In need of a better VPN solution

The Spyder

We currently use OpenVPN at our office and it is driving my users crazy. I am hoping to either A) give it its own hardware (it is a VM right now supporting 20-30 users) or B) replace it with a hardware solution from Cisco, etc. We have three main VLANs and I will be adding more soon. I need something that will support 30-50 users (maybe 20 max simultaneously) and provide access to specific VLANs. If I can set up OpenVPN to do this, great, but my users are begging for more speed. It chokes now with more than 20 users connected.

Has anyone used OpenVPN for this many users?
What would you guys recommend for alternatives?


My next project is going to be providing VPN access to my management network at two sites. I am thinking two pfSense boxes or ASAs will work nicely.
 
The only thing I can even guess is that pfSense would be cheaper; with ASAs, isn't licensing required?
 
Honestly, now that I am a one-man shop for two sites/60 staff, things like licensing and support contracts are my best friend. For the management network, sure, it would probably be fine to use pfSense on a small 1U Atom/Supermicro. But for the main VPN in, I want to know either A) that OpenVPN, if properly configured, will handle 20+ remote desktop sessions/file transfers/whatever my users are doing, or B) whether there is a better way to do it through a hardware VPN device.
 
I tried out pfsense, messed with OpenVPN and they still weren't solid enough for me.

Hooked up a Cisco ASA 5505 and it hasn't gone down or had any issue since I configured it. Love it.
 
Cisco ASA. The SSL VPN is phenomenal IMO. Being able to just go to vpn.domainname.com and download the client right from there automatically is awesome. They have a client for Windows, iOS, OS X, and Linux.
 
Turn split tunneling on on your OpenVPN server.

No sense in having your remote users run their facebook/youtube through the VM and chewing up your bandwidth.

Also tomorrow, when you have a bunch of users on, check the VM to see what memory and CPU usage is like. Maybe feeding it more resources will fix the issue.
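As an added illustration of the two points above (this is example code, not from the thread or from any poster), the script below audits an OpenVPN server.conf for full-tunnel versus split-tunnel behaviour, lists the routes it pushes, and counts connected clients from the OpenVPN status file so the client count can be lined up against the VM's CPU and memory at the busy hour. The two configs, the subnets and the status-file lines are constructed for the demo; `tunnel_mode`, `pushed_routes` and `connected_clients` are names chosen here, not OpenVPN commands.

```shell
#!/bin/sh
# Added example, not from the thread: audit an OpenVPN server.conf for
# full-tunnel vs split-tunnel behaviour, list what it pushes to clients, and
# count connected clients from the status file so the count can be lined up
# against CPU/memory on the VM. All paths, subnets and status lines below
# are constructed for the demo.

# Strip comment lines (OpenVPN ignores lines beginning with # or ;).
active_lines() {
    grep -Ev '^[[:space:]]*[#;]' "$1"
}

# "full" if clients get redirect-gateway (everything, Facebook included, goes
# through the VPN), "split" if only specific routes are pushed, else "none".
tunnel_mode() {
    if active_lines "$1" | grep -Eq '^[[:space:]]*push[[:space:]]+"?redirect-gateway'; then
        echo full
    elif active_lines "$1" | grep -Eq '^[[:space:]]*push[[:space:]]+"?route[[:space:]]'; then
        echo split
    else
        echo none
    fi
}

# Print each pushed route as "network netmask", one per line.
pushed_routes() {
    active_lines "$1" \
      | sed -n 's/^[[:space:]]*push[[:space:]]*"route[[:space:]]\{1,\}\([^"]*\)".*/\1/p'
}

# Count client rows in an OpenVPN status file (status-version 1 layout:
# client list, then ROUTING TABLE, then GLOBAL STATS).
connected_clients() {
    awk -F, '/^ROUTING TABLE/ {in_list=0}
             in_list && NF >= 5 {n++}
             /^Common Name,Real Address/ {in_list=1}
             END {print n+0}' "$1"
}

# Constructed sample: the full-tunnel shape that pulls remote users' web
# traffic through the office link.
FULL_CONF=$(mktemp)
cat > "$FULL_CONF" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
EOF

# Constructed split-tunnel version: only the three office VLANs ride the
# tunnel; internal DNS is still pushed so office names resolve.
SPLIT_CONF=$(mktemp)
cat > "$SPLIT_CONF" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
# push "redirect-gateway def1"   # disabled: split tunnel
push "route 10.10.0.0 255.255.255.0"
push "route 10.20.0.0 255.255.255.0"
push "route 10.30.0.0 255.255.255.0"
push "dhcp-option DNS 10.10.0.5"
push "dhcp-option DOMAIN corp.example"
EOF

# Constructed status file with two connected clients.
STATUS_FILE=$(mktemp)
cat > "$STATUS_FILE" <<'EOF'
OpenVPN CLIENT LIST
Updated,Mon Jan 16 09:00:00 2012
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.10:51234,1048576,5242880,Mon Jan 16 08:12:00 2012
bob,198.51.100.7:40001,20480,81920,Mon Jan 16 08:40:00 2012
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice,203.0.113.10:51234,Mon Jan 16 08:59:00 2012
10.8.0.10,bob,198.51.100.7:40001,Mon Jan 16 08:58:00 2012
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF

echo "full-tunnel config : $(tunnel_mode "$FULL_CONF")"
echo "split-tunnel config: $(tunnel_mode "$SPLIT_CONF")"
echo "routes pushed in split config:"; pushed_routes "$SPLIT_CONF"
echo "connected clients  : $(connected_clients "$STATUS_FILE")"
```

Run it against the real server.conf and the file named by the `status` directive; if the server reports "full", the remote users' browsing is crossing the office link twice. Keep the DNS push even in split mode, otherwise internal hostnames stop resolving for remote users.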
 
I have an IPSEC VPN set up between two offices. The VPN hosts ~20 RDP sessions and some additional network traffic. Both sites run on pfSense 2.01, Dell PowerEdge 1750 dual 3GHz Xeons, 4GB, and typically the CPU usage is negligible (0-5%). No speed issues.
 
I would imagine getting off something open source and going with a dedicated appliance.

We use Zyxel firewalls and started using the IPsec directly through the firewall. This wouldn't be in your case, but I didn't like the OpenVPN thing; a little too much user interaction.

I started looking at this last year for a smaller site and couldn't find a dedicated solution that wasn't very expensive. Let me know what you find.
 
Another vote for a Cisco ASA5505 just to do VPN. IPSEC or AnyConnect (SSL), you'll have your users covered. Plus, the VPN is available on iPhone/iPad and select Android devices.

If you're in the market for a new firewall too, pick up the ASA 5510 and use it for both firewall + VPN.
 
I highly doubt you are referring to the USG line.

Zyxel makes some consumer grade products that are not too impressive, but the USG line is SMB and Enterprise class and has warranties to match.

Or am I wrong and your customer ordered $35,000 of SMB routers? Note: The USG100 sells for $350 each.
 
I'm referring to Zyxel as a company. The rate of failure we encountered on a consumer line makes me blacklist them. I could care less if their industry-grade products are better; they damned well better be for paying more money. When a company shows how POORLY their quality control is, I don't do business with them anymore. I made the customer cancel the order and ship them all back for their deployment.

OP, go with a beefier pfSense box like mentioned before, or Cisco.
 
I have about 100 OpenVPN dial-up clients (not all connected at once, but often a few dozen on a busy evening), along with 6 P2P OpenVPN links. I'm running them over a CARP cluster on pfSense. They're quad mid-range Xeons with 6GB of ram. They average 0-1% use on the active machine. I've got an aggregate 220mbps down and 130mbps up across 3 circuits.

We use pfSense's built in user manager for the certificates with Active Directory on top for 2-factor authentication. It takes me about 2 minutes to create a user account, 2 minutes to edit the configuration pfSense spits out to add a backup VPN, and 1 minute to email or hand the user a bundle with instructions and keys with a download link to OpenVPN for Windows clients, Viscosity for Mac clients, and apt-get for Linux clients.

We take advantage of split-tunneling so we only see appropriate traffic, but have them use our DNS servers to be able to see/use all of our network we allow.

We have about 4 different "packages" that give users specific access to different departments.

A few hours configuration on your pfSense box and you can have an incredibly robust and easy OpenVPN deployment.
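The "packages" idea in the post above, worked through as an added example (not the poster's configuration, and not pfSense's own tooling): one ccd file per certificate common name gives each user a fixed tunnel address and only the routes for their department, and a set of server-side firewall rules keyed on that address is what actually enforces the access. Pushed routes are only advice to the client; a user can add routes locally, so the filter is the control. The package names, VLAN subnets, tunnel range and user names are constructed for the demo; `iptables` is assumed because the OP's OpenVPN runs on CentOS (on pfSense the equivalent would be pf rules on the OpenVPN interface). It assumes `topology subnet`, `server 10.8.0.0 255.255.255.0` and `client-config-dir ccd` in server.conf.

```shell
#!/bin/sh
# Added example, not from the thread or pfSense: build OpenVPN
# client-config-dir (ccd) files that hand each user a fixed tunnel address and
# only the routes for their department "package", then emit the server-side
# iptables rules that actually enforce it. Pushed routes are advice to the
# client (a user can add their own); the filter is the control.
# Assumptions, constructed for the demo: server.conf has "topology subnet",
# "server 10.8.0.0 255.255.255.0", "client-config-dir ccd"; ccd file names
# equal certificate common names; VLAN subnets as listed in package_routes.

CCD_DIR=$(mktemp -d)

# Map a package name to the VLAN networks (CIDR) it may reach.
package_routes() {
    case "$1" in
        engineering) echo "10.10.0.0/24 10.30.0.0/24" ;;
        finance)     echo "10.20.0.0/24" ;;
        helpdesk)    echo "10.10.0.0/24 10.20.0.0/24 10.30.0.0/24" ;;
        *)           return 1 ;;
    esac
}

# a.b.c.d/NN -> "a.b.c.d dotted-mask", the form OpenVPN's route directive wants.
cidr_to_mask() {
    net=${1%/*}; bits=${1#*/}; mask=""; i=0
    while [ "$i" -lt 4 ]; do
        if [ "$bits" -ge 8 ]; then
            octet=255; bits=$((bits - 8))
        else
            octet=$((256 - (1 << (8 - bits)))); bits=0
        fi
        mask="$mask${mask:+.}$octet"; i=$((i + 1))
    done
    echo "$net $mask"
}

# write_ccd <common_name> <package> <tunnel_ip>
# Fixed tunnel IP so firewall rules can key on it; only the package's routes.
write_ccd() {
    routes=$(package_routes "$2") || { echo "unknown package: $2" >&2; return 1; }
    {
        echo "ifconfig-push $3 255.255.255.0"
        for r in $routes; do
            echo "push \"route $(cidr_to_mask "$r")\""
        done
    } > "$CCD_DIR/$1"
}

# filter_rules <common_name> <package> <tunnel_ip>
# Allow rules for one client; pair with a final "-i tun0 -j DROP" so a client
# that adds its own routes still cannot reach VLANs outside its package.
filter_rules() {
    routes=$(package_routes "$2") || return 1
    for r in $routes; do
        echo "iptables -A FORWARD -i tun0 -s $3 -d $r -m comment --comment \"$1:$2\" -j ACCEPT"
    done
}

# Demo users (constructed).
write_ccd alice engineering 10.8.0.10
write_ccd bob   finance     10.8.0.11
write_ccd carol helpdesk    10.8.0.12

for u in alice bob carol; do
    echo "== ccd/$u"; cat "$CCD_DIR/$u"
done
echo "== firewall"
filter_rules alice engineering 10.8.0.10
filter_rules bob   finance     10.8.0.11
filter_rules carol helpdesk    10.8.0.12
echo "iptables -A FORWARD -i tun0 -j DROP"
```

The per-user address is the piece that makes this hold together: without `ifconfig-push` the tunnel IP changes between sessions and the firewall rules cannot name a user. Regenerating the ccd directory from one mapping file keeps the "2 minutes per account" workflow the post describes while leaving the enforcement on the server.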
 
SSL VPN. Screw clunky VPN software clients for end users, SSL VPN is where it's at...simple browser based (usually run on top of Java).

Juniper SSL appliance would be my vote...like the SA series
http://www.juniper.net/uk/en/products-services/security/sa-series/

Very reliable
Excellent support
Very fast
Very simple for end users...thus....simple for you to support (which is key)

I love OpenVPN...but for doing site to site VPN tunnels. Just as with IPSec clients....for end users, I do_not_want_to_support fat software VPN clients. They've gone the way of the floppy drive, 9 pin serial port, and ISA cards...extinct!

I love PFSense, I love Untangle....and some other open source stuff...and I use them quite a bit. The thing with those though...is the hardware platforms, fast support, fast warranty of parts, replacement parts. It's a critical component of your network...gotta have a good hardware platform to base it on.
 
I'll add another vote for SSL VPN on the ASAs; we have 5520s here and they are solid.
 
OK..... I'm with YeOldeStonecat.

If you have the cash the juniper SSL appliance would be a more elegant solution.

Less cash.... ASA 5510

Even less.... Zyxel USG 300 with SSL upgrade (25 SSL Concurrent clients MAX and 200 concurrent IPSec tunnels)

Want to tinker with it? Get pfSense.
 
SonicWall's SSL-VPN client works well. Just go to a webpage and log in, and the client auto-downloads and installs. It is similar to how the Cisco ASA VPN works.
 
Just an FYI, I do not run pfSense right now, anywhere. We have OpenVPN installed on top of CentOS.

I am going to look at the Juniper SSL appliance. I worked with them at my last job and can not believe I forgot about them. Thanks for the reminder!
 
+1 for the Cisco ASA with the SSL VPN licenses. It works well and as long as your users have local admin you don't need to install anything ahead of time. The new x series looks pretty nice as well.
 
Using pfSense 2.0's IPSEC VPN capability here for 50-70+ simultaneous users and it's working great. We have it running as a VM. We used to use OpenVPN, but it's a pain to manage (especially for the user). pfSense's IPSEC implementation is fully compatible with the default IPSEC tunneling virtual adapter in Windows (60 seconds to set up) and is fairly easy to set up on Mac and Linux. There's also integration with an LDAP or Active Directory for configuring user access.
 
Our setup is fairly stock. You can get a basic overview on the pfSense wiki article but more in-depth help is in the official pfSense book. We're using an LDAP directory to handle authentication, and it's one of the standard methods for pfSense's built-in auth.

The only major thing to note is that you will want pfSense 2.0 if you are considering using IPSEC. pfSense 1.x doesn't support NAT traversal for IPSEC which is a total deal-breaker.
 
Another vote here for the SA series from Juniper. Those things rock - ridiculously easy interface for end users, plus some built in conferencing/screen sharing utilities on top of it.
 
^ He still needs to buy licenses.

If you go with Cisco, you'd be better off with an ASA than an IOS router IMO.
 