At work we have WireGuard running on OpenBSD for home office users (over
300 users). At the moment there is only one WireGuard tunnel for LAN-to-LAN. The
rest of the LAN-to-LAN tunnels are still running Libreswan IPsec on Linux;
they will be migrated to WireGuard in time. Both OpenVPN and the Linux
implementation of IPsec called Libreswan seem complex to me; they have
obscure crash issues. I don't know the IPsec implementation on OpenBSD.
Our WireGuard instance on OpenBSD is running in HA with CARP and pfsync;
it works perfectly.
WireGuard is simple, which I really appreciate.
Greetings.
On 11/21/24 7:16 PM, Devin Reade wrote:
> I'm starting to plan out some infra upgrades for a single
> organization and am looking at site-site VPN options. I would
> appreciate some general recommendations on technologies. I've
> worked with ipsec and openvpn in the distant past, and have
> done a bit of reading on, but never used, wireguard.
>
> There are three sites involved. The primaries, SiteA and SiteB
> will definitely be using OpenBSD routers/firewalls. SiteC might
> use OpenBSD, but OpnSense or others remain options.
>
> The SiteA upstream uses a static IP.
> The SiteC upstream uses a dynamic (but generally stable) IP.
> It's not clear yet if SiteB will use a static or dynamic
> upstream. Anything dynamic will use RFC2136-based FQDNs
> on the upstream.
>
> The tunnels of interest are between SiteA and SiteB (at least one
> end static), and between SiteB and SiteC (maybe both dynamic).
> There is no need for a tunnel between SiteA and SiteC.
>
> While the "road warrior" case may be raised in the future, it
> is currently out of scope.
>
> So my main question is whether there are compelling reasons to
> be considering wireguard (or other options) over ipsec? I'm
> guessing that assuming stability is good for both that the
> respective approaches to dynamic IP changes may be a deciding
> factor.
>
> Although I see a few threads here on wireguard-maybe-going-numb
> under some circumstances, it looks like both stacks are stable.
> I remember that for the dynamic-dynamic case that years back there
> were potential vulnerabilities when using aggressive-mode ipsec;
> although I'm still refreshing my memory and coming up to speed
> it seems that this may be mitigated through using public keys
> in iked?
>
> A quick perusal seems to indicate that ipsec, at least, plays
> well with carp and friends.
>
> Thanks in advance.
>
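The HA layout the reply describes (WireGuard on OpenBSD behind a CARP address, pf state replicated with pfsync) and the static/dynamic endpoint question from the original post can both be shown in one set of hostname.if(5) fragments. This is an added illustration, not the poster's configuration: the interface names, the RFC 5737 addresses, the tunnel prefixes and the key placeholders are all assumptions. The static side (SiteA, two CARP nodes) is shown; the dynamic peer (SiteC or a dynamic SiteB) differs only in that it names the static side's CARP address as `wgendpoint` and sets a keepalive.

```text
# Both CARP nodes at the static site carry identical /etc/hostname.wg0 files,
# including the same wgkey, so a failover looks to the peer like the same host.
# /etc/hostname.wg0  (assumed: em0 upstream, 10.255.0.0/30 tunnel, 10.20.0.0/24 remote LAN)
wgkey <same-private-key-on-both-nodes>      # placeholder; generate with openssl rand -base64 32
wgport 51820
# No wgendpoint here: the peer's IP is dynamic, so it is learned from the peer's
# authenticated handshake instead of being configured.
wgpeer <peer-public-key> wgaip 10.20.0.0/24 wgaip 10.255.0.2/32 wgdescr "SiteC"
inet 10.255.0.1/30
up
!route -qn add -inet 10.20.0.0/24 10.255.0.2

# /etc/hostname.carp0  (the address peers actually send UDP/51820 to)
inet 203.0.113.1 255.255.255.0 203.0.113.255 vhid 1 carpdev em0 pass <carp-passphrase>
# On the backup node add "advskew 100" to the line above.

# /etc/hostname.pfsync0  (dedicated crossover link, assumed em2)
syncdev em2
up

# /etc/pf.conf fragment on both nodes
ext_if   = "em0"
sync_if  = "em2"
pass on $sync_if proto pfsync
pass on $ext_if proto carp
pass in on $ext_if inet proto udp to 203.0.113.1 port 51820
pass on wg0

# Dynamic-side /etc/hostname.wg0 (the mirror image)
wgkey <dynamic-side-private-key>
wgpeer <static-side-public-key> wgendpoint 203.0.113.1 51820 \
       wgaip 10.10.0.0/24 wgaip 10.255.0.1/32 wgpka 25 wgdescr "SiteA"
inet 10.255.0.2/30
up
!route -qn add -inet 10.10.0.0/24 10.255.0.1
```

Two points worth checking in such a setup: pfsync replicates pf state, not WireGuard session keys, so after a CARP failover the peer completes a fresh handshake on its next outbound packet or keepalive (the `wgpka 25` on the dynamic side keeps that gap short); and because the static side has no `wgendpoint`, a change of the dynamic side's address is picked up automatically from the next authenticated handshake, so no RFC 2136 update is needed in that direction, only on the dynamic side, which must know where the static CARP address is.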