What’s a good VPN option for businesses (road warrior) that supports Azure AD authentication (+ MFA)? We’re currently using the community version of OpenVPN but are planning to phase out our AD setup and only have AAD left (with MFA enforced). While I know that the paid version of OpenVPN can support this, I’m interested in exploring other (more polished) options. We need a network VPN for our employees. A terminal server/VDI environment isn’t sufficient. Any suggestions (commercial/open-source)?
Give Tailscale a look. I deployed it at my current job. At the end of our POC period, I asked our target group for feedback. The senior-most dev replied “management will take this from my fucking cold dead hands.”
Screenshotted that one piece of feedback, emailed it to the general manager, funding approved.
Have you looked into using the VPN solution built into most firewalls? They all pretty much support SAML which is what you need to offload auth to AzureAD
We use Global Protect since we have a Palo Alto firewall. It’s also hosted within Azure so makes sense for us to use it combined with SSO from Azure. Works well
MS Always on VPN has been solid for us with AzureAD joined Intune managed devices. The VPN authenticates via certificate based 802.1x which is a form MFA.
If you’re looking a good OpenVPN alternative, you might be interested to consider the next wave of technologies and post-VPN architectures called overlay mesh networks. There’s a range of tooling that’s super helpful for replacing VPNs that’s also Zero Trust aligned.
Full disclosure: I work for one of the companies building such tooling (enclave.io). So while this is a bit of a shameless plug for https://enclave.io, as an architecture and technology it’s a a perfect fit to mature beyond OpenVPN while maintaining feature parity like network level access, MFA and AAD integration.
Overlay mesh networks feel like a VPN; but are different in several key ways-
Serverless (data is peer-to-peer, organised by a lightweight SaaS control channel)
Dynamic (connections brought up on-demand, tunnels do not need to be always on)
More secure (No open ports required, your firewall can stay closed, it works behind NAT)
Tolerant of network change (Works with dynamic IPs, you don’t care where the other side is ahead of time)
Zero configuration (Works on the network you’ve already got, no changes, no hardware, no servers)
Give each system a static virtual IP address and DNS out of the box
Offer mutual authentication & end-to-end encryption, no servers in the middle
If you get a chance to try https://enclave.io/ we’d love to hear your feedback. To help balance the post, you could also consider exploring these other excellent solutions:
(edit: if you really fancy doing some homework, we made a small microsite that maps the whole space that you might file helpful- https://zerotrustnetworkaccess.info/)
Always On VPN is built in to Windows, although deployment is a little cumbersome unless you use Intune.
But in general VPNs are legacy and you should be moving towards Zero Trust solutions (Zscaler, Netskope, etc.), with user permission based per app tunnels with strong authentication (certificate/MFA). Or actually just making everything accessible externally and securely via the cloud and strong authentication rather, than tunneling traffic internally to your network.
We just started looking into Twingate at our company and are liking it so far. We were looking for an alternative to pulse and as luck would have it, NetworkChuck made a video on it not too long ago. https://youtu.be/IYmXPF3XUwo
Enthusiastic second for Tailscale. Deployed it as my company’s first VPN solution (newish startup) and it was one of the best product decisions I’ve made. A year and a half in, never had a service disruption that affected us, features just keep getting better, and maintenance overhead is practically non-existent. I sound like a shill, but as someone who has been primary for network management over the last decade, this is the first VPN type product I’ve ever had reason to really be excited about.