Wireguard on pfSense vs. internal self-spun
-
I have been going back and forth whether to move my Wireguard to my pfSense vs. keeping it in a VM on its own subnet. I'd like to better understand pros & cons and get some opinions. I am not working with any VPSes or reverse proxy since this is not a public service.
My hangup is forwarding a port for the internal WG instance. The reason I consider it a hangup is some of my users are on mobile devices that could connect from anywhere and there is no way to limit sources for this reason. So, my internal WG works fine if I port forward all sources on my pfSense & redirect to my WG server & port. My server's nftables rules will drop all traffic except tunnel traffic and pass it along to an internal service. That service in turn requires a login and uses nftables to drop all traffic except tunnel sourced traffic. I feel it is probably tight enough as it is... but still a hangup in my brain.
Contrary though, is WG on PFS any less equivalent to port forwarding? No port forwards needed, but it seems we are effectively doing so with firewall rules on the WAN side that allow all traffic in. Are these effectively the same in terms of network exposure? You might say no, because WG on PFS is only passing tunnel traffic on the WAN, but how is that possible without a forward of some type? Is it more similar to the tunnel entrance being in a DMZ to authenticate before entering the network?
-
@aljames Port forwarding is a form of NAT. Every packet gets translated to a new target IP.
Firewalling is just allowing the packet to pass.
You also need firewall access before doing NAT.
-
@netblues NAT/port forward setting is not used when configuring the WG package on pfSense, only a firewall rule on the WAN is set. Is this somehow more secure than port forwarding to open up access to an internal WG server?
-
@aljames An open port is an open port and both solutions will need one. There is no difference security wise. You will need NAT for your own server but that is not a concern in itself.
-
@aljames From a security point of view it is the same.
From a performance point of view there is a (usually negligible) penalty doing NAT vs. native.
-
Thanks for the help. I am considering/debating whether to move the tunnel to the edge using the WG package on PFS.
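The drop-all-but-tunnel design described in the first post (WG server in its own VM behind a pfSense port forward, internal service reachable only from tunnel sources), written out as an nftables ruleset. This is an added, constructed example for this thread, not the poster's own configuration; the interface names, listen port, tunnel range and service address are assumptions, and it assumes the internal service has a return route to the tunnel range via the VM so that its own firewall can still match on tunnel source addresses.

```nft
#!/usr/sbin/nft -f
# Constructed example. Assumed values (not from the thread):
#   eth0        = VM NIC on its own subnet, target of the pfSense port forward
#   wg0         = WireGuard interface
#   51820/udp   = WireGuard listen port forwarded by pfSense
#   10.8.0.0/24 = tunnel address range handed to peers
#   192.0.2.10  = internal service (documentation address used as placeholder)
flush ruleset

define WG_PORT  = 51820
define TUN_NET  = 10.8.0.0/24
define SVC      = 192.0.2.10
define SVC_PORT = 443

table inet wgvm {
    chain input {
        type filter hook input priority filter; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # The only thing the forwarded port exposes is the WireGuard UDP socket.
        # WireGuard silently ignores anything that is not a valid handshake from
        # a configured peer, so an unauthenticated source never reaches a
        # listening TCP service on this host.
        iifname "eth0" udp dport $WG_PORT accept

        # Host management only from inside the tunnel.
        iifname "wg0" ip saddr $TUN_NET tcp dport 22 accept

        # Everything else that arrives on eth0 falls to the drop policy;
        # keep a rate-limited log line for detection.
        iifname "eth0" limit rate 5/minute log prefix "wgvm-input-drop: "
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept

        # Only tunnel-sourced traffic is passed to the internal service, and
        # only on its service port. Nothing that arrived raw on eth0 is forwarded.
        iifname "wg0" oifname "eth0" ip saddr $TUN_NET \
            ip daddr $SVC tcp dport $SVC_PORT accept
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`; whichever side terminates the tunnel, the surface exposed to arbitrary Internet sources is this single UDP socket, which is the point the replies make about the two options being equivalent.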