VPN options. Looking to replace PPTP.
I have a pfSense 1.2.2 setup at the office. I also have few IP pools(not NATed) at the farms. Those pools are closed by firewalls to anyone but the office. So what I did until now is give the users a pptp-user to connect to the office and once they did - they had access to the farms too.
Now, from what I understand, PPTP is the least preferred VPN. Looking at the other options I have IPsec and OpenVPN.
As far as I understand, IPsec will not work, unless I configure each and every user's router to passthrough the IPsec (I understand it's mainly has to do with NAT-T, which is not to be seen until 2.0 is released). And even then I am not sure they will be able to access the outside IP pools. Am I right/wrong here?
What about the OpenVPN? Will it be able to provide the described needs. It seems like a lot of hassle to set it up, and I understand I need to do it for each user individually?
Should I just stay with PPTP?
You haven't really said what you actually need, which makes it a challenge to help you ;)
Well, what I need is a VPN for the users to connect to the office and the outside IP pools(farms), i.e. to also get the office IP when conected. And I would've stayed with the PPTP, but I hear it's not that safe and better be replaced with OpenVPN or IPsec.
I would also love it if it was as easy to setup as a pptp client on windows - some small guide to give the users to do at home. From what I've read it's a nightmare for the regular user to setup OpenVPN, unless I'm missing something.
The VPN is basically needed to connect from home as well as from laptops when outside.
So to sum up, I need something simple to setup on client machines and something that would give the client the office IP and give access to the office LAN when connected.
I hope I explained it better now.
PPTP is the no-brainer setup for Windows since it doesn't require any extra software. However neither IPsec or OpenVPN are difficult to set up.
With OpenVPN you have to install the software and then a configuration file, the user's private key and optionally a TA key (for increased security). It's up to you whether you go for bridged (they appear as if they're connected to the LAN directly) or routed (they appear on a separate subnet, allowing you to easily identify VPN hosts).
I didn't quite understand the last part. In what case will I be able to connect from home to the office, so that if I enter from my home PC whatismyip.com I'll see my office external IP?
And regarding OpenVPN, according to this guide http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN it's gonna be hell for users.
Can it be simplified somehow? I understand they'll have to transfer me their generated keys at some point. Right?
Note that the majority of the work (certificate creation) is done by the administrator. You simply supply the config file and key. It should be trivial to ship a script to install those.