VPN for iOS IOT-Devices

Hello Everybody,

Currently I am running two VPN services on my OPNsense:

  • WireGuard for my daily use for our personal clients (mobile, tablet, notebook; all different OS)
  • OpenVPN for three car GPS trackers: currently Android devices.

My plan is to change from Android devices to iPhone SE 2020s, and thus I want to rethink the VPN usage. WireGuard will still be active due to its usage for Site-2-Site and personal devices. Historically I switched from WireGuard to OpenVPN for the Android trackers because WireGuard had the issue that, since I am using a dynamically provisioned IPv4 address, the tunnel sometimes lost its connection, e.g. if my router went down (due to an update or service degradation) or if the public IP changed. OpenVPN didn’t have that issue.

Now: What VPN technology should I use, and what works best with iOS? IPsec, OpenVPN or WireGuard?

Must-haves are: auto-reconnect on client restart, auto-reconnect on router restart, dynamically updating the DNS/IP address of the router if the connection drops or is re-established.

Do you have any ideas about which I should use?

WireGuard works great on iOS.

For WireGuard, it doesn’t really do the whole “connect/disconnect” thing like OpenVPN. It just initiates the connection when there’s traffic that needs to go over the tunnel. So if your side goes down and comes back up, and the client device starts sending traffic again, it will just establish the connection again.

“dynamically updating the DNS/IP address of the router if the connection drops or is re-established”

Yeah this is gonna be an issue. WireGuard doesn’t reload the domain once it’s up, so if your server changes its IP the phone will have no way of knowing it.

I typically use a VPS in the middle to make sure that IP address never changes and the phones can always reach the peer with the dynamic IP through the VPS. If you have a cheap VPS you’re already running for things this could be an option.
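What “doesn’t reload the domain once it’s up” means in practice, as an added example that is not code from this thread or from OPNsense: a check for a Linux/BSD WireGuard peer whose remote endpoint is configured as a DNS name, comparing the endpoint the kernel currently holds (from `wg show <iface> endpoints`) with a fresh lookup and building the `wg set` call that moves the peer when they differ. The interface name, peer keys and addresses below are constructed placeholders, the resolver is injectable so the check runs offline, and this is the host-side mechanism only; an iPhone cannot run it.

```python
import socket
import subprocess
from typing import Callable, Dict, List, Optional

# Constructed placeholders: not real keys or hosts.
IFACE = "wg0"
PEER_A = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
PEER_B = "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="
# Constructed sample of `wg show wg0 endpoints`: one "<pubkey>\t<ip>:<port>"
# line per peer; a peer that never handshaked shows "(none)".
SAMPLE_ENDPOINTS = f"{PEER_A}\t203.0.113.10:51820\n{PEER_B}\t(none)\n"


def parse_endpoints(output: str) -> Dict[str, Optional[str]]:
    """Map peer public key -> endpoint the kernel currently uses (None if unset)."""
    peers: Dict[str, Optional[str]] = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        pubkey, endpoint = line.split("\t", 1)
        peers[pubkey] = None if endpoint.strip() == "(none)" else endpoint.strip()
    return peers


def resolve_v4(hostname: str) -> str:
    """Default resolver: first IPv4 address of the host (needs network access)."""
    return socket.getaddrinfo(hostname, None, socket.AF_INET)[0][4][0]


def endpoint_update(iface: str, pubkey: str, hostname: str, port: int,
                    endpoints_output: str,
                    resolver: Callable[[str], str] = resolve_v4) -> Optional[List[str]]:
    """Return the `wg set` argv that points the peer at the freshly resolved
    address, or None when the kernel already holds that address."""
    current = parse_endpoints(endpoints_output).get(pubkey)
    wanted = f"{resolver(hostname)}:{port}"
    if current == wanted:
        return None
    return ["wg", "set", iface, "peer", pubkey, "endpoint", wanted]


def reresolve(iface: str, pubkey: str, hostname: str, port: int) -> Optional[List[str]]:
    """Live version for a cron/monitor job: query wg, re-resolve, apply if changed."""
    out = subprocess.run(["wg", "show", iface, "endpoints"],
                         capture_output=True, text=True, check=True).stdout
    cmd = endpoint_update(iface, pubkey, hostname, port, out)
    if cmd:
        subprocess.run(cmd, check=True)
    return cmd
```

Run `reresolve(...)` periodically on the peer that dials the dynamic address; WireGuard itself will not repeat the lookup.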

Thanks for your input. Unfortunately I haven’t set up a VPS, and actually it wasn’t my plan either. So do you know if e.g. IKEv2 for IPsec wouldn’t have that issue?

I know that WireGuard is the easiest way to go, but I would rather use another technology which works without the need for a VPS…

Will have to wait for someone else to chime in cuz I don’t know IPSec.

But another question about WireGuard: apparently there is a script on the OPNsense box called resolve-dns.py in /usr/local/opnsense… do you know when this script is called, and do you know if I can use monitor to restart WireGuard if it detects a change in the WAN IP?