1000 pfSense <-> 1 pfSense VPN Tunnels



  • We are planning to deploy a large setup with 1000 pfSense 'client' boxes connecting - over the internet - to 1 huge pfSense 'server' box in our datacenter. These 1000 Tunnels should be permanently up. Each of these 1000 'client' boxes should have its own 10.x.y.0/24 subnet connecting to the 'server' box. The data transfer should be bi-directional. Our criteria are: ease of configuration, management, and performance.

    Question: Which is recommended: OpenVPN Client on the clients + OpenVPN Server on the server; or IPsec; or anything else?

    Thanks for any input,

    Alfredo.



  • Anybody?



  • I would strongly suggest OpenVPN. I had a setup of 50+ points and never saw a problem; just keep in mind some common-sense stuff,
    such as:
    since this is a large deployment, plan things ahead. I have a long checklist of do's and don'ts for such a large setup.
    If you want any help, let me know.



  • I would go for OpenVPN too, but make sure that you will have enough speed through it for your needs.
    Also, 1 "big server" seems to be a very... questionable decision.



  • We are planning to deploy a large setup with 1000 pfSense 'client' boxes connecting - over the internet - to 1 huge pfSense 'server' box in our datacenter.

    I figure if you plan such a massive deployment, you have funds... use a small portion of those funds to ask for consultancy from one of the pfSense developers.



  • Dear List,

    Yes, lots of things to consider. In the past, we have been advised that "IPsec" has less "overhead" than "OpenVPN" and, as such, would provide better performance. Otherwise, for us, "OpenVPN" seems the better choice.

    ad KOTRz: Is this checklist something you could share with us (PM)? How did you deal with all the subnets? Not just one tunnel network. :-)

    ad pan_2: Haven't had time to test your single-CPU question on our 'big' server.
    https://forum.pfsense.org/index.php?topic=113167.0
    Why do you find one big server questionable? It is fully configured with all thinkable redundancies.

    ad heper: Sure that makes sense. For now, we are still in the 'Research' Phase and just gathering ideas.

    Thanks so kindly,

    Alfredo.
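    The per-site subnet question above (one /24 behind each client box rather than a single tunnel network) is, on a plain OpenVPN server, a matter of two lines per site: a `route` in the server config so the kernel sends that /24 into the tunnel, and an `iroute` in that client's client-config-dir (ccd) file so OpenVPN knows which connected peer owns it; on pfSense those are the server's and the Client Specific Override's "IPv4 Remote Network/s" fields. The script below is an added example for this thread, not code from pfSense or from any poster: it allocates a /24 per site from an assumed 10.0.0.0/8 pool, reserves an assumed 10.0.0.0/22 tunnel network, refuses overlapping subnets, and renders the server.conf lines plus one ccd entry per site. The site names (used as certificate common names) and all address ranges are assumptions.

```python
"""Per-site routing for a many-client OpenVPN server (added illustration).

Each client site owns one /24. For the server to reach it, two things are needed:
  * `route <net> <mask>` in server.conf, so the server kernel sends that /24 into tun;
  * `iroute <net> <mask>` in ccd/<client-common-name>, so OpenVPN knows which
    connected client owns that /24 (OpenVPN's internal routing table).
Client names, the 10.0.0.0/8 pool and the 10.0.0.0/22 tunnel net are assumptions.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

IPv4Net = ipaddress.IPv4Network

# Assumed tunnel (transit) network; with `topology subnet` a /22 has room for 1000+ peers.
TUNNEL_NET: IPv4Net = ipaddress.ip_network("10.0.0.0/22")


def allocate_client_subnets(
    client_names: Iterable[str],
    base: IPv4Net = ipaddress.ip_network("10.0.0.0/8"),
    prefix: int = 24,
    reserved: Iterable[IPv4Net] = (TUNNEL_NET,),
) -> Dict[str, IPv4Net]:
    """Assign one /prefix from `base` to each client, skipping anything overlapping `reserved`."""
    reserved = list(reserved)
    candidates = (s for s in base.subnets(new_prefix=prefix)
                  if not any(s.overlaps(r) for r in reserved))
    allocation: Dict[str, IPv4Net] = {}
    for name in client_names:
        try:
            allocation[name] = next(candidates)
        except StopIteration:
            raise ValueError(f"{base} exhausted before client {name!r}") from None
    return allocation


def check_no_overlap(subnets: Iterable[IPv4Net]) -> None:
    """Raise ValueError if any two subnets overlap: a sorted sweep, O(n log n)."""
    ordered = sorted(subnets, key=lambda n: (int(n.network_address), n.prefixlen))
    highest_seen = -1  # highest address covered by the subnets swept so far
    for net in ordered:
        if int(net.network_address) <= highest_seen:
            raise ValueError(f"subnet {net} overlaps an earlier one")
        highest_seen = max(highest_seen, int(net.broadcast_address))


def ccd_entry(subnet: IPv4Net) -> str:
    """Body of ccd/<common-name>: this client is the gateway for `subnet`."""
    return f"iroute {subnet.network_address} {subnet.netmask}\n"


def render_server_conf(allocation: Dict[str, IPv4Net], tunnel: IPv4Net = TUNNEL_NET) -> str:
    """server.conf fragment: tunnel net, ccd directory, and one kernel route per site."""
    check_no_overlap(list(allocation.values()) + [tunnel])
    lines: List[str] = [
        "dev tun",
        "topology subnet",
        f"server {tunnel.network_address} {tunnel.netmask}",
        "client-config-dir ccd",
        "ccd-exclusive",    # a client without a ccd file is refused, not silently left unrouted
        "keepalive 10 60",  # ping every 10 s; a client restarts its tunnel after 60 s of silence
    ]
    for name in sorted(allocation):
        net = allocation[name]
        lines.append(f"# {name}")
        lines.append(f"route {net.network_address} {net.netmask}")
    return "\n".join(lines) + "\n"


def build_site_configs(count: int) -> Tuple[str, Dict[str, str]]:
    """Allocate `count` sites and return (server.conf text, {common-name: ccd text})."""
    names = [f"site-{i:04d}" for i in range(1, count + 1)]  # assumed certificate CNs
    allocation = allocate_client_subnets(names)
    ccd_files = {name: ccd_entry(net) for name, net in allocation.items()}
    return render_server_conf(allocation), ccd_files


if __name__ == "__main__":
    server_conf, ccd_files = build_site_configs(1000)
    print(server_conf[:300])
    print("site-1000 ->", ccd_files["site-1000"].strip())
```

    Because the tunnel net sits at the start of the pool, the first four /24s are skipped and site-0001 gets 10.0.4.0/24; the thousandth site lands on 10.3.235.0/24. Generating the ccd directory from the same allocation table that produces the `route` lines is what keeps the two from drifting apart as sites are added, which is the main management risk with this many definitions.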



  • I have no clue about the overhead, but there can be a massive difference in performance between IPsec & OpenVPN...

    IPsec on FreeBSD already has support for the AES-NI crypto ciphers (AES-GCM).

    OpenVPN doesn't at this time, but it's confirmed to be available for OpenVPN 2.4 -- no clue when that'll ever be released (https://community.openvpn.net/openvpn/ticket/301).



  • @alfredo:

    ad pan_2: Haven't had time to test your single-CPU question on our 'big' server.
    https://forum.pfsense.org/index.php?topic=113167.0
    Why do you find one big server questionable? It is fully configured with all thinkable redundancies.

    It is still only one server. Need to reboot? No connection. Need to upgrade? No connection. Something broke along the way? No connection. (And to continue: need to update FW on the host server? No connection for an hour. ESX PSODed? No connection. And so on...)
    So I would push for a redundant setup anyway, even if you have only one host server: more room to maneuver. And it is simpler to utilize VM host resources by running multiple instances.

    More so, I doubt the pfSense team ever tested the OpenVPN WebGUI with so many VPN server definitions; there could be some hidden rocks in it.