Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    VPN Setup

    General pfSense Questions
    3
    4
    507
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      DavidAdl last edited by

      Hello All,

      I'm looking to setup a secure VPN with machine/certificate authentication and would like a bit of guidance please. Ideally I'm looking to set it up with the following considerations in mind:

      • VPN server running in pfSense

      • Secure as possible without majorly compromising speed, reliability or usability

      • As I said machine/certificate authentication, then username and password

      • Ideally being able to connect using the built in VPN client on Windows 8.1 and 10

      I know people will recommend OpenVPN, but at this stage I'd prefer using a technology supported natively in Windows 8.1 and 10. In the past I've setup L2TP/IPSEC VPNs with preshared key, but I'd rather certificate instead of preshared key and I'm not sure whether L2TP/IPSEC is still the way to go these days.

      Thanks in advance!

      1 Reply Last reply Reply Quote 0
      • Derelict
        Derelict LAYER 8 Netgate last edited by

        No. L2TP is not the way to go. IKEv2 is.

        In my opinion OpenVPN is the best option available for most mobile VPN circumstances.

        There is a reason the "other guys" all offer apps to get IPsec working right in Windows.

        Use IKEv2 and do the research necessary to determine what is required on every different windows version and update (think creators update) to make Windows do what you want using the "built-in" IPsec.

        I'm not even sure Windows will do cert + user/password authentication on IKEv2 using the built-in client. All I have to look at right here is a Mac and its IKEv2 client has Certificate or Username authentication. Not both.

        OpenVPN can be configured to require TLS key + Certificate + Username/password in about 5 minutes. The free (!) OpenVPN Client exporter will create an installer that includes everything you need to get a Windows 8 or 10 client up in pretty much zero time. And if you introduce android/ios/mac clients they will work too. Free. Though you might want to spring for the Viscosity client on the Mac if your time is worth anything to you and you or your users enjoy using polished-up software.

        Chattanooga, Tennessee, USA
        The pfSense Book is free of charge!
        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • R
          robi last edited by

          +1 for OpenVPN. Additionally, the client is now able to run without admin rights, nor needs any third party management-service.

          1 Reply Last reply Reply Quote 0
          • D
            DavidAdl last edited by

            Yes after looking into it some more, I can see it is obvious that OpenVPN is the right way to go.

            Thanks for the replies.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post