🧭 1. Introduction
OPNsense offers three major VPN solutions, each suited for different connectivity models:
| Type | Protocol | Use Case | Highlights |
|---|---|---|---|
| IPsec | IKEv2 / ESP | Site-to-Site | Enterprise-grade, interoperable |
| OpenVPN | SSL/TLS | Remote Access | Flexible, user-friendly |
| WireGuard | UDP / Curve25519 | Cloud / Mobile | Fast, lightweight, modern |
🧩 2. IPsec VPN
🔹 Overview
Operates on the network layer (Layer 3), encrypting entire IP packets.
Uses IKE for key exchange and ESP for encryption.
🔹 Common Use Cases
- Site-to-Site VPN between offices
- Integration with third-party firewalls (Cisco, Fortinet)
- Business partner connectivity
🔹 Configuration Path
VPN → IPsec
Steps:
- Enable IPsec
- Add Phase 1 (IKE settings)
- Add Phase 2 (Network ranges, ESP)
- Open UDP 500/4500
- Verify Security Associations
Pros: High security, stable
Cons: Complex setup, not ideal for casual users
🧩 3. OpenVPN
🔹 Overview
OpenVPN operates at the application layer using SSL/TLS encryption.
It’s ideal for both remote access and site-to-site deployments.
🔹 How It Works
- Client connects via TCP/UDP
- TLS handshake & authentication
- Virtual tunnel (tun/tap) established
- Traffic encrypted through the tunnel
🔹 Configuration Path
VPN → OpenVPN → Servers
Steps:
- Use the built-in Wizard to create CA & server
- Configure ports/protocol
- Generate user certificates
- Use “Client Export” to deliver configurations
Pros: Cross-platform, easy to manage, supports LDAP/2FA
Cons: Slightly lower performance than WireGuard
🧩 4. WireGuard
🔹 Overview
WireGuard is a modern VPN protocol built with simplicity and performance in mind.
Uses state-of-the-art cryptography and a minimal codebase.
🔹 How It Works
- Uses UDP only
- Each peer identified by public/private keys
- No handshake overhead, instant connection
🔹 Configuration Path
VPN → WireGuard
Steps:
- Enable service
- Create Local instance (generate keys)
- Add Peer (define public key and subnet)
- Allow UDP port in firewall
Pros: Very fast, lightweight, secure
Cons: Lacks advanced authentication (LDAP, RADIUS)
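The "Create Local instance" and "Add Peer" steps above come down to key pairs and AllowedIPs. The following is an added example (not OPNsense code) that validates a set of peer entries the way the firewall's cryptokey routing will interpret them and renders the client-side file a remote user imports; the keys, peer names, addresses and the `fw.example.com:51820` endpoint are constructed placeholders.

```python
import base64
import ipaddress
def valid_wg_key(key):
    """A WireGuard key is 32 raw bytes, base64-encoded (44 chars ending in '=')."""
    try:
        raw = base64.b64decode(key, validate=True)
    except ValueError:
        return False
    return len(raw) == 32 and len(key) == 44

def check_peers(peers):
    """Validate Peer entries for an OPNsense WireGuard Local instance: cryptokey
    routing maps each destination IP to exactly one peer, so AllowedIPs must not overlap."""
    problems = []
    seen = []  # (peer name, network) already claimed by an earlier peer
    for peer in peers:
        if not valid_wg_key(peer["public_key"]):
            problems.append(f"{peer['name']}: public key is not 32 base64 bytes")
        for cidr in peer["allowed_ips"]:
            net = ipaddress.ip_network(cidr, strict=False)
            for other, other_net in seen:
                if net.overlaps(other_net):
                    problems.append(f"{peer['name']}: {net} overlaps {other_net} ({other})")
            seen.append((peer["name"], net))
    return problems

def client_config(private_key, address, server_pubkey, endpoint, allowed_ips, keepalive=25):
    """Render the [Interface]/[Peer] file a remote client imports. Client-side AllowedIPs
    decides what enters the tunnel: 0.0.0.0/0 is full tunnel, a LAN prefix is split tunnel."""
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {private_key}",
        f"Address = {address}",
        "",
        "[Peer]",
        f"PublicKey = {server_pubkey}",
        f"Endpoint = {endpoint}",  # firewall WAN address and the UDP port opened in the rule
        f"AllowedIPs = {', '.join(allowed_ips)}",
        f"PersistentKeepalive = {keepalive}",  # keeps NAT state alive for mobile clients
    ])

# Constructed placeholder keys (base64 of 32 fixed bytes), not real Curve25519 keys; real
# ones come from the Local instance's key generator and should never be hard-coded like this.
KEY_A = base64.b64encode(bytes([1]) * 32).decode()
KEY_B = base64.b64encode(bytes([2]) * 32).decode()
SAMPLE_PEERS = [
    {"name": "laptop", "public_key": KEY_A, "allowed_ips": ["10.10.0.2/32"]},
    {"name": "phone", "public_key": KEY_B, "allowed_ips": ["10.10.0.2/32"]},  # reused tunnel IP
    {"name": "branch", "public_key": "not-a-key", "allowed_ips": ["192.168.50.0/24"]},
]
```

Running `check_peers(SAMPLE_PEERS)` flags the phone entry for reusing the laptop's tunnel address and the branch entry for its malformed key; on a real instance such overlap silently sends that address's traffic to only one of the two peers.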
🧠 5. Comparison Summary
| Feature | IPsec | OpenVPN | WireGuard |
|---|---|---|---|
| Layer | L3 | L4–7 | L3 |
| Encryption | AES/3DES | SSL/TLS | ChaCha20 |
| Setup Complexity | High | Medium | Low |
| Performance | Medium | Medium–Low | High |
| Mobile Support | Native | App-based | Native |
| Best Use Case | Enterprise site links | Remote users | Cloud/mobile VPN |
✅ 6. Conclusion
Each VPN type in OPNsense serves a specific purpose:
- IPsec: rock-solid for site-to-site links;
- OpenVPN: best for flexible user access;
- WireGuard: the new-generation VPN—fast, simple, and ideal for cloud.
By leveraging these three VPN options, OPNsense can provide a comprehensive, scalable, and secure remote access strategy for modern enterprise networks.