OpenVPN vs IPSec



  • I am needing to create a Site-to-Site VPN.

    There is the main office and between four (4) to six (6) remote locations.

    I only need to allow traffic from the remote sites destined for our internal network - telnet traffic over port 22 and traffic for a VoIP phone. Otherwise the traffic should just go out the end-users Internet connection and not go through the VPN to the main site. Being able to make it telnet and VoIP traffic can run with out lag is also good.

    The ability to have mobile users would be nice too (obviously the phone would not work).

    What would work best? I'm not aware of the technical limitations of OpenVPN and IPSec and how it relates to pfSense.

    Thanks.



  • OpenVPN is less problematic if you are behind NAT or you have dynamic IPs everywhere. It's also more flexible when it comes to routing. However when using IPSEC you can filter traffic inside the  tunnel (not yet possble with IPSEC in pfsense). For site to site I would go with IPSEC but that might just be my personal preference. Maybe easier to setup too.



  • My personal Opinion: OpenVPN.
    Its just easy and you have so many possibilities.

    With IPSEC you can filter (–> you can create firewall rules for the IPSEC-Interface)
    With OpenVPN you cant do that.

    With IPSEC you need on at least one side a static IP.
    OpenVPN can have dynamic IP's on both sides.

    I'm not really sure what the IPSEC implementation on pfSense can do in relation to other implementations, since i dont use it.
    The OpenVPN on pfSense is everything you can find on http://openvpn.net/index.php

    EDIT: As hoba wrote: IPSEC might be the better solution for your site-to-site, and maybe OpenVPN better for your roadwarriors.
    You can mix however you want :)



  • To make sure I understand: if I use OpenVPN I would not be able to route certain types of traffic to through different interfaces (ie: telnet over VPN - otherwise go out the WAN and be like normal)? In which case IPSec would work better in my situation.

    If I use IPSec for Site-to-Site and OpenVPN for road warriors - that's fine by me too.

    If I use IPSec do I have the ability to give it a minimum and maximum about of bandwidth utilization?



  • If you need trafficshaping of the vpn traffic using ipsec is currently the way to go as I know that this will be working with the upcoming shaper changes. OpenVPN shaping is not supported atm, same like filtering inside openvpn tunnels.


Locked