PfSense Site to Site VPN AND Remote Acess Client using IPSec???



  • Can’t seem to find a definite yes to my question. I have had Site to Site working for awhile, but now need a remote client capability as well. I have had a OpenVPN Server working in the past for a single Remote Access Client.

    If this isn’t possible, what combination will work?

    I’m assuming that processing speed will come into play trying to run a Site to Site and a Remote Access server (with AES encryption) on the same instance. I may need to move to a more powerful server on one end.

    Thanks for any help!

    Rob



  • Yes, you can have site to site as one server and remote access for a road warrior on another instance. Servers would have different listening ports and configs. Doing everything in openvpn would probably be easier, but you can have an ipsec instance as well.

    OpenVPN shared key site to site only allows one client per server. SSL TLS site to site allows multiple clients on the same server instance.

    Remote access warriors can share there own config and server.

    You can set up routes or configure it for access across the different tunnels.

    Not sure what hardware you need to satisfy your use case.



  • That’s a great input! I really do appreciate it. Yeah, I’m not sure if my PfSense processor will be able to handle the extra load or not. I don’t really have any huge amounts of sensitive data going between my sites, but I still opted to run high encryption In case I ever step up the sensitive data. The AMD CPU has AES instructions, but I can still see a dramatic increase in CPU use when traffic is passing between sites. This is a HP t620 plus. (Specs: HP Flexible t620 PLUS - tower - GX-420CA 2 GHz 4GB RAM; 16 GB SSD) I am just curious as to what most folks are using for processing a Site to Site and a Remote Access Client using IPSec.



  • @treborjm87

    I'd be curious about this as well...

    I think you need to establish how much throughput/bandwidth you need and how many concurrent user connections you anticipate, etc? (Is this box dedicated to routing and VPN only or more exotic use cases like running VMs, etc)

    I've seen some charts floating around with hardware recommendations based on required throughput here and at the servethehome website.