Hey there

I am trying to choose SSL VPN for a remote office 3-4 people max each any given time.

I have looked at Pulse and Cisco, and wanted to check in here for recommendations on latest trends.

Trying to get a solution easy to manage and won’t break the bank with licenses when team grows to 10.

Thanks in advance.

Mehmet

--
Mehmet
+1-424-298-1903
sophos utm vm can't beat that

Sent from my iPod

On 1 Jun 2019, at 15:53, Mehmet Akcin <mehmet@akcin.net> wrote:

> Hey there
>
> I am trying to choose SSL VPN for a remote office 3-4 people max each any given time.
>
> I have looked at Pulse and Cisco, and wanted to check in here for recommendations on latest trends.
>
> Trying to get a solution easy to manage and won’t break the bank with licenses when team grows to 10.
>
> Thanks in advance.
>
> Mehmet
A solution based upon SSTP?

Have used SSTP on Mikrotik gear in the past. Works well once setup is done.
https://wiki.mikrotik.com/wiki/Manual:Interface/SSTP

*Windows does, e.g., have built-in support for SSTP-based VPN solutions.

Christoffer
I've used Pulse and AnyConnect (as a user) and Windows-based SSTP (as an admin). They all worked well. The nice part about the Windows option is that it's cheap (you only need to pay for a Windows license).

On Sat, Jun 1, 2019, 12:53 PM Hansen, Christoffer <christoffer@netravnen.de> wrote:

> A solution based upon SSTP?
>
> Have used SSTP on Mikrotik gear in the past. Works well once setup is done.
> https://wiki.mikrotik.com/wiki/Manual:Interface/SSTP
>
> *Windows does, e.g., have built-in support for SSTP-based VPN solutions.
>
> Christoffer
OpenVPN AS?

I’ve been running it for ~20 users for many years — it just works, has clients for many OSes, etc.

W

On Sat, Jun 1, 2019 at 10:54 AM Mehmet Akcin <mehmet@akcin.net> wrote:

> Hey there
>
> I am trying to choose SSL VPN for a remote office 3-4 people max each any given time.
>
> I have looked at Pulse and Cisco, and wanted to check in here for recommendations on latest trends.
>
> Trying to get a solution easy to manage and won’t break the bank with licenses when team grows to 10.
>
> Thanks in advance.
>
> Mehmet

--
I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
---maf
I've used that too. I found the admin interface to be pretty unintuitive. And it kicks all active sessions without warning when you make a config change.

On Sat, Jun 1, 2019, 2:32 PM Warren Kumari <warren@kumari.net> wrote:

> OpenVPN AS?
>
> I’ve been running it for ~20 users for many years — it just works, has clients for many OSes, etc.
>
> W
>
> On Sat, Jun 1, 2019 at 10:54 AM Mehmet Akcin <mehmet@akcin.net> wrote:
>
> > Hey there
> >
> > I am trying to choose SSL VPN for a remote office 3-4 people max each any given time.
> >
> > I have looked at Pulse and Cisco, and wanted to check in here for recommendations on latest trends.
> >
> > Trying to get a solution easy to manage and won’t break the bank with licenses when team grows to 10.
> >
> > Thanks in advance.
> >
> > Mehmet
There is always the open source server/client ocserv. Server is compatible with Pulse and Cisco clients; the ocserv client is compatible with Pulse and Cisco servers as well.

Sent from my iPhone

On Jun 1, 2019, at 1:10 PM, Ross Tajvar <ross@tajvar.io> wrote:

> I've used that too. I found the admin interface to be pretty unintuitive. And it kicks all active sessions without warning when you make a config change.
>
> On Sat, Jun 1, 2019, 2:32 PM Warren Kumari <warren@kumari.net> wrote:
>
> > OpenVPN AS?
> >
> > I’ve been running it for ~20 users for many years — it just works, has clients for many OSes, etc.
> >
> > W
> >
> > On Sat, Jun 1, 2019 at 10:54 AM Mehmet Akcin <mehmet@akcin.net> wrote:
> >
> > > Hey there
> > >
> > > I am trying to choose SSL VPN for a remote office 3-4 people max each any given time.
> > >
> > > I have looked at Pulse and Cisco, and wanted to check in here for recommendations on latest trends.
> > >
> > > Trying to get a solution easy to manage and won’t break the bank with licenses when team grows to 10.
> > >
> > > Thanks in advance.
> > >
> > > Mehmet
On 1/Jun/19 16:53, Mehmet Akcin wrote:

> Hey there
>
> I am trying to choose SSL VPN for a remote office 3-4 people max each any given time.
>
> I have looked at Pulse and Cisco, and wanted to check in here for recommendations on latest trends.
>
> Trying to get a solution easy to manage and won’t break the bank with licenses when team grows to 10.
>
> Thanks in advance.

OpenVPN in pfSense?

We run tons of these around the world.

Mark.
On Thu, Jun 13, 2019 at 12:59 PM Mark Tinka <mark.tinka@seacom.mu> wrote:

> OpenVPN in pfSense?
>
> We run tons of these around the world.
>
> Mark.

With the client config generator package, "openvpn-client-export", installed, this is imho the best option for an end-user VPN. pfSense has a much nicer UI than OpenVPN AS, and that UI also supports other things you might need (like routing protocols via bird or quagga, managing the firewall, etc.) as well. I can't see any reason to pay money for OpenVPN AS when you compare it to what you get for free with pfSense. The NetGate pfSense appliances are quite nicely spec'd, too, if you just have cash burning a hole in your pocket.

It also easily ties in OpenVPN authentication to RADIUS or LDAP, and getting it working with Active Directory on the backend is trivially simple.
Just wondering, is the client export actually tied to the logged-in user, or can every user download all other VPN profiles (which hopefully are of little use as credentials are likely unknown)? It used to be that way; would be nice if it is tied to just the logged-in user.

Cheers,
Jasper

On 13-06-19 20:06, Matt Harris wrote:

> On Thu, Jun 13, 2019 at 12:59 PM Mark Tinka <mark.tinka@seacom.mu> wrote:
>
> > OpenVPN in pfSense?
> >
> > We run tons of these around the world.
> >
> > Mark.
>
> With the client config generator package, "openvpn-client-export", installed, this is imho the best option for an end-user VPN. pfSense has a much nicer UI than OpenVPN AS, and that UI also supports other things you might need (like routing protocols via bird or quagga, managing the firewall, etc.) as well. I can't see any reason to pay money for OpenVPN AS when you compare it to what you get for free with pfSense. The NetGate pfSense appliances are quite nicely spec'd, too, if you just have cash burning a hole in your pocket.
>
> It also easily ties in OpenVPN authentication to RADIUS or LDAP, and getting it working with Active Directory on the backend is trivially simple.
If you are authenticating off RADIUS, the profile then only contains the ta.key pre-auth key, as well as the server certs and settings. So multiple people (or an office) can use a single profile with their unique credentials. I believe this may be susceptible to having the password cached in memory though, as it will auto-reconnect on failure.

The default on the server setups also only allows a single active connection per user. There is a checkbox (in the pfSense server config page) to override this. It’s important to be cognizant of because there’s nothing stopping someone from using the same profile and RADIUS creds on two devices (say a phone and computer), and the behavior they will see is just constant disconnects and reconnects.

On Fri, Jun 14, 2019 at 11:55 AM Jasper Backer <jasper@jbacker.nl> wrote:

> Just wondering, is the client export actually tied to the logged-in user, or can every user download all other VPN profiles (which hopefully are of little use as credentials are likely unknown)? It used to be that way; would be nice if it is tied to just the logged-in user.
>
> Cheers,
> Jasper
>
> On 13-06-19 20:06, Matt Harris wrote:
>
> > On Thu, Jun 13, 2019 at 12:59 PM Mark Tinka <mark.tinka@seacom.mu> wrote:
> >
> > > OpenVPN in pfSense?
> > >
> > > We run tons of these around the world.
> > >
> > > Mark.
> >
> > With the client config generator package, "openvpn-client-export", installed, this is imho the best option for an end-user VPN. pfSense has a much nicer UI than OpenVPN AS, and that UI also supports other things you might need (like routing protocols via bird or quagga, managing the firewall, etc.) as well. I can't see any reason to pay money for OpenVPN AS when you compare it to what you get for free with pfSense. The NetGate pfSense appliances are quite nicely spec'd, too, if you just have cash burning a hole in your pocket.
> >
> > It also easily ties in OpenVPN authentication to RADIUS or LDAP, and getting it working with Active Directory on the backend is trivially simple.
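The exchange above turns on one question a defender should be able to answer for any exported profile: does the file embed per-user secrets, or only the shared ta.key, CA and server settings so that possession alone is worthless without the user's RADIUS/LDAP credentials? The following is an added example, not code from pfSense, openvpn-client-export or the OpenVPN project. It parses the unified .ovpn format (inline `<ca>`, `<cert>`, `<key>`, `<tls-auth>` blocks plus the `remote`, `auth-user-pass` and `key-direction` directives) and classifies the profile; the two sample profiles and their PEM bodies are constructed placeholders, and the HIGH/OK/WARN labels are this script's own.

```python
"""Inspect an exported OpenVPN client profile (.ovpn) and report which
credentials it embeds.  Added example; not pfSense, openvpn-client-export
or OpenVPN project code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Inline blocks a unified .ovpn may carry, and what each one means if the
# file reaches someone other than its intended user.
INLINE_BLOCKS = {
    "ca": "server CA certificate (public; every client needs it)",
    "cert": "client certificate (public, but names one specific user)",
    "key": "client PRIVATE KEY (secret; on its own it authenticates that user)",
    "tls-auth": "ta.key HMAC pre-auth key (shared by every client of the server)",
    "tls-crypt": "control-channel encryption key (shared by every client)",
}

# <name>\n...\n</name>; re.S lets the body span lines.
BLOCK_RE = re.compile(r"<(?P<name>[a-z-]+)>\n(?P<body>.*?)\n</(?P=name)>", re.S)


@dataclass
class ProfileReport:
    remotes: List[str] = field(default_factory=list)
    inline_blocks: Dict[str, str] = field(default_factory=dict)  # name -> body
    uses_user_pass: bool = False          # auth-user-pass directive present
    key_direction: Optional[str] = None   # key-direction value, if given

    @property
    def embeds_private_key(self) -> bool:
        return "key" in self.inline_blocks

    @property
    def shared_only(self) -> bool:
        """True when nothing in the file is specific to one user: only CA,
        ta.key/tls-crypt key and server settings, with the user expected to
        supply RADIUS/LDAP credentials at connect time."""
        return (self.uses_user_pass and not self.embeds_private_key
                and "cert" not in self.inline_blocks)


def parse_profile(text: str) -> ProfileReport:
    report = ProfileReport()
    # Lift inline blocks out first so PEM lines are never read as directives.
    for m in BLOCK_RE.finditer(text):
        report.inline_blocks[m.group("name")] = m.group("body").strip()
    for raw in BLOCK_RE.sub("", text).splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # OpenVPN comment lines
            continue
        parts = line.split()
        if parts[0] == "remote" and len(parts) >= 2:
            report.remotes.append(" ".join(parts[1:]))
        elif parts[0] == "auth-user-pass":
            report.uses_user_pass = True
        elif parts[0] == "key-direction" and len(parts) == 2:
            report.key_direction = parts[1]
    return report


def assess(report: ProfileReport) -> List[str]:
    """Findings for a parsed profile; HIGH/OK/WARN prefixes are this script's own."""
    findings = [f"embeds <{n}>: {INLINE_BLOCKS.get(n, 'unrecognised block')}"
                for n in report.inline_blocks]
    if report.embeds_private_key:
        findings.append("HIGH: private key embedded; whoever holds this file can "
                        "authenticate as that user unless the key is passphrase-protected")
    elif report.shared_only:
        findings.append("OK: profile is shareable; possession alone yields nothing "
                        "without the user's RADIUS/LDAP credentials")
    if "tls-auth" in report.inline_blocks and report.key_direction is None:
        findings.append("WARN: <tls-auth> without key-direction; confirm the server "
                        "uses the same (bidirectional) mode")
    return findings


# Constructed sample profiles; PEM bodies are placeholders, not real material.
SHARED_PROFILE = """\
# constructed: RADIUS-authenticated export, no per-user material
client
dev tun
remote vpn.example.test 1194 udp
auth-user-pass
key-direction 1
<ca>
(constructed placeholder, not a real certificate)
</ca>
<tls-auth>
(constructed placeholder, not a real ta.key)
</tls-auth>
"""

PER_USER_PROFILE = SHARED_PROFILE.replace("auth-user-pass\n", "") + """\
<cert>
(constructed placeholder, not a real certificate)
</cert>
<key>
(constructed placeholder, not a real private key)
</key>
"""
```

Run `assess(parse_profile(open(path).read()))` over the files your export page hands out: the shared-profile case reports OK, the per-user case reports HIGH, which is exactly the distinction Jasper's question and Brielle's answer hinge on. The "single active connection per user" checkbox mentioned above corresponds to OpenVPN's `duplicate-cn` server directive; the parser does not see it because it is a server-side setting, not part of the exported client file.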
The former.

Mark.

On 13/Jun/19 20:25, Jasper Backer wrote:

> Just wondering, is the client export actually tied to the logged-in user, or can every user download all other VPN profiles (which hopefully are of little use as credentials are likely unknown)? It used to be that way; would be nice if it is tied to just the logged-in user.
>
> Cheers,
> Jasper
>
> On 13-06-19 20:06, Matt Harris wrote:
>
> > On Thu, Jun 13, 2019 at 12:59 PM Mark Tinka <mark.tinka@seacom.mu> wrote:
> >
> > > OpenVPN in pfSense?
> > >
> > > We run tons of these around the world.
> > >
> > > Mark.
> >
> > With the client config generator package, "openvpn-client-export", installed, this is imho the best option for an end-user VPN. pfSense has a much nicer UI than OpenVPN AS, and that UI also supports other things you might need (like routing protocols via bird or quagga, managing the firewall, etc.) as well. I can't see any reason to pay money for OpenVPN AS when you compare it to what you get for free with pfSense. The NetGate pfSense appliances are quite nicely spec'd, too, if you just have cash burning a hole in your pocket.
> >
> > It also easily ties in OpenVPN authentication to RADIUS or LDAP, and getting it working with Active Directory on the backend is trivially simple.
On 13/Jun/19 20:06, Matt Harris wrote:

> With the client config generator package, "openvpn-client-export", installed, this is imho the best option for an end-user VPN. pfSense has a much nicer UI than OpenVPN AS, and that UI also supports other things you might need (like routing protocols via bird or quagga, managing the firewall, etc.) as well. I can't see any reason to pay money for OpenVPN AS when you compare it to what you get for free with pfSense. The NetGate pfSense appliances are quite nicely spec'd, too, if you just have cash burning a hole in your pocket.
>
> It also easily ties in OpenVPN authentication to RADIUS or LDAP, and getting it working with Active Directory on the backend is trivially simple.

+1.

Mark.
> OpenVPN in pfSense?

yep

> We run tons of these around the world.

i only do 0.5kg

wireguard, https://www.wireguard.com/, is simpler (always a good thing with security), and has had code looked at by some credible experts.

randy
On Jun 13, 2019, at 2:32 PM, Randy Bush <randy@psg.com> wrote:

> > OpenVPN in pfSense?
>
> yep
>
> > We run tons of these around the world.
>
> i only do 0.5kg
>
> wireguard, https://www.wireguard.com/, is simpler (always a good thing with security), and has had code looked at by some credible experts.

This is the second time I’ve seen WireGuard this past week, and honestly it sounds really promising. I’m probably going to test it out on VyOS since I know it has support, but any word on ASA or JunOS? I.e., is this going to export to hardware since it’s in the kernel already?

> randy
On Thu, Jun 13, 2019 at 6:12 PM Eric Tykwinski <eric-list@truenet.com> wrote:

> This is the second time I’ve seen WireGuard this past week, and honestly it sounds really promising. I’m probably going to test it out on VyOS since I know it has support, but any word on ASA or JunOS? I.e., is this going to export to hardware since it’s in the kernel already?

The kernel? Which kernel?

Given that neither Cisco nor Juniper ever adopted support for running OpenVPN on their platforms, I suspect it's unlikely that they'd adopt support for WireGuard. I would venture that as far as appliance support, the best bet is likely to be NetGate and pfSense, but I think WireGuard is going to have to come out with an "OK, we're comfortable with being considered production-ready" statement first, given that the front page of their website right now still proclaims the opposite. Once that happens - and the ball is largely in WireGuard's court to move that forward - then we should expect to see more mainstream adoption into products like pfSense.
On 14/06/2019 01:11, Eric Tykwinski wrote:

> This is the second time I’ve seen WireGuard this past week, and honestly it sounds really promising. I’m probably going to test it out on VyOS since I know it has support, but any word on ASA or JunOS?

If you want to take VyOS 1.2.x for a test drive with WireGuard VPN, consider OPNsense, too. (If you don't like the distro, then at least for a test drive.) They have also bundled WireGuard support. [0]

Afaik, you can find guides around with how-to-wireguard-package-into-pfsense in best DIY fashion. NetGate is currently holding back with an official WireGuard package for now. [1][2]

Christoffer

[0]: https://docs.opnsense.org/manual/vpnet.html#configuration
[1]: https://forum.netgate.com/topic/132375/installing-wireguard-vpn/40
[2]: https://redmine.pfsense.org/issues/8786
On Jun 13, 2019, at 1:32 PM, Randy Bush <randy@psg.com> wrote:

> > OpenVPN in pfSense?
>
> yep
>
> > We run tons of these around the world.
>
> i only do 0.5kg
>
> wireguard, https://www.wireguard.com/, is simpler (always a good thing with security), and has had code looked at by some credible experts.
>
> randy

Looks like WireGuard has some similarities to ZeroTier. But a big difference is that WireGuard is based on layer 3 while ZeroTier is based on layer 2 and calls itself an "Ethernet switch for planet Earth”.

https://www.zerotier.com

---
Bruce Curtis bruce.curtis@ndsu.edu
Certified NetAnalyst II 701-231-8527
North Dakota State University
+1, and it also supports HA.

Sent from my Samsung Galaxy smartphone.

-------- Original message --------
From: Mark Tinka <mark.tinka@seacom.mu>
Date: 13/06/2019 14:59 (GMT-03:00)
To: nanog@nanog.org
Subject: Re: SSL VPN

On 1/Jun/19 16:53, Mehmet Akcin wrote:

> Hey there
>
> I am trying to choose SSL VPN for a remote office 3-4 people max each any given time.
>
> I have looked at Pulse and Cisco, and wanted to check in here for recommendations on latest trends.
>
> Trying to get a solution easy to manage and won’t break the bank with licenses when team grows to 10.
>
> Thanks in advance.

OpenVPN in pfSense?

We run tons of these around the world.

Mark.
participants (14)

- Brielle
- Colin Johnston
- Curtis, Bruce
- Eric Tykwinski
- Hansen, Christoffer
- Jasper Backer
- Mark Tinka
- Matt Harris
- Mehmet Akcin
- Randy Bush
- Ross Tajvar
- santiago.martinez.uk
- Stephen Cotton
- Warren Kumari