I’m really frustrated. Somehow there seems to be some best practice / standard solution for everything but VPNs.
So pretty much everyone online suggests OpenVPN, which, don’t get me wrong, is nice, but I just don’t enjoy the implementation. It is not very well equipped for enterprise use and is a bit fiddly. Also, every business use case costs a lot of money.
Now many times I hear that using your router or firewall systems as VPN makes sense. Unfortunately, those that I have worked with have been absolute garbage. Furthermore, with any higher number of active users, I doubt that it performs well. Am I wrong?
Standalone hardware VPNs have caught my eye as well. I just don’t quite understand the benefits over server-hosted solutions.
I just want native IPsec L2TP! Mac OS, Windows 10, iPhone, and even Android all bring their native IPsec stack with them. Is there an open-source project that offers native IPsec configuration files for all those devices?
My dream software would be one that can connect to LDAP for VPN config creation. Basically, I want the system to make certificates for each user in an LDAP VPN group. Then, users log in to a web interface using their LDAP login (maybe with an additional 2F) and can download their VPN config file that configures their OS’s native IPsec stack. After that, they should only have to toggle a button. Why does every VPN require its own client? Am I thinking about this all wrong?
I often work for small and medium-sized companies that often have a BYOD policy. This is the first time I’m asked to help with a VPN strategy, and I have to say I’m not comfortable consulting on this topic. But I would like to at least know a bit more about the topic.
Odd, I have avoided L2TP/IPsec for over a decade in favour of TLS/SSL-based VPNs for desktop clients, as they are about the only ones that are basically guaranteed not to be blocked at hotels and coffee shops around the world as long as you run them on port 443. I have had to deal with a lot of traveling executives over the years, and IPsec can be blocked at various places, I have found. Especially other company networks, if you have to support roaming IT consultants.
As for hardware vs. software-based solutions: IPsec and SSL are well accelerated on modern general-purpose CPUs; it used to be that appliances provided substantial performance/density advantages due to hardware acceleration.
I have no clear recommendation if you don’t like OpenVPN; it is the go-to cheap option.
I have used Cisco AnyConnect and Palo Alto GlobalProtect mostly.
Edit: clarification of L2TP to L2TP/IPsec for desktop use, as the terms get used loosely sometimes.
These can provision VPN configurations, help enroll users in SCEP to get certificates and remove both certificate and config when users leave.
As for which VPN client/server, I always go with the built-in one if I can, as it takes a variable out of the equation, but if I had to choose a third-party solution I would go with OpenVPN simply because it is the most widely supported.
I wrote Edgewalker, a script to quickly set up an IPsec/IKEv2/MOBIKE and WireGuard server on top of any OpenBSD instance, along with QR code based setup for iDevices and WireGuard. It doesn’t have integration with enterprise directory services and SSO, and there seems to be an entire ecosystem of commercial WireGuard wrappers that offer that and little else.
strongSwan is the big open source IPsec project. I’m sure it supports LDAP but doubt it will auto-provision user certs and such natively. I think it supports L2TP/IPsec too. Have used strongSwan for some time and I like it.
For personal use I prefer WireGuard. Seems like a much simpler VPN overall (UDP-based tunneling with only select cipher suites supported). It does require its own client, though, and I’m not sure if it supports Windows.
pfSense and WireGuard is a great and effective solution, although not native in Windows clients. Always use a firewall as your VPN hub.
For native clients, it’s IPsec that is the standard you’re asking for. It’s hell to set up and debug, but when it works, it’s good. There are, however, different settings across Android, Windows and Macs. And the default settings for IPsec in Windows are horrible. So my advice is to make a PowerShell script that sets correct ciphers etc. on the clients and creates the tunnel. With Win Enterprise you can make that Always-On native. I’m thinking of going down this route myself, so all clients work the same whatever network they’re coming from.
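An added example of the PowerShell approach the previous post describes (this is not the poster’s script; the connection name `Corp-IKEv2` and gateway `vpn.example.com` are placeholders, and machine-certificate authentication is assumed). It creates a native IKEv2 connection on Windows 10 and replaces the built-in IPsec proposal with an explicit one, then reads the stored policy back so the proposal can be checked before the script is handed to users:

```powershell
# Added example, not from the original thread. Run from an elevated PowerShell
# on Windows 10. Placeholders: $ConnectionName and $ServerAddress are assumptions.
$ConnectionName = 'Corp-IKEv2'        # assumption: any connection name
$ServerAddress  = 'vpn.example.com'   # assumption: FQDN of your IKEv2 gateway

# Remove a stale connection of the same name so the script is safe to re-run.
if (Get-VpnConnection -Name $ConnectionName -AllUserConnection -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnectionName -AllUserConnection -Force
}

# Create the connection for all users on the machine.
# MachineCertificate authenticates with a computer certificate chained to a CA
# the gateway trusts; use -AuthenticationMethod Eap if users authenticate with EAP.
Add-VpnConnection -Name $ConnectionName `
    -ServerAddress $ServerAddress `
    -TunnelType IKEv2 `
    -AuthenticationMethod MachineCertificate `
    -EncryptionLevel Required `
    -AllUserConnection `
    -Force

# Override the IKEv2/IPsec proposal. Left alone, the Windows default proposal
# still includes legacy choices such as 3DES, SHA-1 and DH group 2.
# With a GCM cipher the AuthenticationTransformConstants must match it.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -AuthenticationTransformConstants GCMAES256 `
    -CipherTransformConstants GCMAES256 `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA384 `
    -DHGroup ECP384 `
    -PfsGroup ECP384 `
    -AllUserConnection `
    -Force

# Read the stored policy back for review.
(Get-VpnConnection -Name $ConnectionName -AllUserConnection).IPsecCustomPolicy | Format-List
```

The gateway has to offer a matching proposal (AES-256-GCM, SHA-384 PRF, ECP384), otherwise the connection fails on policy mismatch; the same proposal values are what you would carry into an Always On VPN ProfileXML if you move to that later.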
I’ve been running AnyConnect for ages, and it’s been rock solid as far as VPNs go. I’ve used it in small (<50 people) shops to midsize enterprise (2.5k people). We used a variety of MDMs but are now on AirWatch and don’t bind (but sync passwords).
Native options are kinda crappy imho.
We’re deprecating it in favor of Zscaler / a zero trust approach since we now have a more distributed workforce. You can have self-enrollment essentially with or without MDM.
I read your entire post, and why would you want L2TP? I get your point about most OSes not having great VPN stacks natively, but that’s due to a wildly diverse way to implement VPN. Everyone has their own take on it.
Thanks!!! I honestly didn’t know that there is such an issue with L2TP. Is there a specific TLS/SSL standard that is most widely supported or does this entail proprietary solutions?
Edit: Also, considering the hardware implications back in the day, I understand why there are still so many standalone hardware solutions.
I am so surprised that everyone says it is so antiquated. When reading Windows 10 and Mac OS documentation, it sounds like a native IPsec stack with L2TP is the standard way to go. Might be upselling their own product/technology, now that I think about it.
Yeah, I was thinking SSTP is quite nice. Especially since you have to do the entire certificate management centrally anyways. This, btw., is a huge problem with a BYOD policy, since certificate management on non-domain devices is pretty much your end. Also, unfortunately, no support beyond Windows as far as I understood.
I love me some WireGuard, but it is absolutely not ready to roll out as an enterprise VPN solution. It’s a technology enabler, but you need some sort of system around it to manage keys and configuration.
Would second WireGuard, though the Windows implementation is currently in user-space. There are a few projects trying to add an identity management layer on top of it (self-promo for us: https://github.com/firezone/firezone).