Comment by apple4ever
5 years ago
I've run into the Netgate folks plenty of times, and so have many others. They are not nice people. Just look over Reddit or their Forums (especially during the AES situation where I was banned for life for a post saying I was unhappy with the decision even though I apologized).
I kept hand waving it away and using pfSense but no more. They do not deserve anybody's business. They are not good partners for the community.
My point, for you, is you did nothing wrong. The blame lies on their side.
What will you go with instead of pfSense?
I don't really care about this wireguard debacle (besides better code = good, and openvpn alternative = good), but I don't like the pfsense plus pro definitive paid game of the year edition.
I moved over to OPNsense this weekend in a few locations. Will do more over time. In the few locations where an official appliance is used, I will likely move to swap those down the line.
I've used pfSense since well before Netgate even existed, and enough that it's not just in use in my home or lab. I generally don't make decisions based on bad PR or internet drama. So I didn't really bother to move over the AESNI stuff, or even the gnid/build tools etc. Though the gnid thing was what opened my eyes to what Netgate was doing.
But their choice to diverge their code to basically closed source [1] and only contribute minimally to the CE, and leave it on people using CE to "enable" their features/changes, leaves me with little choice but to move on. I use products like these because they are open to audits and fixes, both for bugs and vulnerabilities. In the cases where I have used closed-source devices, especially at an edge location, it's been with a trusted company with a storied history of security focus (like Cisco, Proofpoint, Palo Alto etc).
Netgate's decisions on 2.6/pfSense+ basically mean that I would need to trust the security of the device to a small number of people that have a history of reacting very poorly to any question or criticism. And the pattern of moving their code base to something that isn't open to audits'/researchers' eyes gives me practical reason to stop using or recommending their products. Which is something I find unfortunate. It's not just the WireGuard thing in a vacuum, it's the pattern over time coupled with the choices they have made.
All that said, my initial moves to OPNsense have been mostly positive.
[1] https://www.netgate.com/blog/announcing-pfsense-plus.html
OPNsense, simple as that. It forked off pfSense back in 2015ish. It's not a perfectly drop-in replacement but it's close, has nice devs and community, and easily exceeds pfSense in certain regards (not least wg itself, topic related, since unlike netgate they don't have an issue with using one of the perfectly decent user space versions while waiting on a kernel version).
Like xoa says below, I'm probably going OPNsense. There are other options (untangled, straight OpenBSD, VyOS), but for the switch I'd make I think it would be the easiest.
This seems to come up again and again. Too bad, really. Seems like OPNsense is a solid alternative for those who want to avoid pfSense.