Recommended method “mobile client connectivity”

  • Dear All,

    I salute the developers in this community. I am perplexed to grasp how pfSense can be open source.

    Please could you indicate what is the preferred method to serve remote users with VPN access.
    The objective:
    Provide secure VPN access to mobile users (almost always Windows clients) wherever they work from. Typical scenario is:
    {some remote user on some private network} -- {Router/Firewall (NAT)} == {Internet} == {Router (Bridge)} -- {pfSense static public IP} -- {Trusted network with resources}

    I see many posts and some pfSense documents on serving remote users with VPN access. Most seem to point at OpenVPN. Since NAT-T has been added, one may consider using IPsec. Yet the pfSense documents indicate the options PPTP and L2TP (since v2).

    I fail to find an indication of what the preferred method of implementation is.

    Thank you,

  • The best varies from one environment to another, as requirements vary. L2TP is a tunneling solution only in 2.0 currently, not the L2TP+IPsec VPN option. PPTP is generally undesirable because GRE has trouble getting through many NAT devices, and can't work at all with some ISPs. Where we usually see that is with 3G providers who assign private IPs to customers and NAT their traffic; they frequently do not NAT GRE at all, and hence PPTP can't function. That's very common in Canada and Australia, and probably elsewhere in the world, though I haven't personally seen or heard of it in the US and Europe. PPTP is also the least secure option.

    In general, I prefer OpenVPN because it causes the least grief on the client side (it's userland based so it won't blue screen your PCs), it causes the least grief with firewalls and/or NAT the clients are behind, it offers the most flexibility for routing, NAT and any other advanced tricks you may need to accomplish, and it works flawlessly (not that the other options don't, they do aside from issues inherent in the protocols being used).

    There is a more comprehensive discussion of this topic in the pfSense book, in the VPN chapter, section "Choosing a VPN solution for your environment", that covers things in much more depth.