Author Topic: Recommend me a VPN (Read 3483 times)

sporkman · « **on:** October 10, 2019, 01:02:57 am »

I'm kind of annoyed with OpenVPN as I could never get it to work in my particular scenario for site-to-site use. I find it's great for getting from a coffee shop to my home net though, so I'll leave that as-is.

But I have 3-4 other sites where I would like to have site-to-site setups between my home (simple network - two WANs, one just for backup, one LAN net, that's it) and some remote networks.

My requirements are:

- The other end only has proprietary stuff that only does IPSEC, so I have to tunnel back to a FreeBSD host at the other end rather than the router (I know this complicates things)
- I need to filter the traffic on my end - I should be able to reach out, none of the remote sites should reach in
- I do need to add additional routes, accessed via the remote sites
- The other end is FreeBSD in all cases, so whatever I run has to support FreeBSD

OpenVPN confuses me in these type of use cases as it has it's own internal/hidden routing table. If anyone thinks it could support the above, I'd give it a try, but I've had no luck with this on OPNSense (worked on pfsense, but not with any setup that let me filter traffic).

Or if you want to make a case for using the Cisco and SonicWall IPSEC VPNs at these sites instead, I'm all ears, but I fear interoperability headaches, and it seems like adding additional remote routes is a real pain.

Or pitch me on something I've not mentioned!

mimugmail · « **Reply #1 on:** October 10, 2019, 09:01:30 am »

Why dont you use IPsec for this?

banym · « **Reply #2 on:** October 10, 2019, 11:15:56 pm »

I agree with mimugmail.
Why no IPsec.

sporkman · « **Reply #3 on:** October 11, 2019, 05:25:46 am »

Never had much luck with IPSEC and since it's a kernel-level thing instead of a userland daemon, generally a real pain in the ass to debug.

banym · « **Reply #4 on:** October 11, 2019, 08:26:29 am »

I use it every day.
Very stable, and flexible.

If you got used to the error handling it is o.k to debugg and Google is you friend.
Stay to fix configuration of encryption, hashing and DH group and everything is fine.

*sense systems worked with every vendor I got confronted with on the other side.
And as afar as I understand OpenSwan/StrongSwan is an userland implementation that integrates with kernel.

sporkman · « **Reply #5 on:** October 21, 2019, 10:24:39 pm »

Quote from: banym on October 10, 2019, 11:15:56 pm

I agree with mimugmail.
Why no IPsec.

Also since IPSEC relies on GRE being let through, NAT not breaking it, etc. I do prefer something that just uses one protocol over one port. Easier to diagnose basic connectivity.

An example - ongoing issue where one of these carriers is doing something, including a note that some content inspection gear is doing something dumb:

https://puck.nether.net/pipermail/outages/2019-October/012696.html

mimugmail · « **Reply #6 on:** October 22, 2019, 05:34:52 am »

Then just use OpenVPN

Sorry, but all vendors use one of them or both

Author Topic: Recommend me a VPN (Read 3483 times)

sporkman

Recommend me a VPN

mimugmail

Re: Recommend me a VPN

banym

Re: Recommend me a VPN

sporkman

Re: Recommend me a VPN

banym

Re: Recommend me a VPN

sporkman

Re: Recommend me a VPN

mimugmail

Re: Recommend me a VPN