Feature #15554

open

CARP enabled Wireguard Failover

Added by Daewon Kim 14 days ago.

Status: New
Priority: Normal
Assignee: -
Category: WireGuard
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:

Description

I am writing to propose two new features for pfSense that would greatly enhance the reliability, usability, and management of the WireGuard VPN service. As a dedicated user of pfSense, I believe these features would be valuable additions.

Background:
pfSense already provides a robust firewall solution that is designed to failover seamlessly, ensuring continuous network connectivity without human intervention. However, the same level of failover functionality is not currently available for VPN services, such as WireGuard. Additionally, pfSense currently lacks the ability to export and import WireGuard instances and peers separately, which can make managing and migrating configurations more challenging.

Problem Statement:
1. From an end user's perspective, if the VPN service goes down, they lose access to the site even if the firewall functionality remains operational. This leads to disruptions and requires manual intervention to restore VPN connectivity.

2. The absence of export and import functionality for WireGuard instances and peers separately makes it difficult to manage and migrate configurations between different pfSense installations or backup and restore specific components of the WireGuard setup.

Proposed Solutions:
1. Implement a two-node, active-standby configuration for WireGuard VPN that is capable of syncing WireGuard peer and instance information between the nodes. In this setup, the WireGuard configuration on the CARP active node should automatically propagate to the second node. If the active node goes down, the standby node should seamlessly take over the active role, ensuring uninterrupted VPN connectivity.

2. Add the ability to export and import WireGuard instances and peers separately. This functionality would allow administrators to easily manage and migrate specific components of the WireGuard configuration between different pfSense installations, as well as facilitate backup and restore processes for granular control over the VPN setup.

Addressing Potential Concerns:
According to the official pfSense guide, enabling WireGuard on both nodes simultaneously during a CARP interface maintenance could potentially cause network issues. To mitigate this risk, I suggest enabling WireGuard only when one node goes down while keeping the WireGuard configurations in sync between the nodes. This approach would prevent any conflicts arising from having WireGuard active on both nodes simultaneously.
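As an added illustration of the second proposal (and of the per-peer data that the first proposal would need to keep in sync between the CARP nodes), here is example Python that is not part of this ticket or of pfSense: it splits a constructed wg(8)-style config into its instance and peer parts, exports the peers on their own, and merges an exported peer list back by public key. The config text and key values are constructed placeholders.

```python
import json

SAMPLE_CONF = """\
# constructed sample; key values are placeholders, not real keys
[Interface]
PrivateKey = INSTANCE_PRIVATE_KEY_PLACEHOLDER=
Address = 10.10.0.1/24

[Peer]
PublicKey = PEER_A_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 10.10.0.2/32

[Peer]
PublicKey = PEER_B_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 10.10.0.3/32
"""

def parse_wg(text):
    """Split a WireGuard config into one instance dict plus a list of peer dicts."""
    instance, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.lower() == "[interface]":
            current = instance
        elif line.lower() == "[peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return instance, peers

def export_peers(peers):
    """Peer export: never carries the instance PrivateKey (a PresharedKey is still a secret)."""
    if any("PrivateKey" in p for p in peers):
        raise ValueError("peer section must not carry a PrivateKey")
    return json.dumps(peers, indent=2)

def import_peers(existing, exported_json):
    """Merge imported peers, keyed on PublicKey so a re-import updates instead of duplicating."""
    merged = {p["PublicKey"]: dict(p) for p in existing}
    for p in json.loads(exported_json):
        if "PublicKey" not in p or "AllowedIPs" not in p:
            raise ValueError("peer needs PublicKey and AllowedIPs")
        merged[p["PublicKey"]] = dict(p)
    return list(merged.values())
```

Because the peer export can still contain a PresharedKey, it needs the same handling as the instance export, which does carry the private key.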

Benefits:
- Improved reliability and availability of the WireGuard VPN service
- Seamless failover without requiring manual intervention
- Enhanced user experience and reduced downtime
- Increased confidence in the pfSense platform for critical VPN deployments
- Simplified management and migration of WireGuard instances and peers
- Granular control over backup and restore processes for the VPN setup

I believe that these features would address current gaps in pfSense's functionality and provide significant value to users who rely on WireGuard VPN for secure remote access and require flexible management options.
