Which VPN to use in pfSense based on different use cases
In my case, I like WireGuard for P2P, OpenVPN for remote access, and IPsec for connecting pfSense with other equipment like Cisco that doesn’t support the former two.
Edit. Missed word
So a colleague of mine was experimenting with getting maximum throughput (for P2P) using various VPN protocols and providers. WireGuard was his first choice, but his performance with PIA was not great, so he ended up using Mullvad because they delivered the best throughput and had port forwarding. Now the interesting part was that his performance with pfSense was not great. OPNsense was much better. When he researched it, it was because of differences in the kernel. Just thought I’d share that bit of anecdotal information.
OpenVPN + AD auth + Duo MFA works well for my company!
No mention of the IPSec road warrior type of setup just site to site.
I use ddns without issue.
I’m pretty sure he’s talking about a hub-and-spoke topology where you want your hub to have a dedicated IP, which I would agree with, but generally you don’t need it.
The pfSense WireGuard is kernel-based, whereas the OPNsense one is written in Go and runs in userspace. Kernel-based is faster than userspace, so there are some other factors not being accounted for.
No Radius? You surely must be doing things wrong!
/s
We hardly ever see them anymore, most businesses we consult with are using OpenVPN for that.
I agree. I’m using WireGuard for remote access and I’ve never once looked back to OpenVPN. But I’m curious if there’s benefits to OVPN for remote access…
Don’t get me wrong. On my own phone, I use WireGuard. But deployment is hell for my organization. 400+ users.
The fact that it doesn’t have user/pass authentication is a deal breaker in my organization.
I know Tailscale fixes that, and works great for direct access, but it isn’t consistent when scanning with some tools that I use.
I’m surprised as most devices support IPsec out of the box rather than having to install another client.
Administration and user authentication. In my organization we have 400+ users, and managing that number of public/private keys is hell.
I gave Tailscale a try. But it doesn’t perform as well as WireGuard for applications that scan the remote network.
For direct connections I found no problem.
Btctools
Same here. So much faster at connecting and simply just faster overall.
What kind of tools? What kind of scanning?
That makes sense with that many users. I run mine at home so it’s only me that connects remotely.
What do you use with 400 users?
Btctools. For managing ASICs for crypto mining. I don’t remember how nmap performed across a Tailscale tunnel.
Just the other day someone tried to convince me to use LDAP and RADIUS around OpenVPN to "make it easier" - let that sink in for a while.
At the beginning of the COVID-19 pandemic, I created VPN accounts for everybody, because I didn’t know who was going to work from home, and who didn’t.
Most of the users use the CRM, and engineering / manufacturing software. Also accessing some file repository on a share drive.
The firewall is pfSense running on a machine with a 4-core Xeon, 64 GB RAM and spinning rust. The network card is a dual 10GB fiber in a port channel configuration (LAGG).