I'm looking to set up a secure VPN with machine/certificate authentication and would like a bit of guidance, please. Ideally I'm looking to set it up with the following considerations in mind:
VPN server running in pfSense
Secure as possible without majorly compromising speed, reliability or usability
As I said, machine/certificate authentication, then username and password
Ideally being able to connect using the built in VPN client on Windows 8.1 and 10
I know people will recommend OpenVPN, but at this stage I'd prefer to use a technology supported natively in Windows 8.1 and 10. In the past I've set up L2TP/IPsec VPNs with a pre-shared key, but I'd rather use a certificate instead of a pre-shared key, and I'm not sure whether L2TP/IPsec is still the way to go these days.
Thanks in advance!
No. L2TP is not the way to go. IKEv2 is.
In my opinion OpenVPN is the best option available for most mobile VPN circumstances.
There is a reason the "other guys" all offer apps to get IPsec working right in Windows.
Use IKEv2 and do the research necessary to determine what is required on every different Windows version and update (think Creators Update) to make Windows do what you want using the "built-in" IPsec.
I'm not even sure Windows will do cert + user/password authentication on IKEv2 using the built-in client. All I have to look at right here is a Mac and its IKEv2 client has Certificate or Username authentication. Not both.
OpenVPN can be configured to require TLS key + Certificate + Username/password in about 5 minutes. The free (!) OpenVPN Client exporter will create an installer that includes everything you need to get a Windows 8 or 10 client up in pretty much zero time. And if you introduce android/ios/mac clients they will work too. Free. Though you might want to spring for the Viscosity client on the Mac if your time is worth anything to you and you or your users enjoy using polished-up software.
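For anyone wanting to see what "TLS key + Certificate + Username/password" looks like at the OpenVPN configuration level, here is an added illustration (not from the thread, and not what pfSense literally writes out; pfSense generates its equivalent when you pick the "Remote Access (SSL/TLS + User Auth)" server mode in the GUI). Paths, the `vpn.example.com` hostname, the `10.8.0.0/24` tunnel subnet and the PAM plugin location are assumptions for the example. OpenVPN 2.4 or later is assumed for `tls-crypt`, `verify-client-cert` and `dh none`.

```conf
##### server.conf (assumed layout; pfSense manages this for you) #####
port 1194
proto udp
dev tun

# Layer 1: TLS control-channel key. Packets not carrying a valid HMAC
# under this pre-shared key are dropped before any TLS handshake runs,
# so the server is invisible to scanners and to clients without the key.
# tls-crypt also encrypts the control channel (tls-auth only authenticates it).
tls-crypt /etc/openvpn/tls-crypt.key

# Layer 2: X.509 machine/user certificate issued by your own CA.
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
crl-verify /etc/openvpn/crl.pem       # revoke a lost laptop without re-keying
verify-client-cert require             # refuse connections with no client cert
remote-cert-tls client                 # client cert must carry the "TLS Web Client" EKU,
                                       # so a stolen *server* cert cannot pose as a client

# Layer 3: username/password, checked after the certificate passed.
# Plugin path is an assumption; pfSense calls its own verifier script here.
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so login

# Crypto: ECDHE only (no static DH), TLS 1.2+, AEAD data channel.
dh none
ecdh-curve secp384r1
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA256

server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
verb 3

##### client.ovpn (what the client exporter bundles, minus real key material) #####
client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
# Layer 2 on the client side: require the "TLS Web Server" EKU so a
# compromised *client* cert from the same CA cannot impersonate the server.
remote-cert-tls server
# Layer 3: prompt for username/password at connect time.
auth-user-pass
# Layer 1 + 2 material is embedded inline (placeholders below, paste PEM here).
<ca>
-----BEGIN CERTIFICATE-----
...CA certificate...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...this machine's client certificate...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...this machine's private key...
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
...shared tls-crypt key...
-----END OpenVPN Static key V1-----
</tls-crypt>
```

The two `remote-cert-tls` lines are the check worth double-checking: they only work if the CA issued the server certificate with the server EKU and client certificates with the client EKU (in pfSense's Certificate Manager that is the "Server Certificate" versus "User Certificate" type). Leave them out and any certificate from the CA can stand in for either end. The username/password step runs only after the certificate checks succeed, so a valid password alone never gets a connection.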
+1 for OpenVPN. Additionally, the client is now able to run without admin rights and no longer needs any third-party management service.
Yes, after looking into it some more, I can see it is obvious that OpenVPN is the right way to go.
Thanks for the replies.