Netgate Discussion Forum

    Is WG Production-Ready?

    WireGuard
    5 Posts 2 Posters 962 Views
    NVDude (last edited by NVDude):

      I'm setting up a 7100-1U. Up to now I've been setting up OpenVPN on Netgate appliances for remote access VPN but I'm interested in WG, about which I know very little. In this setup there's a potential use case for maximum throughput (graphics-intensive Windows RDP); I understand WG performs significantly better than OpenVPN.
      This 7100 is currently running 21.05.2-RELEASE which is reported as the latest version.
      I understand WG is currently "experimental" on pfSense+ and I'd need to install an optional package for it to appear as an available VPN in the GUI.
      That said, can anyone comment on whether WG on pfSense+ is actually ready for production use? I have some concerns:

      • In the docs https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-ra.html there's a warning about upgrades requiring removal of WG tunnels. Does this mean, for example, that upgrading pfSense to (say) 22.xx.xx requires blowing the WG configuration away, and then reconfiguring everything afterwards?

      • If there's a WG version update on the 7100, does that mean that all remote access clients/peers will need to upgrade their software as well (e.g. new encryption ciphers)?

      • OpenVPN has a convenient client export utility. Is there anything similar for WG? It looks like there's less to configure with WG clients/peers but nonetheless there seems to be the age-old key exchange issue. Also I'm not sure how easy it is to get unsophisticated remote users set up with appropriate client software and configuration.

      • Is it straightforward to disable or delete remote clients/peers from accessing the VPN through the 7100?

      • Anything else I should be aware of for production use?

      Fundamentally, remote access VPN needs to be relatively easy to configure for clients/peers, and once set up, "just work" for a long time.
      My apologies if this has already been asked. I've gone through the "WireGuard lives!" thread and some other likely-looking threads but didn't find anything that addresses these potential issues.

      cmcdonald (Netgate Developer) @NVDude:

        @nvdude said in Is WG Production-Ready?:

        • In the docs https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-ra.html there's a warning about upgrades requiring removal of WG tunnels. Does this mean, for example, that upgrading pfSense to (say) 22.xx.xx requires blowing the WG configuration away, and then reconfiguring everything afterwards?

        Yes. There is no upgrade code to transpose and port WireGuard configuration (that is, any config based on the original built-in WireGuard implementation in 21.02/2.5.2). Just nuke the old config and start over.

        • If there's a WG version update on the 7100, does that mean that all remote access clients/peers will need to upgrade their software as well (e.g. new encryption ciphers)?

        Only if something significant changes involving the crypto, yes. In that case, it would be bigger news than just something impacting pfSense exclusively. Nothing significant like this has happened yet...

        • OpenVPN has a convenient client export utility. Is there anything similar for WG? It looks like there's less to configure with WG clients/peers but nonetheless there seems to be the age-old key exchange issue. Also I'm not sure how easy it is to get unsophisticated remote users set up with appropriate client software and configuration.

        There is work ongoing for several import/export features, including .conf import/export and QR code export. This is being worked on.

        • Is it straightforward to disable or delete remote clients/peers from accessing the VPN through the 7100?

        As easy as clicking the toggle icon next to the peer. You can also disassociate a peer from a tunnel by marking it as "unassigned". You can also move peers between tunnels with ease.

        • Anything else I should be aware of for production use?

        Fundamentally, remote access VPN needs to be relatively easy to configure for clients/peers, and once set up, "just work" for a long time.

        I think you'll be quite impressed. I know of several sites using WireGuard in production, and I drive most of my daily traffic through WireGuard via pfSense.

        Need help fast? https://www.netgate.com/support

        NVDude @cmcdonald (last edited by NVDude):
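What a client export has to hand to each side of a remote-access peer, as an added example (my own POSIX shell, not Netgate's code and not the .conf/QR export the reply mentions): the tunnel address, endpoint and keys used in comments are constructed placeholders, and key generation assumes wireguard-tools (`wg`) is installed on the admin host.

```shell
#!/bin/sh
# Added example, not Netgate's code: hand-rolled client export for a WireGuard
# remote-access peer. The client's private key is generated once and stays in
# the client .conf; only the public key and tunnel address go to the pfSense
# side as the peer entry, which is the whole "key exchange" for WireGuard.
set -eu

# A WireGuard key is 32 bytes base64-encoded: 44 chars, one '=' of padding, and
# the 43rd char carries only 4 data bits, so it is limited to 16 values.
valid_key() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Generate a keypair with wireguard-tools; prints "<private> <public>".
gen_keypair() {
    command -v wg >/dev/null 2>&1 || { echo "wg not installed" >&2; return 1; }
    priv=$(wg genkey)
    pub=$(printf '%s\n' "$priv" | wg pubkey)
    printf '%s %s\n' "$priv" "$pub"
}

# build_client_conf PRIVKEY CLIENT_ADDR SERVER_PUBKEY ENDPOINT ALLOWED_IPS
# Emits the wg-quick style .conf the remote user imports into their client
# (the same text a QR code export would encode).
build_client_conf() {
    valid_key "$1" && valid_key "$3" || { echo "bad key" >&2; return 1; }
    printf '[Interface]\nPrivateKey = %s\nAddress = %s\n\n' "$1" "$2"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s\n' "$3" "$4" "$5"
    printf 'PersistentKeepalive = 25\n'
}

# build_server_peer CLIENT_PUBKEY CLIENT_ADDR
# The two values entered on the pfSense peer page; note the client's private
# key is deliberately not among them, and the allowed IP is the single /32.
build_server_peer() {
    valid_key "$1" || { echo "bad key" >&2; return 1; }
    printf 'PublicKey = %s\nAllowedIPs = %s\n' "$1" "$2"
}

# Optional: render a client .conf file as a terminal QR code (needs qrencode).
show_qr() {
    command -v qrencode >/dev/null 2>&1 && qrencode -t ANSIUTF8 < "$1"
}

# Usage (constructed values): set -- $(gen_keypair); then
#   build_client_conf "$1" 10.0.9.2/32 "$SERVER_PUB" vpn.example.net:51820 0.0.0.0/0 > client.conf
#   build_server_peer "$2" 10.0.9.2/32   # paste into the pfSense peer entry
```

Disabling a user later is then just the per-peer toggle on the pfSense side, since the client holds nothing the server trusts beyond that one public key.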

          @cmcdonald Thanks for the reply - that answers most of my concerns. One thing I'm still not 100% clear with:

          • In the docs https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-ra.html there's a warning about upgrades requiring removal of WG tunnels. Does this mean, for example, that upgrading pfSense to (say) 22.xx.xx requires blowing the WG configuration away, and then reconfiguring everything afterwards?

          Yes. There is no upgrade code to transpose and port WireGuard configuration (that is, any config based on the original built-in WireGuard implementation in 21.02/2.5.2). Just nuke the old config and start over.

          Is this issue specific only to the built-in WG in 21.02?

          I'm working with a brand-new 7100 with 21.05.2 (i.e. newer than 21.02) and no WG currently (or previously) configured. I can install the WG package and set up WG on 21.05.2. If I later upgrade pfSense+ to (say) 22.xx.xx, will I still need to remove WG tunnels? Ideally I'd like to be able to do the pfSense+ upgrade and not have to make any changes or reconfiguration to WG.

          cmcdonald (Netgate Developer) @NVDude:

            @nvdude once you’re running WireGuard as a package there is an upgrade path moving forward :)

            Need help fast? https://www.netgate.com/support

            NVDude @cmcdonald:

              @cmcdonald Thanks - I'll give it a test!

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.