Morning MSP,
We have Ubiquiti firewalls across the board and their Windows Client to VPN solution is pretty bad for any client that needs VPN.
Not every client has a Windows Server and we are looking for a VPN solution that is reliable.
Is anyone using a software or additional VPN appliance that they can recommend from experience? Pricing is not a concern at this point - reliability is.
Thank you!
Softether works very well. You install it on a workstation / server, click through a couple settings, and your done. It you use their vpnazure, you don’t even have to port forward (although for quicker access, I would recommend it).
Following - We have a large fleet of Meraki firewalls out in the wild and have the same complaint about the built in Windows VPN client.
I’d recommend implementing a NGFW rather than the UniFi gateway. You’re really doing your clients a disservice not having any real security on the edge.
I come to places with weak edge security, plug in my firewall in line for a week or so as a free assessment (just in audit mode) and every time it catches so much.
Perhaps an always on VPN type solution would be ideal. These typically have increased security too.
Are a few
I’ve toyed with the OpenVPN virtual appliance: https://openvpn.net/virtual-appliances/ It came up a little short because of the lack of an always-on network detection feature. Otherwise it seemed pretty good for a totally stand alone and commercially supported product.
We run the Microsoft VPN server in most instances. I’ll admit to being frustrated with the Microsoft VPN client and actively looking for alternatives.
Pritunl and Pritunl Zero are magnificent. Spin them up in VMs and check 'em out.
I would recommend OpenVPN
A little while ago i created a powershell script for automating OpenVPN:
https://github.com/arjansturing/Auto-OVPN
This script automates the following:
I absolutely love RouterOS. It’s the same software that runs on every MikroTik router. It’s also available as a VM image in level 4, 5 and 6 licenses, depending on how many VPN tunnels you need to support. It supports the out-of-the-box L2TP/ipsec functionality on the Windows 10 VPN client, MacOS client, Android client, and iPhone client. So, no need for additional client software to be installed. If you’re using Windows 10, it also supports SSTP. If you have some other VPN routers that may not be so good (only support PPTP), RouterOS also supports that (I don’t recommend it though, for security reasons).
There’s plenty of tutorials for setting it up because MikroTik/RouterOS has a lot of grassroots support:
If you want to install it on Vultr, here are the instructions:
https://www.wirelessnetware.ca/blog/mikrotik-canada-install-mikrotik-routeros-on-a-vultr-vps/
If you want to install it on your own virtualization environment, I’ve successfully run it on VMWare, KVM and Virtualbox.
You’ll need to download a CHR file (Cloud Hosted Router: vmdk, vhdx, vdi, ova, img formats) from:
https://mikrotik.com/download#chr
Or an ISO file (for virtualization platforms that you can’t use the CHR file formats on) from:
https://mikrotik.com/download#md5_6_47_7
After you’ve downloaded that, you’ll need to purchase a license. One place you can purchase them from is Wireless Netware (https://www.shop.wirelessnetware.ca/35-software). Full disclaimer: I do not work for them, own the company or receive any kickbacks from the company. They’re just a vendor I’m extremely happy with and am happy to recommend. Hani, the owner also goes above and beyond for support.
Once you’ve purchased the license, it’s time to install the image in your favorite virtualization platform. For a very powerful installation, 1GB RAM, 1GB drive space, and 1 core should be more than sufficient if it’s being run non Xeon class hardware. If you decide later that 1 core isn’t enough, you can always increase the number of CPUs on the VM. RouterOS will take advantage of more than one core for most operations (most notable exception is BGP, so if you need dynamic routing, I would suggest using OSPF if you want it to be scalable across more than one VCPU).
Finally, in closing, if you want to evaluate RouterOS to see if it’ll pass the muster for what you need to do and to see if it’s something you’ll feel comfortable with, if you don’t activate a license on it, the install is good for 24 hours without being activated, and you can install as many times as you want.
There’s also plenty of help on the wiki:
https://wiki.mikrotik.com/wiki/Main_Page
And The Brothers WISP are also a good resource on Youtube:
https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg
If you’re just looking for something you can install into an existing Linux or Windows box to provide a VPN server and/or client, you can also look at OpenVPN. The packages are freely available via the package manager of all major Linux vendors. For Windows, you’ll need to download an installer for either the server or the client. Trying to navigate OpenVPN’s website to find the proper download is proving to be a nightmare lately because they’re trying to promote their commercial product more now, but the relevant section of their website is at:
Just curious, what issues have you experienced with the UniFi L2TP VPNs? We use them across multiple clients with both USGs & UDMPros, and after the initial setup headaches, haven’t noticed any real issues.
Do your clients need to connect to premise resources, or hardening due to WFH restrictions?
I have been using Todyl for my clients. Not cheap but great solution and stupid easy to deploy. Works for Windows, Mac and mobile devices. Reach out to them to get a demo. Allows for almost any scenario.
Just my nickel (Canadian MSP, don’t have pennies anymore)
I’ll probably get flamed, but I have two clients using LMI Hamachi in production. They’ve both been successfully using it for more than two years. They’re both also SMB with less than 25 users.
OpenVPN seems to be the most widely used standard now from my observations, but it’s slowly being surpassed by wireguard.
ZeroTier or Todyl (but it’s expensive)
We use Netmotion and have had great success and easy integration with auth services and client side deployments.
Worth a look into for sure
OpenVPN. Set up on Ubuntu in hyper-v, open udp 1194 to the hyper-v vm, install client and config on win10 machine. Good to go.
Strongswan is what you want. Native IPsec on almost every OS.
You don’t mention if it is a USG or an Edgerouter, but either can run OpenVPN directly on the device (with some caveats for the USG).
Edgerouter with OpenVPN is pretty reliable where I’ve deployed it. I’ve found L2TP to be less easy to work with on these though.
Checkpoint VPN is extremely awesome. Not an expert, but had it at a previous job. You can configure always on VPN so that when a device is detected as being off the corporate network, the VPN client will auto connect. When on the corporate network, the VPN client will disengage. Certificate authentication can be used so passwords and the like can be a thing of the past.
I’m curious what your issues have been with the Unifi VPNs. Like someone else said, I don’t know if you’re using USGs or Edgerouters, but I’ve had great success with the USG VPN on both PPTP and L2TP. Solid connection, good speeds, reliable.