Netgate Discussion Forum

    Which PFsense VPN solution to use for Client access VPN?

    General pfSense Questions
    • MTW

      I want to build and test a VPN solution with pfSense for clients: macOS / Windows 7-10 / (optional Linux)

      • Clients will mostly be behind NAT
      • It needs to be easy on the client side since the clients are not managed by us. We can send an installer or a manual but that's it.
      • It needs to be universal on the pfSense side since one set-up needs to suit all clients mentioned.
      • There is no need for site-to-site VPN.
      • It needs to work in the HA CARP set-up.
      • Split tunneling should be supported.
      • The connected VPN clients should not communicate with each other.
      • A nice to have (but not mandatory) would be that we can make different groups like CompanyA, CompanyB,.. put the users in their company group and assign different firewall rules to each group. So CompanyA can only access ServerA and CompanyB can only access ServerB via the VPN.

      I played around in our test environment with the OpenVPN option and the L2TP/IPsec one. I used Windows 10 as the test client, on the same VLAN as the WAN interface of the pfSense.
      I followed exactly every step in the documentation for both options and followed every YouTube tutorial I could find, but couldn't get it working.

      Before I go into troubleshooting mode I would like some opinions on what the best way to go is for my scenario using pfSense, so I don't start putting a load of effort into a POC with one solution and eventually end up switching to another one. :)

      • KOM

        OpenVPN for sure.  It just works.

        • MTW

          @KOM:

          OpenVPN for sure.  It just works.

          Tnx for your fast reply  :o

          You mean all my requirements, also the one with the different firewall rules for different groups, will be covered by the OpenVPN solution?

          • viragomann

            @MTW:

            • A nice to have (but not mandatory) would be that we can make different groups like CompanyA, CompanyB,.. put the users in their company group and assign different firewall rules to each group. So CompanyA can only access ServerA and CompanyB can only access ServerB via the VPN.

            Best way here is to set up different OpenVPN servers for each company. So each user group has its own VPN tunnel subnet and you can easily handle access with firewall rules.

            Use the wizard to set up the servers, it's not difficult.

            • MTW

              @viragomann:

              @MTW:

              • A nice to have (but not mandatory) would be that we can make different groups like CompanyA, CompanyB,.. put the users in their company group and assign different firewall rules to each group. So CompanyA can only access ServerA and CompanyB can only access ServerB via the VPN.

              Best way here is to set up different OpenVPN servers for each company. So each user group has its own VPN tunnel subnet and you can easily handle access with firewall rules.

              Use the wizard to set up the servers, it's not difficult.

              You mean an extra set-up of OpenVPN on the same pfSense?
              Does this mean that each OpenVPN setup needs a dedicated WAN IP address? >> This won't be possible since we have more clients than available (IPv4) addresses.

              • Derelict (LAYER 8, Netgate)

                They can be on different ports (1194, 1195, 1196, etc). For firewall rules it's a lot easier if each company is on their own OpenVPN instance/interface.  Otherwise you have to assign static IP addresses and do the rules accordingly. Kind of depends on how many companies you're talking about. I don't know how many OpenVPN instances is reasonable on your hardware.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

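                What Derelict describes, spelled out as an added example (this is not configuration from the thread or from the pfSense project): two OpenVPN server instances on the same WAN address, each on its own UDP port with its own tunnel subnet, and the pf rules that give each company access to its own server only and keep the connected clients from reaching each other. The addresses (RFC 5737 documentation ranges), the second port, the interface names ovpns1/ovpns2 and the server hosts are assumptions for illustration; the CARP VIP as the listening address covers the HA requirement from the first post, and the pushed host routes give the split tunnel.

```conf
# Added example, not from the thread. Addresses, ports other than 1194,
# interface names and server hosts are assumed for illustration.

# --- OpenVPN server instance for CompanyA (pfSense writes one such
#     config per server defined under VPN > OpenVPN > Servers) ---
dev ovpns1
dev-type tun
topology subnet
proto udp4
port 1194
local 203.0.113.10                      # CARP VIP: the listener follows the HA master
server 10.8.1.0 255.255.255.0           # tunnel subnet used only by CompanyA
push "route 192.0.2.10 255.255.255.255" # split tunnel: only ServerA is routed via the VPN
# "client-to-client" is deliberately absent. Without it OpenVPN hands
# peer-to-peer traffic to the kernel, so pf sees it and the rules below
# can drop it; with it set, OpenVPN switches that traffic internally and
# no firewall rule ever applies.

# --- OpenVPN server instance for CompanyB: same pattern, next port ---
dev ovpns2
dev-type tun
topology subnet
proto udp4
port 1195
local 203.0.113.10
server 10.8.2.0 255.255.255.0           # distinct subnet, so rules can key on it
push "route 192.0.2.20 255.255.255.255" # ServerB

# --- pf rules on the per-instance interfaces ---
# CompanyA (ovpns1): no client-to-client, only ServerA on RDP/HTTP/HTTPS, drop the rest
block in quick on ovpns1 inet from 10.8.1.0/24 to 10.8.1.0/24
pass  in quick on ovpns1 inet proto tcp from 10.8.1.0/24 to 192.0.2.10 port { 3389, 80, 443 }
block in quick on ovpns1 all
# CompanyB (ovpns2): same shape, its own subnet and server
block in quick on ovpns2 inet from 10.8.2.0/24 to 10.8.2.0/24
pass  in quick on ovpns2 inet proto tcp from 10.8.2.0/24 to 192.0.2.20 port { 3389, 80, 443 }
block in quick on ovpns2 all
```

                In the pfSense GUI the per-instance rule tabs only exist once each ovpnsN has been assigned under Interfaces > Assignments; rules placed on the shared OpenVPN tab apply to every instance at once, which is exactly what you do not want when the companies must be kept apart. The trailing block on each interface also stops CompanyA's clients from reaching CompanyB's tunnel subnet or server.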
                • MTW

                  @Derelict:

                  They can be on different ports (1194, 1195, 1196, etc). For firewall rules it's a lot easier if each company is on their own OpenVPN instance/interface.  Otherwise you have to assign static IP addresses and do the rules accordingly. Kind of depends on how many companies you're talking about. I don't know how many OpenVPN instances is reasonable on your hardware.

                  OK, using different ports sounds good!
                  The number of companies could be up to 300, averaging 5 users / company. But the number of simultaneous sessions is much lower, and the traffic is rather low: RDP and HTTP sessions.
                  We are planning to run them as Hyper-V VMs; we can easily assign 8 cores and 64 GB RAM to one VM. We could run them on dedicated hardware (24-core, 256 GB RAM) but I foresee issues with the NIC drivers since we are using HP blade systems with 10GB LOM modules connected to redundant Virtual Connect modules; these require special HP (Emulex/Broadcom) drivers. But we really prefer to run them as VMs for backup/restore and HA purposes.

                  • MTW

                    Given the replies (and the amount of posts those ppl have I assume they know what they are talking about) I guess OpenVPN is the way to go since nobody is suggesting to go for the IPSec/L2TP solution.

                    • viragomann

                      For hardware compatibility look here: https://www.freebsd.org/relnotes/CURRENT/hardware/support.html

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.