Site2site with Wireguard or OpenVPN on Netgate 6100/7100

Hi,

We are deploying 12 Netgate 6100 and 8 Netgate 7100 units to renew our firewalls.

We have one site with a fixed IP, and several firewalls are behind NAT.

While we have the most experience with OpenVPN, we are starting from scratch and can choose the best option for site-to-site VPN.

I’ve watched Tom’s video from October, but I’m wondering which solution would be best for our case.

I’ve read that Wireguard is faster and easier. Am I missing something?

This is solely for site-to-site communication.

Greetings from Belgium,
Thijs

WG by itself requires open ports at your edge firewall, while Tailscale (which is a layer on top of WG) will traverse NAT and Dynamic IPs. I set up Tailscale between two pfSense sites in 30 minutes. It’s works automagically!

Hi
thx for the quick response. The 12 Netgate 6100 and 8 Netgate 7100 are pfSense appliances.
Can we connect the 20 devices with the free account?

We do Offsite backups accross the VPN. Is Wireguard with tailscale not to slow?

Greetings

Yes, 100 devices, up to 3 users. You can check their tiered pricing levels vs features.

Yes, from what I have read there will be a performance hit with Tailscale in it’s current implementation on pfSense.

You will have to weigh the ease of authenticating, configuring, maintaining, and compliance Tailscale offers vs a raw DIY WG implementation. Why not set it up in labs between the two sites and take it for a spin? Then compare to your results using OpenVPN

I deployed recently Headscale which is a self-hosted, open source alternative to the Tailscale coordination server. You can track my progress here. The cool thing is that NAT problems are almost solved automatically with Headscale/Tailscale. You might want to jump on my journey.

Check out Christian McDonald’s video which I have linked in my post.