At work we have Wireguard running on OpenBSD for home office users (over 300 users). At the moment there is only one Wireguard tunnel for LanToLan. The rest of the LanToLan tunnels are still running Libreswan IPSEC on Linux; they will be migrated to Wireguard in time. Both OpenVPN and the Linux implementation of IPSEC called Libreswan seem complex to me; they have obscure crash issues. I don't know the IPSEC implementation on OpenBSD.

Our Wireguard instance on OpenBSD is running in HA with CARP and pfsync, it works perfectly.

Wireguard is simple which I really appreciate.

Greetings.

On 11/21/24 7:16 PM, Devin Reade wrote:
I'm starting to plan out some infra upgrades for a single
organization and am looking at site-site VPN options. I would
appreciate some general recommendations on technologies. I've
worked with ipsec and openvpn in the distant past, and have
done a bit of reading on wireguard but never used it.

There are three sites involved. The primaries, SiteA and SiteB
will definitely be using OpenBSD routers/firewalls.  SiteC might
use OpenBSD, but OpnSense or others remain options.

The SiteA upstream uses a static IP.
The SiteC upstream uses a dynamic (but generally stable) IP.
It's not clear yet if SiteB will use a static or dynamic
upstream. Anything dynamic will use RFC2136-based FQDNs
on the upstream.

The tunnels of interest are between SiteA and SiteB (at least one
end static), and between SiteB and SiteC (maybe both dynamic).
There is no need for a tunnel between SiteA and SiteC.

While the "road warrior" case may be raised in the future, it
is currently out of scope.

So my main question is whether there are compelling reasons to
be considering wireguard (or other options) over ipsec?  I'm
guessing that assuming stability is good for both that the
respective approaches to dynamic IP changes may be a deciding
factor.

Although I see a few threads here on wireguard-maybe-going-numb
under some circumstances, it looks like both stacks are stable.
I remember that for the dynamic-dynamic case, years back, there
were potential vulnerabilities when using aggressive-mode ipsec;
although I'm still refreshing my memory and coming up to speed
it seems that this may be mitigated through using public keys
in iked?

A quick perusal seems to indicate that ipsec, at least, plays
well with carp and friends.

Thanks in advance.
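One concrete aspect of the dynamic-IP question raised above, added here as an example and not part of either message: WireGuard resolves a peer's endpoint name only when the peer is configured, and while the static side learns a roaming peer's new address from that peer's own authenticated packets, in the dynamic-dynamic case (SiteB to SiteC) both ends can end up with a stale endpoint. The script below, for OpenBSD's wg(4) driven through ifconfig(8), re-resolves the peer's RFC2136 FQDN from cron and re-points wgendpoint only when the address actually changed; the interface, peer key, hostname and port are placeholders, and the ifconfig sample is constructed.

```sh
#!/bin/sh
# Re-resolve a WireGuard peer's dynamic FQDN and re-point its endpoint on OpenBSD.
# Interface, peer key, hostname and port are placeholders, not values from the thread.
IFACE="wg0"
PEER_KEY="PEER_PUBLIC_KEY_PLACEHOLDER"
PEER_FQDN="siteb.example.org"
PEER_PORT="51820"

# First IPv4 address for an FQDN via host(1); empty output if it does not resolve.
resolve_ipv4() {
    host -t A "$1" 2>/dev/null | awk '/has address/ { print $NF; exit }'
}

# Read ifconfig(8) output on stdin and print the endpoint IP of the given peer key.
current_endpoint() {
    awk -v key="$1" '
        $1 == "wgpeer"               { inpeer = ($2 == key) }
        inpeer && $1 == "wgendpoint" { print $2; exit }
    '
}

# Print "update" when the resolved address is non-empty and differs from the
# configured one, otherwise "keep"; an unresolvable name never clears the endpoint.
decide() {
    if [ -n "$2" ] && [ "$2" != "$1" ]; then echo update; else echo keep; fi
}

# Constructed sample of `ifconfig wg0` output, used only for offline checks.
SAMPLE_IFCONFIG='wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
        wgport 51820
        wgpubkey LOCALKEY=
        wgpeer PEERKEY=
                wgendpoint 192.0.2.10 51820
                wgaip 10.0.0.0/8'

# Run from cron, e.g. every few minutes: `sh wg-endpoint.sh run`.
if [ "${1:-}" = "run" ]; then
    new_ip=$(resolve_ipv4 "$PEER_FQDN")
    cur_ip=$(ifconfig "$IFACE" | current_endpoint "$PEER_KEY")
    if [ "$(decide "$cur_ip" "$new_ip")" = "update" ]; then
        ifconfig "$IFACE" wgpeer "$PEER_KEY" wgendpoint "$new_ip" "$PEER_PORT"
        logger -t wg-endpoint "$PEER_FQDN moved: ${cur_ip:-none} -> $new_ip"
    fi
fi
```

Because a failed lookup yields "keep", a transient DNS outage leaves the last known endpoint in place rather than tearing the tunnel down.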
