Hi to all!

I'd like to help me make a decision. I want to establish VPN configuration on a company with about 60 employees. The firewall we have is the CCR1016-12S-1S+ and is already on place for about 3 weeks. I have made a configuration for SSTP VPN connection already, but to be honest on other customers I used to provide WireGuard as a VPN solution.

Regarding the configuration, I believe that is a bit easier to deploy WireGuard compared with SSTP, but I can't say which of the two is more secure. That is the first point where I'd like to have your opinions.

Secondly, I have the following concern. The users (road-warriors) will be connected with their laptops, but they are working on non-administrative profiles. Which means that the WireGuard VPN client cannot be controlled by them. The administrator configures and connects it for the first time and then every time the users are connected to the internet (and not in the company), the laptop establishes automatically a VPN connection, without letting the users even to notice it. If you know, the WireGuard VPN client is not even shown in the tray on a simple-user's profile. So there is no concern for the user to establish a VPN connection before he starts his remote work. On the other hand he is not controlling the VPN connection and he can't troubleshoot anything, if he needs.

But with SSTP connection, there isn't any special VPN client and we use only Windows features and functions. The users are responsible for their VPN connection and they need to decide if they want to connect or not, depending of what kind of work they will do and if that requires access to the company's servers.

I am also worrying which one of the two is more stable. I tried both of them and I noticed that in some cases with a laptop and a wireless connection the SSTP VPN is sometimes disconnected (and not re-established by itself). I noticed that only when didn't have access to the company's server anymore. But there were opened and not-saved files, which made me worry that a simple user could just lose hours of work or even have corrupted files. This is not happening with the WireGuard, or at least it is re-established by itself if the internet (or the wireless) connection is back. What do you think about that? Which one is more stable?

And finally, I am not sure what is better. Letting the users being responsible for their VPN connection and be able to control it (SSTP via Windows functions), or make it completely automated and not-controlled by them (WireGuard VPN client, hidden from the taskbar tray because they are simple-users). Which one is more trouble-free? What's your opinion about that?

Thank you all very much in advance for your help!


With kind regards,
Angelos Pitsos

Which Model of WatchGuard are you comparing to the MikroTik CCR1016-12S-1S+ ?

WatchGuard are typically purchased for their UTM capability ... but WatchGuard can be purchased without the UTM License .... MikroTik do not have UTM capability in any way shape or form .... WatchGuard Firewall is excellent as is the MikroTik Firewall .... however if UTM is used you cannot compare MikroTik to WatchGuard .... WatchGuard UTM are outstanding but very expensive. Performance wise WatchGuard is dramatically faster due to the type of ASIC they use all depending on the Model of WatchGuard.

UTM = Unified Threat Management
A UTM appliance will usually include functions such as: antivirus, anti-spyware, anti-spam, network firewalling, intrusion detection and prevention, content filtering and leak prevention. UTM models also provide services such as remote routing, network address translation (NAT), and virtual private network (VPN) support + + + +

Which Model of WatchGuard are you comparing to the MikroTik CCR1016-12S-1S+ ?

Hi @mozerd,

I am completely stupid! I wanted to write "WireGuard", but instead I wrote everywhere "WatchGuard". I'm so sorry for my mistake... I apologize. I know WatchGuard are other firewall devices (the red ones), but I mixed the terms in my mind.

I have also corrected my post above.

My recommendation is to use WireGuard because it is VERY secure and performance is outstanding …

Hi mozerd,

Thanks a lot for your opinion. I will reconsider.

With kind regards,
Angelos Pitsos

I agree with @mozerd about WireGuard being fast and secure but it wouldn't hurt to have a backup VPN system in case users aren't able to connect. If that's the case then SSTP is certificate based and also secure but not as fast as WireGuard.

Note: WireGuard uses UDP connections and SSTP uses TCP. TCP is slower than UDP but works where UDP might fail (e.g. CG-NAT Internet connections).

+1 for Wireguard.

Note: WireGuard uses UDP connections and SSTP uses TCP. TCP is slower than UDP but works where UDP might fail (e.g. CG-NAT Internet connections).

Wireguard works just fine behind CGNAT provided you have a device with public IP available as target to set up the connection.

So you are saying that wireguard clients will fail because UDP might fail (they are connected via CG-NAT????
I think your toilet water circles in the wrong direction!!
Either that or too much catnip.

[sarcasm]Thank you sooo much for your reply @anav.[/sarcasm] I have had VPN connections fail because they were running on a UDP connection through an ISP using CG-NAT so this isn't anecdotal but something I've seen. Also, I said the VPN connection might fail not that it would fail.

From Wikipedia:

UDP uses a simple connectionless communication model with a minimum of protocol mechanisms. UDP provides checksums for data integrity, and port numbers for addressing different functions at the source and destination of the datagram. It has no handshaking dialogues, and thus exposes the user's program to any unreliability of the underlying network; there is no guarantee of delivery, ordering, or duplicate protection. If error-correction facilities are needed at the network interface level, an application may instead use Transmission Control Protocol (TCP) or Stream Control Transmission Protocol (SCTP) which are designed for this purpose.