Here are the things I kept in my mind before starting:<\/p>\r\n\r\n\r\n\r\n
<\/p>\r\n\r\n\r\n\r\n
- \r\n
- Simplicity<\/strong>: Simple for admins to setup networks, users, SSO etc.<\/li>\r\n
- Remote Access:<\/strong> Access Private network from any remote location and any Platform.\u00a0\u00a0<\/li>\r\n
- Strong Encryption<\/strong>: Encrypted\u00a0 tunnel between VPN clients and VPC.\u00a0<\/li>\r\n
- Site-to-site Implementation<\/strong>: Tunnelling between AWS VPC and a remote network, eg, connection between office network and VPC.<\/li>\r\n
- Access control<\/strong>: Ie, Certain users can access a certain set of hosts only.<\/li>\r\n
- Access control for 3rd Party apps<\/strong>: Connection can be established with 3rd party apps from VPN ip only and not directly.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n
Each VPN can handle the same feature but it may be in a different way. Here we are defining the criteria for comparison:<\/p>\r\n\r\n\r\n\r\n
- \r\n
- Architecture<\/li>\r\n
- Pricing<\/li>\r\n
- Access control<\/li>\r\n
- High Availability \/ Replication<\/li>\r\n
- Protocols<\/li>\r\n
- Clients<\/li>\r\n
- Performance<\/li>\r\n
- GUI<\/li>\r\n
- Authentication<\/li>\r\n
- TWO step AUTH<\/li>\r\n
- Ease of setup and Utilization<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n
Following VPNs have qualified above criteria and has been compared throughly.<\/p>\r\n\r\n\r\n\r\n
- \r\n
- OpenVPN<\/li>\r\n
- Pritunl<\/li>\r\n
- AWS VPN<\/li>\r\n
- Pulse Secure<\/li>\r\n<\/ul>\r\n
[ Also Read: Simplifying Site-to-Site VPN Connectivity with StrongSwan<\/a> ]<\/strong><\/p>\r\n\r\n\r\n\r\n
Architecture<\/strong><\/h2>\r\n\r\n\r\n\r\n
Pritunl<\/span><\/strong><\/p>\r\n\r\n\r\n\r\n
Pritunl works as a distributed and scalable infrastructure with no master server. So, Pritunl can be easily scaled up based on the requirements. It uses mongodb as its database which can be installed on the same instance as well as on a managed instance in case we need a redundant vpn server.<\/p>\r\n\r\n\r\n\r\n
Basic pritunl cluster architecture.\u00a0<\/p>\r\n\r\n\r\n\r\n
<\/p>\r\n\r\n\r\n\r\n
Pritunl Remote Access<\/p>\r\n\r\n\r\n\r\n
<\/p>\r\n\r\n\r\n\r\n
Site-to-site pritunl implementation<\/p>\r\n\r\n\r\n\r\n
<\/p>\r\n\r\n\r\n\r\n
OpenVPN Access Server<\/span><\/strong><\/p>\r\n\r\n\r\n\r\n
OpenVPN works as a standalone OpenVPN access server running in the VPC. It works as primary and secondary nodes as well (cluster with multiple instances), where in case of failure of primary node, secondary\/standby node takes up. But the functionality does not works with AWS.\u00a0<\/p>\r\n\r\n\r\n\r\n
Remote Access with OpenVPN Access Server.<\/p>\r\n\r\n\r\n\r\n
<\/strong><\/p>\r\n\r\n\r\n\r\n
Site-to-Site Implementation of OpenVPN Access server.<\/p>\r\n\r\n\r\n\r\n
<\/p>\r\n\r\n\r\n\r\n
AWS VPN\u00a0<\/span><\/strong><\/p>\r\n\r\n\r\n\r\n
AWS implicitly supports both Site-to-Site vpn access and remote access vpn tunnels.\u00a0These services are fully managed by AWS<\/a> which means administrators need not worry about failures or high availability.<\/p>\r\n\r\n\r\n\r\n
Below is an architecture diagram for a remote employee to connect to many VPCs.<\/p>\r\n\r\n\r\n\r\n
<\/p>\r\n\r\n\r\n\r\n
Site-to-Site VPN in aws<\/p>\r\n\r\n\r\n\r\n
<\/p>\r\n\r\n\r\n\r\n\r\n\r\n
Pulse Secure<\/span><\/strong><\/p>\r\n\r\n\r\n\r\n
Pulse secure simple implementation will be almost the same as openVPN.\u00a0 A cloudFormation template could be used to provision a PCS instance in aws. And it can be connected through any pcs client software.\u00a0<\/p>\r\n\r\n\r\n\r\n
Availability \/ Replication<\/strong><\/h2>\r\n\r\n\r\n\r\n
Pritunl<\/span><\/strong><\/strong><\/p>\r\n\r\n\r\n\r\n
