[AusNOG] VPN Virtual appliance recommendations

Jonathan Thorpe jthorpe at Conexim.com.au
Tue Nov 3 11:50:43 EST 2015


Hi Joseph,

RouterOS is pretty good with OpenVPN, but there’s a major limitation with it – at last check, it only supports TCP-based connections and not (what I would have thought were) the more common UDP. It works, but TCP-in-TCP is bad for performance.

There might be a way to do part of the auth on RouterOS with RADIUS, but it still needs a Client Certificate installed on each instance of the machine. These can of course be transferred over SSH, but that’s a lot to sync.

Kind Regards,
Jonathan



From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Joseph Goldman
Sent: Tuesday, 3 November 2015 11:39 AM
To: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] VPN Virtual appliance recommendations

RouterOS (on Routerboard hardware, or on x86 hardware) is pretty flexible with config - although I have never read or seen experiences of it with VPN clients in that number of connections.
On 03/11/15 11:27, Jonathan Thorpe wrote:
Hi Ben,

Given the requirement for both IPSEC and OpenVPN, Vyatta sounds like a good idea, however given the number of subscribers, there are a few challenges with authentication/authorisation (and probably throughput of a single machine).


1. Vyatta will allow you to do RADIUS with IKEv2 over L2TP.

2. While Vyatta does OpenVPN, in my experience, it doesn’t provide any meaningful way to centrally manage authentication for a large number of distinct clients.

Given the scale, you probably want to be able to load balance across multiple servers which means you really need a single source of truth for each one.

With OpenVPN’s small footprint and the likely need to load balance connections, it might be worth rolling your own. This would enable you to maintain a single store that contains your client certificates (and if necessary, client-specific config in the client-config-dir).

You may also be able to use OpenVPN with RADIUS, allowing you to keep the IPSEC/OpenVPN authentication/authorisation data together.

With this in mind, I believe pfSense provides this functionality as well, but have not tried it in this scenario myself.

Kind Regards,
Jonathan

From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Ben Trigger
Sent: Tuesday, 3 November 2015 10:51 AM
To: ausnog at lists.ausnog.net
Subject: [AusNOG] VPN Virtual appliance recommendations

Hi All,

Just wondering if anyone has recommendations on a virtual appliance (VMware / Xen compatible) which can terminate xx000's of roaming clients. Hoping to support IPsec IKEv2 + OpenVPN. I've been looking at Vyatta, strongSwan & OpenVPN server. Wondering if anyone has experience, good or bad, to share on these platforms? Or other recommendations?


Many Thanks,

--

Ben Trigger | LivingNetworks

E: btrigger at livingnetworks.com.au



