pfSense Load Balancing multiple Surfshark’s WireGuard

Requirements

Our client required a privacy VPN connection to enhance security and privacy, with the objective of moving multiple large files as securely and quickly as possible, but wished to avoid the bandwidth restrictions typically experienced when using a single VPN tunnel.

Challenges

The challenge was that, while WireGuard was the best option for performance and simplicity, it was a relatively new technology and therefore not yet fully experienced or documented in specific use cases.

Proof of concept (PoC)

Our feasibility test involved using our test appliance, the Netgate 1541, equipped with pfSense Plus. The implementation of WireGuard within pfSense operates in Kernel mode, typically ensuring superior performance by handling VPN operations directly within the operating system’s kernel, thus enhancing speed and reducing latency.

The chosen privacy VPN was Surfshark, as it supports WireGuard. WireGuard and IPSec are currently the two best-performing VPNs, with WireGuard being incredibly simpler than IPSec and nearly as fast as hardware-accelerated IPSec.

The Internet uplink at the office was a symmetrical 1 Gbps.

Additionally, we aimed to test whether implementing multiple Surfshark-WireGuard connections in a load balancing configuration within pfSense would yield any performance benefits when copying multiple files simultaneously.

Our test Netgate 1541 appliance was updated with the latest version of pfSense Plus, version 23.09.1. The full specifications of the appliance can be found here. WireGuard version 0.2.1 (pfSense-pkg-WireGuard-0.2.1) was configured within pfSense to establish a connection to the Surfshark privacy VPN. We set up multiple WireGuard connections to Surfshark, configured to operate in load balancing as described in the Netgate configuration documentation, available here.

We utilised the Ookla speed test (www.speedtest.net), known for offering the option to use multiple simultaneous connections. This feature allowed us to use two Surfshark VPNs concurrently. Verification was achieved by adding two Traffic Graphs to the pfSense dashboard, one for each WireGuard interface. We observed that both interfaces were being utilised equally at the same time. A clip recorded during the speed test can be viewed for further insight.

The implementation of pfSense’s Load Balancing feature, in conjunction with Surfshark’s WireGuard tunnels on the Netgate 1541 appliance, has demonstrated the feasibility of load balancing integration. A single WireGuard VPN was almost capable of fully saturating the expected maximum speed of Surfshark’s WireGuard in the UK, anticipated to be between 760 and 950Mbps [Source: TechRadar]. Theoretically, a load-balanced connection using multiple Surfshark WireGuard tunnels should enable greater bandwidth for moving multiple large files securely and swiftly, aligning with our client’s requirements. While full verification of this capability was beyond the scope of our lab setup due to the symmetrical 1Gbps connection limit, the preliminary results are promising and suggest potential for higher bandwidth utilization when utilising a faster Internet uplink.

Selecting the appropriate Surfshark server is crucial to achieve optimal performance in the desired region. A critical phase in our test involved correctly setting up the routing to allow WireGuard to initiate its VPN connections to the Surfshark endpoints. It’s also important to consider the implications of running WireGuard in kernel mode versus user mode. Kernel mode offers superior performance, lower latency, and greater efficiency, while user mode, albeit slower and less efficient, provides better security isolation. Currently, there are no known security or vulnerability risks associated with running in kernel mode. However, our advice would be to consistently keep pfSense and WireGuard up to date. Maintaining system updates is a task with which we should all be familiar anyway.