Netgate Discussion Forum

    OpenVPN vs IPSec

    • al4

      I am needing to create a Site-to-Site VPN.

      There is the main office and between four (4) to six (6) remote locations.

      I only need to allow traffic from the remote sites destined for our internal network - telnet traffic over port 22 and traffic for a VoIP phone. Otherwise the traffic should just go out the end user's Internet connection and not go through the VPN to the main site. Being able to make it so telnet and VoIP traffic can run without lag is also good.

      The ability to have mobile users would be nice too (obviously the phone would not work).

      What would work best? I'm not aware of the technical limitations of OpenVPN and IPSec and how it relates to pfSense.

      Thanks.

      • hoba

        OpenVPN is less problematic if you are behind NAT or you have dynamic IPs everywhere. It's also more flexible when it comes to routing. However, when using IPSEC you can filter traffic inside the tunnel (not yet possible with IPSEC in pfSense). For site to site I would go with IPSEC, but that might just be my personal preference. Maybe easier to set up too.

        • GruensFroeschli

          My personal opinion: OpenVPN.
          It's just easy and you have so many possibilities.

          With IPSEC you can filter (-> you can create firewall rules for the IPSEC interface).
          With OpenVPN you can't do that.

          With IPSEC you need a static IP on at least one side.
          OpenVPN can have dynamic IPs on both sides.

          I'm not really sure what the IPSEC implementation on pfSense can do in relation to other implementations, since I don't use it.
          The OpenVPN on pfSense is everything you can find on http://openvpn.net/index.php

          EDIT: As hoba wrote: IPSEC might be the better solution for your site-to-site, and maybe OpenVPN better for your roadwarriors.
          You can mix however you want :)

          We do what we must, because we can.

          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          • al4

            To make sure I understand: if I use OpenVPN I would not be able to route certain types of traffic through different interfaces (i.e. telnet over VPN - otherwise go out the WAN and be like normal)? In which case IPSec would work better in my situation.

            If I use IPSec for Site-to-Site and OpenVPN for road warriors - that's fine by me too.

            If I use IPSec, do I have the ability to give it a minimum and maximum amount of bandwidth utilization?

            • hoba

              If you need traffic shaping of the VPN traffic, using IPSEC is currently the way to go, as I know that this will be working with the upcoming shaper changes. OpenVPN shaping is not supported atm, same as filtering inside OpenVPN tunnels.
