[AusNOG] VPN Virtual appliance recommendations
James Hodgkinson
yaleman at ricetek.net
Tue Nov 3 21:53:45 EST 2015
Personally I'd recommend against it, I've tried using it a few different
ways and it's got issues with iOS/OSX clients, and even the people in
the forums/IRC recommend against using it in general for anything but
router-to-router links.
James
On Tue, 3 Nov 2015, at 10:50, Jonathan Thorpe wrote:
> Hi Joseph,
>
> RouterOS is pretty good with OpenVPN, but there’s a major limitation
> with it – at last check, it only supports TCP based connections
> and not (what I would have thought were) the more common UDP. It works,
> but TCP in TCP is bad for performance.
>
> There might be a way to do part of the auth on RouterOS with RADIUS,
> but it still needs a Client Certificate installed on each instance
> of the machine. These can of course be transferred over SSH, but that’s
> a lot to sync.
>
> Kind Regards,
> Jonathan
>
> From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Joseph Goldman
> Sent: Tuesday, 3 November 2015 11:39 AM
> To: ausnog at lists.ausnog.net
> Subject: Re: [AusNOG] VPN Virtual appliance recommendations
>
> RouterOS (on Routerboard hardware, or on x86 hardware) is pretty
> flexible with config - although I have never read or seen experiences
> of it with VPN clients in that number of connections.
> On 03/11/15 11:27, Jonathan Thorpe wrote:
>> Hi Ben,
>>
>> Given the requirement for both IPSEC and OpenVPN, Vyatta sounds like
>> a good idea, however given the number of subscribers, there are
>> a few challenges with authentication/authorisation (and probably
>> throughput of a single machine).
>>
>> 1. Vyatta will allow you to do RADIUS with IKEv2 over L2TP.
>> 2. While Vyatta does OpenVPN, in my experience, it doesn’t provide any
>> meaningful way to centrally manage authentication for a large
>> number of distinct clients.
>>
>> Given the scale, you probably want to be able to load balance across
>> multiple servers, which means you really need a single source of
>> truth for each one.
>>
>> With OpenVPN’s small footprint and the likely need to load balance
>> connections, it might be worth rolling your own. This would enable
>> you to maintain a single store that contains your client certificates
>> (and if necessary, client-specific config in the client-config-dir).
>>
>> You may also be able to use OpenVPN with RADIUS, allowing you to keep
>> the IPSEC/OpenVPN authentication/authorisation data together.
>>
>> With this in mind, I believe pfSense provides this functionality as
>> well, but have not tried it in this scenario myself.
>>
>> Kind Regards,
>> Jonathan
>>
>> From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Ben Trigger
>> Sent: Tuesday, 3 November 2015 10:51 AM
>> To: ausnog at lists.ausnog.net
>> Subject: [AusNOG] VPN Virtual appliance recommendations
>>
>> Hi All,
>>
>> Just wondering if anyone has recommendations on a virtual appliance
>> (VMWARE / Xen compatible) which can terminate xx000's of roaming
>> clients. Hoping to support IPsec IKEv2 + OpenVPN. I've been looking
>> at Vyatta, strongSwan & OpenVPN server.
>> Wondering if anyone has experience good or bad to share on these
>> platforms? Or other recommendations?
>>
>>
>> Many Thanks,
>>
>> --
>> Ben Trigger | Living Networks
>> E: btrigger at livingnetworks.com.au
>>
>> _______________________________________________
>> AusNOG mailing list AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
>
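The thread above argues for one central store of client certificates and per-client settings, with every OpenVPN server's client-config-dir (ccd) generated from it so that load-balanced servers share a single source of truth. The script below is an added example and is not code from any of the posters: it renders ccd entries from a constructed inventory, refuses data that would be unsafe to write out (a CN that is not a plain filename-safe token, a duplicate CN, a duplicate or out-of-pool tunnel address), and compares the rendered set against what a server currently holds so drift can be spotted. The inventory, pool, CN rule and file layout are all assumptions for illustration; the directives assume the server runs with `topology subnet`.

```python
"""Render OpenVPN client-config-dir entries from one central inventory and
detect drift on a server.  Added example; not from the mailing-list thread."""
import ipaddress
import re

# Constructed sample inventory (hypothetical clients, not real data).
INVENTORY = [
    {"cn": "client-0001", "ip": "10.8.0.10", "routes": ["192.168.10.0/24"]},
    {"cn": "client-0002", "ip": "10.8.0.11", "routes": []},
    {"cn": "client-0003", "ip": "10.8.0.12", "routes": ["192.168.20.0/24"],
     "disabled": True},
]

# Assumed tunnel pool; every pushed address must fall inside it.
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")

# The server picks the ccd file by certificate CN.  We only accept CNs that
# are plain filename-safe tokens, so an odd CN can never name another
# client's file or a path outside the directory.  This rule is ours, a
# conservative choice layered on top of whatever the server does itself.
SAFE_CN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


def render_entry(client):
    """Return the text of one ccd file for a single client."""
    if client.get("disabled"):
        # 'disable' rejects the client even while its certificate is valid,
        # which is the quick way to cut one subscriber off fleet-wide.
        return "disable\n"
    ip = ipaddress.ip_address(client["ip"])
    if ip not in VPN_POOL:
        raise ValueError(f"{client['cn']}: {ip} is outside pool {VPN_POOL}")
    # topology subnet: ifconfig-push <address> <netmask>
    lines = [f"ifconfig-push {ip} {VPN_POOL.netmask}"]
    for r in client["routes"]:
        net = ipaddress.ip_network(r)
        # iroute tells the server which subnet sits behind this client.
        lines.append(f"iroute {net.network_address} {net.netmask}")
    return "\n".join(lines) + "\n"


def render_ccd(inventory):
    """Map ccd filename -> file content for the whole inventory.

    Refuses unsafe CNs, duplicate CNs and tunnel addresses assigned to more
    than one active client, so a bad inventory fails before anything is
    written to a server."""
    seen_ips = {}
    out = {}
    for client in inventory:
        cn = client["cn"]
        if not SAFE_CN.match(cn):
            raise ValueError(f"unsafe CN for a ccd filename: {cn!r}")
        if cn in out:
            raise ValueError(f"duplicate CN: {cn}")
        if not client.get("disabled"):
            ip = client["ip"]
            if ip in seen_ips:
                raise ValueError(f"{ip} assigned to both {seen_ips[ip]} and {cn}")
            seen_ips[ip] = cn
        out[cn] = render_entry(client)
    return out


def ccd_drift(expected, on_server):
    """Compare rendered entries with the files a server currently holds.

    Both arguments are dicts of filename -> content.  Returns the sets of
    CNs that are missing on the server, stale (present on the server but
    absent from the inventory) and changed (present in both but different)."""
    missing = set(expected) - set(on_server)
    stale = set(on_server) - set(expected)
    changed = {cn for cn in set(expected) & set(on_server)
               if expected[cn] != on_server[cn]}
    return missing, stale, changed


if __name__ == "__main__":
    rendered = render_ccd(INVENTORY)
    # Constructed snapshot of one server's ccd directory: one entry lost its
    # iroute, and an old client is still present on disk.
    on_server = {
        "client-0001": "ifconfig-push 10.8.0.10 255.255.255.0\n",
        "old-client": "disable\n",
    }
    missing, stale, changed = ccd_drift(rendered, on_server)
    print("missing:", sorted(missing))
    print("stale:  ", sorted(stale))
    print("changed:", sorted(changed))
```

In practice the rendered dict is written to each server's ccd directory from the central store, and the drift check runs against a listing of that directory; a non-empty stale set is the more interesting finding, since it means a server still carries an entry the inventory no longer knows about.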