Sophos Wireguard



WireGuard in 5.6 is not a surprise. The code was merged into network maintainer Dave Miller's repository in December 2019 but not pulled in by Torvalds until today. 'Linus pulled in net-next about a half hour ago. So WireGuard is now officially upstream,' said the announcement on the WireGuard mailing list.

Sophos UTM drives threat prevention to unmatched levels. The artificial intelligence built into Sophos Sandstorm is a deep learning neural network, an advanced form of machine learning, that detects both known and unknown malware without relying on signatures.

Trying to get WireGuard going as a VPN option, and we're able to get to the subnet local to the server, but it seems like the XG won't route the traffic over the s2s VPNs. I've got the WireGuard subnet set up in the XG and assigned to the tunnel, but any tracert shows the wg server, then the Sophos IP, and then just a bunch of timeouts.

WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. WireGuard is a newer VPN protocol that seeks to provide better performance and more security over existing protocols. It was officially released from beta in 2020 and continues to gain popularity due to superior performance over legacy protocols.

This article was last updated on August 3, 2020.


There are countless Free and Open Source Linux/BSD distributions to choose from for your router. However, there are many outdated recommendations on the internet, so it's not an easy choice. For that reason, we have decided to create a definitive firewall comparison for 2020.

Wikipedia has a list of router and firewall distributions, but the list is not useful, because it's inaccurate (as of August 2020) and it doesn't really compare these systems in any useful way. It also lists many outdated and irrelevant systems that should be avoided in 2020.

If you are looking to get the most out of your hardware appliance, or are building a new firewall, we have done the research for you.


Why is our router distro comparison better than others?

For many years we have been selling hardware for building Open Source firewalls and routers. Over the last year, we have installed and configured most, if not all, of the distributions out there. We install and configure pfSense, OPNSense, OpenWRT, ClearOS, IPFire, and other OSes every day, so we have a good idea which operating systems work better than others. We don't make any money from any software vendors, which makes this recommendation relatively objective.
We hear customer feedback daily; if there are performance issues or problems with updates, we hear about it.

Top 10 Open Source Firewall Software to avoid - what you should NOT use.

Other comparisons out there are recommending Operating Systems that are long dead or no longer relevant. This is most likely because these 'Top 10 Open Source Linux Firewall Software' lists are copied from year to year by non-technical users, without doing the actual comparison.


Some operating systems have been superseded or simply stopped being maintained and became irrelevant. You want to avoid such systems for security reasons: these distros use outdated and insecure Linux/BSD kernels, which can potentially expose you to security exploits.

1. IPCop - avoid at all cost

A once-popular operating system, included in all 'top 10' lists such as this one. You should avoid using it. The last release was in 2015, and the system is ancient by today's standards. The official website is dead, but the source code is still out there. Don't use it.

2. Smoothwall - long dead

Smoothwall earned a good reputation in the early days when it was competing with IPCop. It went silent in 2014. Smoothwall OS has been abandoned and is no longer relevant, or secure. You should avoid it. The website is still up and running, but hasn't been updated in many years.

3. DD-WRT - no longer competitive

This is a slightly controversial recommendation, because I know that many users still feel that DD-WRT is good. It certainly was back in the day. Today DD-WRT is still functional and works, but it's not great or innovative. It's mostly unchanged since 2014 and has fallen far behind other open source competitors. Today there are many good alternatives, such as OpenWRT.

4. M0n0wall - retired

M0n0wall is the godfather of the most successful operating systems we have today. It was one of the most innovative projects in its day, but it's now retired. The system hasn't received any updates since early 2014 and is officially abandoned.
Manuel Kasper, the author of M0n0wall recommends OPNSense as its successor.

5. Tomato - not for new routers

Tomato is cool, and we love it, but it's a minimal firmware designed for flashing off-the-shelf routers such as D-Link and Asus. The system is still relevant if you want to resurrect your old hardware and make it functional again, but if you are building a new router you probably don't want to use Tomato on it. We build powerful routers from scratch, so we generally don't use this system (we still love it).

6. Zeroshell - poor choice

We like the concept of Zeroshell, and we hope it succeeds, but today the system is far behind its competitors. The Web UI is very rudimentary, and the functionality is limited. We will keep an eye on it, and update this recommendation if things change. The website hasn't been updated since 2018, so at the moment this project doesn't look promising.

Not recommended because they are not user friendly

There are other systems that are relevant, and receive updates, but we still don't recommend them, at least to less technical users.

We don't recommend the systems below, because they require relatively high expertise to perform simple tasks. These days, SOHO (Small Office / Home Office) routers should be easy to set up and have an intuitive web interface to manage them. For these reasons we don't recommend the following systems:

7. VyOS - no Web interface

We love VyOS, but we highly discourage our customers from getting it, unless they really know what they are doing. This system must be managed from the command line, and it requires a high level of expertise to maintain and use.

8. OpenBSD and FreeBSD - use only if you have 10+ years of command line experience

OpenBSD and FreeBSD are actively developed and are very capable, but these systems require a high level of understanding of operating system internals, and low-level networking to be used as routers.

We routinely install both systems for customers who are experts, such as network administrators or software developers. If you don't want to mess with system internals and spend hours reading manuals, these are not the systems for you. They do not provide any Web UI or GUI tools for configuration; they are barebones, terminal-based systems.

9. Debian and Ubuntu - don't use a general purpose OS for your router

These systems are not intended for routers. They are general purpose operating systems, and should not really be used as routers. Similar to OpenBSD and VyOS, you will have to configure everything by hand without a Web Interface.

Not recommended because they are not really free

There are also a few systems we don't recommend because they are not truly free or open source.

10. Untangle - is it really free if OS asks you to upgrade to a paid version?

Untangle NG Firewall is truly great software, with many happy users. We don't recommend it because the free version is very limited, and the operating system constantly incentivizes users to upgrade to a paid subscription to unlock the cool functionality. The cheapest license is $50 USD/year.

11. Sophos - small fish in an enterprise pond

Sophos 'XG Firewall' distribution has a very nice user interface and is free for home use. We generally don't recommend it because it's not a system that Sophos itself promotes. Sophos' website seems to make it purposefully hard to find, and the community is very small. Sophos, in general, is an enterprise software company, with one community product. There's no Open Source spirit here.

12. Endian - you really have to pay to use it fully

Endian is actually pretty cool, and free. We don't recommend it because features like WiFi are available only in paid subscriptions. Similar to Untangle, it's good software, but you have to pay for it, and this disqualifies it from our consideration.

To choose the best operating system for routers we have set a few basic guidelines. All systems not compatible with these guidelines have been rejected.

Basic requirements for choosing Firewall Operating System

  1. The system must be actively maintained, and regularly receive security patches.
  2. The system must be fully Free and Open Source.
  3. The system must have a Web interface or GUI. Command line operating systems are disqualified.
  4. The system must be performant, and work well for a typical user.

These basic requirements reduce the list of recommendations to four systems: pfSense, OpenWRT, OPNSense and IPFire.

Researchers have discovered a security flaw in macOS, Linux, and several other operating systems that could let attackers hijack a wide range of virtual private network (VPN) connections.

The bug, discovered by University of New Mexico researchers William J Tolley, Beau Kujath, and Jedidiah R. Crandall, lets a malicious access point or someone on the same network snoop on a user’s VPN session. The snooper can tell that they’re on a VPN and figure out what site they’re visiting. The researchers explain:


This provides everything that is needed for an attacker to hijack active connections inside the VPN tunnel.

The attack begins by working out the VPN client’s virtual IP address, which is the fake IP address that a VPN gives you when you use it to pretend that you’re somewhere else. It does this by sending SYN (short for synchronization) and ACK (short for acknowledgement) packets to the device. Because it doesn’t know the device’s exact address, it sends these packets to all addresses in the virtual IP space. When this noisy attack eventually hits the victim’s machine, it will respond with a reset (RST) packet that drops the connection.

That tells the attacker that the device is using an external network connection that gives it a virtual IP address. It can then send its own RST packets. The victim machine responds with a ‘challenge ACK’, inviting its VPN to set up a new connection, and the attacker can sniff out these packets by timing them and examining their size. By analysing the packets, it can determine the in-window sequence number of the connection, which tells it what type of VPN connection the victim is using.

From there, the attacker can work out how to inject malicious packets into the VPN connection. An attacker could use those techniques to inject malicious code into a website that could help to compromise a browser.

The bug, CVE-2019-14899, works against a variety of VPN protocols including OpenVPN and IKEv2/IPSec, along with the young upstart WireGuard P2P protocol that is angling for inclusion in the Linux kernel. It exists in Linux distributions including but not limited to Ubuntu, Fedora, Debian, Arch, Manjaro, Devuan, MX Linux, Void Linux, Slackware and Deepin. It also affects FreeBSD and OpenBSD, as well as Android, macOS, and iOS.

Having said that, the issue doesn’t seem to be an exploitable problem in all flavours of Linux. The researchers said that they couldn’t replicate it on Ubuntu versions before 19.10, for example, and pointed to a configuration update in systemd (the startup system used in many Linux distributions) made on 28 November 2018 as a possible trigger condition.

The researchers haven’t tested the vulnerability against the Tor onion routing protocol, which focuses on anonymous communications, but believe that this wouldn’t be vulnerable to the attack. That’s because Tor handles its authentication and encryption outside of the operating system kernel.

What to do


The researchers’ proposed workarounds all have problems. Turning reverse path filtering on (which would stop routing packets from inappropriate addresses) won’t solve the issue for all operating systems and the attack may still work anyway, the researchers said. Filtering bogus packets (known as bogon filtering) could interfere with local network addresses in some instances, they added.

The good news is that this is likely to be extremely hard for attackers to exploit, and those who would wish to have very little information to go on.

The best bet is to wait for a patch from your Linux distributor. The researchers have chosen not to publish a detailed paper on the hack until then.
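The "bogon filtering" workaround described above, as an added example that is not part of the article and not the researchers' own ruleset: a shell script that emits an nftables ruleset dropping any packet addressed to the VPN client's virtual IP unless it arrived through the tunnel interface, which is what the spoofed SYN/ACK and RST probes rely on. The interface names (wg0) and the virtual address (10.8.0.2) are assumed placeholders; substitute your own.

```shell
#!/bin/sh
# Added example (not from the article). Builds an nftables ruleset that only
# accepts traffic for the tunnel's virtual IP when it comes in via the tunnel.
# Caveat noted in the article: on networks that legitimately use the same
# address range locally, this can interfere with local hosts, and rp_filter
# alone was reported not to be sufficient on every operating system.
VPN_IF="${VPN_IF:-wg0}"                       # assumed tunnel interface name
VPN_VIRTUAL_IP="${VPN_VIRTUAL_IP:-10.8.0.2}"  # assumed virtual IP of this client

# Print the ruleset for the given interface and address; kept as a function so
# it can be reviewed, tested, or piped into nft.
cve_2019_14899_ruleset() {
    vpn_if="$1"
    vip="$2"
    cat <<EOF
table inet vpn_guard {
    chain input {
        type filter hook input priority -10; policy accept;
        # Probes for the tunnel address that did not enter through the tunnel
        # (spoofed SYN/ACK and RST packets from the local segment) are dropped.
        ip daddr $vip iifname != "$vpn_if" counter drop
    }
}
EOF
}

# Returns 0 when the generated ruleset contains the guard rule for that pair.
has_guard_rule() {
    cve_2019_14899_ruleset "$1" "$2" \
        | grep -q "ip daddr $2 iifname != \"$1\" counter drop"
}

# Apply only when running as root with nft available; otherwise just show it.
if [ "$(id -u)" -eq 0 ] && command -v nft >/dev/null 2>&1; then
    cve_2019_14899_ruleset "$VPN_IF" "$VPN_VIRTUAL_IP" | nft -f /dev/stdin
else
    cve_2019_14899_ruleset "$VPN_IF" "$VPN_VIRTUAL_IP"
fi
```

Run it as root to load the table; run it unprivileged to print the ruleset for review, and remove it again with `nft delete table inet vpn_guard`.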