What VPN services are you using?

In my company we are thinking of setting up a VPN. It will be used for restricting access to our websites' backend and servers (ssh). I’m looking at different options, mainly NordVPN, Surfshark, CyberGhost. Do you guys use any of them? Or do you use a different service?

We are also considering rolling our own OpenVPN server, but we are a bit unsure about the maintenance and security risks that come with it.

The options you’re looking at are unsuitable for corporate use.

I strongly suggest using Tailscale, and have introduced it successfully to several clients for the purposes you mentioned.

You are confusing anonymization services (which frequently mis-describe themselves as VPNs) with Virtual Private Networks.

You might get more sensible answers if you explained your use-case in your original post (I see you’ve followed up on some of the comments with more details).

There is some mention of Tailscale here - it's not available from the standard repositories of most Linux distributions (meaning that you need to actively monitor for updates and install them manually) but there is an unofficial service for Ubuntu / Debian and derivatives. But what Tailscale is good at is scaling to thousands of interconnected nodes - not your use case.

Try OpenVPN.

Personally, I’m ripping out the VPNs in my work and replacing them with a browser-based remote access solution. If I wanted to secure remote access to a single WordPress service, then I’d just do that with an nginx proxy configured with http_auth_request. However I suspect that both would be a bit of a stretch for you given your technical knowledge.

I personally host a WireGuard and it works great for me.

I wouldn’t trust sending all company traffic through a consumer VPN service.

The biggest reason for those consumer VPN services to exist is to circumvent geo blocking on Netflix and co. Not sure why you would need such a service in an enterprise anyway.

If you want your employees to connect to your local network and NAT their IPs, you’d need to host your own VPN endpoint anyway.

OpenVPN is your best option in my opinion.

Pritunl is a nice and easy tool. Runs over OpenVPN.

You want something like Cloudflare Zero Trust (free/easy with no client sw to install or manage), Tailscale (heard only good things but haven’t used), or take a more manual approach and set up WireGuard manually.

The term “VPN” basically means an encrypted tunnel for traffic. This can be used to protect company traffic if you set up your own VPN server within your network / on the servers you’re protecting, but it can also refer to “public VPN” companies like the ones you mention that sell services that use VPN tunnels to make your traffic look like it’s coming from a different country, mainly to circumvent geo blocks on video services or surf porn. These services don’t add any security as the traffic comes out unencrypted at the other end.

Public VPNs also don’t provide any end user authentication, something that’s important if you’re trying to restrict access to services. Worse, public VPNs are often used to hide the origin of malicious activities, meaning traffic coming from them is more likely to be bad.

Tailscale is awesome IMO.

At an MSP we used OpenVPN Access Server for customers for just this situation.

https://openvpn.net

A solution with a jump host (usually called Bastion host) is one common solution for this task, especially if you are a small team and want to keep maintenance low. You can use it to SSH to your servers, or even use an SSH tunnel as a SOCKS proxy.

Not so fancy as a VPN, but does the job. You can read more here (AWS doc).
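The jump-host setup described in the comment above, as an added configuration example that is not part of the original thread. All host names, addresses, user names and key paths are placeholders, and it assumes OpenSSH on both the laptop and the bastion.

```sshconfig
# --- Client side: ~/.ssh/config on an employee laptop ---
# Host names, addresses, user names and key paths below are placeholders.

# The only SSH endpoint reachable from the internet.
Host bastion
    HostName bastion.example.com
    User alice
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

# Internal servers are reached through the bastion. ProxyJump only relays the
# TCP stream: the session to the target is encrypted end to end and the
# private key stays on the laptop, so agent forwarding is not needed.
Host 10.0.1.*
    User alice
    ProxyJump bastion
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    ForwardAgent no

# SOCKS proxy for the website backend: run `ssh -N bastion-socks`, then point
# the browser at SOCKS5 127.0.0.1:1080. Bound to loopback only.
Host bastion-socks
    HostName bastion.example.com
    User alice
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    DynamicForward 127.0.0.1:1080
    ExitOnForwardFailure yes

# --- Server side: /etc/ssh/sshd_config on the bastion ---
# Key-based logins only, for named users only.
PasswordAuthentication no
PermitRootLogin no
AllowUsers alice
# TCP forwarding must stay enabled for ProxyJump and DynamicForward to work.
AllowTcpForwarding yes
AllowAgentForwarding no
X11Forwarding no
GatewayPorts no
```

For this to restrict access, the internal servers' firewalls should accept SSH and backend traffic only from the bastion's address; otherwise the bastion is just one more entry point.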

GlobalProtect. None of those are suitable for a corporate network.

I’m using Headscale and Tailscale.

This guy is either a troll or shouldn’t be doing IT.

ProtonVPN paid service. Have had it for five years, I think.
Edit: I should have read the rest. Sorry.

Work and I use WireGuard. You can also use FortiGate.

You can use WireGuard, it is simple and easy.

At work, we use Fortinet, which runs over HTTPS and thus has no problem with firewalls. Seems pretty performant and reliable. I’m able to use openfortivpn on my Ubuntu laptop to access it.

I’ve run OpenVPN for a small company and it worked fine - certificate + LDAP authentication was straightforward to set up. No more maintenance-intensive than any other Linux box once it’s configured. I run OpenVPN for my home network. WireGuard is apparently more performant these days though.

Perimeter 81 is decent and user friendly for the most part. Zero trust too.

As others pointed out, you named anonymization services, which make use of VPNs, but *are* not VPNs and definitely are not what you need.

You need to choose a VPN technology (IPsec, OpenVPN, WireGuard) and possibly a product to manage it. A valid option could be Tailscale (WireGuard is the actual VPN backend).