Distributed architecture is at the core of pritunl. So, it is easy to have redundancy and handling failovers.\u00a0 One pritunl host can run multiple instances of OpenVPN server. And each server can be attached to multiple hosts, so that if one of the hosts fail, the server can be started on another host.<\/p>\r\n\r\n\r\n\r\n
OpenVPN Access Server<\/span><\/strong><\/span><\/strong><\/strong><\/p>\r\n\r\n\r\n\r\n
OpenVPN access server provides backup\/standby nodes for failure and recovery. However, this feature does not works with AWS. But we can achieve HA on OpenVPN Access server using Route 53.\u00a0<\/p>\r\n\r\n\r\n\r\n
Here<\/u> is the document reference to achieve the same.<\/p>\r\n\r\n\r\n\r\n
Pulse Secure<\/span><\/strong><\/strong><\/p>\r\n\r\n\r\n\r\n
Pulse Secure recommends High Availability through active-active cluster of multiple pcs instances with a Virtual Traffic Manager(a pulse product) as a load balancer<\/p>\r\n\r\n\r\n\r\n
Here is the diagram of pcs active-active pair<\/p>\r\n\r\n\r\n\r\n
<\/p>\r\n\r\n\r\n\r\n
AWS VPN\u00a0<\/span><\/strong><\/strong><\/p>\r\n\r\n\r\n\r\n
AWS VPN is fully managed by AWS. So, we do not need to worry about replication and redundancy explicitly.<\/p>\r\n
[ Good Read: What is the AWS Cost and Usage Report (CUR)?<\/a> \u00a0]<\/strong><\/p>\r\n\r\n\r\n\r\n
Access control<\/h2>\r\n\r\n\r\n\r\n
OpenVPN Access Server<\/span><\/strong><\/span><\/strong><\/strong><\/p>\r\n\r\n\r\n\r\n
OpenVPN<\/a> access server has inbuilt rule based access control. Which means, we can define which networks\/hosts a user can have access to and rest are blocked.<\/p>\r\n\r\n\r\n\r\n
Pritunl<\/span><\/strong><\/strong><\/p>\r\n\r\n\r\n\r\n
Pritunl does not provide rule based access control like Openvpnas. But there are groups to achieve access control. However, it does not seems as straightforward as openvpn.<\/p>\r\n\r\n\r\n\r\n
Pulse Secure<\/span><\/strong><\/strong><\/p>\r\n\r\n\r\n\r\n
Pulse secure supports rule based access control. For example, we can allow or deny tcp:\/\/*:80,443 for some specific role.\u00a0<\/p>\r\n\r\n\r\n\r\n
AWS VPN\u00a0<\/span><\/strong><\/strong><\/p>\r\n\r\n\r\n\r\n
Access to specific networks can be allowed to specific user groups(Active directory SID or Group ID in IDP). Port or protocol based access control is not supported.<\/p>\r\n\r\n\r\n\r\n
Protocols<\/strong><\/h2>\r\n\r\n\r\n\r\n
OpenVPN Access Server<\/span><\/strong><\/span><\/strong><\/strong><\/p>\r\n\r\n\r\n\r\n
As the name suggests, OpenVPN Access server is built upon the open source vpn protocol openvpn.\u00a0<\/p>\r\n\r\n\r\n\r\n
Pritunl<\/span><\/strong><\/strong><\/p>\r\n\r\n\r\n\r\n
Pritunl also uses OpenVPN protocol at its core by default. But it implements wireguard protocol as well. It uses IPSec for site-to-site links.\u00a0<\/p>\r\n\r\n\r\n\r\n
Pulse Secure<\/span><\/strong><\/strong><\/p>\r\n\r\n\r\n\r\n
Not revealed by the vendor<\/p>\r\n\r\n\r\n\r\n
AWS VPN\u00a0<\/span><\/strong><\/strong><\/p>\r\n\r\n\r\n\r\n
AWS VPN uses OpenVPN protocol for remote access tunneling.\u00a0 And IPsec for site-to-site vpn<\/p>\r\n\r\n\r\n\r\n
Clients<\/strong><\/h2>\r\n\r\n\r\n\r\n
OpenVPN Access Server<\/span><\/strong><\/span><\/strong><\/strong><\/p>\r\n\r\n\r\n\r\n
OpenVPN client supports almost all the major platforms. Here is the list:\u00a0<\/p>\r\n\r\n\r\n\r\n
- \r\n
- LinuxOpenVPN client supports almost all the major platforms. Here is the list<\/li>\r\n
- Windows<\/li>\r\n
- IOS<\/li>\r\n
- macOS<\/li>\r\n
- Android.\u00a0<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n
AWS VPN\u00a0<\/span><\/strong><\/strong><\/p>\r\n\r\n\r\n\r\n
