hope some people can devote their time to help polishing the code so it can eventually becomes more stable on freebsd. Thanks for the clarification :)
-
This post is deleted! -
Why does that sound like a copy/paste marketing spam message? That kind of messaging isn't going to convince anyone.
The security review part was only one reason (not "excuse" -- a valid concern, and a valid reason), there are many others throughout the thread.
We are keeping an eye on it, but while most of that may be fine on Linux, last I saw, FreeBSD support was still not up to par.
-
That is pure spam dude ;) Do you want me to report it and delete it ;)
Well now another user has tagged it as spam jim - your call :) hehehehe
-
Locking this topic.
If and when the situation with Wireguard improves on FreeBSD, it can be revisited. Adding it before it's ready will lead to even more complaints and problems. Its status on Linux or other projects is irrelevant.
FYI- Insulting people, the project, or companies in general (especially via the reporting mechanism and not publicly) is not a tactic that will convince anyone that you are correct. In fact, it tends to have the opposite effect.
-
Remember when I said that there is a plan, but Iām not ready to reveal it yet?
Sometimes what you want takes longer than you hope, but Iām happy to report that the process of bringing a kernel-resident implementation of Wireguard to FreeBSD has begun to land changes in FreeBSD.
https://svnweb.freebsd.org/base?view=revision&revision=357986
https://svnweb.freebsd.org/base?view=revision&revision=357987
-
This is now finished. At lease phase one is finished.
https://www.netgate.com/blog/wireguard-for-pfsense-software.html