VPN recommendations



  • Hey

    I'm doing a new pfSense HA setup for our office. Now i need to decide a strategi of the VPN setup.

    We having some users that need to connect from Windows 8 and iPhones to the office via VPN. We also need to have a VPN tunnel to another pfSense remote setup.

    • What are the recommendations for remote client VPN running Windows 8 and iPhones? I like OpenVPN but then the users need to install a VPN client. Therefor i was thinking of using L2TP/IPsec, but is that the best solution?

    • What are the recommendations for a tunnel between two pfSense boxes? OpenVPN or?

    Running pfSense 2.2
    Office setup is 2 x C2758, 16GB ECC with SSD.
    Remote setup is 2 x Dell R420, E5-2440 v2, 32 GB ECC

    /Jacob


  • Netgate

    I would use OpenVPN.  All the flexibility is worth needing client software on the device, IMHO.



  • I'd suggest OpenVPN for user remote access, but not using the server in pfSense and the generic client.  OpenVPN Access Server is idiot-proof (admin & user) and dirt-cheap.



  • Site2Site is traditionally IPSecs business. You could try tinc, it's really cool.
    For end users, I tend to use OpenVPN because it's no hassle to install at all. But there are other cool solutions on the rise, waiting to be audited and to be proven. I particularly like the concept of SigmaVPN, utilising djbs NaCl for secure encryption at blazing fast speeds.

    In the case of OpenBSD, I also tried to deploy IPSec for end users and it did work well, too. (However, IPSec on OpenBSD is foolproof to install. I did not fiddle things out  on pfsense) If you look out for papers, IPSec is superior to all other VPNs in terms of speed, jitter and performance on bad network conditions. It has very little overhead, too. That comes in handy if you're working on the go using 3G and you used all your high speed data on your mobile plan - while OpenVPN tends to fuck the whole situation up (No productive work possible on RDP, ssh seriously delayed in comparison to IPSec), IPSec performs pretty well.

    I'm however continuing testing. Hope I could help.