VPN recommendations

Jon Massey

Active Member
Nov 11, 2015
Having been away from the coalface of networking for the past 5-6 years I could do with some help on a project which has some VPN requirements. Many years ago in my sysadminning days I used to run L2TP/IPSec and OpenVPN on Smoothwall on generic x86 boxen for site-to-site and remote worker VPNs but I'm not sure what's new/best these days!

We are currently undertaking an animal imaging R&D project where we are placing hardware (main system with IPMI + IPTV camera for general monitoring) on remote farms and need a means of securely managing them remotely.

We currently have a web service for transfer of the data resulting from local processing, have set up a "heartbeat" service to keep an eye on things and are using Teamviewer for remote management. Unfortunately, Teamviewer ain't much good when the box has been turned off (or a brownout caused by the vacuum pumps on the milking machine tripping the UPS into triggering a shutdown!) hence why we're now speccing the boxes with IPMI.

Some questions about how best to securely access IPMI remotely (and HTTPS for the IPTV camera, and FTPS for deploying new software versions) without port forwarding on the remote site firewall have arisen:
  • Protocol?
    • Needs to be NAT-traversing with zero config on client-side firewall
    • Needs to be fairly lightweight/performant
    • Ideally something open so we're not tied to a particular vendor
  • Hardware?
    • Small
    • Easy-to-manage
    • Relatively inexpensive
    • Ideally an "appliance" that doesn't require any buildout
  • Architecture?
    • Bridge into one massive flat L2 network
    • Routing at head office device
    • NAT at client devices
My first thought was to get one of the small Mikrotik routerboards and run OpenVPN site-to-site tunnels back to an Amazon EC2 instance running OpenVPN server, to which the head office could connect using either OpenVPN or IPsec/whatever, since OpenVPN is fairly broadly supported and can punch through domestic NAT router firewalls easily. However, it seems there are some quite serious performance issues with it. SoftEther looks like an interesting prospect for the server but I'm unsure as to what client device support is like.

Any ideas/suggestions?
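As an added example (not from any poster in this thread), here is one way to lay out the hub-and-spoke design asked about above using routing rather than a flat L2 bridge: the EC2 hub runs OpenVPN server, each farm box dials out so its NAT router needs no inbound port, and a per-client ccd file tells the hub which LAN sits behind that farm. File paths, the hostname, the certificate CNs farm01/headoffice and all addresses are assumed placeholders.

```conf
# Hub on EC2: /etc/openvpn/server.conf (assumed path; all addresses are placeholders)
port 1194
proto udp
dev tun                          # routed (layer 3) tunnel, not a bridged flat L2 network
topology subnet
server 10.8.0.0 255.255.255.0    # tunnel addresses handed out to farms and head office
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/hub.crt
key  /etc/openvpn/hub.key
dh   /etc/openvpn/dh.pem
tls-crypt /etc/openvpn/tc.key    # pre-shared key wraps the TLS handshake; unauthenticated probes are dropped
remote-cert-tls client           # accept only certificates issued with client usage
client-config-dir /etc/openvpn/ccd   # per-site options, selected by certificate CN
route 10.101.0.0 255.255.255.0   # kernel route: farm01's LAN (IPMI, camera) lives behind the tunnel
# no client-to-client: office<->farm packets pass through the hub kernel, so the
# hub's FORWARD chain can limit them to the IPMI, HTTPS and FTPS ports
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup

# Hub: /etc/openvpn/ccd/farm01 (file name must equal the CN of farm01's certificate)
iroute 10.101.0.0 255.255.255.0           # internal route: this client owns farm01's LAN
ifconfig-push 10.8.0.101 255.255.255.0    # fixed tunnel address so firewall rules stay stable

# Hub: /etc/openvpn/ccd/headoffice (pushed only to the head-office client)
push "route 10.101.0.0 255.255.255.0"     # head office learns the farm LAN via the hub

# Farm box client config (generic OpenVPN 2.4+ syntax; vendor routers expose the same settings)
client
dev tun
proto udp
remote hub.example.invalid 1194   # outbound only, so no port forward on the farm's NAT router
nobind
resolv-retry infinite
ca   ca.crt
cert farm01.crt
key  farm01.key
tls-crypt tc.key
remote-cert-tls server            # refuse a hub that cannot present a server-usage certificate
persist-key
persist-tun
```

The hub additionally needs IP forwarding enabled and its FORWARD rules written outside this file, and devices on the farm LAN need a return route for 10.8.0.0/24 via the farm box (or the farm box NATs tunnel traffic, the "NAT at client devices" option from the question).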
 

bds1904

Active Member
Aug 30, 2013
Affordable choice with support available: pfSense.

Expensive choices that work and have good support: Juniper, Cisco and SonicWall. Not that I really love any of them, but they work and have good support.

All of the options offer Active Directory integration to make setup easier too.
 

wildchild

Active Member
Feb 4, 2014
Ubiquiti EdgeRouter.
Or build something yourself using VyOS.
The latter is preferred because it will allow you to provision a self-chosen box, and will allow you some freedom.
Downside: very much hands-on.

The first is very usable, small, supports OpenVPN/IPsec, and can be bought for 100 USD for a 5-port PoE version, which may be used for a Ubiquiti camera.
Downside: less freedom.
 

bds1904

Active Member
Aug 30, 2013
Ubiquiti EdgeRouter.
Or build something yourself using VyOS.
The latter is preferred because it will allow you to provision a self-chosen box, and will allow you some freedom.
Downside: very much hands-on.

The first is very usable, small, supports OpenVPN/IPsec, and can be bought for 100 USD for a 5-port PoE version, which may be used for a Ubiquiti camera.
Downside: less freedom.
Just remember that OpenVPN on the EdgeRouter line is not hardware accelerated. Multiple remote workers will max the CPU pretty quickly. IPsec is hardware accelerated.
 

wildchild

Active Member
Feb 4, 2014
Just remember that OpenVPN on the EdgeRouter line is not hardware accelerated. Multiple remote workers will max the CPU pretty quickly. IPsec is hardware accelerated.

Thanks, I wasn't aware of that, although I must admit I rarely use OpenVPN.
Then again, I mostly use Juniper or VyOS, which allows me to add plenty of CPU power :)
 

Jon Massey

Active Member
Nov 11, 2015
Cool, thanks for the suggestions - I'll take a look at the EdgeRouter.

Is the lack of hardware acceleration only a problem with multiple sessions or will it generally be slow? There's only likely going to be one session but there could potentially be a lot of bandwidth, albeit not over the VPN: some sites will have regular sneakernet retrieval of raw image data (c.60GB/day) at regular intervals, but some that are further away and have fast connections (e.g. JANET in a couple of cases!) will be archiving this to B2 as fast as we can manage!

I'm guessing there's no way to use IPsec without configuring the upstream router/firewall?
 

bds1904

Active Member
Aug 30, 2013
OpenVPN on the EdgeRouter will max out around 15Mbit-20Mbit depending on your config. You can use L2TP/IPsec for roaming clients, but it isn't always the easiest to set up on the client side. If I remember correctly, Windows natively supports it. I however cannot remember if L2TP/IPsec is hardware accelerated as of now; that will take some research.

If you plan on doing just site-to-site connections and have static IPs, IPsec is the way to go. If one side does not have statics it can begin to get complicated.

I'm a big fan of a good, fast pfSense box at the site with good upstream and inexpensive clients at the offices, and OpenVPN for the rogue remote worker.

Keep in mind that you can get some good, cheap little pfSense boxes with warranty and support right from the pfSense store. They are perfect for a small set-up and/or remote offices.