site to site vpn using pfsense wireguard

Introduce yourself to us and other members here, or share your own product reviews, suggestions, and tips and tricks of using QNAP products.
Post Reply
User avatar
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

site to site vpn using pfsense wireguard

Post by Moogle Stiltzkin »

in the latest pfsense they added wireguard support.

wireguard vpn isn't quite designed for anonymity. instead it's for performance. so it may be good for things like remote vpn access to your nas especially when you want the best possible performance possible for vpn.

lawrence posted his guide here
https://www.youtube.com/watch?v=ZY49EAMnniY
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)


Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
User avatar
spile
Been there, done that
Posts: 637
Joined: Tue May 24, 2016 12:13 am

Re: site to site vpn using pfsense wireguard

Post by spile »

After reading reports comparing Wireguard and Openvpn I chose the former. A year later and I am very pleased with its performance and reliability.
User avatar
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Re: site to site vpn using pfsense wireguard

Post by Moogle Stiltzkin »

spile wrote: Fri Feb 26, 2021 3:21 pm ...
well for services like mullvad vpn, i tend to prefer using openvpn. that said, they did post a link stating their setup of wireguard is good enuff for their purpose after implementing a solution of their own to fix this :'
Is it true that a user's public IP must be logged in order for WireGuard to work?
No. When using WireGuard, your public WireGuard IP address is temporarily left in memory (RAM) during connection. By default, WireGuard deletes this information if this server has been rebooted or if the WireGuard interface has restarted.

For us this wasn't enough, so we added our own solution in that if no handshake has occurred within 600 seconds, the peer is removed and reapplied. Doing so removes the public IP address and any info about when it last performed a handshake.

If you want to hide your public IP even more, use multihopping.
What are your thoughts on the internal WireGuard IP address being static?
We acknowledge that keeping a static IP for each device, even internally, is not ideal.

Why? Because if a user experiences WebRTC leaks, that static internal IP address could leak externally. As another example, applications running on your device can find out your internal IP, and if you've installed software that is malicious, it can also leak that information.

And theoretically, a static internal IP that is leaked, together with obtaining a payment record, could help to identify a user. (Dive into the payment info we handle for a fascinating read.)

Having said that, we still believe that WireGuard overall is in a better state than OpenVPN.
https://mullvad.net/en/help/why-wireguard/

but for performance that doesn't require privacy so much, wireguard seems to win, especially for things like remote access

https://restoreprivacy.com/vpn/wireguar ... 50%20Mbps).


before people use wireguard, they best read up what the pros and cons are when comparing vs openvpn :)

but for site to site vpn for remote access, seems it shouldn't be a problem using wireguard, and now pfsense added official support with the latest update :D
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)


Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
User avatar
spile
Been there, done that
Posts: 637
Joined: Tue May 24, 2016 12:13 am

Re: site to site vpn using pfsense wireguard

Post by spile »

User avatar
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Re: site to site vpn using pfsense wireguard

Post by Moogle Stiltzkin »

spile wrote: Sat Feb 27, 2021 3:58 pm ...
they removed wireguard from pfsense? because of bad code?

WireGuard Removed from pfSense March 2021
https://www.youtube.com/watch?v=uGNorRLefBg
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)


Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
User avatar
spile
Been there, done that
Posts: 637
Joined: Tue May 24, 2016 12:13 am

Re: site to site vpn using pfsense wireguard

Post by spile »

Moogle Stiltzkin wrote: Mon Apr 05, 2021 4:27 pm

they removed wireguard from pfsense? because of bad code?

WireGuard Removed from pfSense March 2021
https://www.youtube.com/watch?v=uGNorRLefBg
Or Politics...
https://arstechnica.com/gadgets/2021/03 ... se-router/
User avatar
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Re: site to site vpn using pfsense wireguard

Post by Moogle Stiltzkin »

spile wrote: Wed Apr 07, 2021 2:56 pm ...
you should also check this out
https://www.youtube.com/watch?v=i1GEPL-X1hE

:S i am using 2.5 .... but i don't notice any issues so far generally speaking. but they do seem to exist :shock:
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)


Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
User avatar
spile
Been there, done that
Posts: 637
Joined: Tue May 24, 2016 12:13 am

Re: site to site vpn using pfsense wireguard

Post by spile »

User avatar
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Re: site to site vpn using pfsense wireguard

Post by Moogle Stiltzkin »

spile wrote: Thu Apr 08, 2021 1:42 pm And in particular the comments...
https://www.servethehome.com/pfsense-an ... d-support/
but in between the lines, it seems opensense vyos and some others do still have a working wireguard. whether that is because their code is good for now, or they are using regardless of whatever issue that was on pfsense. i honestly don't know :'

but even then, even those have a "beta" warning, at least i noticed opensense did. do people enjoy doing beta for their production units :shock: ? xd


on sidenote seems fortinet vpn is not having a good time :shock:
Ransomware operators shut down two production facilities belonging to a European manufacturer after deploying a relatively new strain that encrypted servers that control manufacturer's industrial processes, a researcher from Kaspersky Lab said on Wednesday.

The ransomware known as Cring came to public attention in a January blog post. It takes hold of networks by exploiting long-patched vulnerabilities in VPNs sold by Fortinet. Tracked as CVE-2018-13379, the directory transversal vulnerability allows unauthenticated attackers to obtain a session file that contains the username and plaintext password for the VPN.

Sage advice not heeded

In 2019, researchers observed hackers actively trying to exploit the critical FortiGate VPN vulnerability. Roughly 480,000 devices were connected to the Internet at the time. Last week, the FBI and Cybersecurity and Infrastructure Security agency said the CVE-2018-13379 was one of several FortiGate VPN vulnerabilities that were likely under active exploit for use in future attacks.

Fortinet in November said that it detected a “large number” of VPN devices that remained unpatched against CVE-2018-13379. The advisory also said that company officials were aware of reports that the IP addresses of those systems were being sold in underground criminal forums or that people were performing Internet-wide scans to find unpatched systems themselves.
https://arstechnica.com/information-tec ... ng-plants/
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)


Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
Post Reply

Return to “Users' Corner”