There are user-mode clients for almost everything now.
I think there’s kernel-mode support for BSD now or on the way (in addition to Linux).
Correct ciphers are something that doesn’t slow your CPU on the FW (specs often tell what can be HW-offloaded) or clients, while still being considered secure.
Also had great experiences with AnyConnect. I guess my major upset is a great lack of a widely accepted VPN standard. I wish there was just a simple best practice, just like HTTPS/SSL, for VPNs.
That’s the thing. No.
With SSL VPNs you will need to use whatever client your VPN solution entails. The benefit is in the non-transparent and universal nature of SSL connections.
SSL VPN traffic is usually indistinguishable from regular SSL traffic, and outgoing port 443 is blocked basically nowhere.
Not sure what documentation you are pointing to… MS has their own solution called DirectAccess that is more modern but ONLY works with Windows clients.
The PPTP/L2TP/IPsec options have remained almost unchanged for decades, only getting small UI updates, and are kept around for legacy support. MS provides a plugin API for 3rd parties to hook their own, more modern and secure solutions into.
You will run into problems when users can’t log in or change their password while using a VPN that’s not running as soon as the machine starts: Group Policy, network drives etc.
IPsec with IKEv2 is fine, but cryptographic agility (sounds like a good thing but is actually a misfeature or worse) means it can use insecure ciphers.
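To make that point concrete, here is an added example (not part of the post above) using strongSwan ipsec.conf syntax, which is an assumption since the post names no implementation: the first connection leaves legacy proposals negotiable, the second pins one AEAD proposal and uses the trailing `!` so strongSwan does not append its built-in defaults.

```conf
# Added example (not from the post): two strongSwan ipsec.conf connection
# definitions showing how IKEv2 proposal lists decide what a peer can negotiate.

# WEAK: legacy algorithms are offered, and because the list has no trailing "!"
# strongSwan also appends its default proposals. A peer may end up on
# 3DES / SHA-1 with a 1024-bit MODP group.
conn vpn-weak
    keyexchange=ikev2
    ike=3des-sha1-modp1024,aes128-sha1-modp1024
    esp=3des-sha1,aes128-sha1

# HARDENED: a single AEAD proposal for IKE and for ESP. The trailing "!"
# disables the default proposals, so anything outside this list is rejected
# during negotiation instead of being silently accepted.
conn vpn-hardened
    keyexchange=ikev2
    ike=aes256gcm16-prfsha384-ecp384!
    esp=aes256gcm16-ecp384!
```

After bringing a connection up, `ipsec statusall` prints the IKE and ESP proposals actually negotiated for each SA, which is the check that the peer did not settle on something outside the intended set.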
WireGuard has been in the Linux kernel natively since version 5.6.
On other platforms it’s only available as a separate package AFAIK.
But yeah, it’s a bit shit that the built-in options on the leading consumer operating systems aren’t great. L2TP/IPsec, if executed right (i.e. secure ciphers), will do the job I guess.
The native implementation of anything in Windows is worse than the worst VPN clients I have ever used, and the only universal thing would be IPsec. But since many providers have problems with outgoing IPsec connections, you might want to rethink your stance on proper client software.
You choose the port(s) for WireGuard, and the canonical examples mostly use the (insecure) port 51820. You should use ports <1024 for a real roll-out.
WireGuard connectivity in PIA works by sending an HTTPS request to the server to request an IP address and connection information, then we send UDP WireGuard traffic to the server. A WireGuard connection, therefore, requires connectivity to both TCP 1337 and UDP 1337 on the VPN server.
Likely it’s a specific implementation.