Best Open Source Scalable VPN Concentrator Solution?

I am looking for the best suited open source solution for a highly scalable VPN concentrator solution.

My current contenders are 1) SoftEther VPN, 2) LibreSwan and 3) OpenVPN.

Anyone with experience with enterprise VPN concentrator solutions for lots of remote clients? e.g. employees on laptops on their home Wifi connecting to the enterprise LAN.

*Edit: must be software appliance → intended to be deployable on cloud providers and be cloud provider agnostic (e.g. cannot be AWS Virtual Gateway, CloudHub, etc.).

Why do you need it to be open source?

If this is to build your CV with experience, I think it’s the wrong way.

There are 2 trends in VPN as I see it:

1) Eliminate traditional layer 3 VPN and use domain-based ZTNA agents to do policy brokering to inside networks. Most solutions for this will be commercial (Fortinet, Zscaler, etc.), but I'm sure there is a FOSS one out there.

2) VPN everything. Palo Alto Prisma, Fortinet SSAE, etc.; again, mostly commercial solutions. For this you're talking massive bandwidth, not only for behind the firewall but for always-on inspection of company assets in the field.

A FOSS offering for 5,000+ clients I just don't see in practice in the future at a very large scale.

My 2c. YMMV.

Take a look at Let's Connect VPN/eduVPN. It's open source and designed to scale. GitHub - eduvpn/documentation: eduVPN documentation (MOVED; see https://codeberg.org/eduVPN/documentation and https://docs.eduvpn.org/).

Are you a Windows shop? If so, Microsoft Always On VPN behind load balancing, with NPS, RRAS and CA roles deployed redundantly. Because you already have a license then, and it is what Microsoft themselves use. Just build out as many RRAS and NPS servers as needed to handle the load.

How much do you care about open source vs enterprise? Because there’s almost zero overlap IME.

Every enterprise that I’ve ever dealt with has used Cisco, Juniper, F5, or Palo Alto.

Things start to open up a bit if you move down to medium and small businesses.

What is "lots of"?

100 concurrent connections?
1000?

1000 MBit, 500 MBit, Gigabit?

What is the connection characteristic?
Always on / on demand?
Roadwarrior feature set?
Geographically dispersed concentrators?
DR?
Autonomous System available?
IPv6?
IPv4?

Based on some research on SoftEther VPN, it seems to be a possible winner. Anyone have experience with it?

F5 + Zscaler is the way to go

OpenVPN all day. Setting up an access server is EASY; put it in a data center, then set up a tunnel so you don't have to do load balancing.

Surprised to see nothing based on WireGuard. Have a look at GitHub - juanfont/headscale: An open source, self-hosted implementation of the Tailscale control server.

I'm using an app from the Google Play store called "Open Source VPN". It uses the OpenVPN protocol, and has servers for almost all countries, for free.

I want to be able to use it for Proof-of-Concepts, but also have something that could be used in a real-world enterprise scenario if it were to be implemented. Hence, an open source product that would be free of cost, but also actively developed and with support for large deployments.

/u/klasp100 /u/tehiota I work on an open source project in category (1). It's called OpenZiti (https://docs.openziti.io/), and it allows anyone to embed zero trust networking and SDN/SD-WAN principles into (almost) anything: clouds, devices, hosts, IoT, even inside apps with an SDK. No need for inbound ports on the FW, no need for public DNS.

While it's an open source solution, we also have a SaaS version called CloudZiti with a free-forever tier up to 10 endpoints (should be good for your PoVs). We have thousands of endpoints across loads of customers for CloudZiti, and OpenZiti is being used by some massive organisations.

Thank you, good pointer.
For remote access VPNs, SoftEther in docs mentions that each server can handle 4096 connections with sufficient hardware. They can also be clustered and provide HA.

I will check out ZTNA though, thanks.

The protocols themselves are open source, so anyone can create an implementation. I suspect vendors will only provide convenience in doing HA and clustering, monitoring, etc. SoftEther seems to provide that.

Let's say it can scale to at least 5000 concurrent connections. Preferably always-on. High-availability capable. IPv4 support is enough; IPv6 is cool if it has it, but not needed. Geographical spreading capability would be nice, but I don't think it's necessary. No need to handle AS.

Thank you, your questions also helped me refine my search.

I hate it when people give vague questions and want detailed responses :man_shrugging:t4: Kinda ignorant, unless you are an absolute beginner, which would be OK at that point.

No worries, I am searching for a tool to learn and invest myself in. I am not trying to figure out on the fly how to do something I was asked to do.

Not at enterprise and cluster level, but I use it as a home-lab access VPN from around the globe. I like the tons of connection variants (OpenVPN, L2TP, IPsec if you need it directly from Windows without installing the SoftEther client/OpenVPN client).