Client VPN for 1000s of users, options?

We’re considering a new client VPN solution that will handle just that: client VPN. We will not use the current firewalls for this, but other firewalls that are tasked with client VPN only may well be a solution. We want to keep this function separate.

I have two questions as part of this:

Q1: Is open source an option and what solutions are available in this area? I know a bit about risks (and advantages) with open source, but please feel free to elaborate!

Q2: What vendors have cost-effective solutions for this? It can be dedicated client VPN or firewalls with a good client VPN implementation that can scale.

Two requirements are MFA (preferably Okta, Google Authenticator or a similar app with broad client support) and an initial scale of 1000 users, expandable to perhaps 10x that on short notice (if Covid decides to make a comeback or some other virus pops up).

We do not require host checking, like if the OS is up to date, patches installed etc., but it can be a plus. We have other means of analysing and mitigating threats. All clients can go in one big VLAN and we do not require roles or RADIUS assigned VLANs (even if I personally think that would be very nice).

I know the question is broad and I’m really only after some example solutions from each sector (open source and vendor-based) that we will evaluate in more depth later.

Let’s leave the flame wars out of the discussion, shall we?

WireGuard controlled by API for 2FA or SSO or whatever. You can use the normal WireGuard client and only allow the client connection if 2FA is solved or any other means. I do this simply by redirecting any web request to a captive portal where they use OTP or 2FA or whatever. As soon as this is done, the client is authorized. All the users have to do is activate WireGuard and open their browser. Tested with over 10k users. It’s all free, scales infinitely and uses basically zero resources on the firewall. Firewalls are configured via RESTCONF API calls for ACL after successful authentication. Access is auto-revoked after {n} time or by other means (like a change of client public IP). WireGuard is configured as an overlay network and access to subnets is granted via access roles, same as for static clients. Basic Zero Trust overlay at zero cost and infinite scale and speed from any client.
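The gate the post above describes, as an added Python example (this is not the poster's code). Every peer may bring the tunnel up, but the gateway only forwards traffic for tunnel addresses that are present in an nftables set; the captive portal hands the user's code to `Gate.authorize()`, and a periodic `sweep()` drops the grant when the lease expires or the peer's endpoint IP changes. Everything below the post's description is an assumption for illustration: the set name `inet vpn authorized` (standing in for the poster's RESTCONF ACL calls), the 8-hour lease, the peer key label `PEER_PUBKEY_1`, and the TOTP seed, which is the RFC 6238 test seed rather than a real user's.

```python
"""Gate WireGuard peers behind a TOTP check, then expire or revoke the grant.

Added example, not the poster's code. Assumed: an nftables set
`inet vpn authorized` of tunnel IPs the gateway forwards for, and a captive
portal that calls Gate.authorize() with the code the user typed.
"""
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

LEASE_SECONDS = 8 * 3600            # the post's "{n} time": re-authenticate every 8h (assumed)
NFT_SET = "inet vpn authorized"     # assumed nftables set of authorized tunnel IPs
MAX_FAILURES = 5                    # brake on guessing a 6-digit code


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as Google Authenticator computes it."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", at // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def verify_totp(secret_b32: str, code: str, at: int, skew_steps: int = 1) -> bool:
    """Accept the current 30s step plus/minus skew_steps of drift; constant-time compare."""
    return any(hmac.compare_digest(totp(secret_b32, at + d * 30), code)
               for d in range(-skew_steps, skew_steps + 1))


@dataclass
class Peer:
    tunnel_ip: str                    # address inside the overlay, e.g. 10.10.0.5
    totp_secret: str                  # per-user base32 seed enrolled out of band
    lease_until: int = 0              # epoch seconds; 0 means not authorized
    public_ip: Optional[str] = None   # endpoint address seen when authorized
    failures: int = 0


class Gate:
    """Maps WireGuard public keys to authorization state and emits firewall changes."""

    def __init__(self, runner: Callable[[str], None]) -> None:
        self.peers: Dict[str, Peer] = {}
        self.run = runner             # e.g. lambda c: subprocess.run(shlex.split(c), check=True)

    def authorize(self, pubkey: str, code: str, public_ip: str, now: int) -> bool:
        peer = self.peers[pubkey]
        if peer.failures >= MAX_FAILURES:      # locked until an admin resets it
            return False
        if not verify_totp(peer.totp_secret, code, now):
            peer.failures += 1
            return False
        peer.failures = 0
        peer.lease_until = now + LEASE_SECONDS
        peer.public_ip = public_ip
        self.run(f"nft add element {NFT_SET} {{ {peer.tunnel_ip} }}")
        return True

    def revoke(self, pubkey: str) -> None:
        peer = self.peers[pubkey]
        if peer.lease_until:
            self.run(f"nft delete element {NFT_SET} {{ {peer.tunnel_ip} }}")
        peer.lease_until = 0
        peer.public_ip = None

    def is_authorized(self, pubkey: str, now: int) -> bool:
        return self.peers[pubkey].lease_until > now

    def sweep(self, now: int, endpoints: Dict[str, str]) -> List[str]:
        """Revoke expired leases and peers whose endpoint moved; returns revoked keys.

        `endpoints` maps pubkey -> current public IP (e.g. parsed from
        `wg show wg0 endpoints`); a peer absent from it is left alone.
        """
        revoked = []
        for pubkey, peer in self.peers.items():
            if not peer.lease_until:
                continue
            moved = endpoints.get(pubkey) not in (None, peer.public_ip)
            if now >= peer.lease_until or moved:
                self.revoke(pubkey)
                revoked.append(pubkey)
        return revoked


def demo() -> List[str]:
    """Constructed walk-through; returns the firewall commands that were issued."""
    issued: List[str] = []
    gate = Gate(issued.append)
    seed = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # RFC 6238 test seed, not a real user's
    gate.peers["PEER_PUBKEY_1"] = Peer("10.10.0.5", seed)               # made-up key label
    t0 = 59
    gate.authorize("PEER_PUBKEY_1", "000000", "198.51.100.7", t0)        # wrong code: denied
    gate.authorize("PEER_PUBKEY_1", totp(seed, t0), "198.51.100.7", t0)  # granted
    gate.sweep(t0 + 600, {"PEER_PUBKEY_1": "198.51.100.7"})              # same IP: kept
    gate.sweep(t0 + 700, {"PEER_PUBKEY_1": "203.0.113.9"})               # roamed: revoked
    return issued


if __name__ == "__main__":
    print("\n".join(demo()))
```

The runner is injected so the same logic can drive `nft`, a RESTCONF client or a test collector; the lockout counter matters because a 6-digit code with a one-step skew window gives an online guesser roughly 3 in 10^6 odds per attempt, which is fine only if attempts are bounded.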

My org is maintaining a pair of ASAv virtual firewalls in Azure that run AnyConnect for us with good results. They use SAML authentication back to Azure AD / Entra ID and MS provides the MFA. Conditional Access rules also apply and provide further security and handle the host checks you mentioned.

These two virtual firewalls are sitting behind an Azure traffic manager that splits load between them. The ASAs themselves can be scaled up based on license level, but you can also deploy more of them if needed to split the load horizontally.

All of this depends on if you’re using cloud or on-prem for the bulk of your resources being accessed.

I have used open-source VPN offerings personally, but not professionally to the point that I’d feel comfortable recommending them.

I’d ask whether you need a VPN in this day and age or could do with a SASE/SSE solution like Zscaler ZPA, Palo Alto Prisma Access, Akamai enterprise access etc. instead. Much better user experience at least for centrally managed devices.

I specialize in remote access VPN for large companies. Two recommendations:

  1. F5 BIG-IP Access Policy Manager (APM) standalone. Physical or virtual appliances sized as needed. Most capable and adaptable of the traditional VPNs. I’ve run this for 400,000 users with up to 100,000 on one (very large) appliance. Better than Cisco, Palo Alto, and others based on firewalls.

  2. AppGate, a ZTNA system that you host yourself using VMs. One of the original ZTNA projects from before they were cool. This is what I would buy if I was starting fresh and did not want to use someone’s cloud (even though you can, anyway).

If you happen to choose good old Cisco, opt for the newer Firepower VPN gateway over the old ASA VPN gateway. Only Firepower has a proper central management tool.

Palo Alto GlobalProtect scales well up to the limits of your firewall. We have 15-20k GlobalProtect users. It does everything on your wish list except open source. If you don’t want to run a big firewall, Prisma Access is the cloud version.

I’ve managed Juniper, Palo Alto and Aruba for this stuff. They all work - but scaling them on a snap isn’t exactly trivial with Juniper or Aruba. Rolling it yourself with a cluster (or two) of PAN firewalls is trivial IMO - better if you have a full Palo Alto firewall shop and integrate all this into the Panorama enterprise manager with UserID working. Then you can see everything.

If you don’t fear OSS, then I’d roll out WireGuard. It’s the clear open-source winner.

We just deployed FortiClient ZTNA for a customer. Not at your scale, this was for 400 users. But they are quite happy with it. They are using Azure integration with MFA tied to that.

NetBird: WireGuard based, self-hosting available (for free), open source, supports MFA and SSO via OIDC (I’m using Keycloak, but Okta should work).

We plan to move to that from OpenVPN Access Server, which is a paid subscription.

A good place to start might be to consider if the traditional VPN concentrator model is actually the architecture you want / need.

Traditional VPNs are having their Blockbuster moment and being generally phased out in favour of ZTNA-aligned solutions, but there are a range of architectures that can deliver modern remote access that’s ZTNA-aligned.

The team at enclave.io has tried to build a directory of vendors and architectures that you might find helpful https://zerotrustnetworkaccess.info/

I’m biased of course (disclosure: founder @ enclave.io) but I’d recommend you investigate overlay networks for this use-case.

Let us know if you find the directory useful.

Good luck

FortiClient might be an okay solution for this, and has some vuln scanning/antivirus features which you can take or leave. I think it’s pretty cheap per seat but obviously means you’d be stuck with FortiGate firewalls. AFAIK you can make VPN profiles that have multiple servers to balance clients across, with a few different methods of balancing, e.g. ping. Just need to keep on top of SSL VPN vulnerabilities.

As for open source, WireGuard is probably where you want to be looking.

My first thought is to look at whatever your current firewall platform is, just for supportability. If your team is as taxed as many that I see, then perhaps seeing what you can do with what you already know is the way to go.

If your team has the bandwidth to integrate another technology, then develop the wishlist of must have features and get that list to your VAR. See if they have any suggestions for you to explore and let them help you with the legwork.

Another option for you is OpenZiti/CloudZiti (the former open source, the latter commercial SaaS).

Ziti makes it easy to embed zero trust networking and SDWAN/SDN principles into anything, any cloud, any device, any host OS, even apps using SDKs. It allows you to connect any private address space to any other private address space with no inbound ports, no VPNs, no public DNS etc.

Regarding the requirements, Ziti has its own identity/PKI; this is the route to doing mTLS, E2EE and authenticate-before-connect, though you can bring your own external X.509 provider (very, very soon any OIDC/SAML provider). It also includes posture checks, including TOTP MFA such as Google Authenticator. Though you do not need it, the posture checks also include checking OS, patches, domain join, MAC address, running executables and more.

My rec would be OpenVPN hosted on either OpenVPN Access Server or pfSense. Authorization can be configured via RADIUS, and many OpenVPN users out there have set up RADIUS Azure sync to push MFA over the Microsoft Authenticator.

Client support for OpenVPN is second only to IPsec, and works amazingly for Windows/Mac/Linux/iOS/Android. Heck, some ASUS routers even allow for OpenVPN clients.

Both options can be entirely self-hosted bare metal, run in VMs, or cloud hosted in AWS/Azure.

Ivanti VPN appliance, formerly Pulse Secure / Juniper. Ivanti should have everything you’re looking for; I think you can download the appliance with a free 2-user license.

You really don’t want to have an open-source solution managing thousands of connections; one bug, a bad firmware update, etc. with no support contract is a disaster.

Palo Alto Prisma Access is pretty good (if costly) and gives you gateway all around the world

Microsoft RRAS supports MFA. I’m not sure about the scaling but I suppose you can have more than one server and do DNS round-robin. RRAS also gives you the option to use more than one protocol: PPTP, L2TP and SSTP.

Would a WireGuard setup which brings you to a login page for user/pass/2FA be an idea?

Only thing I’ve found so far with WireGuard is that managing peer creation isn’t fun. The tools proposed, like an online JavaScript WG config generator... what could go wrong?!
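One way to keep peer creation off a browser-based generator is to produce the keys on the server you control and render both halves of the config from one place. The block below is an added example and not the poster's code or any WireGuard tooling: it carries a pure-Python X25519 (RFC 7748) so it runs with the standard library alone, generates the client keypair and a preshared key, and emits the client `[Interface]`/`[Peer]` file plus the `[Peer]` stanza for the server. The overlay `10.10.0.0/24`, the internal subnets, and the endpoint `vpn.example.com:51820` are placeholders. In production, `wg genkey`, `wg pubkey` and `wg genpsk` (or the `cryptography` package) do the key work.

```python
"""Provision a WireGuard peer locally: keys, preshared key, both config halves.

Added example, not the poster's code. The X25519 below follows RFC 7748 so the
file runs without third-party packages; prefer `wg genkey`/`wg pubkey`/`wg genpsk`
or the `cryptography` package in production.
"""
import base64
import os
from typing import Tuple

P = 2 ** 255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")
OVERLAY = "10.10.0"                       # assumed client overlay /24
INTERNAL = "10.20.0.0/16, 10.30.0.0/16"   # assumed subnets reached through the tunnel
ENDPOINT = "vpn.example.com:51820"        # placeholder gateway endpoint


def _clamp(k: bytes) -> bytes:
    """RFC 7748 scalar clamping; `wg genkey` emits keys in this form."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return bytes(b)


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5; returns k*u as 32 little-endian bytes."""
    k_int = int.from_bytes(_clamp(k), "little")
    ub = bytearray(u)
    ub[31] &= 127                          # ignore the unused top bit of the u-coordinate
    x1 = int.from_bytes(ub, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair() -> Tuple[bytes, bytes]:
    """Fresh (private, public) pair from the OS CSPRNG."""
    priv = _clamp(os.urandom(32))
    return priv, x25519(priv, BASEPOINT)


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def render_peer(name: str, index: int, server_pub: bytes,
                client_priv: bytes, psk: bytes) -> Tuple[str, str]:
    """Return (client config, server [Peer] stanza); `index` picks the tunnel host address."""
    if not 2 <= index <= 254:
        raise ValueError("index must fit the /24 host range")
    tunnel_ip = f"{OVERLAY}.{index}"
    client_pub = x25519(client_priv, BASEPOINT)
    client_conf = (
        "[Interface]\n"
        f"PrivateKey = {b64(client_priv)}\n"
        f"Address = {tunnel_ip}/32\n\n"
        "[Peer]\n"
        f"PublicKey = {b64(server_pub)}\n"
        f"PresharedKey = {b64(psk)}\n"
        f"Endpoint = {ENDPOINT}\n"
        f"AllowedIPs = {OVERLAY}.0/24, {INTERNAL}\n"
        "PersistentKeepalive = 25\n"
    )
    server_stanza = (
        f"# {name}\n[Peer]\n"
        f"PublicKey = {b64(client_pub)}\n"
        f"PresharedKey = {b64(psk)}\n"
        f"AllowedIPs = {tunnel_ip}/32\n"   # server only routes this one address to the peer
    )
    return client_conf, server_stanza


def provision(name: str, index: int, server_pub: bytes) -> Tuple[str, str]:
    """Generate client key material and render both halves for one user."""
    client_priv, _ = keypair()
    return render_peer(name, index, server_pub, client_priv, os.urandom(32))


if __name__ == "__main__":
    _, demo_server_pub = keypair()        # stand-in for the real gateway key
    client_conf, server_stanza = provision("alice", 5, demo_server_pub)
    print(client_conf)
    print(server_stanza)
```

The server-side `AllowedIPs` is the peer's single /32, which is what makes the tunnel address usable as an identity for the firewall rules (cryptokey routing rejects packets from that key with any other source). The client config should be delivered once over an authenticated channel and not kept on the server after handoff.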

Have you looked at Tailscale?

You get Okta, Google, Azure AD out of the box, and I can’t imagine it not scaling to 1000s of client nodes (you might need to read a doc or two to figure out how to partition your nodes into groups, but that’s it probably; e.g. with 100k nodes you should definitely read the docs :) ).

Their pricing says $18/month/user for “Premium Tier”.

If you actually have 1000s of users, you can probably get their sales to demo something for you.

Recently my significant other was telling me that one of her colleagues, who works remotely from home and was having issues, was told by their company IT to ask his home ISP to go back from DS-Lite to IPv4 only because of CGNAT issues. I think they’re on Cisco + Palo Alto and … whatever.

In comparison, Tailscale is great at figuring out NAT and v4/v6 nonsense, and you can run your own DERP relays as containers.

It might not work in privacy-hostile countries, since it uses WireGuard underneath, which can be detected and thus blocked by governments operating “great firewalls”.

Zscaler or whatever Check Point is calling their ZTNA offering… Perimeter 81, I believe. VPNs these days are just open paths right into your network, ripe for exploitation.