OPNsense vs. pfSense Round 1: WireGuard

Date: May 9, 2021
Categories: OpenVPN, OPNsense, pfSense, Wireguard

This is an issue that no doubt has brought many people to look at OPNsense again or for the first time.

WireGuard has enjoyed increasing popularity in the last year or so. Due to its stateless nature it performs really well on mobile devices that may switch between LTE, 5G, WiFi networks. There is no tunnel that needs to do the “timeout, die, renegotiate” dance.

Picture this: You are on office WiFi, using OpenVPN on your phone. You step in the lift and exit the building. Now your device loses WiFi and switches to LTE or whatever. With OpenVPN this means about a minute or so of either leaking data or having no connectivity. WireGuard has no such issue. An enpoint’s IP address can change and it is barely noticeable.

It also has CHACHA20-POLY1305 which means it will perform well on devices that lack AES-NI or similar hardware acceleration as is the case on some mobile devices and raspberry pi etc. In other words: It is often (but not always!) faster than OpenVPN 2.4x. Note: OpenVPN 2.5x now does support CHACHA20-POLY1305.

pfSense:

Promised it for 2.5.0 because people were begging for it. Released it. Release came with some controversy. Reacted very poorly to the criticism which is a bit of a pattern with this company. Withdrew it in pfSense 2.5.1 and are now working on an alpha version for 2.6.0 which as of today has no release date yet. I have worked with both flavors of pfSense WireGuard and I have worked with WireGuard on OPNsense.

For my job this is not a dealbreaker. OpenVPN 2.5.1 serves us well. We need dynamic addressing for endpoints and we need RADIUS authentication. For home and site-site stuff I prefer WireGuard. I promised to remove bias so:

OPNsense:

Had WireGuard-go user-space implementation as a package for a long time now. They now also have a path to wireguard-kmod that I am testing and find to be stable.

Verdict:

Point goes to OPNsense for WireGuard. pfSense will catch up though. The alpha of what they will put into 2.6.0 looks good!

«
»

Leave a Reply to OPNsense vs. pfSense in 2021 – Index – 7 Data Centers Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.