Netgate Discussion Forum

    VPN Setup

    General pfSense Questions
    4 Posts 3 Posters 863 Views
    • DavidAdl

      Hello All,

      I'm looking to set up a secure VPN with machine/certificate authentication and would like a bit of guidance, please. Ideally I'm looking to set it up with the following considerations in mind:

      • VPN server running in pfSense

      • Secure as possible without majorly compromising speed, reliability or usability

      • As I said machine/certificate authentication, then username and password

      • Ideally being able to connect using the built-in VPN client on Windows 8.1 and 10

      I know people will recommend OpenVPN, but at this stage I'd prefer using a technology supported natively in Windows 8.1 and 10. In the past I've set up L2TP/IPsec VPNs with a pre-shared key, but I'd rather use a certificate instead of a pre-shared key, and I'm not sure whether L2TP/IPsec is still the way to go these days.

      Thanks in advance!

      • Derelict (LAYER 8, Netgate)

        No. L2TP is not the way to go. IKEv2 is.

        In my opinion OpenVPN is the best option available for most mobile VPN circumstances.

        There is a reason the "other guys" all offer apps to get IPsec working right in Windows.

        Use IKEv2 and do the research necessary to determine what is required on every different Windows version and update (think Creators Update) to make Windows do what you want using the "built-in" IPsec.

        I'm not even sure Windows will do cert + user/password authentication on IKEv2 using the built-in client. All I have to look at right here is a Mac and its IKEv2 client has Certificate or Username authentication. Not both.

        OpenVPN can be configured to require TLS key + Certificate + Username/password in about 5 minutes. The free (!) OpenVPN Client exporter will create an installer that includes everything you need to get a Windows 8 or 10 client up in pretty much zero time. And if you introduce android/ios/mac clients they will work too. Free. Though you might want to spring for the Viscosity client on the Mac if your time is worth anything to you and you or your users enjoy using polished-up software.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • robi
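The reply above says OpenVPN can be made to require all three layers at once: a shared TLS key, a client certificate, and a username/password. The script below is an added example (not Derelict's code and not pfSense's generated configuration) that audits an OpenVPN server config and a client profile for exactly those layers. The sample configs are constructed; paths, the hostname vpn.example.com and the verify-script name ovpn_auth_verify are placeholders.

```python
"""Audit OpenVPN configs for the three authentication layers:
   1. shared TLS key        (tls-auth / tls-crypt / tls-crypt-v2)
   2. X.509 client cert     (verify-client-cert not set to none/optional)
   3. username/password     (auth-user-pass-verify or an auth plugin)
Example code added to this thread; the configs below are constructed samples."""
import re

# Constructed sample server config in the general shape pfSense writes.
# Paths and the verify script name are placeholders, not real pfSense files.
SERVER_OK = """
dev ovpns1
proto udp4
port 1194
server 10.8.0.0 255.255.255.0
ca /path/to/ca
cert /path/to/server-cert
key /path/to/server-key
dh /path/to/dh-parameters
tls-crypt /path/to/tls-crypt-key
verify-client-cert require
auth-user-pass-verify /path/to/ovpn_auth_verify via-env
remote-cert-tls client
tls-version-min 1.2
"""

# Constructed sample: certificate check disabled and no password verification,
# so only the shared TLS key remains. This is the weak configuration.
SERVER_WEAK = """
dev ovpns1
proto udp4
port 1194
ca /path/to/ca
cert /path/to/server-cert
key /path/to/server-key
tls-auth /path/to/tls-auth-key 0
verify-client-cert none
"""

# Constructed sample client profile with inline <...> blocks (placeholder PEM).
CLIENT_OK = """
client
dev tun
proto udp4
remote vpn.example.com 1194
remote-cert-tls server
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
PLACEHOLDER
</cert>
<key>
PLACEHOLDER
</key>
<tls-crypt>
PLACEHOLDER
</tls-crypt>
"""


def parse_directives(text):
    """Return {directive: [argument-lists]} from an OpenVPN config.
    Inline blocks such as <cert>...</cert> are collapsed to 'cert <inline>'
    so their PEM payload is never mistaken for directives."""
    text = re.sub(r"<([a-z0-9\-]+)>.*?</\1>", r"\1 <inline>", text, flags=re.S)
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment markers
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def server_auth_layers(text):
    """Which of the three layers a server config actually enforces."""
    d = parse_directives(text)
    tls_key = any(k in d for k in ("tls-auth", "tls-crypt", "tls-crypt-v2"))
    # OpenVPN's default for verify-client-cert is 'require'; 'none' and
    # 'optional' (and the legacy client-cert-not-required) weaken it.
    mode = d.get("verify-client-cert", [["require"]])[0][0]
    client_cert = mode == "require" and "client-cert-not-required" not in d
    # A password check needs either the verify script or an auth plugin
    # (e.g. PAM); 'plugin' is treated as sufficient here without inspecting it.
    user_pass = "auth-user-pass-verify" in d or "plugin" in d
    return {"tls_key": tls_key, "client_cert": client_cert, "user_pass": user_pass}


def client_auth_layers(text):
    """Which layers a client profile carries, plus whether it pins the
    server's certificate role/name (guards against connecting to a peer
    that merely holds a client cert from the same CA)."""
    d = parse_directives(text)
    return {
        "tls_key": any(k in d for k in ("tls-auth", "tls-crypt", "tls-crypt-v2")),
        "client_cert": ("cert" in d and "key" in d) or "pkcs12" in d,
        "user_pass": "auth-user-pass" in d,
        "server_cert_check": "remote-cert-tls" in d or "verify-x509-name" in d,
    }


def missing_layers(layers):
    """Names of layers that are not enforced, in a stable order."""
    return [name for name, present in layers.items() if not present]


if __name__ == "__main__":
    for label, cfg in (("server OK", SERVER_OK), ("server WEAK", SERVER_WEAK)):
        print(label, "missing:", missing_layers(server_auth_layers(cfg)))
    print("client OK missing:", missing_layers(client_auth_layers(CLIENT_OK)))
```

Run it against a real exported profile and the server's generated config by replacing the constructed strings; anything listed as missing is a layer the reply above expects to be present.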

          +1 for OpenVPN. Additionally, the client is now able to run without admin rights and no longer needs any third-party management service.

          • DavidAdl

            Yes, after looking into it some more, I can see it is obvious that OpenVPN is the right way to go.

            Thanks for the replies.
