I do work for a small non-profit (read no money) and they need to add a VPN for mobile users. They have an AD backend and just a cable internet connection. Their ISP does not do VPN solutions so they asked me.
I checked out WatchGuard and a couple from Amazon but was wondering if anyone had any preferences. Are there any that don’t require license renewals every 1-3 years?
Depending on your needs, you could get away with a Raspberry Pi, or almost ANY old (read retired) hardware with OpenVPN. Could even spin up a VM with something like Ubuntu server and OpenVPN. Basically, look into OpenVPN. At my place I run a Pi-hole / OpenVPN VM for the users, with a separate RPi Pi-hole / OpenVPN setup to connect to the maintenance network. Been very happy with the setup. Rock solid for 2 years plus I save my mobile users a little bandwidth by blocking those ads.
Is it the best way to do it? Nope. Is it cheap, easy, and fast enough for most use cases? Yup.
Buy a used Palo Alto firewall, and make sure it has an 8.x code or higher. GlobalProtect is free to use beyond one of the 7.0.x releases (don’t remember exactly which revision; but 7 is pretty old code anyways).
I would avoid VPN because you probably don’t want those devices connecting directly to the network. I’d look into something like Zscaler for remote access. Best of all? It’s a monthly subscription. They might offer special pricing for non-profits.
Take a look at OPNsense (fork of pfSense) - it’s free and provides OpenVPN+IPsec built-in capabilities. For SOHO/SMBs an APU4D4 is powerful enough - if you need more power go for Supermicro embedded or server systems.
Regarding the cable internet connection: check for static IPv4 connectivity first - depending on the contract it’s mostly just DS-Lite, which doesn’t work with inbound IPv4 VPNs.
If it must be free… OpenVPN. Having answered your question I would like to say the following: if they need it, they need to allocate money for it. Security is not a place to get cheap. From our side, anything you implement you own. If it has issues or is not robust, that will reflect on you and not the cost. Just facts. Just because you can “make it work” doesn’t mean you should.
I’d run pfSense firewall with OpenVPN. You can get a Netgate appliance for low cost compared to traditional enterprise solutions and it has all the features you could want. If you need to go even lower cost, you can build your own. There’s zero maintenance fees.
pfSense makes it really easy to deploy OpenVPN. It’s all web GUI based and even makes a package installer for your various clients. You have a wealth of options when it comes to authentication. The most obvious would be certificates and/or passwords generated on pfSense. You can also leverage the existing AD server if you want to run NPS or AD Certificate Services.
Lastly, there’s a robust community that can help you along your path.