Any experience with Wireguard as company VPN for employees?

Hello peoples!

As many others I’ve gone full hard on for WireGuard VPN. Mostly because OpenVPN is god awful in so many ways.

I’ve been thinking of replacing OpenVPN (Via WatchGuard) with WireGuard instead for our WFH and roaming people.

Has anyone done so? Even at a homelab environment, what are your experiences? Any road bumps to keep in mind?

I haven’t, but felt compelled to comment that as bad as openVPN is, it is still better than the options we had before!

I’m also curious about business deployments of wireguard.

I use wireguard with Tailscale, which is really awesome. No central VPN concentrator anymore. Decentralized mesh VPN and with ACLs you got great security too.

Yup, I’ve used wireguard for the same purpose during wfh transition during covid19. It has been doing fine. Here is what I used to create bulk certificates - https://github.com/trailofbits/algo

Just be sure to have enough resources on VPN server.

Edit - As u/I0Like0Cake has rightly said - it would have potential problem scaling up. (<100 users with us as well.)

I use it for my homelab and no issues.

Business use? No thanks. Activating requires local admin rights, not to mention other challenges you might face.
I personally prefer Palo Alto FW and their GlobalProtect VPN which is free. Control access with certificates or mfa and ad groups.

I set it up for the COV19 WFH rush and it’s still going strong now. I use scripts to generate configs, remotely install the client and configure it to run without local admin rights. I only have 70 users so keeping track of configs isn’t a problem but it probably wouldn’t scale well into the hundreds.

I transitioned us to OpenVPN and didn’t have any problems. What’re the complaints with it?

Pritunl lets clients connect with either OpenVPN or WireGuard. MFA is free, SSO with enterprise license.

I’m not sure why StrongSwan isn’t a more popular VPN implementation. OpenVPN and WireGuard seem to be all the rage, yet for those having a client is a must. With StrongSwan, a client is not necessary on macOS, Windows, ChromeOS, or iOS (with clients being available for Linux and Android). Additionally, you can link it to your RADIUS instance and have your users simply use their normal username and password. Plus, you can use something like Duo or PrivacyIDEA to add a push notification MFA option.

Have a look at softetherVPN, it’s open source and has so many ways of bringing in clients that may help with an easy migration.

I’m sure it’s different for a lot of you guys looking for VPN solutions in terms of data security, resource availability and infrastructure support but we run our VPN through an on-prem concentrator since that allows us to log all traffic for security compliance, control access with the web filters in place for logging and through the firewall, and obviously access the on prem servers - Don’t you lose all that when going with something like wireguard? Instead of having all the traffic going to you guys you need to trust this other service instead.

I’ve been trying to replace ZeroShell (because it doesn’t do TUN adapters, so no Big Sur Macs), and one of the things I tried was Wireguard. By itself, Wireguard is a protocol, seems basically like stunnel or something. I.e. the protocol is good, and fast, but management doesn’t exist. You’re manually managing keys, odd config files, etc for every computer (and it doesn’t auth the user, it’s whoever has the wireguard KEY) by hand, or building the automation yourself, or maybe using something like pritunl to wrap wireguard for you. It’s not comparable to OpenVPN at all IMO.

Windows has a built-in SSL-VPN client and there are hundreds of 3rd party ones; if you need something stronger, set up a site-to-site IPsec VPN between 2 routers/firewalls.

We use wireguard for site to site and openvpn for remote user access.
The ability to push routes, DHCP options etc. of OpenVPN beats WireGuard for now.

In my opinion it’s too much work to create a unique connection certificate for everyone, delete them when they leave, add them when they join the company. As far as I know there is no way to automate this with your AD. OpenVPN is able to do this so that would be my choice. On user creation add the VPN users group and done. VPN certificate and software already provisioned with MDT.

We looked at it but decided to go with a zero trust tool from safe-t instead. We liked it so much, we signed up as a partner, make of that what you will, and consider that my disclaimer :wink:

Are you using this at scale in an enterprise environment? I haven’t heard of it, but would be thrilled to displace OpenVPN in my current networks.

My only beef with openvpn has been the certificates - after a few years I end up with a revocation list five miles long. How WG does it with per-user pair seems more maintainable - when a link is gone delete the key.

I set up a wireguard vpn for a company half a year ago, enabling a profile doesn’t ask me for admin rights. Monitoring connections is also dead simple by parsing the wg command’s output. I modified a script I found on github to add new clients and organize their configs.

On the other hand, I think it will become better. It’s the fastest and so far most stable vpn I have run.
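Since the post above monitors connections by parsing `wg` output, and an earlier reply points out that revoking a WireGuard user simply means deleting the key, here is an added example (written for this thread, not code from any commenter) of that audit in Python: it parses constructed `wg show wg0 dump` output, assumes a hypothetical key-to-employee inventory that WireGuard itself does not keep, and flags stale peers as well as keys on the server that nobody owns.

```python
from dataclasses import dataclass

NOW = 1_700_000_000  # fixed "current time" so the constructed sample is deterministic

# Constructed sample of `wg show wg0 dump` output (tab-separated fields); keys are placeholders.
# Peer fields: pubkey, preshared-key, endpoint, allowed-ips, latest-handshake, rx, tx, keepalive.
SAMPLE_DUMP = (
    "SERVER_PRIV_PLACEHOLDER\tSERVER_PUB_PLACEHOLDER\t51820\toff\n"
    f"ALICE_PUB_PLACEHOLDER\t(none)\t198.51.100.10:41821\t10.8.0.2/32\t{NOW - 60}\t1024\t2048\t25\n"
    f"BOB_PUB_PLACEHOLDER\t(none)\t203.0.113.7:51000\t10.8.0.3/32\t{NOW - 3 * 86400}\t0\t512\toff\n"
    "CAROL_PUB_PLACEHOLDER\t(none)\t(none)\t10.8.0.4/32\t0\t0\t0\toff\n"
)

# Hypothetical inventory mapping peer keys to employees; WireGuard itself keeps no such list.
INVENTORY = {"ALICE_PUB_PLACEHOLDER": "alice", "BOB_PUB_PLACEHOLDER": "bob"}


@dataclass
class Peer:
    public_key: str
    endpoint: str
    allowed_ips: str
    latest_handshake: int  # unix time; 0 means the peer has never completed a handshake
    rx_bytes: int
    tx_bytes: int


def parse_dump(text: str) -> list[Peer]:
    """Parse `wg show <iface> dump`; the first line is the interface itself, the rest are peers."""
    peers = []
    for line in text.strip().splitlines()[1:]:
        f = line.split("\t")
        peers.append(Peer(f[0], f[2], f[3], int(f[4]), int(f[5]), int(f[6])))
    return peers


def audit(peers: list[Peer], inventory: dict[str, str], now: int = NOW,
          stale_after: int = 2 * 3600) -> dict[str, list[str]]:
    """Bucket peers as active (recent handshake), stale (no handshake within stale_after
    seconds) or unknown (a key no employee owns: remove it with `wg set <iface> peer <key> remove`)."""
    report: dict[str, list[str]] = {"active": [], "stale": [], "unknown": []}
    for p in peers:
        if p.public_key not in inventory:
            report["unknown"].append(p.public_key)
            continue
        age = now - p.latest_handshake if p.latest_handshake else None
        bucket = "active" if age is not None and age <= stale_after else "stale"
        report[bucket].append(inventory[p.public_key])
    return report
```

In production you would feed `audit` the live output of `wg show wg0 dump` and today's clock instead of the constructed sample and fixed `NOW`.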