In need of a better VPN solution

The Spyder (2[H]4U), joined Jun 18, 2002, 2,628 messages
We currently use OpenVPN at our office and it is driving my users crazy. I am hoping to either A) give it its own hardware (it is a VM right now supporting 20-30 users) or B) replace it with a hardware solution from Cisco, etc. We have three main VLANs and I will be adding more soon. I need something that will support 30-50 users (maybe 20 max simultaneously) and provide access to specific VLANs. If I can set up OpenVPN to do this, great, but my users are begging for more speed. It chokes now with more than 20 users connected.

Has anyone used OpenVPN for this many users?
What would you guys recommend for alternatives?


My next project is going to be providing VPN access to my management network at two sites. I am thinking two pfSense boxes or ASAs will work nicely.
 

ChRoNo16 ([H]ard|Gawd), joined Feb 3, 2011, 1,493 messages
The only thing I can even guess is pfSense would be cheaper; with ASAs isn't licensing required?
 

The Spyder (2[H]4U), joined Jun 18, 2002, 2,628 messages
Honestly, now that I am a one-man shop for two sites/60 staff, things like licensing and support contracts are my best friend. For the management network, sure, it would probably be fine to use pfSense on a small 1U Atom/Supermicro. But for the main VPN in, I want to know that either A) OpenVPN, if properly configured, will handle 20+ remote desktop sessions/file transfers/whatever my users are doing, or B) if there is a better way to do it through a hardware VPN device?
 

LoStMaTt (2[H]4U), joined Feb 26, 2003, 3,181 messages
I tried out pfsense, messed with OpenVPN and they still weren't solid enough for me.

Hooked up a Cisco ASA 5505 and it hasn't gone down or had any issue since I configured it. Love it.
 

/usr/home (Supreme [H]ardness), joined Mar 18, 2008, 6,160 messages
Cisco ASA. The SSL VPN is phenomenal IMO. Being able to just go to vpn.domainname.com and download the client right from there automatically is awesome. They have a client for Windows, iOS, OS X, and Linux.
 

nitrobass24 ([H]ard|DCer of the Month - December 2009), joined Apr 7, 2006, 10,462 messages
Turn on split tunneling on your OpenVPN.

No sense in having your remote users run their Facebook/YouTube through the VM and chewing up your bandwidth.

Also tomorrow, when you have a bunch of users on, check the VM to see what memory and CPU usage is like. Maybe feeding it more resources will fix the issue.
 

RocketTech (2[H]4U), joined Oct 7, 2009, 2,359 messages
I have an IPsec VPN set up between two offices. The VPN hosts ~20 RDP sessions and some additional network traffic. Both sites run on pfSense 2.0.1, Dell PowerEdge 1750 dual 3 GHz Xeons, 4 GB, and typically the CPU usage is negligible (0-5%). No speed issues.
 

marley1 (Supreme [H]ardness), joined Jul 18, 2000, 5,447 messages
I would imagine getting off something open source and going with a dedicated appliance.

We use Zyxel firewalls and started using the IPsec directly through the firewall. This wouldn't be in your case, but I didn't like the OpenVPN thing, a little too much user interaction.

I started looking at this last year for a smaller site and couldn't find a dedicated solution that wasn't very expensive. Let me know what you find.
 

Valnar (2[H]4U), joined Apr 3, 2001, 3,322 messages
Another vote for a Cisco ASA 5505 just to do VPN. IPsec or AnyConnect (SSL), you'll have your users covered. Plus, the VPN is available on iPhone/iPad and select Android devices.

If you're in the market for a new firewall too, pick up the ASA 5510 and use it for both firewall + VPN.
 

Mackintire (2[H]4U), joined Jun 28, 2004, 2,915 messages
I highly doubt you are referring to the USG line.

Zyxel makes some consumer-grade products that are not too impressive, but the USG line is SMB and enterprise class and has warranties to match.

Or am I wrong and your customer ordered $35,000 of SMB routers? Note: the USG100 sells for $350 each.
 

Langly (Supreme [H]ardness), joined Dec 23, 2002, 4,387 messages
I highly doubt you are referring to the USG line.

Zyxel makes some consumer-grade products that are not too impressive, but the USG line is SMB and enterprise class and has warranties to match.

Or am I wrong and your customer ordered $35,000 of SMB routers? Note: the USG100 sells for $350 each.

I'm referring to Zyxel as a company. The rate of failure we encountered on a consumer line makes me blacklist them. I could care less if their industry-grade products are better; they damned well better be for paying more money. When a company shows how POORLY their quality control is, I don't do business with them anymore. I made the customer cancel the order and ship them all back for their deployment.

OP, go with a beefier pfSense box like mentioned before, or Cisco.
 

obrith (Limp Gawd), joined Jun 11, 2004, 267 messages
I have about 100 OpenVPN dial-up clients (not all connected at once, but often a few dozen on a busy evening), along with 6 P2P OpenVPN links. I'm running them over a CARP cluster on pfSense. They're quad mid-range Xeons with 6 GB of RAM. They average 0-1% use on the active machine. I've got an aggregate 220 Mbps down and 130 Mbps up across 3 circuits.

