My client base needs all the traffic routed through a connection for open ports and better monitoring on my end.
Each client has a router for their use to connect to their internet connection, and it supports WireGuard, L2TP, and OpenVPN.
I have a bare metal cloud server currently installed with pfSense. I'm looking for help either with a different option or with making pfSense work. I will have hundreds of clients connected to this server and I need easy user management, preferably GUI management.
My current configuration with OpenVPN works, but not all traffic is routed through the VPN even with that option enabled. Also, I can't get the routers to connect. I've tried L2TP, which is preferred; security isn't the goal here, just bypassing some geo restrictions and some blocked ports. L2TP is my preference if it worked. I like just giving the server IP and then a username and password; that's very simple and easy.
If anyone has any other suggestions I'm open to anything; this is hurting business and I need it to work properly. I'm not bad at networking but this is over what I'm used to dealing with.
Security needs to be at the forefront of your mind if you are routing multiple clients' traffic through one cloud-hosted router. You are asking for trouble. More information on your requirements would help us suggest a long-term solution.
I did pull off what I was looking for, at least with most of the features. I am looking into a RADIUS configuration, but for now WireGuard works great. It's not as easy to use and as quick to set up more users, so it will take more time, but it will solve the problem for now.
I will say WireGuard performance is excellent: with 10% CPU usage I'm maxing out the 1 Gb connection on the server. With the max of 5 Gb available through this cloud provider, this server can more than handle that amount of traffic.
you need to use a real cloud provider like Microsoft Azure or Amazon AWS
then make an IPsec tunnel-mode tunnel to the cloud provider's VPN gateway or a hosted virtual appliance that you manage (Fortinet, etc.)
scrap OpenVPN. scrap pfSense. scrap L2TP. that's trash and you'll waste your time j—king off with it.
you want to STANDARDIZE your infrastructure using BEST OF BREED cloud networking and VPN. if your bare metal server is at John's Cloud Service (instead of Azure/AWS) then you need to lean on them to give you an appliance or lease you a managed Fortinet or Palo Alto, etc.
your infrastructure seems to be your business and you are starting behind the 8 ball with toys a kid would use at his college dorm. there is a reason AZURE/AWS are the leaders. and a big reason is their vpn connectivity is well documented, guaranteed to work and perform when properly configured…
some light reading:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways
https://aws.amazon.com/vpn/pricing/
Right, so what I believe you are looking for is a P2S VPN. Azure VNGs support this, but they're too costly; that's fair. You have a pfSense box and are using it with OpenVPN; there's no reason this shouldn't work. You probably have a split tunnel misconfiguration.
If you can afford Palo Alto this would be great, but they cost a lot and you already said price was a concern (taken from what you said re Azure). Fortinet supports L2TP and is significantly cheaper.
Another option, which personally I loathe, is Microsoft Always On VPN (AOVPN): you can spin up a Windows 2019 box on your bare metal cloud, install RRAS, then have a NAT rule from your pfSense FW to the AOVPN box. AOVPN can use the OpenVPN client or, preferably, the Windows native VPN client.
Your post history suggests this will end poorly with immediate DMCAs to your carrier. Good luck
The reason I said security isn't the main concern is that all information going through the VPN isn't sensitive. I'm not building this in order to VPN to a work network and access local files.
Each client router has its own NAT and firewall, and all traffic will be run through the client routers.
Requirements are just a long term solution that connects to our customer routers and routes all traffic through it.
In terms of hardware, the reason I went bare metal is I needed unlimited bandwidth with the ability to upgrade my connection. I need high performance; I've had performance limitations with vCPUs before. I've already tested one connection up to about 700 Mbps, and I'll limit each client to 25 or 50 Mbps, so performance is there.
I just need to get this off the ground and get it working then I’ll be hiring to build it better and how I want it done.
I appreciate the information, but look at it as though I'm trying to build my own VPN company. Although I'm not, my company sells internet, and some ISP providers we use have throttles in place for customers or a carrier NAT, and I need to bypass that. I need unlimited bandwidth. Hardware acceleration is great too. This is proof of concept; if it works, yes, I'll use it for a couple hundred or so customers. If it works I'll rent a rack and deploy my own infrastructure. I'm basically building a VPN service, and paying per connection or for data used won't make financial sense.
I already looked at AWS and Azure; the documentation I found says both bill by data usage and possibly by how many connections. I even looked at pfSense in Azure or AWS; their pricing just doesn't make it work, plus I need really high performance, which is why I went bare metal. AWS and Azure offer high performance options but completely price it out as an option as I scale up. Azure does appear to have possibly unlimited bandwidth, but they limit the number of connections and charge additionally per connection. If I'm wrong and the cloud options are very price competitive, let me know, but from how I read the documentation the pricing is just not possible.
I did pick a pretty well regarded Cloud provider. And if this works I can always pick different locations or different cloud providers all together or just rent a rack, half rack or Co location.
I'm interested in the Fortinet and Palo Alto; I've seen their names thrown around but I've never used one. If they work a lot better I'd be interested in that.
I recognize I'm not as up to date on this, which is why I'm asking for advice. As my business scales I'll be hiring network engineers and possibly a software team, but I need this to work so I can get to that point. Trust me, I'd much rather someone with more experience do this; plus it's beyond frustrating, although it's fun, and I want to know how absolutely everything works so I can make informed decisions.
I appreciate your input. While yes, I don't want to dump tons of money into it, at least at this stage, most of my concern is monthly cost. A more expensive up-front cost, as long as it works and I don't have to pay licensing per tunnel or connection or any fee like that, can be justified with a higher cost appliance. But with the room I'm working with for monthly cost, AWS and Azure aren't price competitive.
I'll read through some documents on Fortinet and Palo Alto.
It's possible I have something misconfigured on OpenVPN, although I have the settings set according to the guides I've followed. Video traffic seems to slip by the OpenVPN tunnel, and that's the most important traffic to run through the tunnel.
I've done a fair amount of networking and sysadmin work, but I never had to use VPNs when I was in IT, other than site-to-site, and our routers had that ability built in. Also, we were working with static IPs, where my clients have dynamic IPs, so some configurations I've used in the past won't work unless running DDNS on every client router.
OK, I get it now.
you want ALL traffic to route through the openvpn including internet then send the tunnel traffic back out a pfsense firewall to reach the internet?
That's correct. The goal is to allow the customer's ISP to only see an encrypted tunnel and that's it; I don't need the ISP playing man in the middle. And constantly changing IP addresses, as some banks don't allow you to use online banking with certain ISPs, etc.
It can be OpenVPN or any method the client router supports, but the clients don't have a static IP, and that eliminates some options I've used in the past.
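As an added illustration (not from any poster in this thread), here is a small Python check for the split-tunnel point raised earlier: does a wg-quick peer config actually route everything through the tunnel? A peer whose AllowedIPs covers only IPv4 leaves IPv6 traffic on the ISP path, which is one way "all traffic" can still slip past a tunnel; the sample config, endpoint, and keys below are constructed placeholders.

```python
import ipaddress

# Constructed sample wg-quick client config (not from the thread); keys and
# endpoint are placeholders. AllowedIPs uses the two-halves "def1" trick.
SAMPLE_WG_CONF = """
[Interface]
PrivateKey = <placeholder-private-key>
Address = 10.66.0.2/32

[Peer]
PublicKey = <placeholder-public-key>
Endpoint = vpn.example.net:51820
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
PersistentKeepalive = 25
"""


def parse_allowed_ips(conf: str) -> list[str]:
    """Collect every AllowedIPs CIDR from all [Peer] sections of a wg-quick config."""
    cidrs: list[str] = []
    for line in conf.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "allowedips":
            cidrs.extend(v.strip() for v in value.split(",") if v.strip())
    return cidrs


def tunnel_coverage(cidrs: list[str]) -> dict[str, bool]:
    """Report whether the CIDRs cover the whole IPv4 and IPv6 address space.

    Adjacent halves such as 0.0.0.0/1 + 128.0.0.0/1 collapse to 0.0.0.0/0,
    so the check accepts both the plain /0 form and the two-halves form.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    result = {}
    for version in (4, 6):
        same_family = [n for n in nets if n.version == version]
        merged = list(ipaddress.collapse_addresses(same_family))
        result[f"v{version}"] = any(n.prefixlen == 0 for n in merged)
    return result


def leaks(cidrs: list[str]) -> list[str]:
    """Address families that would bypass the tunnel (empty list = full tunnel)."""
    return [fam for fam, covered in tunnel_coverage(cidrs).items() if not covered]


if __name__ == "__main__":
    print("leaking families:", leaks(parse_allowed_ips(SAMPLE_WG_CONF)))
```

The sample config reports an IPv6 leak; adding `::/0` to AllowedIPs (or disabling IPv6 on the client side) closes it.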