Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Wireguard on pfSense vs. internal self-spun

    WireGuard
    3
    6
    96
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      aljames
      last edited by aljames

      I have been going back and forth whether to move my Wireguard to my pfSense vs. keeping it in a VM on it's own subnet. I'd like to better understand pros & cons and get some opinions. I am not working with any VPS's or reverse proxy since this is not a public service.

      My hangup is forwarding a port for the internal WG instance. The reason I consider it a hangup is some of my users are on mobile devices that could connect from anywhere and there is no way to limit sources for this reason. So, my internal WG works fine if I port forward all sources on my pfSense & redirect to my WG server & port. My server's nftables rules will drop all traffic except tunnel traffic and pass it along to an internal service. That service in turn requires a login and uses nftables to drop all traffic except tunnel sourced traffic. I feel it is probably tight enough as it is... but still a hangup in my brain.

      Contrary though, is WG on PFS any less equivalent to port forwarding? No port forwards needed, but it seems we are effectively doing so with firewall rules on the WAN side that allows all traffic in. Are these effectively the same in terms of network exposure? You might say, No, because WG on PFS is only passing tunnel traffic on the WAN, but how is that possible without a forward of some type. Is it more similar to the tunnel entrance being in a DMZ to authenticate before entering the network..

      N 1 Reply Last reply Reply Quote 0
      • N
        netblues @aljames
        last edited by

        @aljames Port forwarding is a form of nat. Every packet gets translated to a new target ip.
        Firewalling is just allowing the packet to pass.
        You also need firewall access before doing nat.

        A 1 Reply Last reply Reply Quote 0
        • A
          aljames @netblues
          last edited by

          @netblues NAT/port forward setting is not used when configuring the WG package on pfSense, only a firewall rule on the WAN is set. Is this somehow more secure than port forwarding to open up access to an internal WG server?

          Bob.DigB N 2 Replies Last reply Reply Quote 0
          • Bob.DigB
            Bob.Dig LAYER 8 @aljames
            last edited by

            @aljames An open port is an open port and both solutions will need one. There is no difference security wise. You will need NAT for your own server but that is not a concern in itself.

            1 Reply Last reply Reply Quote 0
            • N
              netblues @aljames
              last edited by

              @aljames From a security point of view it is the same.
              From a performance point of view there is a (usually negligible) penalty doing nat vs native

              1 Reply Last reply Reply Quote 0
              • A
                aljames
                last edited by

                Thanks for the help. I am considering/debating whether to move the tunnel to the edge using the WG package on PFS.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.