[AusNOG] VPN Virtual appliance recommendations

Joseph Goldman joe at apcs.com.au
Tue Nov 3 11:39:02 EST 2015


RouterOS (on Routerboard hardware, or on x86 hardware) is pretty 
flexible with config - although I have never read or seen experiences of 
it with VPN clients in that number of connections.

On 03/11/15 11:27, Jonathan Thorpe wrote:
>
> Hi Ben,
>
> Given the requirement for both IPSEC and OpenVPN, Vyatta sounds like a 
> good idea, however given the number of subscribers, there are a few 
> challenges with authentication/authorisation (and probably throughput 
> of a single machine).
>
> 1. Vyatta will allow you to do RADIUS with IKEv2 over L2TP.
>
> 2. While Vyatta does OpenVPN, in my experience, it doesn’t provide any 
> meaningful way to centrally manage authentication for a large number of 
> distinct clients.
>
> Given the scale, you probably want to be able to load balance across 
> multiple servers which means you really need a single source of truth 
> for each one.
>
> With OpenVPN’s small footprint and the likely need to load balance 
> connections, it might be worth rolling your own.  This would enable 
> you to maintain a single store that contains your client certificates 
> (and if necessary, client-specific config in the client-config-dir).
>
> You may also be able to use OpenVPN with RADIUS, allowing you to keep 
> the IPSEC/OpenVPN authentication/authorisation data together.
>
> With this in mind, I believe pfSense provides this functionality as 
> well, but have not tried it in this scenario myself.
>
> Kind Regards,
>
> Jonathan
>
> From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of 
> Ben Trigger
> Sent: Tuesday, 3 November 2015 10:51 AM
> To: ausnog at lists.ausnog.net
> Subject: [AusNOG] VPN Virtual appliance recommendations
>
> Hi All,
>
> Just wondering if anyone has recommendations on a virtual appliance 
> (VMWARE / Xen compatible) which can terminate xx000's of roaming 
> clients. Hoping to support ipsec ikeV2 + openVPN. I've been looking at 
> Vyatta, strongswan & openVPN server. Wondering if anyone has 
> experience good or bad to share on these platforms? Or other 
> recommendations?
>
> Many Thanks,
>
> -- 
>
> Ben Trigger | Living Networks
>
> E: btrigger at livingnetworks.com.au
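
An added example, not part of the original thread: one way to keep the client-config-dir identical across load-balanced OpenVPN servers is to render it from a single inventory and refuse entries that are unsafe as filenames or collide on addresses. The inventory schema, the 10.8.0.0/16 pool, the use of `topology subnet` and the function names are assumptions.

```python
import ipaddress
import re
from pathlib import Path

# Constructed inventory standing in for the single store (hypothetical schema).
INVENTORY = [
    {"cn": "client-0001", "ip": "10.8.0.10", "enabled": True},
    {"cn": "client-0002", "ip": "10.8.0.11", "enabled": False},  # switched off
    {"cn": "../server", "ip": "10.8.0.12", "enabled": True},     # hostile CN
    {"cn": "client-0004", "ip": "10.8.0.10", "enabled": True},   # duplicate IP
    {"cn": "client-0005", "ip": "192.0.2.7", "enabled": True},   # outside pool
]
POOL = ipaddress.ip_network("10.8.0.0/16")  # assumed tunnel subnet
# ccd files are named after the certificate CN, so the CN must be a safe filename.
SAFE_CN = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def render_ccd(inventory, pool=POOL):
    """Return ({cn: file contents}, [(cn, reason)]) for a client-config-dir."""
    files, rejected, used = {}, [], set()
    for entry in inventory:
        cn, ip = entry["cn"], ipaddress.ip_address(entry["ip"])
        if not SAFE_CN.fullmatch(cn):
            rejected.append((cn, "unsafe common name"))
        elif cn in files:
            rejected.append((cn, "duplicate common name"))
        elif ip not in pool:
            rejected.append((cn, "address outside pool"))
        elif ip in used:
            rejected.append((cn, "address already assigned"))
        elif not entry["enabled"]:
            files[cn] = "disable\n"  # OpenVPN refuses connections from this CN
        else:
            used.add(ip)
            # Assumes "topology subnet": fixed address plus the pool netmask.
            files[cn] = f"ifconfig-push {ip} {pool.netmask}\n"
    return files, rejected


def write_ccd(files, directory):
    """Write the rendered files; run with identical input on every server."""
    out = Path(directory)
    out.mkdir(parents=True, exist_ok=True)
    for cn, body in files.items():
        (out / cn).write_text(body)
    return sorted(p.name for p in out.iterdir())
```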
