Netgate Discussion Forum

    Recommended method “mobile client connectivity”

    • fundutzi

      Dear All,

      I salute the developers in this community. I am perplexed to grasp how pfSense can be open source.

      Please could you indicate what is the preferred method to serve remote users with VPN access.
      The objective:
      Provide secure VPN access to mobile users (almost always Windows clients) wherever they work from. Typical scenario is:
      {some remote user on some private network} – {Router/ Firewall (NAT)} == {Internet} == {Router (Bridge)} -- {pfsense static public ip} -- {Trusted network with resources(10.1.0.0/24)}

      I see many posts and some pfSense documents to serve remote users with VPN access. Most seem to point at OpenVPN. Since NAT-T had been added, one may consider using IPsec. Yet the pfSense documents indicate options PPTP and L2TP (since v2).

      I fail to find an indication of what the preferred method of implementation is.

      Thank you,

      Regards,

      2.0-Beta5 (i386)- build xxx
      as vmHw 7 always E1000 nics
      on
      VMware ESX 4.x,

      • cmb

        The best varies from one environment to another, as requirements vary. L2TP is a tunneling solution only in 2.0 currently, not the L2TP+IPsec VPN option. PPTP is generally undesirable because GRE has trouble getting through many NAT devices, and can't work at all with some ISPs. We usually see that with 3G providers who assign private IPs to customers and NAT their traffic; they frequently do not NAT GRE at all, and hence PPTP can't function. That's very common in Canada and Australia, and probably elsewhere in the world, though I haven't personally seen or heard of it in the US and Europe. PPTP is also the least secure option.

        In general, I prefer OpenVPN because it causes the least grief on the client side (it's userland based so it won't blue screen your PCs), it causes the least grief with firewalls and/or NAT the clients are behind, it offers the most flexibility for routing, NAT and any other advanced tricks you may need to accomplish, and it works flawlessly (not that the other options don't, they do aside from issues inherent in the protocols being used).

        There is a more comprehensive discussion of this topic in the pfSense book, in the VPN chapter, section "Choosing a VPN solution for your environment", that covers things in much more depth.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.