I really like the Odroid H2's...
https://ameridroid.com/products/odroid-h2
On backorder atm - but I have 3 currently tricked out with 16G RAM and 2x200G SATA SSD. Total cost was less than $250/unit.
The ProtectLi boxes might cost a little bit more, but they seem to be really well made and of good quality. I moved from a PCEngines APU to a ProtectLi because I needed faster packet forwarding performance when I upgraded my home internet connection to 1 Gbps.
I run an apu2c4 at home, with 1 Gbps internet connectivity. It’s a two-legged setup, one leg to the ONT, and one leg to the switch carrying dot1q tagged VLAN traffic. It never fails to saturate that internal interface and does that with ~20-30% CPU idle time. I also run a few small processes like DNS, NTP, syslog receiver in their own containers, serving the home. The only time this machine struggles is when my wife is out in a library or coffee shop with good connectivity and her VPN traffic (WireGuard) to home is above 200 Mbps and at the same time I’m downloading from somewhere that can feed me at least 800 Mbps. In this case it cannot saturate the gigabit interface because the CPU is too busy.
Linux 4.19 kernel. iptables for packet filtering and IPv4 NAT. ~30% of my traffic is v6 without NAT overhead.
Most of us here wouldn't want to use an Atom processor from 2013 for our "full power desktops"...
More seriously though, there are lots of tasks that can go on a home router that take it past a simple firewall. IPS/IDS systems, Advanced QoS, OpenVPN -- all these things can require fairly significant hardware resources to run anywhere close to the 100-1000Mbps speeds on internet connections that are reasonably widespread and affordable in many countries now.
All true. It's also worth noting that with the recent arrival of Gigabit FTTH throughout the Bay Area (Peninsula and even down to Sunnyvale), typical consumer-grade routers can be the new bottleneck when attached to a real 1Gbps fiber line (for example, even though for the previous cable modem connection it worked great).
OPNSense requires AES-NI, which is an intel feature so you're stuck with an Intel CPU. Atoms are one of the more efficient intel options if you want passive cooling. as a sibling comment mentions, another option is an odroid-h2.
either way, i'd rather over-provision for an extra $150 than discover i need all new hardware when my requirements change.
a very good question indeed, but that means you need to certify lots of kernel crypto modules for whatever wireguard depends on. redhat has a fips-140 kernel so I assume it will do something similar for wireguard, as redhat will want to sell this to governments etc
Is there a way to suggest additions to the page? Wireshark supports WireGuard dissection and decryption[1], and the pcapng[2] file format has a block type defined for WireGuard secrets.
> "wireguard-vanity-address[0] — generate Wireguard keypairs with a given prefix string"
generating 4-5 character-prefixed keys seems to up the chances of collision by many orders of magnitude, right? but even so, is that enough of a concern to not use such a tool?
It's just a brute force so I think it should not matter. Once you find a public key that matches what you are looking for, you have the same amount of work to do to find the private key.
It would be different if it was to generate a private key that matches the prefix.
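To make the point of the reply above concrete, here is an added example (my own code, not from the thread and not the wireguard-vanity-address tool itself) of what a vanity-prefix search does: it draws a fresh random 32-byte private key, derives the WireGuard public key with a pure-Python X25519 ladder written from RFC 7748, base64-encodes it, and keeps going until the encoding starts with the requested prefix. The function names (`public_key`, `find_vanity`, `expected_tries`) are mine; the curve arithmetic is the standard Montgomery ladder, not the WireGuard project's implementation. It also generalises to any prefix length: each base64 character fixes 6 bits of the public key, so a k-character prefix costs about 64^k trials on average.

```python
# Added example: a minimal vanity-prefix search over X25519 keypairs.
# Not from the thread or from the wireguard-vanity-address tool; the
# ladder follows RFC 7748 and the names below are the author's own.
import base64
import os

P = 2**255 - 19        # Curve25519 field prime
A24 = 121665           # (486662 - 2) / 4, the ladder constant from RFC 7748


def clamp(sk: bytes) -> int:
    """X25519 scalar clamping, then read the 32 bytes as a little-endian int."""
    b = bytearray(sk)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def x25519(k: int, u: int) -> int:
    """Montgomery ladder from RFC 7748 section 5: u-coordinate of k * (u, ...)."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P


def public_key(private: bytes) -> bytes:
    """WireGuard public key: X25519(clamp(private), 9) as 32 little-endian bytes."""
    return x25519(clamp(private), 9).to_bytes(32, "little")


def to_wg(key: bytes) -> str:
    """WireGuard's textual key encoding is plain standard base64."""
    return base64.b64encode(key).decode()


def find_vanity(prefix: str, max_tries: int = 1_000_000, rng=os.urandom):
    """Draw fresh random private keys until the encoded public key starts
    with `prefix`. Returns (private, public, tries). Every candidate is an
    ordinary full-entropy key; the search only selects among them, so the
    private key behind a matching public key is as hard to find as any other."""
    for tries in range(1, max_tries + 1):
        private = rng(32)
        public = public_key(private)
        if to_wg(public).startswith(prefix):
            return private, public, tries
    raise RuntimeError(f"no match within {max_tries} tries")


def expected_tries(prefix: str) -> int:
    """Each base64 character pins 6 bits of the public key: ~64**len(prefix) trials."""
    return 64 ** len(prefix)


if __name__ == "__main__":
    priv, pub, n = find_vanity("A")
    print(f"found {to_wg(pub)} after {n} tries (expected ~{expected_tries('A')})")
```

Running it with a one-character prefix finishes in well under a second; every extra character multiplies the expected work by 64, which is why such tools are practical for four or five characters and not much beyond. Nothing about the loop changes the private key's distribution: the prefix is information already visible to everyone holding the public key.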
I’d like to try it but why force users to login with either gmail or Microsoft? What’s wrong with a plain old username/any other email provider and password?
> It is recommended to use official WireGuard software whenever possible.
I don't agree with his sentiment at all.
With OpenVPN Viscosity is by far the best OpenVPN client and both the 'official' client (OpenVPN) and the open source alternative (Tunnelblick) are buggy and have crappy UI.
I'm hoping Sparklabs either repurpose Viscosity to include WireGuard as well, or write a new client specifically for WireGuard (which I'd happily buy).
Edit: wow, what the hell. I guess HN hates improved clients with a violent passion.
All of the "clients" you mentioned are just "frontends". They all just produce openvpn configuration files and run the official OpenVPN client. Some of them (Viscosity) use the remote control daemon protocol to more directly integrate with the openvpn client, but it's still the standard openvpn client doing the bulk of the work. These frontends are just UIs, not full-fledged clients.
Some of the clients mentioned, for example TunSafe, are not GUIs for Wireguard but rather their own third-party implementations of a client to the Wireguard protocol.
In context of the linked text, it was not in fact obvious what you meant.
Both the iOS and macOS Wireguard clients are functional but they aren't shining examples of great UI, UX or feature richness. Often 3rd party clients (as happened with OpenVPN) will fill that gap.
Hmm, I can't say I've noticed much UI/UX issue with the MacOS wireguard client; it seems very straight forward to me. As for feature richness, wireguard not having a bunch of knobs and buttons to tweak is one of its nicer features I think.
Imagine having WireGuard wrapped up in PulseSecure or one of the other 'enterprise' solutions. We'd see silly exploits in no-time. Not that WireGuard in itself is perfect, but those enterprise products have not shown any benefit over 'the rest' so far. (except more money moving around and giving sales people jobs)
It's often not the protocol that has the problem, as with OpenVPN; it's whatever gets layered around it that usually causes the issues (as was the case with those 'SSL VPN' solutions and stuff like Citrix).
It's almost beside the point. Enterprises want to pay someone for support (and, more importantly, someone to blame when things go wrong) rather than (rightfully) attempt to put something together with duct tape and baling wire.
The point was that 'enterprise' is not any less 'duct tape and baling wire'.
Unless you get value out of shifting blame to a vendor or some contract thing, there really isn't much use throwing money at it. In some sectors that's probably still a requirement. I hope I never get to the point where I have to go back to that.
yep, can confirm :)
currently running on this passively-cooled thing:
https://www.amazon.com/Firewall-Micro-Appliance-Gigabit-AES-...