We use pfSense's built-in user manager for the certificates with Active Directory on top for 2-factor authentication. It takes me about 2 minutes to create a user account, 2 minutes to edit the configuration pfSense spits out to add a backup VPN, and 1 minute to email or hand the user a bundle with instructions and keys with a download link to OpenVPN for Windows clients, Viscosity for Mac clients, and apt-get for Linux clients.

We take advantage of split tunneling so we only see appropriate traffic, but have them use our DNS servers to be able to see/use all of our network we allow.

We have about 4 different "packages" that give users specific access to different departments.

A few hours configuration on your pfSense box and you can have an incredibly robust and easy OpenVPN deployment.
 

YeOldeStonecat ([H]F Junkie), joined Jul 19, 2004, 11,330 messages
We currently use OpenVPN at our office and it is driving my users crazy. I am hoping to either A) give it its own hardware (it is a VM right now supporting 20-30 users) or B) replace it with a hardware solution from Cisco, etc. We have three main VLANs and I will be adding more soon. I need something that will support 30-50 users (maybe 20 max simultaneously) and provide access to specific VLANs. If I can set up OpenVPN to do this, great, but my users are begging for more speed. It chokes now with more than 20 users connected.

Has anyone used OpenVPN for this many users?
What would you guys recommend for alternatives?


My next project is going to be providing VPN access to my management network at two sites. I am thinking two pfSense boxes or ASAs will work nicely.

SSL VPN. Screw clunky VPN software clients for end users, SSL VPN is where it's at...simple browser-based (usually run on top of Java).

Juniper SSL appliance would be my vote...like the SA series
http://www.juniper.net/uk/en/products-services/security/sa-series/

Very reliable
Excellent support
Very fast
Very simple for end users...thus....simple for you to support (which is key)

I love OpenVPN...but for doing site-to-site VPN tunnels. Just as with IPsec clients....for end users, I do_not_want_to_support fat software VPN clients. They've gone the way of the floppy drive, 9-pin serial port, and ISA cards...extinct!

I love pfSense, I love Untangle....and some other open source stuff...and I use them quite a bit. The thing with those though...is the hardware platforms, fast support, fast warranty of parts, replacement parts. It's a critical component of your network...gotta have a good hardware platform to base it on.
 

ToX (Limp Gawd), joined Feb 20, 2008, 210 messages
I'll add another vote for SSL VPN on the ASAs; we have 5520s here and they are solid.
 

Mackintire (2[H]4U), joined Jun 28, 2004, 2,915 messages
OK..... I'm with YeOldeStonecat.

If you have the cash, the Juniper SSL appliance would be a more elegant solution.

Less cash.... ASA 5510

Even less.... Zyxel USG 300 with SSL upgrade (25 concurrent SSL clients max and 200 concurrent IPsec tunnels)

Want to tinker with it? Get pfSense.
 

feffrey (Gawd), joined Oct 26, 2010, 585 messages
SonicWall's SSL-VPN client works well. Just go to a web page and log in, and the client auto-downloads and installs. It is similar to how the Cisco ASA VPN works.
 

The Spyder (2[H]4U), joined Jun 18, 2002, 2,628 messages
Just an FYI, I do not run pfSense right now, anywhere. We have OpenVPN installed on top of CentOS.

I am going to look at the Juniper SSL appliance. I worked with them at my last job and cannot believe I forgot about them. Thanks for the reminder!
 

rocket733 (Limp Gawd), joined May 4, 2006, 268 messages
+1 for the Cisco ASA with the SSL VPN licenses. It works well and as long as your users have local admin you don't need to install anything ahead of time. The new x series looks pretty nice as well.
 

CEpeep (Supreme [H]ardness), joined Oct 23, 2004, 6,061 messages
Using pfSense 2.0's IPsec VPN capability here for 50-70+ simultaneous users and it's working great. We have it running as a VM. We used to use OpenVPN, but it's a pain to manage (especially for the user). pfSense's IPsec implementation is fully compatible with the default IPsec tunneling virtual adapter in Windows (60 seconds to set up) and is fairly easy to set up on Mac and Linux. There's also integration with LDAP or Active Directory for configuring user access.
 

CEpeep (Supreme [H]ardness), joined Oct 23, 2004, 6,061 messages
Our setup is fairly stock. You can get a basic overview on the pfSense wiki article but more in-depth help is in the official pfSense book. We're using an LDAP directory to handle authentication, and it's one of the standard methods for pfSense's built-in auth.

The only major thing to note is that you will want pfSense 2.0 if you are considering using IPsec. pfSense 1.x doesn't support NAT traversal for IPsec, which is a total deal-breaker.
 

randyc (Best Person), joined Jun 17, 2003, 1,574 messages
Another vote here for the SA series from Juniper. Those things rock: ridiculously easy interface for end users, plus some built-in conferencing/screen sharing utilities on top of it.
 

/usr/home (Supreme [H]ardness), joined Mar 18, 2008, 6,160 messages
^ He still needs to buy licenses.

If you go with Cisco, you'd be better off with an ASA than an IOS router IMO.
 