Router with openvpn for small business
Discussion
Hi All,
A small business I help wants advice on an OpenVPN router. They are currently running DD-WRT on an elderly Netgear (I think it's about 10 years old) and want to upgrade (but at a price, obviously)...
I've used the Netgear R7000 in a couple of places with its OpenVPN and they seem to run OK, but I'm wondering if there is something out there a bit more on the enterprise side, like maybe the Fortigate (and FortiClient VPN)?
TIA
Pfsense?
Either on Netgate's own hardware, but I'm not sure on UK resellers
Or on something like this
https://m.youtube.com/watch?v=wUcDg_ms0is
Hardware is available from Amazon or alibaba
With either 1Gb/s or 2.5Gb/s nics
bhstewie said:
Well there's plenty that's enterprise depending on budget and requirements.
Do they have to meet any sort of compliance?
No, not really, just a small business (office) with CCTV they need to view; they just need OpenVPN vs the PPTP they currently have. The R7000 will probably suffice. He did say he doesn't want to pay for a recurring licence, and from memory the Fortigate 30 was 300 per year?
Pfsense from netgate would be a good shout if you want to go with something a bit more enterprise grade but not have ongoing licensing. It is really a router/firewall though, not a wifi access point. What model depends on how many connections needed and the speed of connection. The sg-1100 is fine for up to about 400mbps (although OpenVPN will top out less than half that).
Edited by colin79666 on Monday 23 May 22:17
colin79666 said:
Pfsense from netgate would be a good shout if you want to go with something a bit more enterprise grade but not have ongoing licensing. It is really a router/firewall though, not a wifi access point. What model depends on how many connections needed and the speed of connection. The sg-1100 is fine for up to about 400mbps (although OpenVPN will top out less than half that).
They have UniFi APs dotted about so wifi is not needed. That pfSense is interesting; I haven't looked at them for probably a decade. Did a quick search and these two came up, and I think $1.1M might be out of their range for a firewall!
Ha, Pfsense plus UniFi switches and APs is a common combination.
Check Lawrence Systems out on YouTube for reviews and guides:
https://youtube.com/user/TheTecknowledge
Netgate: https://www.netgate.com/appliances
I think the security of their network should be worth a few quid......I'd not be chucking a hobby solution at this.
But I also have a better option: leverage an RDP jumphost in the network, install Tailscale on it as well as on the devices that need to look at the CCTV, and dump the need for weak security at the perimeter. If the video files are on a share, you could even Tailscale that host and access the share over the Tailscale tunnel.
No port forwarding or stty security required.
Captain_Morgan said:
Just for clarity are you suggesting that pfsense is a ‘hobby solution’?
Actually no; having said that, if the best they could do and maintain was PPTP on DD-WRT, it might not be for them.
Hobbyist is PPTP on an aged DD-WRT firmware which I am sure has some massive flaws for an edge device. They need to care more because their network has value to an attacker; also CCTV access has personal data implications.
Tailscale might be an alternative that is far more suited to their needs and skill levels. pfsense too, but it's not simple given what we might assume about them....
eeLee said:
Captain_Morgan said:
Just for clarity are you suggesting that pfsense is a ‘hobby solution’?
Actually no; having said that, if the best they could do and maintain was PPTP on DD-WRT, it might not be for them.
Hobbyist is PPTP on an aged DD-WRT firmware which I am sure has some massive flaws for an edge device. They need to care more because their network has value to an attacker; also CCTV access has personal data implications.
Tailscale might be an alternative that is far more suited to their needs and skill levels. pfsense too, but it's not simple given what we might assume about them....
I recall watching some tailscale videos a while back, I might go and refresh my memory.
Though tailscale does fail the no recurring costs requirement
For a business I'd want something more robust, a Cisco ASA 5506 for example, or even better the FP1010 with FTD. Add AnyConnect, very easy to use; the client will auto-update from the firewall, and it's a very easy and quick system to use and extremely flexible.
Don't forget to add a hairpin VPN option so they can watch iPlayer and UK Netflix when on holiday !
Captain_Morgan said:
Though tailscale does fail the no recurring costs requirement
it's free for up to 20 devices.
We can also start the discussion as to what security value you get for free and if a set-and-forget solution for security is fit for purpose. We both know the answer to that one.....
eeLee said:
it's free for up to 20 devices.
We can also start the discussion as to what security value you get for free and if a set-and-forget solution for security is fit for purpose. We both know the answer to that one.....
I'd assumed it was more than one user, hence my point on costs, but we all know what we say about assumptions, eh ;-)
Set-and-forget and secure are an oxymoron. I guess free is a little more nuanced, but "you get what you pay for" rings true; as ever, the devil's in the details of their use / business case.
A few thoughts,
An entry level Fortigate firewall would do, using their free VPN client, but it's fairly basic. I wouldn't get into licensing with their full endpoint suite.
Juniper SRX might be a good entry level enterprise router, which can do IPSec VPN.
If budget is important, Draytek would work.
They don't have to run the VPN service on the router. It could be on a separate server if they already have one. Install OpenVPN server and forward ports to that. Then your choice of router is free of the VPN requirement. OpenVPN is very good at this setup, as you only need to forward one port.
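To make the "OpenVPN on a separate LAN server, one port forwarded" layout from the post above concrete, here is a server-side config. This is an added example, not something posted in the thread; the LAN subnet (192.168.1.0/24), the UDP port 1194 forwarded by the router to the OpenVPN host, and the key/cert paths are all assumptions, and the PKI files are expected to have been generated with easy-rsa beforehand.

```conf
# OpenVPN 2.5+ server config for a LAN host sitting behind the office router.
# Assumptions (change to suit): office LAN is 192.168.1.0/24 and the CCTV
# NVR lives on it; the router forwards only UDP 1194 from the WAN to this host;
# CA, server cert/key and a tls-crypt key were generated with easy-rsa.
port 1194
proto udp
dev tun

# PKI material (paths are assumptions)
ca   /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key  /etc/openvpn/server/server.key
dh   none                               # ECDH key exchange only, no DH parameters needed
tls-crypt /etc/openvpn/server/tc.key    # encrypts and authenticates the control channel:
                                        # unauthenticated packets to UDP 1194 are dropped,
                                        # so the forwarded port does not even answer scans

# Modern crypto only; clients cannot negotiate anything weaker
tls-version-min 1.2
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
remote-cert-tls client                  # every client must present a cert with the client EKU

# Address pool for VPN clients, plus the one route they need (the office LAN)
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
# Deliberately no "redirect-gateway": only office traffic enters the tunnel

# Drop root privileges after startup; keep keys and the tun device across restarts
user nobody
group nogroup                           # "nobody" on RHEL-style systems
persist-key
persist-tun

keepalive 10 120
verb 3
status /var/log/openvpn/status.log
```

Two things the config alone does not do: the OpenVPN host must have IPv4 forwarding enabled and its own firewall must permit traffic from tun0 to the LAN (ideally only to the NVR's address and ports, which keeps a lost laptop's certificate from reaching the rest of the network). Revoking a client is then a CRL update on this one host rather than a router firmware change.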
SteveKTMer said:
For a business I'd want something more robust, Cisco ASA 5506 for example or even better the FP1010 with FTD. Add AnyConnect, very easy to use, the client will auto update from the firewall and it's a very easy and quick system to use and extremely flexible.
Don't forget to add a hairpin VPN option so they can watch iPlayer and UK Netflix when on holiday !
On the 5506 you get x2 AnyConnect licences thrown in, though it's RTU so technically you could use as many as you want.
For the 1010 it's all smart licensing so you'll be on the hook for AnyConnect licences.
Personally I wouldn't run a 1010 without it being managed via FMC, Flexconfig can do one, it's a complete pain in the arse.