My company uses RRAS for 2k concurrent connections
I'll just throw out there that Palo doesn’t have user counts on the VPN feature; you get whatever the box is capable of.
We have about 400-500 on a Palo Alto 3220, which works pretty well. Single transfer throughput through the VPN is somewhere between 500-600 Mbit from home.
Client is managed, version can be enforced, we use SAML with cert. Can also do SAML with MFA. Does not easily scale unless you have money or a VM. Or both really.
My current choice as an open source solution that doesn’t seem to be mentioned here is StrongSwan, to allow use of native IPsec IKEv2 on most platforms. We use it with a RADIUS back end and our own PKI; users onboard for a certificate through our own portal and then use that to authenticate, but StrongSwan supports lots of auth methods. We run a pair of servers with DNS round robin deciding which you land on, and keepalived will fail over the IPs if a server fails, so we get an active/active style setup and failover.
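A minimal sketch of the kind of setup described above, added here as an illustration and not the commenter's own configuration: a strongSwan swanctl.conf for a certificate-authenticated IKEv2 road-warrior connection, plus a keepalived VRRP instance that owns the server's public IP so the other node can take it over. File names, hostnames, addresses and certificate names are assumed; the RADIUS back end is left out.

```conf
# /etc/swanctl/conf.d/rw.conf  (hypothetical file name; addresses and
# certificate file names are constructed for this illustration)
connections {
    rw-ikev2 {
        version = 2                      # IKEv2 only, no IKEv1 fallback
        local_addrs = 203.0.113.10       # VIP that keepalived moves between nodes
        proposals = aes256gcm16-sha256-x25519
        pools = rw-pool
        local {
            auth = pubkey
            certs = vpn-server.pem       # server cert issued by the internal PKI
            id = vpn.example.com         # must match a SAN in the server cert
        }
        remote {
            auth = pubkey                # clients present a cert from the same PKI
            cacerts = internal-ca.pem    # only this CA is trusted for client certs
            revocation = strict          # reject clients whose revocation status is unknown
        }
        children {
            corp {
                local_ts = 10.0.0.0/8    # internal networks reachable through the tunnel
                esp_proposals = aes256gcm16-x25519
                rekey_time = 1h
            }
        }
    }
}
pools {
    rw-pool {
        addrs = 10.99.0.0/16             # addresses handed to connecting clients
        dns = 10.0.0.53
    }
}

# /etc/keepalived/keepalived.conf on node A. Node B runs the same block with
# state BACKUP and a lower priority, so the VIP fails over if A dies. For the
# active/active pattern, node B owns a second VIP (its own vrrp_instance, with
# the roles reversed) and DNS round robin lists both VIPs.
vrrp_instance vpn_vip_a {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 150
    advert_int 1
    virtual_ipaddress {
        203.0.113.10/24
    }
}
```

Because the VIP moves between nodes, both servers need the same server certificate and the same CA bundle installed, and any in-flight IKE sessions are re-established by the client after a failover rather than migrated.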
Axis Security, Appgate, or Twingate.
Personally not a fan of legacy firewall-based VPNs any longer.
Try Pritunl; it works great for that number of users and is a lot cheaper than Cisco.
Cloudflare lmao. Off load that hardware haha
I am a big fan of this
I recommend Ivanti Secure.
Rock-solid client VPN, running for several years now.
Supporting 6000 clients
You can use Windows Server as a VPN server… It can do health checks, etc…
You can use Linux as a VPN server
How are you deploying and managing WireGuard profiles for your users?
Any additional info on how this is set up? Did you use any pre-existing packages for this?
Obviously WireGuard is a package. It’s just that the last time I looked at it, it seemed very rigid in terms of user setup, much less an API for MFA via browser to authenticate. Interested in what you’ve done here if you have any setup notes.
I was considering a similar solution some years ago for a StrongSwan-based firewall. Sadly I found out that Windows and Mac did not (at that time) autodetect the captive portal on VPN connections. They do it fine on Ethernet and WiFi, though. And I found captive portals unreliable. There’s TLS everywhere nowadays and HSTS; I can’t just redirect google.com.
Does detection of captive portals happen on VPN too nowadays?
Curious how many concurrent users. I run ASAv 100s on OCI with ~3,000 before performance starts to get shaky.
Once connected to your virtual ASAs in Azure do you have a tunnel back to your on prem?
I can speak for a Zscaler solution. It’s not great, but I like it much more than I do client VPNs like Pulse. You get a lot of management options, your own application-based port controls.
Pros: it’s as lightweight as you want, but can expand to do full packet inspection. Their in-transit DLP is pretty good. Doesn’t expose your entire network in case of breach. User-based policies are nice.
Cons: their customer service is not the best. Their ZIA (full internet traffic) data centers go down much more frequently than I’d like. But we rarely have issues with ZPA service edges.
One worry is that in case of a massive disturbance, Internet may or may not be internationally available, so while cloud based solutions are certainly considered, the inherent risks for cloud applications need to be accounted for. Palo’s solution with Prisma Access and a backup consisting of a local Portal and a set of gateways (likely VM-based) may be an option.
Just dropping in Cisco Secure Access into this. I’ve been part of private and public preview, it’s a promising solution going forward. With VPN headend capabilities as well.
I'll just drop Netskope in as well! Their private access solution is pretty solid and performance is really good! We are currently doing a PoC with them.
You know you can have both in the same solution, right? Cato Networks.