VPN hardware suggestions.
-
There's a few different ways you can do that too. You can go the firewall route or you can use ZeroTier to deal with remote connectivity off the top of my head.
Like Scott said, most (all?) business-oriented firewalls (hardware appliance or linux distro à la Untangle) have built-in firewall/VPN capabilities. Some things to have on your radar:
- VPN topology (hub+spoke, full mesh or a combination of both).
- IPSEC throughput on the appliance (our old sonicwalls at some remote-offices were a bottleneck for the ipsec back to HO)
- If replacing firewall appliances, what other functions do you need / want
Ubiquiti is pretty solid from a hardware perspective but their support is lacking, based on both personal experience and speaking with some other IT folks. I use it at home, and would definitely consider it for a business upgrading over consumer, SOHO or ISP gear, but if you're big enough that you've got to connect multiple sites over IPsec and it's business-critical you might want to look at something like SonicWall, FortiGate or Meraki.
-
@siringo said in VPN hardware suggestions.:
Thanks Scott. These sites don't always have staff, so it'd be good to be able to glance at something to make sure everything is still up.
I'll take a look at the Unifi stuff.
If there is no staff, why does it matter if it's up?
That said you could use other things to test the VPN status - like a ping test.
-
I really wish that UBNT would add VPN status to their GUI, sure you can CLI the status, but meh.
It's one thing I really liked about my old Sonicwalls.
-
SonicWall has (or at least had) a very expensive offering that would be a centralized controller for SonicWall devices. Not that anyone here is likely to actually suggest SonicWall, but the option has at least existed in the past.
-
@siringo said in VPN hardware suggestions.:
Thanks Scott. These sites don't always have staff, so it'd be good to be able to glance at something to make sure everything is still up.
I'll take a look at the Unifi stuff.
If you go unifi, stick to EdgeRouters.
You'll be able to look at them all using UNMS, which also centralizes management. So things like firmware updates are just a button click.
I know Sonicwalls make you pay extra license fees to enable their web management, but you don't have to set up your own controller to do it. You'd have to decide if your time is worth the extra cost of having something ready to go.
-
@travisdh1 said in VPN hardware suggestions.:
@siringo said in VPN hardware suggestions.:
Thanks Scott. These sites don't always have staff, so it'd be good to be able to glance at something to make sure everything is still up.
I'll take a look at the Unifi stuff.
If you go unifi, stick to EdgeRouters.
You'll be able to look at them all using UNMS, which also centralizes management. So things like firmware updates are just a button click.
I know Sonicwalls make you pay extra license fees to enable their web management, but you don't have to set up your own controller to do it. You'd have to decide if your time is worth the extra cost of having something ready to go.
UNMS is either self hosted, or requires you to have 10+ devices for UBNT's hosted offering.
-
@travisdh1 said in VPN hardware suggestions.:
@siringo said in VPN hardware suggestions.:
Thanks Scott. These sites don't always have staff, so it'd be good to be able to glance at something to make sure everything is still up.
I'll take a look at the Unifi stuff.
If you go unifi, stick to EdgeRouters.
You'll be able to look at them all using UNMS, which also centralizes management. So things like firmware updates are just a button click.
I know Sonicwalls make you pay extra license fees to enable their web management, but you don't have to set up your own controller to do it. You'd have to decide if your time is worth the extra cost of having something ready to go.
UNMS does nothing to show you VPN status.
-
@Dashrender said in VPN hardware suggestions.:
@siringo said in VPN hardware suggestions.:
Thanks Scott. These sites don't always have staff, so it'd be good to be able to glance at something to make sure everything is still up.
I'll take a look at the Unifi stuff.
If there is no staff, why does it matter if it's up?
That said you could use other things to test the VPN status - like a ping test.
Which is a better test, anyway.
-
@siringo said in VPN hardware suggestions.:
Thanks Scott. These sites don't always have staff, so it'd be good to be able to glance at something to make sure everything is still up.
I'll take a look at the Unifi stuff.
You'll want pings for that. A VPN GUI isn't as reliable as monitoring at the network level. You don't want a GUI that shows things up, you want monitoring that alerts when things go down. A GUI that shows up would only be beneficial if you had excess IT staff with nothing to do with their time and you were trying to keep them busy. Since you have less staff than you'd like, it's monitoring that you need so that you don't have to worry about it until an alarm goes off.
-
@Dashrender said in VPN hardware suggestions.:
That said you could use other things to test the VPN status - like a ping test.
That's what we do with our MPLS sites: just use Zabbix to ping all endpoints, see if they are "up" and notify when down.
-
@hobbit666 said in VPN hardware suggestions.:
@Dashrender said in VPN hardware suggestions.:
That said you could use other things to test the VPN status - like a ping test.
That's what we do with our MPLS sites: just use Zabbix to ping all endpoints, see if they are "up" and notify when down.
Yup, just keep doing that with a VPN. A point to point VPN system should require you to change nothing from the MPLS setup. MPLS is built to mimic standard VPN setups. It's all the same to the network user level of things.
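An added illustration of the ping-based approach recommended above (example code, not from anyone in the thread or from Zabbix): it probes the far-side LAN address of each tunnel, waits for several consecutive misses before declaring a tunnel down so a single lost packet does not page anyone, and reports only state changes. The tunnel names, addresses and the `icmp_probe` helper are assumptions for illustration.

```python
import subprocess
from dataclasses import dataclass, field

# Constructed sample: tunnel name -> inside address reachable only through the VPN
TUNNELS = {"branch-a": "10.10.1.1", "branch-b": "10.10.2.1"}
FAIL_THRESHOLD = 3  # consecutive misses before a tunnel is declared down


def icmp_probe(addr: str, timeout_s: int = 2) -> bool:
    """One ICMP echo via the system ping binary (Linux ping flags assumed)."""
    r = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), addr],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


@dataclass
class TunnelMonitor:
    tunnels: dict
    threshold: int = FAIL_THRESHOLD
    misses: dict = field(default_factory=dict)   # consecutive misses per tunnel
    down: set = field(default_factory=set)        # tunnels currently alarmed

    def poll(self, probe=icmp_probe) -> list:
        """Probe every tunnel once; return alert strings only for state changes."""
        alerts = []
        for name, addr in self.tunnels.items():
            if probe(addr):
                self.misses[name] = 0
                if name in self.down:              # was alarmed, now reachable
                    self.down.discard(name)
                    alerts.append(f"RECOVERED {name} ({addr})")
            else:
                self.misses[name] = self.misses.get(name, 0) + 1
                if self.misses[name] >= self.threshold and name not in self.down:
                    self.down.add(name)
                    alerts.append(f"DOWN {name} ({addr}) after {self.threshold} misses")
        return alerts


if __name__ == "__main__":
    # Run from a host that only reaches the addresses above through the VPN.
    for alert in TunnelMonitor(TUNNELS).poll():
        print(alert)
```

Run it from cron or a monitoring host on the hub side; anything that can deliver the returned strings (mail, chat webhook, Zabbix trapper) serves as the notification channel.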
-
I like Pfsense, I use it with Openvpn with good results.
Last version includes Wireguard support.
-
Thanks everyone for the help. I'll look into everything mentioned.
-
@siringo said in VPN hardware suggestions.:
Thanks everyone for the help. I'll look into everything mentioned.
Some of the comments would lead you to believe Sonicwall is not a good solution, either from central management issues or license fees.
I can't speak to the central management issues because we've chosen to not bother with it.
We have about 350 Sonicwalls in the field and nearly all of them have S2S VPNs set up among branches, as well as Global VPN set up for remote users (there is a fee for the Global VPN license).
Every one of them has a VPN into our lab for end user support. I fired up #7 to get this screenshot.
As far as your main question about reliable VPN end points, I have been happy with the Sonicwall devices. I like their "Wizard" setups for staff that are new to Sonicwall. It makes a S2S VPN about a 5 minute task (for both sides, not each side, but then, that would still only be 10 minutes!)
We also use the IP Tunnel connections in the Sonicwall when we need to control routing, i.e. not hub and spoke type routing.
The appliances can be pricey if you want to take full advantage of today's high speed broadband, but overall, we have been very satisfied with the products, especially the VPN stability.
Here's a SS of one:
No special/add-on licensing; note the 1000 S2S VPNs allowed and the 12 Global VPNs allowed.
This Sonicwall does have 60 VPN Clients licensed to it, about 45 are in use daily.
-
@JasGot Thanks for the help, there's some real world product experience there, which I can use. I appreciate the effort. Thanks.
-
@JasGot said in VPN hardware suggestions.:
@JasGot On a side note aren't you running insecure cryptos?
I thought 3DES-HMAC-SHA1 was considered obsolete and insecure.
Normally you'd see something like AES-CBC-256-SHA256 or AES-GCM-256-SHA256.
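An added helper for the point raised above (example code, not from the thread or from SonicWall): it splits an IPsec proposal string of the kind quoted here, flags deprecated primitives such as 3DES and SHA1, and proposes the AES-GCM-256-SHA256 style replacement. The dash-separated token format is an assumption taken from the strings in this thread, not any vendor's exact syntax.

```python
import re

# Primitives a defender should flag in a phase-1/phase-2 proposal, with the reason
WEAK = {
    "DES": "56-bit key, brute-forceable",
    "3DES": "64-bit block (Sweet32), deprecated by NIST",
    "MD5": "deprecated hash",
    "SHA1": "deprecated hash; use SHA-256 or better",
    "RC4": "broken stream cipher",
    "NULL": "no encryption",
}
# Substitution suggested when a weak cipher or integrity algorithm is found
REPLACE = {"DES": "AES-GCM-256", "3DES": "AES-GCM-256", "RC4": "AES-GCM-256",
           "NULL": "AES-GCM-256", "MD5": "SHA256", "SHA1": "SHA256"}


def tokens(proposal: str) -> list:
    """Split 'AES-CBC-256-SHA256' style strings into upper-case tokens."""
    return [t.upper() for t in re.split(r"[-_/ ]+", proposal.strip()) if t]


def audit_proposal(proposal: str) -> dict:
    """Return {'ok': bool, 'findings': [...], 'suggested': str} for one proposal."""
    findings, fixed = [], []
    for tok in tokens(proposal):
        if tok in WEAK:
            findings.append(f"{tok}: {WEAK[tok]}")
            fixed.append(REPLACE[tok])
        elif tok == "HMAC":
            continue  # the MAC construction is fine; only the hash beneath it is judged
        else:
            fixed.append(tok)
    return {"ok": not findings, "findings": findings, "suggested": "-".join(fixed)}


if __name__ == "__main__":
    # Constructed sample proposals, including the one from the screenshot discussion
    for p in ["3DES-HMAC-SHA1", "AES-CBC-256-SHA1", "AES-GCM-256-SHA256"]:
        print(p, "->", audit_proposal(p))
```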
-
@Pete-S said in VPN hardware suggestions.:
thought 3DES-HMAC-SHA1 was considered obsolete and insecure.
Normally you'd see something like AES-CBC-256-SHA256 or AES-GCM-256-SHA256.
It is. I had it changed right after I took the screen shot. It's an HR problem.
-
@JasGot said in VPN hardware suggestions.:
@Pete-S said in VPN hardware suggestions.:
thought 3DES-HMAC-SHA1 was considered obsolete and insecure.
Normally you'd see something like AES-CBC-256-SHA256 or AES-GCM-256-SHA256.
It is. I had it changed right after I took the screen shot. It's an HR problem.
I'm curious - how is that an HR problem?
-
@Dashrender said in VPN hardware suggestions.:
I'm curious - how is that an HR problem?
Employee didn't complete assigned duties.