Best way to implement VPN

mic_y (Expert Member, joined Dec 23, 2004, Slaapstad)
I am looking at implementing a VPN connection for the office and just have a quick architectural question. The setup is currently as follows:

DSL Modem --> pfSense --> Windows Server 2012 R2 (AD, DHCP, DNS, NPS, NAP, etc).

Now my question is as follows: should the VPN endpoint be the pfSense box, with authentication happening on the pfSense against AD credentials using a RADIUS server (NPS/NAP) running on the AD box, or should I just forward the incoming VPN connection to the NAP server and let the Windows box handle everything (auth, VPN, etc.)?

Is there any distinct (dis)advantage to either approach? Is there any difference in terms of security?
 
I am looking at implementing a VPN connection for the office and just have a quick architectural question. The setup is currently as follows:

DSL Modem --> pfSense --> Windows Server 2012 R2 (AD, DHCP, DNS, NPS, NAP, etc).

Now my question is as follows: should the VPN endpoint be the pfSense box, with authentication happening on the pfSense against AD credentials using a RADIUS server (NPS/NAP) running on the AD box, or should I just forward the incoming VPN connection to the NAP server and let the Windows box handle everything (auth, VPN, etc.)?

Is there any distinct (dis)advantage to either approach? Is there any difference in terms of security?

I do an SSTP direct to the Windows Server. However, I have a dedicated VM for the VPN. You have one server doing everything, which is insecure.
 
I use OpenVPN on pfSense with a combo of signed certs and authenticating against a specific AD group via LDAP.
 
OpenVPN is the way to go with pfSense. Just make sure you install the OpenVPN Client Export Utility package which makes creating client installs super easy.
 
OpenVPN is the way to go with pfSense. Just make sure you install the OpenVPN Client Export Utility package which makes creating client installs super easy.

Forgot to mention this.

Made my life super easy at my previous job.
 
I do an SSTP direct to the Windows Server. However, I have a dedicated VM for the VPN. You have one server doing everything, which is insecure.

Also not running everything on one machine, and can easily spin up an extra VM to handle incoming VPN connections.

In terms of the other comments, it seems like OpenVPN is the way to go. I will be setting that up on the pfSense box and will keep the questions flowing if I have any issues.
 
And I am up and running now :) Thanks for the tip, guys :) OpenVPN does seem to be the bomb. It's a bit more of a schlep to configure than just going the RRAS route, but it seems to work really well so far.
 
Late to the party, but just to reaffirm your decision: OpenVPN is a winner. It's the one I'm using as well, and I can easily export clients and configs.
 
I've been using OpenVPN on pfSense for a while. One thing I just cannot seem to get right is DNS. Even after following various guides and entering the correct settings as per the docs, it does not work and I am forced to use IPs. Anyone else experience this?
 
I've been using OpenVPN on pfSense for a while. One thing I just cannot seem to get right is DNS. Even after following various guides and entering the correct settings as per the docs, it does not work and I am forced to use IPs. Anyone else experience this?

You mean forcing clients to use the provided DNS server?

If you've got Windows clients with this problem then make sure they start the OpenVPN client as Administrator.
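To make the OpenVPN setup the posters above describe concrete (client certificates plus AD-group credentials on pfSense, and DNS that the clients actually use), here is an added example in OpenVPN's own config syntax. It is not taken from the thread and is not the config pfSense generates; it shows the directives pfSense's "Remote Access (SSL/TLS + User Auth)" server mode and the Client Export package end up producing. Every hostname, address, path and file name in it is an assumption.

```conf
# Added example (not from the thread or from pfSense's generated config).
# Addresses, names and paths are placeholders chosen for illustration.

# ---------------- server side (OpenVPN server on pfSense) ----------------
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0          # client address pool (assumed)

ca   /etc/openvpn/ca.crt               # internal CA that signed the client certs
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/ta.key 0         # HMAC on the TLS control channel
                                       # (OpenVPN 2.4+: tls-crypt ta.key instead)

# Factor 1: a certificate signed by the CA above is required (the default).
# Do NOT set client-cert-not-required / verify-client-cert none; that would
# silently downgrade the VPN to password-only.
# Factor 2: username/password checked against the auth server configured in
# pfSense (an LDAP server pointed at AD). pfSense fills in its own helper
# here; the path below is a placeholder, not pfSense's real script.
auth-user-pass-verify "/path/to/pfsense-auth-helper" via-env

# What clients receive. Point them at the AD DNS server, give them the AD
# suffix so short names resolve, and route the office LAN through the tunnel.
push "dhcp-option DNS 192.168.10.5"       # AD/DNS server (assumed address)
push "dhcp-option DOMAIN corp.example"    # AD DNS suffix (assumed)
push "route 192.168.10.0 255.255.255.0"   # office LAN (assumed)

keepalive 10 60
persist-key
persist-tun
verb 3

# ---------------- client side (exported .ovpn, Windows extras) ----------------
# client
# dev tun
# proto udp
# remote vpn.example.net 1194          # public name of the pfSense WAN (assumed)
# remote-cert-tls server               # reject a client cert presented as a server
# auth-user-pass                       # prompt for the AD username/password
# tls-auth ta.key 1
# ca ca.crt
# cert client.crt
# key client.key
# Windows only: stop the OS from also querying the LAN/ISP resolver while the
# tunnel is up, and force the pushed resolver onto the tunnel adapter.
# block-outside-dns
# register-dns
```

Two points worth checking on the pfSense side. For the AD-group restriction, the LDAP authentication server's "Extended query" field is where group membership is enforced (a filter of the form `memberOf=CN=VPN Users,OU=Groups,DC=corp,DC=example`, with the group's DN substituted), and the OpenVPN server's "Strict User-CN Matching" option ties the login name to the certificate's common name so one user's credentials cannot be used with another user's certificate. For the DNS problem above, OpenVPN on Windows applies a pushed `dhcp-option DNS` to the tunnel adapter with `netsh`, which needs elevation (or, on 2.4+, the OpenVPN Interactive Service); that is why running the client as Administrator fixes it. If the pushed DNS server sits on the LAN behind pfSense, the firewall rules on the OpenVPN interface must also allow UDP and TCP port 53 to it, or name resolution fails even though the tunnel is up.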
 
Not sure why people recommend OpenVPN.
SoftEther is far far better, and supports more protocols.

I don't think it comes included in pfSense (well, it didn't when I last used it). It's a far better alternative than running the VPN on the Windows Server! However, he could maybe use SoftEther from the FreeBSD ports collection and then simply install the management interface on the Windows server to add users etc.
 