Small business VPN solution

So I’m supporting about 20 remote workers that have to VPN to our office.

I have 2 OpenVPN servers on 2 ISPs that act as hot-hot VPN servers, so I have licenses for 40 connections.

OpenVPN has “overhauled” their licensing and the cost is more than quadruple what it was when I first started the project.

My question to you guys: what are my modern options? I’m getting away from Cisco, so AnyConnect won’t be on my radar.

I do have a FortiGate NGFW and a MikroTik. I can probably do pfSense, which I know comes with free “OpenVPN”.

WireGuard is pretty light.

Wait, there are license requirements for OpenVPN? I’ve been using it a very long time and had no idea lol.

Since you have a FortiGate you can use FortiClient VPN for free. The free version is unsupported and only offers the basic features to get connected … but it does work, and if you only have 20 users it shouldn’t be much of a headache to support. It’s certainly no AnyConnect though. Make sure you’re specifically downloading the “FortiClient VPN” clients and not the full-blown “FortiClient”, which isn’t what you want. They are different downloads.

The more modern option is to move away from that category of VPN altogether: check out stuff like Perimeter 81, Tailscale and Twingate.

WebSecureNow is suitable for small businesses. It does not impede online operations and respects users’ privacy.

You can use a Barracuda firewall, and it doesn’t require licenses for client-to-site VPN. It is more expensive than a MikroTik but you get a lot more features.

We use L2TP with IPsec on our MikroTiks. It’s simple and just works.

Actually, we have 80-something remote sites that all L2TP back to our core and then distribute the management VLANs via OSPF. We only have a handful of actual “road warriors” (me being one) who use L2TP from their desktops to gain access to the core when out and about.
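For readers weighing the L2TP/IPsec route on RouterOS, the following is an added example (not the poster’s configuration, and not taken from the thread). It assumes an office LAN of 192.168.10.0/24 with the RDP hosts on it, a client pool of 10.98.0.0/24, a DNS server at 192.168.10.5 and an optional RADIUS server at 192.168.10.20; all of these addresses, the user name and the secrets are placeholders. It shows the two points a practitioner cares about here: IPsec is made mandatory rather than optional, and L2TP is only accepted when it arrived inside the IPsec tunnel, so a bare-L2TP connection attempt is dropped.

```routeros
# Added example for RouterOS v7 (not from the original post). All addresses,
# names and secrets below are assumptions; replace them before use.

# Address pool and PPP profile handed to every L2TP client
/ip/pool add name=vpn-rw-pool ranges=10.98.0.10-10.98.0.100
/ppp/profile add name=vpn-rw local-address=10.98.0.1 remote-address=vpn-rw-pool use-encryption=required dns-server=192.168.10.5 only-one=yes

# L2TP server: use-ipsec=required refuses clients that do not bring IPsec
/interface/l2tp-server/server set enabled=yes use-ipsec=required ipsec-secret="CHANGE-ME-long-random-psk" default-profile=vpn-rw authentication=mschap2

# A locally defined user (used when RADIUS is not enabled)
/ppp/secret add name=alice password="CHANGE-ME" service=l2tp profile=vpn-rw

# Optional: hand PPP authentication to a RADIUS server instead of /ppp/secret
/radius add service=ppp address=192.168.10.20 secret="CHANGE-ME-radius-secret" timeout=2s
/ppp/aaa set use-radius=yes

# Input chain: accept IKE, NAT-T and ESP; accept L2TP only when it came in through IPsec
/ip/firewall/filter add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKE / NAT-T"
/ip/firewall/filter add chain=input protocol=ipsec-esp action=accept comment="ESP"
/ip/firewall/filter add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept comment="L2TP inside IPsec"
/ip/firewall/filter add chain=input protocol=udp dst-port=1701 action=drop comment="bare L2TP"

# Forward chain: road warriors get RDP to the office LAN and nothing else
/ip/firewall/filter add chain=forward src-address=10.98.0.0/24 dst-address=192.168.10.0/24 protocol=tcp dst-port=3389 action=accept comment="RDP from VPN"
/ip/firewall/filter add chain=forward src-address=10.98.0.0/24 action=drop comment="VPN: deny everything else"
```

Two caveats. RouterOS appends `add` rules at the end of the chain, so on a router that already ends its chains with a drop rule, use `place-before=` to slot these above it or they never match. And the `ipsec-secret` is one pre-shared key shared by every road warrior; a stolen laptop leaks it for all of them, so treat rotating it as part of offboarding, or prefer per-peer keys (WireGuard) or certificate-based IKEv2 where the clients support it.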

WatchGuard firewall appliances come with user VPN support built into them. It works very well and the price is quite reasonable.

You shouldn’t need 40 licenses anymore though. Now it’s only connections in use (and I believe redundant is free). So you could get by with 20 licenses if that’s the max that will connect at once.

If you have a FortiGate you have unlimited licenses on the FortiGate, which can also be integrated with LDAP for even easier management. An even better option is to configure OpenVPN on the MikroTik, since the users are accustomed to using OpenVPN. Both options are totally free and work like a charm. Absolutely NO NEED for extra spending, just a little bit of configuration and you are there.

Twingate might be a good solution for you. Doesn’t require any changes to your existing network hardware and can integrate with IdPs for user management.

Perimeter 81 is also out there, but slightly more difficult to use.

Thanks for the suggestion.

MikroTik actually supports WireGuard, but I don’t think it can do dynamic (client/peer) IP.

Might have to deploy a full-fledged server for it.
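Since the question of WireGuard peers with changing public addresses comes up here, the following is an added example of a road-warrior WireGuard setup on RouterOS v7 (it is not the poster’s configuration and not from the thread). It assumes a tunnel network of 10.99.0.0/24, the office LAN at 192.168.10.0/24, the WAN on ether1 and UDP port 13231; the key strings and peer names are placeholders. The point it illustrates is that a road-warrior peer entry carries no `endpoint-address` at all: the client initiates, the router learns the client’s current public IP and port from each handshake, and the only fixed value is the `allowed-address`, which is the client’s tunnel IP and what the firewall rules key on.

```routeros
# Added example for RouterOS v7 (not from the original post). Addresses, names
# and keys are assumptions. Omit private-key on the interface and RouterOS
# generates one; read the router's public key with /interface/wireguard/print.

/interface/wireguard add name=wg-rw listen-port=13231 comment="road warriors"
/ip/address add address=10.99.0.1/24 interface=wg-rw

# One peer per laptop. No endpoint-address: the client may come from any public
# IP, and the router updates the peer's endpoint from the last valid handshake.
/interface/wireguard/peers add interface=wg-rw public-key="ALICE_LAPTOP_PUBLIC_KEY" allowed-address=10.99.0.2/32 comment="alice-laptop"
/interface/wireguard/peers add interface=wg-rw public-key="BOB_LAPTOP_PUBLIC_KEY" allowed-address=10.99.0.3/32 comment="bob-laptop"

# Input chain: accept WireGuard on the WAN interface only
/ip/firewall/filter add chain=input in-interface=ether1 protocol=udp dst-port=13231 action=accept comment="WireGuard"

# Forward chain: tunnel users get RDP to the office LAN and nothing else
/ip/firewall/filter add chain=forward in-interface=wg-rw dst-address=192.168.10.0/24 protocol=tcp dst-port=3389 action=accept comment="RDP from WireGuard"
/ip/firewall/filter add chain=forward in-interface=wg-rw action=drop comment="WireGuard: deny everything else"
```

On the laptop side the matching wg-quick peer section points `Endpoint` at the router’s public address and port 13231, lists `AllowedIPs = 10.99.0.0/24, 192.168.10.0/24`, and sets `PersistentKeepalive = 25` so the mapping survives the client’s home NAT. Because the client is identified purely by its key, removing the peer entry is the revocation step when a laptop is lost; there is no user database to disable, which is worth remembering if the LDAP integration mentioned elsewhere in the thread matters to you. As with any RouterOS filter, place these rules above any existing final drop (`place-before=`) or they will not be reached.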

There are if you use their “commercial” server and go past 2 concurrent users.

Have you tried WebSecureNow? It’s perfect for small office settings since they have packages for that size.

Thanks for the out-of-the-box suggestions.

I’m not sure these fancy “VPNs” are a fit for what I’m trying to do. I’m just allowing RDP to office machines for security and compliance reasons.

It’s interesting how others are doing remote devs though.

How about your personal info? Do I need to sign up using my credentials or just a pseudonym?

Plus, if you acquire the firewall through a Barracuda MSP partner, it can be had as an ongoing monthly OpEx cost rather than up-front CapEx, which eliminates sticker shock for those not used to how expensive network/firewall/security kit can be.

Thanks for the suggestion.

I never really ventured into IPsec with dynamic client IPs.

I think, based on what I read, MikroTik needs RADIUS vs LDAP for user authentication.

We unfortunately only have LDAP currently.

You’re correct, if I go to the subscription model, which is even higher than the key models.