[AusNOG] VPN Virtual appliance recommendations

Jonathan Thorpe jthorpe at Conexim.com.au
Tue Nov 3 11:27:39 EST 2015


Hi Ben,

Given the requirement for both IPSEC and OpenVPN, Vyatta sounds like a good idea; however, given the number of subscribers, there are a few challenges with authentication/authorisation (and probably throughput of a single machine).


1. Vyatta will allow you to do RADIUS with IKEv2 over L2TP.

2. While Vyatta does OpenVPN, in my experience, it doesn’t provide any meaningful way to centrally manage authentication for a large number of distinct clients.

Given the scale, you probably want to be able to load balance across multiple servers, which means you really need a single source of truth for each one.

With OpenVPN’s small footprint and the likely need to load balance connections, it might be worth rolling your own.  This would enable you to maintain a single store that contains your client certificates (and if necessary, client-specific config in the client-config-dir).

You may also be able to use OpenVPN with RADIUS, allowing you to keep the IPSEC/OpenVPN authentication/authorisation data together.

With this in mind, I believe pfSense provides this functionality as well, but have not tried it in this scenario myself.

Kind Regards,
Jonathan

From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Ben Trigger
Sent: Tuesday, 3 November 2015 10:51 AM
To: ausnog at lists.ausnog.net
Subject: [AusNOG] VPN Virtual appliance recommendations

Hi All,

Just wondering if anyone has recommendations on a virtual appliance (VMWARE / Xen compatible) which can terminate xx000's of roaming clients. Hoping to support ipsec ikeV2 + openVPN. I've been looking at Vyatta, strongswan & openVPN server. Wondering if anyone has experience good or bad to share on these platforms? Or other recommendations?


Many Thanks,

--

Ben Trigger | LivingNetworks

E: btrigger at livingnetworks.com.au