VPN Overview

From Edge Threat Management Wiki - Arista

There are so many different VPN technologies and options that even veterans can find it overwhelming to understand the pros, cons and use cases of each.

Hopefully this quick guide will give you an overview of the VPN technologies in Untangle and the scenarios in which each would be used.

Use Cases

There are many ways to use VPN technology. In an effort to reduce the complexity, let's group the different use cases into a few common ones. There is overlap and there are other use cases, but these are the major common themes.

  • 1) Connecting two networks
    • The traditional meaning of VPN - connecting two networks at different places so they can communicate securely
  • 2) Connecting remote users to a network
    • Connecting an individual remote user to the network securely so they can access internal resources securely
  • 3) Full-Tunnel filtering of remote users/networks
    • Connecting an individual remote user or network and filtering ALL of the traffic through the central site.

The apps

There are 3 apps that do "VPN" (Virtual Private Network) related activity: OpenVPN, IPsec VPN and Tunnel VPN.

However, IPsec VPN actually includes many different VPN technologies itself. These include:

  • IPsec
  • GRE
  • L2TP
  • Xauth

OpenVPN

OpenVPN is useful for use cases #1 and #2, and for the server side of #3. It can be used to connect to, and to allow connections from, remote networks or users. It can operate as a client or a server.

OpenVPN is an SSL-based protocol and one of the simpler VPNs to manage. It supports a wide variety of devices.

IPsec VPN

As stated above, IPsec VPN contains several different technologies, so let's look at them separately.

IPsec

IPsec tunnels are useful for use case #1 when you want to connect to another network securely.

IPsec is often more complicated than OpenVPN and can have issues with NAT. However, IPsec is a more widely supported protocol, so if you are connecting to non-Untangle equipment this may be the best option.

GRE

GRE (Generic Routing Encapsulation) is a tunneling protocol that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an Internet Protocol network. Note that it does NOT provide encryption, and is thus normally used to route multiple networks between two devices where IPsec is configured to provide point-to-point transport mode encryption. It is more commonly used when IPsec IKEv1 support is required, since when using IKEv2 tunnels, multiple network routes can be defined directly in the tunnel configuration.
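As an added illustration (not code from this page or from Untangle), the following Python example builds and parses an RFC 2784 GRE header. It shows that GRE is pure encapsulation: the inner packet is carried verbatim and readable on the wire, which is why the GRE packet itself must be protected by IPsec transport mode. The sample IPv4 packet and payload are constructed.

```python
import struct

GRE_PROTO_IPV4 = 0x0800  # EtherType carried in the GRE "Protocol Type" field for IPv4
FLAG_CHECKSUM = 0x8000   # the "C" bit in the first 16-bit word of the GRE header

def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum, as used for the optional GRE checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def gre_encapsulate(payload: bytes, proto: int = GRE_PROTO_IPV4, checksum: bool = True) -> bytes:
    """Prepend an RFC 2784 (version 0) GRE header to an inner packet. No encryption is applied."""
    flags = FLAG_CHECKSUM if checksum else 0
    header = struct.pack("!HH", flags, proto)
    if checksum:
        # Checksum covers header + payload with the checksum field itself zeroed.
        csum = internet_checksum(header + struct.pack("!HH", 0, 0) + payload)
        header += struct.pack("!HH", csum, 0)  # checksum + Reserved1
    return header + payload

def gre_checksum_ok(packet: bytes) -> bool:
    """With the C bit set, the checksum over the whole packet must come out to zero."""
    flags = struct.unpack("!H", packet[:2])[0]
    if not flags & FLAG_CHECKSUM:
        return True  # no checksum present, nothing to verify
    return len(packet) >= 8 and internet_checksum(packet) == 0

def gre_decapsulate(packet: bytes) -> tuple[int, bytes]:
    """Strip the GRE header; returns (protocol type, inner packet). Raises ValueError on bad input."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    if not gre_checksum_ok(packet):
        raise ValueError("GRE checksum mismatch")
    return proto, packet[8 if flags & FLAG_CHECKSUM else 4:]

def inner_is_visible(gre_packet: bytes, inner: bytes) -> bool:
    """GRE adds no confidentiality: the inner packet appears verbatim in the GRE packet."""
    return inner in gre_packet

# Constructed sample: a minimal IPv4 header (10.0.1.5 -> 10.0.2.7, TCP) plus a plaintext payload.
SAMPLE_INNER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 31, 0x1234, 0, 64, 6, 0,
                           bytes([10, 0, 1, 5]), bytes([10, 0, 2, 7])) + b"hello world"
```

Running `inner_is_visible(gre_encapsulate(SAMPLE_INNER), SAMPLE_INNER)` returns True, which is the whole point: without IPsec around it, a GRE tunnel exposes every inner packet to anyone on the path.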

L2TP

L2TP is for use case #2 and use case #3: remote workers that need to connect to internal resources, or whose traffic you wish to filter all the time.

The advantage of L2TP is that it is supported natively in many devices. The downside is that it is very incompatible with NAT and does not support two devices on the same remote network connecting at the same time.

Xauth

Xauth is for use case #2 and use case #3. Similar to L2TP, it is a protocol that is built into many devices and can be used to allow these devices to connect to internal resources or get full-tunnel filtering while off-site.

Xauth is a better option than L2TP because it is more compatible with NAT, but is not as widely supported as L2TP.

Tunnel VPN

Tunnel VPN is for connecting your Untangle as a client to a remote server or service, which is the #3 use case. In other words, the Tunnel VPN app is for sending some or all of your internet-bound traffic (full-tunnel) through a remote server. This remote server could be a service or another Untangle running OpenVPN.