[AusNOG] VPN Virtual appliance recommendations
Russell Brenner
rbrenner at Brocade.com
Tue Nov 3 22:10:33 EST 2015
The Brocade vRouter (née Vyatta, we renamed it about a year ago) definitely supports many, many connections.
I don't know how many active end points we have going at once, but we use vRouter internally to terminate all remote user-based VPNs.
I use Viscosity on my Mac and I believe that's the same client we use on our company issued PCs too. It's trivial to setup on the vRouter and create ovpn profiles that can be imported into Viscosity (or an open source client) is simple too.
Works a treat. At last count there were over 6000 staff worldwide and 5 or 6 end points you can dial into. I can get official stats if you're interested, but I suspect the scale meets where your demand would be.
We also use vRouter to build P2MP IPSec site-site VPNs for all offices worldwide. There's no WAN links with back haul to the HOs in various regions (APJ, EMEA, US etc), just Internet, vRouter and IPSec.
So again, eating our own dog food.
We can discuss the tech stuff and limits on list but if interested in eval or purchase, drop me a line direct.
On Tue, Nov 3, 2015 at 2:54 AM -0800, "James Hodgkinson" <yaleman at ricetek.net<mailto:yaleman at ricetek.net>> wrote:
Personally I'd recommend against it, I've tried using it a few different ways and it's got issues with iOS/OSX clients, and even the people in the forums/IRC recommend against using it in general for anything but router-to-router links.
James
On Tue, 3 Nov 2015, at 10:50, Jonathan Thorpe wrote:
Hi Joseph,
RouterOS is pretty good with OpenVPN, but there's a major limitation with it - at last check, it only supports TCP based connections and not (what I would have thought were) the more common UDP. It works, but TCP in TCP is bad for performance.
There might be a way to do part of the auth on RouterOS with RADIUS, but it still needs a Client Certificate installed on each instance of the machine. These can of course be transferred over SSH, but that's a lot to sync.
Kind Regards,
Jonathan
From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Joseph Goldman
Sent: Tuesday, 3 November 2015 11:39 AM
To: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] VPN Virtual appliance recommendations
RouterOS (on Routerboard hardware, or on x86 hardware) is pretty flexible with config - although I have never read or seen experiences of it with VPN clients in that number of connections.
On 03/11/15 11:27, Jonathan Thorpe wrote:
Hi Ben,
Given the requirement for both IPSEC and OpenVPN, Vyatta sounds like a good idea, however given the number of subscribers, there are a few challenges with authentication/authorisation (and probably throughput of a single machine).
1.Vyatta will allow you to do RADIUS with IKEv2 over L2TP.
2.While Vyatta does OpenVPN, in my experience, it doesn't provide any meaningful way to centrally manage authentication for large number of distinct clients.
Given the scale, you probably want to be able to load balance across multiple servers which means you really need a single source of truth for each one.
With OpenVPN's small footprint and the likely need to load balance connections, it might be worth rolling your own. This would enable you to maintain a single store that contains your client certificates (and if necessary, client-specific config in the client-config-dir).
You may also be able to use OpenVPN with RADIUS, allowing you to keep the IPSEC/OpenVPN authentication/authorisation data together.
With this in mind, I believe pfSense provides this functionality as well, but have not tried it in this scenario myself.
Kind Regards,
Jonathan
From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Ben Trigger
Sent: Tuesday, 3 November 2015 10:51 AM
To:ausnog at lists.ausnog.net<mailto:ausnog at lists.ausnog.net>
Subject: [AusNOG] VPN Virtual appliance recommendations
Hi All,
Just wondering if anyone has recommendations on a virtual appliance (VMWARE / Xen compatible) which can terminate xx000's of roaming clients. Hoping to support ipsec ikeV2 + openVPN. I've been looking at Vyatta, strongswan & openVPN server. Wondering if anyone has experience good or bad to share on these platforms? Or other recommendations?
Many Thanks,
--
BenTrigger | LivingNetworks
E: btrigger at livingnetworks.com.au<mailto:btrigger at livingnetworks.com.au>
_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net<mailto:AusNOG at lists.ausnog.net>
http://lists.ausnog.net/mailman/listinfo/ausnog
_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net<mailto:AusNOG at lists.ausnog.net>
http://lists.ausnog.net/mailman/listinfo/ausnog
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20151103/3043a90d/attachment.html>
More information about the AusNOG
mailing list