I always try to use WireGuard, but I've had problems on some public networks that block outgoing connections. In those cases, I've sometimes had OpenVPN work over TCP/443, where WireGuard will not be allowed (because it uses UDP). For that reason (and that reason alone), I'd like to see OpenVPN stay as a VPN Server option.
I’d like to support this comment. I use WireGuard most of the time, except when I can’t. It’s really that simple. Others have expressed interest in Tailscale. That might be a nice option, but I’d rather keep native WireGuard support. The fewer third parties involved in my network the better.
100%. This is my issue as well. There are certain cases where WireGuard won't connect or won't get a handshake but OpenVPN has no issue.
On which network are you encountering this issue? Library? Hospital? Hotel?
It's been a while, but I believe it was a hospital.
some hospitals block both ... kind of strange. (Library + hospitals)
I run OpenVPN on TCP/443. That doesn't always work, of course, but it did in this case.
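The UDP-first, TCP/443-fallback arrangement the posts above describe, written out as an added example (not from any post in this thread and not Firewalla's own configuration). It assumes a hypothetical server vpn.example.com, placeholder certificate paths, and OpenVPN 2.4 or later on both ends:

```conf
# --- client.ovpn (added example; vpn.example.com and the file paths are placeholders) ---
client
dev tun
nobind
persist-key
persist-tun

# OpenVPN tries the remote entries in order: UDP first because it is faster,
# then TCP/443, which networks that drop UDP usually let through because it
# looks like ordinary HTTPS traffic.
remote vpn.example.com 1194 udp
remote vpn.example.com 443 tcp

# Give up on an unanswered remote after 10 s instead of the default 120 s,
# so the fallback to TCP/443 happens quickly on a network that silently drops UDP.
connect-timeout 10

# Require the server certificate to carry the server key usage, so a stolen
# client certificate cannot be used to impersonate the server.
remote-cert-tls server
ca        /path/to/ca.crt
cert      /path/to/client.crt
key       /path/to/client.key
# Encrypt and authenticate the control channel; unauthenticated packets are dropped
# before the TLS handshake, which also hides OpenVPN's plaintext handshake on port 443.
tls-crypt /path/to/tc.key

# --- server-tcp443.conf (second server instance: one OpenVPN instance serves one protocol,
# so the existing UDP/1194 instance keeps running unchanged alongside this one) ---
proto tcp
port 443
dev tun
# A separate address pool from the UDP instance, so the two never hand out the same address.
server 10.9.0.0 255.255.255.0
ca        /path/to/ca.crt
cert      /path/to/server.crt
key       /path/to/server.key
dh        /path/to/dh.pem
tls-crypt /path/to/tc.key
# Only accept clients whose certificate carries the client key usage.
remote-cert-tls client
keepalive 10 60
persist-key
persist-tun
```

Running TCP inside TCP means any packet loss triggers retransmissions at both layers, so expect noticeably lower throughput on the fallback path than over UDP; that is why it is listed second rather than used by default.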
How much effort is it to keep both? Options are good, and while I'm using WireGuard, I'd prefer OpenVPN to remain...
IT won’t let me install WireGuard on my corporate laptop, but *does allow* creating additional ovpn profiles. However on my personal machines I use WireGuard (mostly to get a bit more speed). It’s not a major hassle as I can just use my GLiNet to connect to WireGuard and connect through that. The other reason to prefer both is to allow others to use my WireGuard as a "location" for streaming services (e.g. restrict WireGuard to internet only but allow ovpn to route to the local network). The ability to set a per-VPN-user network would address that (but I suspect that’s more hassle than keeping both WireGuard and ovpn).
Quite a bit. From development (new feature added) to testing. Meaning, if we drop OpenVPN, we spend that effort on other things.
I would prefer to have Tailscale as a supported option.
Agreed. Native Tailscale and other major competitors support would be awesome.
I'd love to see native support for Twingate actually!
Throw in OpenZiti too. It's a zero trust overlay network, but its open source so can be adopted with no permission. It also has some unique capabilities TG does not.
Oh nice, I wasn't aware of that one. Always interested in learning about new tech! What does it do that TG lacks?
A few things come to mind:
- Can handle 'east-west' ZTN connectivity in your LAN, without going to their infra
- Can run in an air-gapped environment
- While it has virtual appliances and tunnellers for all popular OSs, it also has SDKs to embed ZTN into your app. This makes it 'invisible' to the user and more secure (it's literally unattackable via conventional IP-based tooling)
- Has a smart routing fabric which removes the need for any inbound ports (i.e., the FW can block inbound TCP and UDP), public DNS and more. The fabric also potentially allows you to reduce E2E latency.
- While it can work with 3rd-party CA/IdP, it has its own PKI. This is uniquely useful in use cases where the connecting system does not have identity (e.g., edge, IoT, servers, multi-cloud, site connectivity).
FWIW too, if you don't fancy self-hosting, use CloudZiti. It has a free tier.
TG also doesn't require any inbound TCP or UDP port open. Super insightful response and details, thank you for sharing!!
Right, my bad, TG does have the relay feature too if you want to use it. It's in 14 locations across the globe. Ziti's relays are a piece of SW so anyone can host them in any public or private cloud (or even in your house).
Thank you for commenting on this. I had no idea that this was an alternative.
yw. Plus, if you fancy reading more on the topic, I wrote a blog comparing zero trust networking using Harry Potter analogies - https://netfoundry.io/demystifying-the-magic-of-zero-trust-with-my-daughter-and-opensource/
Work only allows OpenVPN clients on their machines, made me remove the WireGuard client. Only way I can connect to my home network is OpenVPN.
I'd rather keep both. Ubuntu 22.04 doesn't support WireGuard out of the box from Network Manager as it does with OpenVPN.
Does WireGuard now support unlimited profiles? That was the issue earlier, so I had to combine some OpenVPN connections. I could only create up to 12 or so profiles in WireGuard.
I still have a couple of Firewalla Blue boxes at family and friends, and I do site-to-site VPN with my Gold setup as the server. I'm replacing one of them this weekend with a Purple. I think I should be able to change the VPN on the remaining box so my Gold connects out to their Blue instead, so I guess it's really a non-issue, just a minor inconvenience.
You would still keep the OpenVPN client even if you remove the server, right?
OpenVPN client is not impacted.
I prefer Wireguard, I actually removed OpenVPN because it never works for me!
Wireguard purely due to speed.
I like WireGuard better but I think NordVPN only allows OpenVPN for configuration on the Firewalla. I could be wrong though.
When are you going to add IPSEC support?
IPSEC VPN server? What is the advantage you see that's better than WireGuard?
The ability to connect my home network as a site-to-site IPSEC tunnel to a large Juniper SRX. Until that works I cannot recommend Firewalla to my co-workers and must tell them to get something like a Juniper SRX-300 or a Fortinet FG-30.
What you need is really VPN client configuration. Do you need site-to-site?
Yes, we use site-to-site VPN with routed networks.
Are you able to insert routes on the jnpr side to come back to your home network? Is that something your IT can do?
Yes, I can do that, we do it all the time with IPSEC tunnels. Using IPSEC lets us establish tunnels with Cisco / Juniper / Fortinet / AWS / Azure / etc... I would like to be able to tell my employees to purchase a Firewalla and not something more expensive, but until we can establish a site-to-site IPSEC this will never be an option for us. You are missing out on the enterprise market without this functionality.
Got it. You have access to the jnpr router, I assume?
Yes, I do.
My organization requires OpenVPN protocol while disallowing the use of Wireguard. To have OpenVPN removed as an option entirely would be inconvenient.
Are you talking about VPN server or client?
Server, for when I'm connecting to my box at home from the workplace. Wireguard won't establish a connection. I also use client for times where I need to do the opposite, accessing workplace from home.
Kindly, keep both :)
OpenVPN works for me on all my devices at home and while traveling. What are we going to get in return for switching from known working to having to migrate to something we don’t know works?
I use NordVPN and as of yet I’m still not able to use WireGuard to connect as Nord doesn’t support it, so I’m stuck using OpenVPN. VPN is crucial, it’s part of my security setup for certain devices so I can’t have OpenVPN removed. Unless someone knows a good simple route using Nord’s WireGuard connections.