AWS VPN has clients supported on following Platforms\u00a0<\/p>\r\n\r\n\r\n\r\n
- \r\n
- Windows<\/li>\r\n
- MacOS<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n
Since AWS VPN uses OpenVPN protocol, third party OpenVPN clients are also supported. But if you are using a federated authentication method, third party openvpn clients will not work.\u00a0<\/p>\r\n\r\n\r\n\r\n
Pulse Secure<\/span><\/strong><\/strong><\/p>\r\n\r\n\r\n\r\n
Pulse clients are available for below OS<\/p>\r\n\r\n\r\n\r\n
- \r\n
- Windows 10<\/li>\r\n
- Windows 8.1<\/li>\r\n
- Windows 7+<\/li>\r\n
- macOS 10.15<\/li>\r\n
- macOS 10.11<\/li>\r\n
- Ubuntu 17.x<\/li>\r\n
- Ubuntu 16.x<\/li>\r\n
- Debian 9.x<\/li>\r\n
- Debian 8.x<\/li>\r\n
- Cent OS 7.x<\/li>\r\n
- Cent OS 6.x<\/li>\r\n
- RHEL 7.x<\/li>\r\n
- Fedora 26<\/li>\r\n
- Android<\/li>\r\n
- IOS<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n
Apart of that, pulse secure clients can also be launched from web browser.\u00a0<\/p>\r\n\r\n\r\n\r\n
Pritunl<\/span><\/strong><\/strong><\/p>\r\n\r\n\r\n\r\n
Here is the list of Pritunl clients supported platforms:\u00a0<\/p>\r\n\r\n\r\n\r\n
- \r\n
- Ubuntu-18,20<\/li>\r\n
- Fedora-33<\/li>\r\n
- Debian-10<\/li>\r\n
- Centos-8<\/li>\r\n
- arch linux<\/li>\r\n
- oracle linux-8<\/li>\r\n
- macOS Intel<\/li>\r\n
- macOS Apple Silicon<\/li>\r\n
- windows.\u00a0<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n
However, pritunl supports clients of OpenVPN as well but openVPN clients lag some features like automatic sync of VPN profiles. So it makes it supportable for all major platforms.<\/p>\r\n\r\n\r\n\r\n
Performance<\/strong><\/h2>\r\n\r\n\r\n\r\n
Bandwidth of below vpns are the one that they claim. Actual performance may vary and can be determined with iperf.\u00a0<\/p>\r\n\r\n\r\n\r\n
OpenVPN Access Server<\/span><\/strong><\/strong><\/p>\r\n\r\n\r\n\r\n
Performance of an openVPN server is dependent on how much bandwidth we want to route through the vpn server.<\/p>\r\n\r\n\r\n\r\n
A modern CPU with an AES-NI chipset uses 12MHz of CPU to process each Mbps transferred in one direction. So, for example, a 4 core<\/strong> system at 3GHz<\/strong> would count as 12,000MHz<\/strong>. Which equates to 1000 Mbps maximum throughput<\/strong>.\u00a0 For memory, It’s a rough estimation of 1 GB of memory for every 150 connected devices.\u00a0Around 16GB of disk space should be more than enough as only data that are necessary to store on disk are connection and program logs, and user certificates and settings.<\/p>\r\n\r\n\r\n\r\n
OpenVPN recommends not to use more than 1000 connections from a single instance. The default limit is however 2048.<\/p>\r\n\r\n\r\n\r\n
Pritunl<\/span><\/strong><\/p>\r\n\r\n\r\n\r\n
As we know pritunl uses OpenVPN protocol at its core, so the hardware requirements would be almost the same. However, Pritunl claims a 100mbps maximum bandwidth per connection with fast Intel CPU with AES-NI on both client and server side.\u00a0<\/p>\r\n\r\n\r\n\r\n
A wireguard implementation on pritunl would be faster as wireguard protocol is comparatively faster than OpenVPN.<\/p>\r\n\r\n\r\n\r\n
AWS VPN\u00a0<\/span><\/strong><\/strong><\/p>\r\n\r\n\r\n\r\n
AWS Recommends to use iperf to measure bandwidth for its vpn connections. According to aws, bandwidth depends on a number of factors.
AWS allows maximum of 2000 concurrent connections. And this can be increased through limit increase requests.<\/p>\r\n\r\n\r\n\r\nPulse Secure<\/span><\/strong><\/strong><\/p>\r\n\r\n\r\n\r\n
PSA has 3 types of virtual appliances. The data sheet is below.\u00a0<\/p>\r\n\r\n\r\n\r\n
\r\n
- Remote Access:<\/strong> Access Private network from any remote location and any Platform.\u00a0\u00a0<\/li>\r\n