OpenVPN/tomato or IPSec/Draytek for site-to-site tunnel?
-
I am in the process of setting up a site-to-site tunnel for my partner's new business premises.
I have a pfSense (2.1 snapshot) system running as my home network firewall and I want to bridge this network with a small (2 or 3 computer + router) setup remotely. The main reason to do this is to enable me to offer remote support (it's a 25 minute drive) should I need to and to facilitate automated backups and data acquisition. I also run an Asterisk PBX here, so expansion to VoIP may be possible in the future. I've narrowed things down to two options:
- Asus RT-N66U running tomatoUSB. Connection would be done through an OpenVPN
- Draytek 2830n with stock firmware. Connection via IPSec
The server machine (my pfSense box) has a static IP and the remote box will probably have a sticky dynamic IP (it can change, but not very often). Has anyone any experience with these two setups that can help me understand the pros and cons of the setup? In no particular order, the following questions come to mind:
- Does one setup have any advantages over the other (would I lose any features for selecting one over the other)?
- If the line stability is not good (I haven't tried it yet) is one more reliable than the other?
- Is there any way to enable the link at certain times of the day only (I can't see any, but just thought I'd check)?
- The remote location is in a shop, so not fully secure and I'm not in 100% control of the machines. I'm thinking of only allowing a subsection of the net across the bridge. E.g. IPs 192.168.2.16-192.168.2.32 are the only ones that can access my local network (192.168.1.0/24) and that I can access. I'm guessing this is relatively easy to do via some firewall rules. Is it (I know it doesn't stop the determined hacker, but I'm thinking of DHCPing all addresses on the wireless network so I can allocate those I want to have access to have static IPs based on their MAC address whilst others will be DHCP'd outside this range)? Any better ideas for security whilst also allowing 2-way comms between the two networks for a subset of machines?
Anything else I should be considering or is it just a question of buy one and you'll get there in the end anyway (I'm fairly network literate, so will get there if both solutions can do what I want)?
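One way to turn the "only 192.168.2.16-192.168.2.32 may cross the tunnel" idea into firewall rules on the Tomato/OpenVPN side, as an added example that is not from the thread. The range is not prefix-aligned (.16-.31 is a /28, .32 is a lone host), so the script first splits it into CIDR blocks and then emits stateful iptables FORWARD rules in both directions with a logged default drop; the interface names tun21 and br0 are assumptions for a Tomato OpenVPN client build, and the pfSense end would need mirror-image rules on its OpenVPN interface.

```python
import ipaddress
from typing import List

# Constructed to match the addresses in the question: shop LAN 192.168.2.0/24,
# home LAN 192.168.1.0/24, and only .16 through .32 allowed across the tunnel.
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")
ALLOWED_FIRST = ipaddress.ip_address("192.168.2.16")
ALLOWED_LAST = ipaddress.ip_address("192.168.2.32")
TUN_IF = "tun21"  # assumed: Tomato OpenVPN client interface; check with `ifconfig`
LAN_IF = "br0"    # assumed: Tomato LAN bridge


def allowed_prefixes(first, last) -> List[ipaddress.IPv4Network]:
    """Split an inclusive IP range into the fewest CIDR blocks.

    A single netmask cannot express .16-.32, so one rule per block is needed.
    """
    return list(ipaddress.summarize_address_range(first, last))


def forward_rules(prefixes, home_lan, tun_if, lan_if) -> List[str]:
    """Build iptables FORWARD rules for the remote (shop) router.

    Replies to established flows pass first, then each allowed block may
    initiate towards the home LAN and vice versa; anything else that would
    cross the tunnel is logged and dropped, so unlisted shop hosts stay off
    the home network even if they reach the router.
    """
    rules = [
        f"iptables -A FORWARD -i {tun_if} -m state --state ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -o {tun_if} -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for p in prefixes:
        # shop host -> home LAN
        rules.append(f"iptables -A FORWARD -i {lan_if} -o {tun_if} -s {p} -d {home_lan} -j ACCEPT")
        # home LAN -> shop host
        rules.append(f"iptables -A FORWARD -i {tun_if} -o {lan_if} -s {home_lan} -d {p} -j ACCEPT")
    rules.append(f"iptables -A FORWARD -i {tun_if} -j LOG --log-prefix 'VPN-DROP: '")
    rules.append(f"iptables -A FORWARD -i {tun_if} -j DROP")
    rules.append(f"iptables -A FORWARD -o {tun_if} -j DROP")
    return rules


if __name__ == "__main__":
    for line in forward_rules(allowed_prefixes(ALLOWED_FIRST, ALLOWED_LAST),
                              HOME_LAN, TUN_IF, LAN_IF):
        print(line)
```

The printed lines are meant for Tomato's firewall script box so they are re-applied on every WAN/tunnel restart; the MAC-based DHCP reservations mentioned in the question decide which machines land in the allowed block, while these rules decide what the block may reach.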
-
-
I would go for the Asus + Tomato + OpenVPN.
It would be more stable than IPsec, less likely to break due to random IP or tunnel changes, and there are probably more ways to filter/secure things in Tomato than on the Draytek (or at least as many).
-
Thanks jump. I may well go for a pfSense box on an esxi server. I need an SMB server to share files and I could run pfSense on the same hardware (already do that at the other end anyway). Will update the thread when I have it working.