Best option for a site-to-site VPN?



  • I just set up a new pfSense 2.0rc3 (Netgate Hamakua) at a remote office and these guys want a way to access one of their file servers at the main office. I was thinking of trying to set up a permanent OpenVPN connection for this.

    Is that the "best practice", or should I use another method? I noticed pfSense has numerous tunneling options as well. These are SMB shares on a Windows server. Thanks for any advice.



  • OpenVPN seems to be a good one. I use them regularly and it's pretty rock solid. Look in the wiki if you need instructions.



  • Cool, that's what I was thinking too. Just wanted a little confirmation. Will try to set it up. I've done client-server OpenVPN setups but never a site-to-site. My remote site is a dual-WAN (failover, not round-robin) setup; what will happen to the VPN if the primary WAN goes down? Does pfSense automatically try to re-establish the tunnel over the second gateway?



  • Site-to-site is still client/server. Set the server to be the one that won't change, and the client may connect any way it can. I've never done that, so I'm speculating.
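    As an added illustration of the arrangement described in the reply above (this is not configuration posted by anyone in the thread), here is a minimal OpenVPN peer-to-peer SSL/TLS site-to-site pair: the main office, which has the fixed public address, runs the server side; the dual-WAN remote office runs the client side and may reach the server over whichever WAN is currently up. The hostname, subnets, port, tunnel addresses and file names are assumptions chosen for the example.

```conf
### main office: OpenVPN server side (fixed public address)
### file names, addresses and subnets below are assumptions for this example
dev tun
proto udp
port 1194
tls-server
ca   ca.crt
cert main-office.crt
key  main-office.key
dh   dh2048.pem
tls-auth ta.key 0              # HMAC firewall on the control channel
remote-cert-tls client         # only accept a certificate issued as a client
cipher AES-256-GCM
auth SHA256
ifconfig 10.8.0.1 10.8.0.2     # tunnel endpoints: local, remote
route 192.168.2.0 255.255.255.0   # remote-office LAN, reachable through the tunnel
float                          # keep the session when the peer's source address changes (WAN failover)
keepalive 10 60                # ping every 10 s, restart the tunnel after 60 s of silence
persist-key
persist-tun
verb 3

### remote office: OpenVPN client side (dual-WAN, failover gateway group)
### file names, addresses and subnets below are assumptions for this example
dev tun
proto udp
remote vpn.main-office.example 1194   # assumed DNS name of the main office
nobind                         # let the outgoing WAN choose the source port
resolv-retry infinite          # keep retrying DNS/connect after a WAN outage
tls-client
ca   ca.crt
cert remote-office.crt
key  remote-office.key
tls-auth ta.key 1
remote-cert-tls server         # only accept a certificate issued as a server
cipher AES-256-GCM
auth SHA256
ifconfig 10.8.0.2 10.8.0.1     # tunnel endpoints: local, remote (mirror of the server)
route 192.168.1.0 255.255.255.0   # main-office LAN where the SMB file server lives
keepalive 10 60
persist-key
persist-tun
verb 3
```

    On pfSense the same directives are entered through the VPN > OpenVPN pages ("Peer to Peer (SSL/TLS)" mode, with the far side's LAN in the Remote Network box) rather than as a file; the `keepalive`, `float` and `resolv-retry` lines are what let the client rebuild the tunnel over the second WAN after the first one fails. Once the tunnel is up, the Windows file server still has to allow TCP 445 from the remote-office subnet in its own firewall for the SMB shares to be reachable.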



  • IPsec is what I use for site-to-site with pfSense mostly. I use OpenVPN or PPTP for remote users, depending on the needs of the organizational users.



  • Hmm, curious why you chose IPsec over OpenVPN for site-to-site; could you elaborate at all?



  • IPsec can only be used if you have only one subnet. In other cases you need OpenVPN.



  • Hmm, OK. Well, yes, each site has just one subnet (and they are unique), so that should work, right? Is an IPsec site-to-site connection somehow more durable/faster/easier to set up than OpenVPN? Or, what is the reason you prefer it, out of curiosity?



  • We have OpenVPN site-to-site; one of them is mobile and uses satellite as its primary and 3G as a fallback if they can't get a lock. Works fine and fails over transparently if you set your gateway groups up to fail over rather than load balance.



  • I've run both and I've had much better success with OpenVPN. A lot more reliable from my personal experiences.



  • Thanks again for the advice, guys. Since I have some previous experience with OpenVPN, I think, based on the feedback here, that I'll at least give that a try first.



  • "It depends". There's in depth discussion of the options and the best choice depending on specifics in http://pfsense.org/book which is no different in 2.0.



  • I had about 20 sites using IPsec and changed them all to OpenVPN. It's been much more reliable for me.

    The book is a great investment if you want to go more in depth.



  • As I've replaced hardware firewalls at remote sites with pfSense, I've moved tunnels from IPsec to OpenVPN. Both work well, but for me, every now and then I'd get IPsec tunnels that seemed to get out of sync and refuse to connect for somewhat lengthy periods of time (anywhere from 10 minutes to a couple of hours), to the point that I'd have to reboot both boxes to force a connection. And no numbers to back it up, but OpenVPN tends to feel a little faster than IPsec; it might be the compression that is enabled.

