Hello,
I’ve moved over from pfSense, which I used at home, and had OpenVPN set up for my mobile devices. Is this the go-to VPN software on OPNsense, or WireGuard?
Thanks
OpenVPN has much more robust support for authentication, user accounts, and pushing configuration to the client from the server. This is very useful for VPNs where end users are connecting in to your network, since you just need to provide minimal information to the end user, they can log in using a username and password (which OpenVPN can authenticate to a back end server), and the network settings (IP, gateways,…) are pushed to the client automatically.
WireGuard provides essentially nothing. Both sides mutually agree to talk to each other using their respective keys, but no configuration metadata is exchanged over the tunnel. Each side has to manually assign themselves an IP on the tunnel, and the server side has to either allow anything or manually pair each peer with what their IP(s) are allowed to be. No external authentication services, no near auto-configuration of the client, etc., and if the tunnel has a gateway to another network, that needs to go in the config file too. WireGuard likes to talk the big talk of having so much less code than OpenVPN, but they also have far fewer features to go with it.
Sometimes manual configuration of both sides is worth the (pretty drastic) performance increase, especially for site to site VPNs where you control both ends of the link. When you are relying on clients which you aren’t configuring yourself, it’s much harder to recommend.
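The per-peer pairing described in the reply above, as an added example that is not part of the original thread: a Python check that reads a WireGuard server config and flags peers whose AllowedIPs is wider than a single host or overlaps another peer's. The sample config, key placeholders and 10.10.0.0/24 addressing are constructed for illustration, and the single-host rule assumes roadwarrior peers rather than site-to-site links.

```python
import ipaddress
from itertools import combinations, product

# Constructed sample server config; keys are placeholders, not real key material.
SAMPLE_CONF = """\
[Interface]
Address = 10.10.0.1/24
[Peer]  # phone
PublicKey = PHONE_KEY_PLACEHOLDER
AllowedIPs = 10.10.0.2/32
[Peer]  # laptop: server accepts any source address from this peer
PublicKey = LAPTOP_KEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0
[Peer]  # tablet: reuses the phone's tunnel address
PublicKey = TABLET_KEY_PLACEHOLDER
AllowedIPs = 10.10.0.2/32, 10.10.0.4/32
"""

def parse_peers(conf_text):
    """Return one {"key": str, "nets": [ip_network]} dict per [Peer] section."""
    peers, current = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if line.startswith("["):
            current = {"key": None, "nets": []} if line.lower() == "[peer]" else None
            if current is not None:
                peers.append(current)
        elif current is not None and "=" in line:
            name, value = (p.strip() for p in line.split("=", 1))
            if name.lower() == "publickey":
                current["key"] = value
            elif name.lower() == "allowedips":
                current["nets"] += [ipaddress.ip_network(v.strip(), strict=False)
                                    for v in value.split(",") if v.strip()]
    return peers

def audit(peers):
    """Return sorted (issue, detail) findings: non-host prefixes and cross-peer overlaps."""
    findings = {("broad", f"{p['key']} {n}") for p in peers for n in p["nets"]
                if n.prefixlen != n.max_prefixlen}
    for a, b in combinations(peers, 2):
        for na, nb in product(a["nets"], b["nets"]):
            if na.version == nb.version and na.overlaps(nb):
                findings.add(("overlap", f"{a['key']} {na} / {b['key']} {nb}"))
    return sorted(findings)

if __name__ == "__main__":
    for issue, detail in audit(parse_peers(SAMPLE_CONF)):
        print(f"{issue:8} {detail}")
```
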
A lot of it depends on your needs. For people who have larger scale deployments WireGuard for roadwarriors isn’t really an option because micromanaging every peer isn’t feasible. As such I will stay with OpenVPN for roadwarriors.
However, these days I vastly prefer WireGuard over both OpenVPN and IPsec for site to site connections.
I went through IPsec, WireGuard, and OpenVPN, mostly out of curiosity. I’d say if you aren’t looking to tear your hair out and just want something to work, go with OpenVPN.
I use WireGuard with OPNsense. I find it easy to set up and manage, and with the upcoming OPNsense/FreeBSD WireGuard kernel updates, WireGuard will get even faster. The service I use is ovpn.com; they are relatively small and the service is amazingly fast.
OpenVPN is the easiest to set up for both site to site and roadwarrior VPNs.
I had to switch to WireGuard for performance reasons, but OpenVPN was easier to manage.
Very useful information, thanks.
I haven’t used/set up a VPN yet (other than the work one using the work provided laptop), but how would WireGuard hold up to a single “road warrior” that occasionally logs in to a home network to check a camera feed or copy some MP3s or a movie or two?
WireGuard would definitely be preferable in that scenario, especially when you take the significant performance increase into account (specifically for low power devices typically used by home users).
It’s really just that the way WireGuard is set up doesn’t lend itself to using it on a larger scale. It’s less of a server-client model like OpenVPN and more of a mutual authentication. This means that OpenVPN can be more easily centrally managed.