I use WireGuard with Tailscale, which is really awesome. No central VPN concentrator anymore. Decentralized mesh VPN, and with ACLs you get great security too.
Yup, I've used WireGuard for the same purpose during the WFH transition during COVID-19. It has been doing fine. Here is what I used to create bulk certificates: https://github.com/trailofbits/algo
Just be sure to have enough resources on the VPN server.
Edit: As u/I0Like0Cake has rightly said, it would have potential problems scaling up (<100 users with us as well).
Business use? No thanks. Activating requires local admin rights, not to mention other challenges you might face.
I personally prefer Palo Alto FW and their GlobalProtect VPN, which is free. Control access with certificates or MFA and AD groups.
I set it up for the COVID-19 WFH rush and it's still going strong now. I use scripts to generate configs, remotely install the client and configure it to run without local admin rights. I only have 70 users, so keeping track of configs isn't a problem, but it probably wouldn't scale well into the hundreds.
I'm not sure why StrongSwan isn't a more popular VPN implementation. OpenVPN and WireGuard seem to be all the rage, yet for those having a client is a must. With StrongSwan, a client is not necessary on macOS, Windows, ChromeOS, or iOS (with clients being available for Linux and Android). Additionally, you can link it to your RADIUS instance and have your users simply use their normal username and password. Plus, you can use something like Duo or PrivacyIDEA to add a push notification MFA option.
I'm sure it's different for a lot of you guys looking for VPN solutions in terms of data security, resource availability and infrastructure support, but we run our VPN through an on-prem concentrator since that allows us to log all traffic for security compliance, control access with the web filters in place for logging and through the firewall, and obviously access the on-prem servers. Don't you lose all that when going with something like WireGuard? Instead of having all the traffic going to you guys, you need to trust this other service instead.
I've been trying to replace ZeroShell (because it doesn't do TUN adapters, so no Big Sur Macs), and one of the things I tried was WireGuard. By itself, WireGuard is a protocol; it seems basically like stunnel or something. I.e. the protocol is good, and fast, but management doesn't exist. You're manually managing keys, odd config files, etc. for every computer (and it doesn't auth the user, it's whoever has the WireGuard KEY) by hand, or building the automation yourself, or maybe using something like pritunl to wrap WireGuard for you. It's not comparable to OpenVPN at all IMO.
Windows has a built-in SSL-VPN client and there are hundreds of 3rd-party ones; if you need something stronger, set up a site-to-site IPsec VPN between two routers/firewalls.
In my opinion it's too much work to create a unique connection certificate for everyone, delete them when they leave, add them when they join the company. As far as I know there is no way to automate this with your AD. OpenVPN is able to do this, so that would be my choice. On user creation, add the VPN users group and done. VPN certificate and software already provisioned with MDT.
We looked at it but decided to go with a zero trust tool from Safe-T instead. We liked it so much we signed up as a partner; make of that what you will, and consider that my disclaimer.
My only beef with OpenVPN has been the certificates: after a few years I end up with a revocation list five miles long. How WG does it with a per-user pair seems more maintainable: when a link is gone, delete the key.
I set up a WireGuard VPN for a company half a year ago; enabling a profile doesn't ask me for admin rights. Monitoring connections is also dead simple by parsing the wg command's output. I modified a script I found on GitHub to add new clients and organize their configs.
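Added example, not a script from anyone in this thread: the two comments above lean on `wg show <iface> dump` being easy to parse and on dropping a peer's key once the link is gone. The script below parses a constructed sample of that dump output (the key fields are placeholders, not real WireGuard keys; the field order is the one documented in wg(8)), sorts peers by handshake age, and builds the `wg set <iface> peer <key> remove` commands that would revoke the stale ones. The thresholds (3 minutes for "active", 30 days for "stale") and the fixed clock are assumptions for illustration.

```python
"""Parse `wg show <iface> dump`, classify peers by handshake age and
build revocation commands. Added example, not a poster's script."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NOW = 1_700_000_000  # assumed fixed "current time" so the sample is deterministic

# Constructed sample of `wg show wg0 dump` output (tab-separated). Keys are
# placeholders, not real WireGuard keys. Line 1 is the interface:
#   private-key  public-key  listen-port  fwmark
# each following line is one peer:
#   public-key  preshared-key  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
SAMPLE_DUMP = "\n".join([
    "\t".join(["SERVER_PRIV", "SERVER_PUB", "51820", "off"]),
    "\t".join(["ALICE_PUB", "(none)", "203.0.113.10:41641", "10.0.0.2/32",
               str(NOW - 60), "1234567", "7654321", "off"]),
    "\t".join(["BOB_PUB", "BOB_PSK", "198.51.100.7:51820", "10.0.0.3/32,10.0.1.0/24",
               str(NOW - 3600), "88888", "99999", "25"]),
    "\t".join(["CAROL_PUB", "(none)", "192.0.2.200:6000", "10.0.0.4/32",
               str(NOW - 45 * 24 * 3600), "4096", "2048", "off"]),
    "\t".join(["DAVE_PUB", "(none)", "(none)", "10.0.0.5/32",
               "0", "0", "0", "off"]),  # provisioned, never connected
])


@dataclass
class Peer:
    public_key: str
    preshared: bool                 # a PSK is configured for this peer
    endpoint: Optional[str]         # None when wg prints "(none)"
    allowed_ips: List[str]
    last_handshake: int             # Unix epoch seconds, 0 = never
    rx_bytes: int
    tx_bytes: int
    keepalive: Optional[int]        # seconds, None when "off"


def parse_dump(text: str) -> Tuple[Dict[str, object], List[Peer]]:
    """Split dump output into the interface record and a list of peers."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    f = lines[0].split("\t")
    iface = {"private_key": f[0], "public_key": f[1],
             "listen_port": int(f[2]), "fwmark": f[3]}
    peers: List[Peer] = []
    for ln in lines[1:]:
        f = ln.split("\t")
        if len(f) != 8:
            raise ValueError(f"unexpected peer line: {ln!r}")
        peers.append(Peer(
            public_key=f[0],
            preshared=f[1] != "(none)",
            endpoint=None if f[2] == "(none)" else f[2],
            allowed_ips=[] if f[3] == "(none)" else f[3].split(","),
            last_handshake=int(f[4]),
            rx_bytes=int(f[5]),
            tx_bytes=int(f[6]),
            keepalive=None if f[7] == "off" else int(f[7]),
        ))
    return iface, peers


def classify(peers: List[Peer], now: int, active_after: int = 180,
             stale_after: int = 30 * 24 * 3600) -> Dict[str, List[Peer]]:
    """Bucket peers: active (recent handshake), idle, stale, never connected.
    WireGuard re-handshakes about every 2 minutes while traffic flows, so a
    handshake older than ~3 minutes means no live session right now."""
    groups: Dict[str, List[Peer]] = {"active": [], "idle": [], "stale": [], "never": []}
    for p in peers:
        age = now - p.last_handshake
        if p.last_handshake == 0:
            groups["never"].append(p)
        elif age <= active_after:
            groups["active"].append(p)
        elif age > stale_after:
            groups["stale"].append(p)
        else:
            groups["idle"].append(p)
    return groups


def revoke_commands(iface_name: str, peers: List[Peer]) -> List[str]:
    """Runtime removal of each peer's key from the interface."""
    return [f"wg set {iface_name} peer {p.public_key} remove" for p in peers]


if __name__ == "__main__":
    _, peers = parse_dump(SAMPLE_DUMP)
    groups = classify(peers, NOW)
    for name, members in groups.items():
        print(name, [p.public_key for p in members])
    print("\n".join(revoke_commands("wg0", groups["stale"])))
```

Two caveats when using this for real: `wg set ... remove` only changes the running interface, so the peer stanza also has to come out of the saved config (the wg-quick file, or `wg syncconf` from the updated file) or the key returns at the next `wg-quick up`; and the first field of the dump is the interface's private key, so the command needs root and its raw output should never be written to logs.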