Netgate Discussion Forum

1000 pfSense <-> 1 pfSense VPN Tunnels

OpenVPN | 8 Posts | 4 Posters | 1.5k Views
alfredo

We are planning to deploy a large setup with 1000 pfSense 'client' boxes connecting - over the internet - to 1 huge pfSense 'server' box in our datacenter. These 1000 tunnels should be permanently up. Each of these 1000 'client' boxes should have its own 10.x.y.0/24 subnet connecting to the 'server' box. The data transfer should be bi-directional. Our criteria are: ease of configuration, management, and performance.

Question: Which is recommended: OpenVPN Client on the clients + OpenVPN Server on the server; or IPsec; or anything else?

Thanks for any input,

Alfredo.

alfredo

Anybody?

KOTRz

I would strongly suggest OpenVPN. I had a setup of 50+ points and never saw a problem; just keep in mind some common-sense stuff, such as: since this is a large deployment, plan things ahead. I have a long checklist of do's and don'ts for such a large setup. If you want any help, let me know.

H.Hassan
Sam Networks
website: http://www.samnetworks.co.uk

Soyokaze

I would go for OpenVPN too, but make sure that you will have enough speed through it for your needs.
Also, 1 "big server" seems to be a very... questionable decision.

Need full pfSense in a cloud? PM for details!

heper

@alfredo:

We are planning to deploy a large setup with 1000 pfSense 'client' boxes connecting - over the internet - to 1 huge pfSense 'server' box in our datacenter.

I figure if you plan such a massive deployment, you have funds... Use a small portion of those funds to ask for consultancy from one of the pfSense developers.

alfredo

Dear List,

Yes, lots of things to consider. In the past, we have been advised that "IPsec" has less "overhead" than "OpenVPN" and, as such, would provide better performance. Otherwise, for us, "OpenVPN" seems a better choice.

ad KOTRz: Is this checklist something you could share with us (PM)? How did you deal with all the subnets? Not just one tunnel network. :-)

ad pan_2: Haven't had time to test your single-CPU question on our 'big' server.
https://forum.pfsense.org/index.php?topic=113167.0
Why do you find one big server questionable? It is fully configured with all thinkable redundancies.

ad heper: Sure, that makes sense. For now, we are still in the 'research' phase and just gathering ideas.

Thanks so kindly,

Alfredo.

heper
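Alfredo's question about handling 1000 separate 10.x.y.0/24 site subnets behind one OpenVPN server comes down to two directives: a server-side `route` for every site subnet and a per-client `iroute` in a client-config-dir (ccd) file keyed on the certificate CN. This added example (not from the thread, and not pfSense's own code) generates both from a constructed site list, checks the list for overlapping or stray subnets before anything is deployed, and sizes a constructed tunnel network of 10.200.0.0/22 for 1000+ clients under `topology subnet`.

```python
import ipaddress

# Constructed tunnel network (assumption): a /22 under 'topology subnet'
# gives each client one address and still leaves room for 1000+ clients.
TUNNEL_NET = ipaddress.ip_network("10.200.0.0/22")
PRIVATE_10 = ipaddress.ip_network("10.0.0.0/8")


def find_conflicts(sites, tunnel_net=TUNNEL_NET):
    """Return a list of problems in a (common_name, cidr) site list: malformed
    entries, subnets that are not a 10.x.y.0/24, collisions with the tunnel
    network, and overlaps between sites. An empty list means the map is clean."""
    problems, seen = [], {}
    for cn, cidr in sites:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            problems.append(f"{cn}: {cidr} is malformed or has host bits set")
            continue
        if net.prefixlen != 24 or not net.subnet_of(PRIVATE_10):
            problems.append(f"{cn}: {net} is not a 10.x.y.0/24 subnet")
        if net.overlaps(tunnel_net):
            problems.append(f"{cn}: {net} collides with tunnel network {tunnel_net}")
        for other_cn, other in seen.items():
            if other.overlaps(net):
                problems.append(f"{cn}: {net} overlaps {other_cn} ({other})")
        seen[cn] = net
    return problems


def server_routes(sites):
    """'route' lines for the server config: the kernel must send traffic for
    every site subnet into the tun interface before 'iroute' can pick the client."""
    nets = (ipaddress.ip_network(cidr) for _, cidr in sites)
    return [f"route {n.network_address} {n.netmask}" for n in nets]


def ccd_entries(sites):
    """One client-config-dir file per certificate CN, carrying the 'iroute'
    that binds the site subnet to that client; the CN is what the server matches."""
    return {cn: f"iroute {ipaddress.ip_network(cidr).network_address} "
                f"{ipaddress.ip_network(cidr).netmask}\n" for cn, cidr in sites}


def client_capacity(tunnel_net=TUNNEL_NET):
    """Clients that fit in the tunnel network under 'topology subnet': one
    address each, minus the network, broadcast and the server's own address."""
    return tunnel_net.num_addresses - 3


# Constructed sample: three of the 1000 sites, certificate CN -> LAN behind it.
SITES = [("site-0001", "10.1.1.0/24"),
         ("site-0002", "10.1.2.0/24"),
         ("site-0003", "10.1.3.0/24")]
```

Run `find_conflicts` over the full site list before writing the ccd files; a duplicate or overlapping subnet silently breaks routing for both sites instead of failing at startup.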

I have no clue about the overhead, but there can be a massive difference in performance between IPsec & OpenVPN...

IPsec on FreeBSD already has support for the AES-NI crypto ciphers (AES-GCM).

OpenVPN doesn't at this time, but it's confirmed to be available for OpenVPN 2.4 -- no clue when that'll ever be released (https://community.openvpn.net/openvpn/ticket/301).

Soyokaze

@alfredo:

ad pan_2: Haven't had time to test your single-CPU question on our 'big' server.
https://forum.pfsense.org/index.php?topic=113167.0
Why do you find one big server questionable? It is fully configured with all thinkable redundancies.

It is still only one server. Need to reboot? No connection. Need to upgrade? No connection. Something broke along the way? No connection. (And to continue: need to update FW on the host server? No connection for an hour. ESX PSODed? No connection. And so on...)
So I would push for a redundant setup anyway, even if you have only one host server - more room to maneuver. And it is simpler to utilize VM host resources by running multiple instances.

More so - I doubt the pfSense team ever tested the OpenVPN WebGUI with so many VPN server definitions; there could be some hidden rocks in it.

Need full pfSense in a cloud? PM for details!
