I’ve been using openvpn for nearly 20 years and it has served me well. Lately I’ve been using wireguard and it is really easy to set up (no CA to manage, just exchange hex keys). Lately I’ve been really enamored with Zerotier (full mesh peer to peer overlay network).
In short, only use IPSec for site-to-site use cases. IPSec does not cut through NAT well whatsoever. For devices needing remote access, Wireguard and OpenVPN are solid choices.
I’ve moved off of IPSec to OpenVPN just for the extra functionality. It’s unfortunate that OpenVPN is not supported in the EdgeRouter X GUI (but it is supported via CLI).
Same here, OpenVPN software is built into my router from the factory. So I don’t have to do anything other than set it up and turn it on. I’ve never noticed any kind of performance issues - though I’m already limited by the slow upload speeds of my home network. I don’t do any heavy file transfers - only to secure untrusted connections when I’m away from home.
I hear good things about Wireguard but there are several major limitations for me that make it useless: no VPN over TCP, no TAP support. Sometimes I require VPN over TCP while travelling to ensure I can get past the simple VPN filtering I often encounter. I require TAP support for a few Android devices I use. So Wireguard isn’t even an option for me.
I think most devices have L2TP/IPSec clients built in. For example, Windows 10 does, Android does. I don’t have any Apple products, but I assume that macOS and iOS would.
You can set up other protocols on Ubiquiti. I haven’t done it - I prefer to configure from the config tree where I can - or at least implement command line scripts that have a correlation to the config tree.
Just guessing, I’d assume that OpenVPN is the most popular overall for enthusiasts and Wireguard is generating the most buzz.
My Edgerouter X has an IPSec setting as well as an L2TP one. The IPSec section does not include any L2TP settings, but the L2TP section has an area for IPSec settings. Documentation shows plenty of ways to set up IPSec that do not include a mention of L2TP settings.
Wow. There’s been so much hype about Wireguard this is actually the 1st time I’m hearing about any feature drawbacks. If you hop on r/homelab there are people who literally berate you for not using Wireguard, so thanks a lot for this.
Don’t bother with OpenVPN now that Wireguard is out. OpenVPN has a pretty significant performance hit. The only advantage that OpenVPN has is that you can push client config from the server, which is really useful if you want a split-tunnel VPN. If you add a new subnet for example, it’s trivial to push that route to all clients when they connect. With Wireguard, IPs and routes must be manually set on each client. IPSec allows dynamic IPs pushed from the server, but I don’t think you can push routes, DNS servers, etc.
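To make the route-pushing difference from the post above concrete, here is an added configuration example (written for this thread, not taken from any poster or from the OpenVPN/WireGuard projects). The addresses 10.8.0.0/24 (VPN pool), 10.20.0.0/24 (a newly added LAN subnet) and 10.8.0.1 (internal DNS) are constructed for illustration, as are the placeholder keys and the endpoint hostname.

```ini
# ---- OpenVPN: server.conf (assumed path, server side) ----
# The server hands out tunnel addresses and pushes routes/DNS to every
# client at connect time. Adding a subnet means editing this one file.
server 10.8.0.0 255.255.255.0
push "route 10.20.0.0 255.255.255.0"      ; split-tunnel route to the new LAN
push "dhcp-option DNS 10.8.0.1"            ; internal resolver pushed to clients
# (ca/cert/key/dh directives omitted; they are unrelated to route pushing)

# ---- WireGuard: wg0.conf (client side, repeated on EVERY client) ----
# WireGuard has no push mechanism: the client's own Address and the
# AllowedIPs list below are what decide which destinations enter the
# tunnel, so 10.20.0.0/24 must be added to each client's file by hand.
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.8.0.2/24
DNS = 10.8.0.1                             ; also set per client, not pushed

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.example.invalid:51820       ; constructed hostname
AllowedIPs = 10.8.0.0/24, 10.20.0.0/24     ; split tunnel: only these subnets
PersistentKeepalive = 25                   ; keeps NAT mappings alive
```

Note that `AllowedIPs` on a WireGuard peer is also a cryptokey routing filter: traffic from that peer is only accepted if its source address is inside the list, so a mistake here silently drops packets rather than failing loudly, which is one more reason central management of per-client routes is hard to replicate with WireGuard alone.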
I’ve generally replaced OpenVPN entirely with Wireguard, minus a couple of my VPSes which only need the VPN to talk to my syslog server. In those cases I haven’t replaced it partially out of laziness, but also because performance doesn’t matter and so that I can manage their config centrally from the VPN server.