OCI Bastion vs WireGuard VPN vs IPSec (IKEv2)

Side-by-side evaluation of access, tunnelling, and site-to-site connectivity options on Oracle Cloud Infrastructure. Intended audience: cloud architects, infrastructure leads, and security reviewers.

Columns compared (each dimension below lists the three options in this order):

  OCI Bastion      Session-based SSH proxy
  WireGuard VPN    Lightweight kernel tunnel
  IPSec (IKEv2)    Standards-based site-to-site

1   Architecture & Protocol

Network layer (OSI model)
  OCI Bastion:    Layer 7 — Application. Session-based SSH proxy; no persistent tunnel.
  WireGuard:      Layer 3 — Network. Kernel tun interface; persistent peer configuration.
  IPSec (IKEv2):  Layer 3 — Network. ESP (or AH) encapsulation; IKEv2 handles key exchange.

Transport (protocol / port)
  OCI Bastion:    TCP 22 (SSH) to the Oracle-hosted bastion endpoint. Session creation goes over the OCI control plane (TLS); the client then uses an SSH ProxyCommand or a local port forward.
  WireGuard:      UDP 51820 by default (any port can be configured). Single connectionless UDP port; a peer may change source address and port and keep the tunnel, which is what makes NAT traversal native.
  IPSec (IKEv2):  UDP 500 (IKE) and UDP 4500 (NAT-T). ESP is IP protocol 50 (AH is 51) when no NAT is in the path.

Encryption (cipher suite)
  OCI Bastion:    SSH. Ed25519 or RSA keypairs authenticate the client to the session; the channel cipher is whatever OpenSSH negotiates (chacha20-poly1305 or AES-GCM by default). Oracle-managed TLS protects the session-creation API call.
  WireGuard:      ChaCha20-Poly1305 only. Noise protocol framework with Curve25519, BLAKE2s and HKDF; no cipher negotiation, so no downgrade path.
  IPSec (IKEv2):  AES-256-GCM (AEAD) or AES-CBC paired with HMAC-SHA-256/384 integrity, selected from the IKEv2 proposals negotiated with the CPE.

Authentication
  OCI Bastion:    SSH keypair plus OCI IAM. Session creation is policy-gated; sessions are identified by OCID and are short-lived.
  WireGuard:      Static Curve25519 public keys, one per peer, exchanged out of band. No PKI required; an optional PresharedKey adds a symmetric layer on top of the handshake.
  IPSec (IKEv2):  X.509 certificates or pre-shared keys in IKEv2; EAP for remote-access clients. The OCI Site-to-Site VPN service itself authenticates each tunnel with a pre-shared key.

Key exchange
  OCI Bastion:    Per-session SSH key exchange (curve25519-sha256 by default in OpenSSH). Keys exist only for that SSH session; there is no long-lived tunnel key.
  WireGuard:      Curve25519 ECDH inside the Noise handshake. Static identity keys, a fresh session key per handshake, rekeyed every two minutes.
  IPSec (IKEv2):  Diffie-Hellman group negotiated in IKEv2 (MODP or ECP groups). Perfect forward secrecy comes from running DH again on each CHILD_SA rekey.
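The IKEv2 rows above list what gets negotiated, and a weak or misaligned proposal on either side is the usual cause of a failed or silently downgraded tunnel. The checker below is an added example written for this comparison (it is not OCI tooling or strongSwan code). It parses strongSwan-style proposal strings such as `aes256gcm16-prfsha384-ecp384` and grades them against a minimum policy: AEAD or AES-CBC with SHA-2 integrity, no SHA-1/MD5/3DES, DH group 14 or stronger, and forward secrecy on CHILD_SA rekeys. The thresholds, transform table and sample proposals are this example's own assumptions; the same check is what you would run when aligning proposals with a CPE (the setup-complexity and SA-lifetime rows further down).

```python
"""Grade IKEv2 proposals (strongSwan syntax) against a minimum-strength policy.

Added example for this comparison; not OCI or strongSwan code. The policy
(DH group >= 14, no SHA-1/MD5/3DES, PFS on CHILD_SA) is this example's own.
"""
from dataclasses import dataclass

AEAD_ENCR = {"aes128gcm16", "aes256gcm16", "chacha20poly1305"}
CBC_ENCR = {"aes128", "aes192", "aes256"}
WEAK_ENCR = {"3des", "des", "null"}
INTEG = {"sha256", "sha384", "sha512", "sha1", "md5"}
PRF = {"prfsha256", "prfsha384", "prfsha512", "prfsha1"}
# strongSwan group keyword -> IANA IKEv2 Diffie-Hellman group number
DH = {"modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15,
      "modp4096": 16, "ecp256": 19, "ecp384": 20, "ecp521": 21, "curve25519": 31}


@dataclass(frozen=True)
class Finding:
    proposal: str
    severity: str  # "reject" fails the proposal, "warn" is advisory
    reason: str


def parse_proposal(proposal):
    """Split 'aes256-sha256-modp2048' into (encr, integ, prf, dh); None if absent."""
    encr = integ = prf = dh = None
    for tok in proposal.lower().split("-"):
        if tok in AEAD_ENCR or tok in CBC_ENCR or tok in WEAK_ENCR:
            encr = tok
        elif tok in INTEG:
            integ = tok
        elif tok in PRF:
            prf = tok
        elif tok in DH:
            dh = tok
        else:
            raise ValueError(f"unknown transform {tok!r} in {proposal!r}")
    return encr, integ, prf, dh


def check_proposal(proposal, sa="ike", min_dh_group=14):
    """Return the Findings for one proposal; an empty list means it passes."""
    encr, integ, prf, dh = parse_proposal(proposal)
    findings = []

    def reject(why):
        findings.append(Finding(proposal, "reject", why))

    def warn(why):
        findings.append(Finding(proposal, "warn", why))

    if encr is None or encr in WEAK_ENCR:
        reject(f"encryption {encr!r} is not acceptable")
    if encr in CBC_ENCR and integ is None:
        reject("CBC mode needs an explicit HMAC integrity transform")
    if encr in AEAD_ENCR and integ is not None:
        warn(f"{integ} is redundant: {encr} already authenticates (AEAD)")
    if integ in {"sha1", "md5"}:
        reject(f"integrity {integ} is deprecated")
    if sa == "ike":
        # With an AEAD cipher there is no HMAC to derive the PRF from.
        if encr in AEAD_ENCR and prf is None:
            reject("IKE proposal with an AEAD cipher needs an explicit PRF")
        if prf == "prfsha1":
            reject("PRF based on SHA-1 is deprecated")
    if dh is None:
        if sa == "ike":
            reject("IKE_SA proposal has no DH group")
        else:
            warn("no DH group: CHILD_SA rekeys without perfect forward secrecy")
    elif DH[dh] < min_dh_group:
        reject(f"DH group {DH[dh]} ({dh}) is below the minimum group {min_dh_group}")
    return findings


def filter_acceptable(proposals, **policy):
    """Keep proposals with no 'reject' finding, preserving the caller's order."""
    return [p for p in proposals
            if all(f.severity != "reject" for f in check_proposal(p, **policy))]


if __name__ == "__main__":
    for p in ["aes256gcm16-prfsha384-ecp384", "aes256-sha256-modp2048",
              "aes128-sha1-modp1024", "3des-sha1-modp1024"]:
        for f in check_proposal(p) or [Finding(p, "ok", "passes policy")]:
            print(f"{f.severity:6} {f.proposal:32} {f.reason}")
```

The order of the proposal list matters in practice: IKEv2 takes the first proposal the responder also accepts, so run `filter_acceptable` over the list you intend to configure and keep the strongest AEAD proposal first.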

2   Performance & Overhead

Throughput (relative / typical)
  OCI Bastion:    Low. One port-forwarded SSH session per target; not meant for bulk data transfer.
  WireGuard:      High. Kernel-native with minimal per-packet overhead; well ahead of OpenVPN and on par with or ahead of IPsec in published benchmarks.
  IPSec (IKEv2):  High. Best with AES-NI CPUs or hardware offload; IKEv2 SA maintenance overhead is small once the tunnel is up.

Latency impact
  OCI Bastion:    Moderate. Session creation is an OCI control-plane round trip, so the first connection pays a cold-start delay.
  WireGuard:      Minimal. One-round-trip handshake triggered by the first packet; no per-packet handshake afterwards.
  IPSec (IKEv2):  Moderate at establishment. Two round trips (IKE_SA_INIT, then IKE_AUTH) bring up the SA; data packets then add only ESP framing.

Codebase size (indicative attack surface)
  OCI Bastion:    Oracle-managed service. No self-hosted daemon; Oracle owns and patches the endpoint.
  WireGuard:      About 4,000 lines for the Linux kernel module. Smallest of the three and the easiest to audit; no external dependencies.
  IPSec (IKEv2):  100,000+ lines. IKE daemons such as strongSwan or Libreswan plus the kernel IPsec stack; a much larger review surface.

NAT traversal
  OCI Bastion:    Not applicable. The client connects outbound over TCP to the Oracle-hosted bastion endpoint.
  WireGuard:      Native. UDP with no connection state to break, and peers roam across address changes without reconfiguration. A peer behind NAT must set PersistentKeepalive so the NAT mapping stays open for inbound packets.
  IPSec (IKEv2):  Requires NAT-T on UDP 4500. NAT detection is built into IKEv2 itself (RFC 7296); UDP encapsulation of ESP is RFC 3948. Most CPEs support it.

3   OCI Integration & Operations

OCI native?
  OCI Bastion:    Fully managed (PaaS). Console, CLI and Terraform; no compute to run; IAM decides who may create sessions.
  WireGuard:      Self-managed on OCI Compute. Runs on a Linux instance; NSG or security-list rules and VCN routing are configured by hand.
  IPSec (IKEv2):  OCI Site-to-Site VPN service. DRG plus a CPE object; Oracle runs the cloud-side endpoint and provisions two tunnels per IPSec connection.

Routing support
  OCI Bastion:    None, port forwarding only. A session targets one resource (a dynamic port-forwarding session proxies to hosts in the target subnet over SOCKS5, but nothing is routed).
  WireGuard:      Subnet-level via AllowedIPs. AllowedIPs is both the routing table and the ingress filter (cryptokey routing): a decrypted packet is dropped unless its source address falls inside that peer's AllowedIPs. Split-tunnel or full-tunnel is simply a matter of which prefixes you list.
  IPSec (IKEv2):  Full subnet routing, static or BGP. The OCI DRG supports BGP dynamic routing per tunnel; routes are advertised on each tunnel.

HA / redundancy
  OCI Bastion:    Built in. Regional HA by Oracle; no client-side configuration.
  WireGuard:      Manual. Multiple peer entries, ECMP or failover; the failover logic is yours to implement.
  IPSec (IKEv2):  Two tunnels per CPE connection. Oracle provisions both; bring both up for path redundancy.

Setup complexity (relative effort)
  OCI Bastion:    Low. Console wizard; the SSH command or ProxyCommand snippet is generated for you; no VPN server to manage.
  WireGuard:      Medium. wg genkey / wg setconf, NSG rules, and a manual exchange of public keys and AllowedIPs between peers.
  IPSec (IKEv2):  High. CPE configuration, IKE and ESP proposals that must match on both sides (IKE_SA and CHILD_SA), BGP ASN and route tables on the DRG.

Client software
  OCI Bastion:    SSH client only. Native OpenSSH with ProxyCommand or -L port forwarding; no VPN client.
  WireGuard:      WireGuard client on all major platforms: Linux (in the mainline kernel since 5.6), Windows, macOS, Android, iOS.
  IPSec (IKEv2):  OS-native or third-party IKEv2 client. Built into Windows, macOS and iOS; Linux via strongSwan or Libreswan; Android via the strongSwan app or the built-in IKEv2 client on recent versions.

Logging & audit
  OCI Bastion:    OCI Audit (native). Session creation and deletion are audit events; forward them to OCI Logging Analytics.
  WireGuard:      Instance-level only. wg show (latest handshake, transfer counters) and the system journal; WireGuard deliberately keeps no per-connection log, and there is no OCI audit integration.
  IPSec (IKEv2):  OCI Site-to-Site VPN metrics (native). Tunnel state and byte counters in OCI Monitoring; alerting via OCI Monitoring alarms and Notifications.

Terraform support
  OCI Bastion:    oci_bastion_bastion, oci_bastion_session. Full OCI provider support; ephemeral sessions can be scripted.
  WireGuard:      Custom: oci_core_instance plus cloud-init user_data carrying the WireGuard configuration. No managed resource type.
  IPSec (IKEv2):  oci_core_cpe, oci_core_ipsec, oci_core_ipsec_connection_tunnel_management. Full OCI provider support.
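The AllowedIPs row is where WireGuard deployments most often go wrong, because the same list is a route table, an ingress filter and, indirectly, a NAT hint. The linter below is an added example for this comparison (not WireGuard or OCI code). It parses wg-quick style configuration and flags: a hub-side peer with 0.0.0.0/0 or ::/0 (the hub would accept any source address from that peer), AllowedIPs that overlap between peers (the later peer silently takes the range and the earlier peer loses it), a missing PresharedKey, and a client-side peer with an Endpoint but no PersistentKeepalive (the NAT mapping expires and the hub can no longer initiate). The two configurations and every key in them are constructed placeholders.

```python
"""Lint a WireGuard (wg-quick style) config for cryptokey-routing and NAT mistakes.

Added example for this comparison; not WireGuard or OCI code. The sample
configs and keys below are constructed placeholders.
"""
import base64
import binascii
import ipaddress


def parse_wg_conf(text):
    """Return (interface_dict, [peer_dict, ...]); repeated keys are joined with ', '."""
    interface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # base64 keys never contain '#'
        if not line:
            continue
        if line.lower() == "[interface]":
            cur = interface
        elif line.lower() == "[peer]":
            cur = {}
            peers.append(cur)
        elif "=" in line and cur is not None:
            k, v = (s.strip() for s in line.split("=", 1))   # keep '=' padding in values
            cur[k] = f"{cur[k]}, {v}" if k in cur else v
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return interface, peers


def allowed_networks(peer):
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in peer.get("AllowedIPs", "").split(",") if s.strip()]


def valid_key(b64):
    """A WireGuard public key is 32 bytes (Curve25519), base64 encoded."""
    try:
        return len(base64.b64decode(b64, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def lint(text):
    """Return [(severity, peer_label, message), ...]; an empty list means clean."""
    iface, peers = parse_wg_conf(text)
    hub = "ListenPort" in iface            # a hub listens; roaming clients usually do not
    findings, seen = [], []                # seen: (label, network) already claimed by a peer
    for i, peer in enumerate(peers, 1):
        label = f"peer{i}({peer.get('PublicKey', '?')[:8]})"
        if not valid_key(peer.get("PublicKey", "")):
            findings.append(("reject", label, "PublicKey does not decode to 32 bytes"))
        for net in allowed_networks(peer):
            if net.prefixlen == 0:
                if hub:   # ingress filter disabled for this peer; it can spoof any tunnel address
                    findings.append(("reject", label,
                                     f"AllowedIPs {net} on a hub accepts any source address from this peer"))
                else:
                    findings.append(("info", label,
                                     f"AllowedIPs {net}: full tunnel, all traffic routed to this peer"))
                continue
            for other_label, other in seen:
                if net.overlaps(other):    # WireGuard moves the range to the later peer
                    findings.append(("reject", label,
                                     f"AllowedIPs {net} overlaps {other} of {other_label}; this peer takes the range"))
            seen.append((label, net))
        if "PresharedKey" not in peer:
            findings.append(("info", label, "no PresharedKey: optional symmetric layer unused"))
        if not hub and "Endpoint" in peer and "PersistentKeepalive" not in peer:
            findings.append(("warn", label,
                             "Endpoint set but no PersistentKeepalive: NAT mapping will expire"))
    return findings


def _key(n):
    """Constructed placeholder key (32 identical bytes); not a real WireGuard key."""
    return base64.b64encode(bytes([n]) * 32).decode()


SAMPLE_HUB_CONF = f"""
[Interface]
Address = 10.200.0.1/24
ListenPort = 51820
PrivateKey = {_key(9)}

# laptop: one host address, PSK set -> clean
[Peer]
PublicKey = {_key(1)}
PresharedKey = {_key(11)}
AllowedIPs = 10.200.0.2/32

# branch router: its /24 swallows the laptop's /32, and no PSK
[Peer]
PublicKey = {_key(2)}
AllowedIPs = 10.200.0.0/24, 192.168.50.0/24

# misconfigured peer: hub would accept any source address from it
[Peer]
PublicKey = {_key(3)}
PresharedKey = {_key(13)}
AllowedIPs = 0.0.0.0/0
"""

SAMPLE_CLIENT_CONF = f"""
[Interface]
Address = 10.200.0.2/32
PrivateKey = {_key(1)}

[Peer]
PublicKey = {_key(9)}
PresharedKey = {_key(11)}
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.200.0.0/24
"""

if __name__ == "__main__":
    for name, conf in (("hub", SAMPLE_HUB_CONF), ("client", SAMPLE_CLIENT_CONF)):
        for sev, who, msg in lint(conf):
            print(f"{name:6} {sev:6} {who:18} {msg}")
```

Run it against the configuration you are about to push with `wg setconf`; anything at `reject` severity either breaks connectivity (overlap) or removes the per-peer source filter that makes AllowedIPs a least-privilege control.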

4   Security Posture

Session TTL
  OCI Bastion:    Configurable, 3 hours maximum. Short-lived sessions limit the exposure window; there is no persistent tunnel to leave open.
  WireGuard:      None; peers are persistent. A peer key stays valid until you remove it from the configuration. Long-lived by design, so key rotation is an operational duty.
  IPSec (IKEv2):  IKE_SA and CHILD_SA lifetimes negotiated in IKEv2 with automatic rekey; the tunnel itself is permanent.

Zero-trust alignment
  OCI Bastion:    High. No inbound port exposed on the target; session creation passes through IAM; access is scoped to one resource and port.
  WireGuard:      Medium. Trust is a static key per peer with no per-session identity or IAM check; AllowedIPs does give per-peer network scoping.
  IPSec (IKEv2):  Medium. A tunnel grants whole-subnet reachability; least privilege has to come from NSGs, security lists and on-premises firewalls layered on top.

Compliance suitability
  OCI Bastion:    High. OCI IAM, audit logs and the session TTL are native controls that map directly to privileged-access review requirements.
  WireGuard:      Medium. Strong, fixed cryptography, but no native audit trail and self-managed key rotation; ChaCha20-Poly1305 is not on the FIPS-approved algorithm list.
  IPSec (IKEv2):  High. AES-256-GCM and SHA-384 are FIPS-approved algorithms and match NIST SP 800-77 guidance; FIPS 140 compliance itself still depends on a validated cryptographic module on the CPE side.

5   Cost & Licensing

Licensing
  OCI Bastion:    Free. Managed OCI service; Bastion itself consumes no Universal Credits.
  WireGuard:      Free, GPLv2 open source. The Compute instance it runs on is billed by shape.
  IPSec (IKEv2):  Free. OCI Site-to-Site VPN has no port-hour charge; outbound data transfer is billed under standard OCI networking pricing.

Infrastructure cost
  OCI Bastion:    No compute. Bastion is a managed endpoint; no VM to run.
  WireGuard:      Compute instance required. A VM.Standard.E4.Flex with 1 OCPU and 1 GB of memory is enough for light workloads.
  IPSec (IKEv2):  No compute. Oracle-managed; data transfer charges may apply to traffic leaving OCI through the DRG.


Recommended Use Cases

OCI Bastion — when to choose
  - Admin SSH/RDP to private OCI instances
  - Short-lived, audited privileged access
  - No client VPN software requirement
  - Dev / ops access without a persistent tunnel
  - Compliance-gated access with IAM session TTL
  - Break-glass emergency admin access

WireGuard VPN — when to choose
  - Peer-to-peer encrypted mesh networks
  - Remote workforce access to OCI subnets
  - High-throughput, low-latency tunnelling
  - Containerised / microservice environments
  - Replacing OpenVPN in Linux-centric stacks
  - IoT device to cloud secure channel

IPSec (IKEv2) — when to choose
  - On-premises to OCI site-to-site VPN
  - Multi-vendor CPE interoperability
  - BGP-based dynamic routing over OCI DRG
  - Compliance mandating FIPS 140-2 ciphers
  - Hybrid cloud with redundant tunnel pairs
  - Enterprise WAN integration at scale
