Why are there so many VPNs?

Disclaimer: I’m not a sysadmin but a developer. I write here because I believe that my question can receive better answers from sysadmins.

At work I have to deal with a lot of VPNs. While on Windows things usually go smoothly enough (and even there problems sometimes arise), on GNU/Linux configuring most VPNs is a PITA, and support for mobile OSs (iOS and Android) is usually hit and miss. This makes me wonder about one thing: we built SSH, which became a “de facto” standard for text-based remote control and can work smoothly not only on popular desktop and mobile OSs (Windows, GNU/Linux, MacOS, iOS, Android) but even on unpopular ones such as the BSD family or HP-UX. Why can’t we do the same for VPNs, building only one or two VPN programs which are open source, easy to port and easy to configure? Why should we have so much fragmentation and complication with VPNs, given the importance that they have in a modern enterprise?

OpenVPN and WireGuard are the two that come to mind as solutions to this issue. The problem I see in most corporations is the big push to avoid open source solutions, for whatever reason. I’m the opposite, I believe in open source and use it whenever possible.

I’ve used OpenVPN in several installations and it works great among different devices, is easy to configure, etc. I’m just starting to look into WireGuard for wider deployments.

In all honesty, WireGuard is extremely promising. It’s fast, easy, and flexible. It can deal with most use cases I can think of.

Because companies are allergic to “open source” and “free”. It obviously can’t be any good if you aren’t paying a fortune every year for CALs and support.

Good questions…

I suspect because it is relatively easy and cheap for anyone to start a VPN business by white-labeling a Windows VPN solution.

This is why there are many. As to why there are more on non-Linux platforms, well, my take is that the majority of “enterprise” users tend to be MSFT, so Windows tools have a bigger market than Linux.

Frankly, up until the pandemic aside from TOR, I had no use for a VPN “solution”…

For SSL VPNs that connect to hardware-based VPN concentrators (and even software based VPN concentrators), pretty much every vendor writes their own software client. I’ve heard of and seen some open source client alternatives that work under certain circumstances, but the hardware vendors have very little motivation to collaborate on this and make something that is universally compatible. In general I think they would prefer to keep all their stuff completely closed source and use it as a differentiating factor between them and other vendors in order to gain a competitive advantage.

Outside of SSL VPNs, there are other VPN standards that are intended to be universally compatible. You can create an IPSEC site to site tunnel between pretty much any vendor hardware. That’s a defined standard so compatibility is more guaranteed.

OpenVPN exists and works fine across all platforms. Depends on the firewall/device it is connecting to, but works for most.

On Linux / mobile the problem is typically that you have to specify what routes need to go over the VPN. I typically just tell it to route all traffic over the VPN with a route of 0.0.0.0/0. MacOS (and probably iOS) has a button in the VPN settings to “route all traffic over the VPN” that makes it easy to use and accomplishes the same thing as the 0.0.0.0/0 route in Linux. This method does assume that whatever network you’re using the VPN to connect to has NAT configured to allow the VPN network to access the internet; this may not always be the case though, so YMMV.

There are really only a handful of common VPN protocols that are in use, L2TP/IPSEC, SSL, IKEv2 and GRE. It is true that a lot of companies constantly recycle the common VPN protocols into their own proprietary VPN clients.

Isn’t WireGuard an attempt at unifying VPN standards?

PIA has started supporting it, maybe more will follow.

Have you guys tried tinc? Amazing VPN tech!

Some VPNs run checks on the computer before letting them connect. Check if updated or compromised, or look to see if the phone’s rooted. So that can make some vers harder to run. The VPN isn’t just a VPN, it’s also a policy checker or whatever. Also you might have multiple VPNs because of different companies you connect to or work with or how things need to be protecte

There are only a handful of fundamental VPN technologies and a whole bunch of wrappers/user interfaces on top of it. They are not designed for users, they’re just libraries.

If you want, you can write your own wrapper that is more user-friendly than others. But at that point you might want to sell it to someone and make $$$ instead of just internet respect points.

Usually open source comes out of necessity. You need something for yourself so you go and do it. People that need it out of necessity don’t need it to be end-user friendly which is why most open source software looks like shit and the interface is straight from 2002.

SSH is not for end users either, it’s for power users/professionals. Stuff you’d do with normal command line utilities the end user has to download a GUI tool full of trojans from a shady website.

As others have mentioned, OpenVPN is a good solution. I’m a guy that wants simplicity, so I use OpenVPN with a wrapper so configuration is a breeze with a web frontend. It’s called Pritunl.

Money. Plain and simple. That’s why Mozilla got into the VPN business, because people want VPNs and are willing to pay for them. Mozilla has a reputation for being privacy based, and that is their angle.

I hope WireGuard takes off because it is way better.

Because there are bad products and good products. It takes a long time to find out which one is good. That’s why I keep contact with many admins to keep an eye on what everyone uses. It saves me huge amounts of time to find the right product by just copying their choices. I also know who is really a good source of information.

In case you’re asking for a VPN product, I chose strongSwan. It’s slightly difficult to install, but works great on my mobile phone.

OpenVPN for life. All other solutions are jokes.

The fun part of standards is that there’s so many of them.

The OpenVPN for client access and IPSec for site to site VPN is exactly how I’ve both done it and seen others implement it. Seems like the most logical uses of both.

It might be wishful thinking, but parts of me hope WireGuard gets some better management features and takes off. It’s great for site to site. It’s good for a couple of client endpoints. I couldn’t imagine using it for 100 users though.

Then you have someone like Sophos take OpenVPN, paint their name on the front, and call it their own product…

I HATE IT ALL

Fyi.

Meraki is currently deploying the Cisco AnyConnect client with their MX firewalls in limited numbers (before going fully live).

If you reach out to your Meraki rep you can get added to this early release/beta program.

WatchGuard and I think Sophos XG SSL VPN solutions are OpenVPN under the hood. They even work with the OpenVPN client.