EdgeRouter Lite - Which VPN Configuration?

I need to set up a VPN on an EdgeRouter Lite for a small office. There are about 4 or 5 people that will connect to the VPN from home but probably not more than 2 at a time. I see that there are instructions in the UBNT Help to set up/configure the EdgeRouter with an L2TP IPSec or OpenVPN tunnel. Is one configuration preferred over the other? Are there any caveats for either that I need to be aware of?

OpenVPN is easier to set up for the clients; there are a lot of good third-party clients available such as Viscosity and VPN Tracker. The advantage of OpenVPN is that you can push all configuration including complex DNS suffixes and routing information right within OpenVPN — pushed by server to clients — which makes it trivial (to clients) to implement split-tunnel, which is what your clients most likely want. Setup for clients will be literally double-clicking an ovpn file and entering username and password.

With L2TP/IPSEC/PPP it is kind of doable but with way more manual tweaking and setup. Advantage: no third-party software needed, all modern OSes have built-in support.

That said - I would have chosen OpenVPN. (And I did in fact for my network)

What throughput do you need? If it’s relatively small, OpenVPN as it’s easier. You’ll get around 10-20Mbps.

If you need speed, the ERLs and ERXs can do ~100Mbps through an IPSec tunnel with hardware acceleration enabled. I’ve got 6 remote ERX sites connected to a pfSense VM and can max every office’s 100Mbps link simultaneously. HQ has a 1Gbps link.

L2TP/IPSEC, very, very easy to set up. Every single device has a client built in, and it’s the industry standard. (Save for Ubuntu, but I believe it’s been added back, and there are repos for it if not)

Do not use PPTP, it’s long past insecure, and many client devices have removed support.
I’m not sure of the obsession with ovpn, it’s fine and all, but it’s not used often in enterprise.

I agree with u/mrhone as L2TP over IPSEC is the most secure option on the ERL.

Also, IMHO I always like to run the VPN server services off of the router because if there is a power outage that lasts longer than your battery backup, once it comes back up, if you’re running the VPN server services elsewhere and it doesn’t come up properly then you will have to wait until you get home to troubleshoot. With the ERL, once it’s up you’re good to now use things like IPMI and such to get things back up.

I’d say it depends. Do you want faster performance? If yes, then use L2TP/IPsec. Do you want certs for authentication? If yes, use OpenVPN. Do you want users to be able to use any computer without the need of 3rd party client? If yes, use L2TP/IPsec.

Is there a Windows server on site?

There’s always the option of using a Raspberry Pi with PiVPN, so there’s less with the router to deal with. Works great as well.

What do the 3rd party clients do that the native OpenVPN client doesn’t?

I have two sites with ERL there and we top out around 50Mbps; both sites have gigabit and without the VPN they can transfer about 800Mbps. I thought I read somewhere that OpenVPN would be faster than the native IPsec.

What would you recommend to maximize the vpn speeds?

There is no Windows server on site. They are using a NAS for file storage.

I just did this, switching from L2TP/IPSec on the ERL to PiVPN/OpenVPN on a Pi. I should have switched years ago.

The Pi solution has much faster throughput and was infinitely easier to set up. I just use it at home though so it may not be appropriate for a commercial application.

What do the 3rd party clients do that the native OpenVPN client doesn’t?

This is the wrong question. It’s not about “what” but about “how”.

You could just run openvpn in the command line and edit the config file in a text editor and eventually, after a few iterations, make it work to your liking. Or you can pay $9 to the company whose core business is ensuring a great user experience with OpenVPN clients, where all the quirks are solved and it “just works” with a single click. What would you choose?

I think most people value their time and therefore there is absolutely no reason not to use third party commercial products in these circumstances.

(And if you are tempted to try Tunnelblick – save your sanity and just don’t, especially on macOS.)

I’ve never seen OpenVPN outperform IPsec on the ER platforms.

Two things off the top of my head that could be causing your slow speeds:

  1. Hardware Acceleration (HA) is disabled; and/or
  2. You have DPI enabled (which bypasses HA)

Like I said, I can run 6 simultaneous iperf commands that route via their respective tunnels and all 6 remote sites get very close to their max 100Mbps connections at the same time.

ER to ER you should be getting way more than 50Mbps if you can do inter-site 800Mbps without the tunnel.
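The two checks suggested above, written out as EdgeOS CLI commands. This is an added illustration, not something posted in the thread; the `system offload ipsec` and `system traffic-analysis` configuration nodes are given from memory of EdgeOS and should be confirmed with tab completion on your firmware version.

```text
# Operational mode: confirm the IPsec offload module is loaded on the ER-Lite
show ubnt offload

# Configuration mode: enable IPsec hardware offload (assumed node name: system offload ipsec)
configure
set system offload ipsec enable

# DPI (traffic-analysis) takes packets off the offload path; check whether it is on
show system traffic-analysis

# ...and turn it off if throughput matters more than the traffic stats
# (assumed node names: system traffic-analysis dpi / export)
set system traffic-analysis dpi disable
set system traffic-analysis export disable

commit
save
exit
```

After committing, re-run `show ubnt offload` and repeat the iperf test through the tunnel to confirm the change had an effect.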

What’s wrong with tunnelblick?