How to set up a VPN? Best free VPN server: OpenVPN via pfSense

VPNs are becoming an integral part of operating almost every business in every industry in today’s fast-paced telecommuter world.  Whether the need is to connect all your branches to the home office’s resources or allowing your salesforce and project managers to access company resources remotely or simply surf anonymously, a VPN is the way to keep everyone connected to your centralized resources.  So, what is a VPN?  How to set up a VPN? How do you choose the right configuration?  What options are available and why would one be better than another?  Read on to find out!

At its core a VPN is a tunnel through the internet from point A to point B that shields the data being sent and received from public access and scrutiny.  There are two basic types of VPNs, a Site-to-Site VPN and a Client/Server VPN.  A Site-to-Site VPN connects two or more separate physical locations, such as branches of a bank or retail chain, to the main internal network of a company such as the internal network at the headquarters of a company.  This allows everyone in a branch, while in the office, to access company resources that are housed at the headquarters as if they were physically at the headquarters location.  There are clear benefits to leveraging a VPN for this purpose.  Keeping data stored on centralized servers and allowing access through folder shares over a VPN allows for a more streamlined security system that is easier to manage, and backups are guaranteed to include the most important company data since the data is centralized on servers at the main office.  The drawback to a Site-to-Site VPN is that it only allows access to centralized company resources if the employees at the remote location are in the office.  Employees that travel constantly or work from home would not have access to the VPN-available resources.  A Client/Server VPN addresses the issue of traveling and remote individual workers.  This type of VPN allows individual users to connect to centralized company resources no matter where they are; all they need is an internet connection and their laptop or mobile device to be configured for the VPN.

Whether a VPN is configured for Site-to-Site and/or Client/Server functionality, there are a number of protocols to choose from.  These options include Internet Protocol Security (IPSec), Layer 2 Transport Protocol (L2TP), Point-to-Point Tunneling Protocol (PPTP), Secure Socket Transport Protocol (SSTP), and OpenVPN.  Off the bat, PPTP has been proven to be easily hacked and should NOT be used if at all possible.  IPSec uses existing internet protocols to establish a secure connection at both ends of the tunnel and encrypt the traffic.  L2TP creates a tunnel, but is usually combined with other protocols such as IPSec to secure the traffic over the tunnel.  SSTP utilizes Secure Sockets to establish the tunnel, and either SSL or TLS to secure the tunnel.  This is a newer option for Windows platforms only, and is usually preferred for its use of SSL/TLS certificates and the fact that port 443 is always open, so no additional ports need to be opened on a firewall to allow the VPN traffic through.  OpenVPN is an open-source design for establishing a free VPN server that uses SSL to secure the traffic.  This is done with SSL certificates that are either generated by an in-house CA server or with OpenSSL, which is included in the OpenVPN install.  Additionally, passwords can be set on top of the certificates to add an additional layer of authentication and security.

There are many hardware and/or software options available these days , ranging from free VPN server software such as OpenVPN to elaborate hardware/software systems such as Cisco’s various solutions.  So, why choose one over the others  (what's the best free VPN?) and what’s involved in making that choice?  First, decide if a Site-to-Site or Client/Server VPN is what’s needed, or both.  Open-source and commercial solutions usually support both types of VPNs, and both have pitfalls in the learning curve, but look for one in each category that offers what your situation requires.  Being open-source, OpenVPN is a free VPN server, but you’re pretty much on your own if you need any help seeking your answer to "How to set up VPN?".  Cisco requires investing in their hardware and software as well as client licenses for most devices to access the VPN.  The benefits to commercial solutions is the available tech support and the unified design which can make implementation and management feel easier, even if it’s not.

If you choose to go with a commercial solution then you are done with the initial decisions, and should next start learning that particular platform in preparation for the design and implementation stages.  Choosing to go with the open-source OpenVPN is not the end of the decision making. OpenVPNOpenVPN has been put out as a stand-alone software package that will run both ends of a VPN, and is compatible with many major platforms making it a great choice for homogenized and hybrid environments alike.  In addition, OpenVPN has been integrated into other software packages such as pfSense, Untangle, and IPFire, as well as hardware such as Netgate’s pfSense appliances and Ubiquity’s EdgeMAX products.  We’ve not had any experience with Untangle or IPFire, but on paper both look similar to pfSense.  We found Ubiquiti’s EdgeMAX products to be very difficult and slow to configure.  Additionally, appliances tend to have less power under the hood, meaning this could get expensive for environments with high traffic volumes.  However, pfSense differs in that it offers an almost all-inclusive package for implementing and managing a network, including OpenVPN, and is much easier to set up than Ubiquiti’s or Cisco’s equipment.  What makes it even better is that you don’t even have to buy Netgate’s pfSense appliances. You can round up a desktop computer, apply the pre-made pfSense image, and have far more processing power than most appliances and at a fraction of the cost.  If you’ve got an old desktop sitting in the corner it’s probably just right for the job, or for smaller jobs a Raspberry Pi can be had for around $50.  Just as commercial products are designed, pfSense is also scalable to an enterprise level making it a cost-effective and viable option for SMBs and large enterprises alike.  And with features like Active Directory integration and addons like Snort for intrusion detection and real-time traffic monitoring, pfSense is again a serious contender against commercial products like Cisco or Palo Alto’s monitored firewall services.

All-in-all, the choice of a free VPN server or a commercial system will come down to your budget, your need for 24/7 phone support, and in some cases vendor-restriction requirements.  If you’re in an environment that only accepts commercial products, then feel free to propose an open-source alternative but expect to be told: “No.”  For those that don’t have such restrictions, either leveraging OpenVPN on its own or integrated into pfSense is really worth serious consideration, no matter how small or large your environment is now or grows to be in the future.  And with pfSense being maintained and updated by a for-profit company, even the free versions are benefiting from more stable releases and timely patches that help keep your network safe as the years go by, and the user interface gets new features through version updates that streamline the management of your network.