pfSense/Sophos vs ASUSWRT/RMerlin - Is there any reason to change?

Does anyone know if the Sophos filtering is still run through Sophos servers or done locally like pfSense?

I'm interested in Sophos UTM but don't like the idea of my traffic being scanned by a third party.
 
The ONLY reason I turned my router back on as the primary device is because Sophos UTM does not support OpenVPN right through the GUI. There is some command line or other workaround, but in the end, after 1 year, I just wanted a simple VPN client to connect to Nord, which Merlin's fork does excellently.

FWIW - my little side project - we kicked OpenVPN to the curb in the base board support package - not that it's a bad project, it just performs badly in our architecture, giving about 10 percent compared to the wire...

And we're getting 900 Mbit/s throughput on the wire with a Gigabit WAN connection, and OpenVPN gives us around 90 Mbit/s and consumes about 100 percent of resources on one core (dual core architecture, Cortex-A9 here) - just not worth it compared to other approaches... and that drag on resources impacts other services.

L2TP/IPSec does quite a bit better... we do support L2TP/IPSec, as most popular desktop and mobile clients support it out of the box; just Linux is a bit of an issue, but that's solved by distro package managers and a bit of text/config kung-fu...

We've put the hooks in, and provided a container that does OVPN 2.4, but this is a checkbox feature that someone would have to install...

Just my two cents - and OpenVPN shouldn't be a value added gate here...
 
And we're getting 900 Mbit/s throughput on the wire with a Gigabit WAN connection, and OpenVPN gives us around 90 Mbit/s and consumes about 100 percent of resources on one core (dual core architecture, Cortex-A9 here) - just not worth it compared to other approaches... and that drag on resources impacts other services.

Close to my finding too. On my Cortex-A9 based Asus all-in-one, OpenVPN achieved around 86 Mbit/s, but my dual WANs back then were 200/200 and 100/100. So I thought that the 100 WAN could impose an upper limit. That's the time I kissed it goodbye, but back then I saw you started promoting OpenVPN though. lol.

L2TP/IPSec does quite a bit better... we do support L2TP/IPSec, as most popular desktop and mobile clients support it out of the box; just Linux is a bit of an issue, but that's solved by distro package managers and a bit of text/config kung-fu...

L2TP/IPsec is a bit old. I skipped it entirely and moved to IKEv2 IPsec. You shall consider it for your project...
 
L2TP/IPsec is a bit old. I skipped it entirely and moved to IKEv2 IPsec. You shall consider it for your project...

It's there already - we're not pushing that, but nice performance there... the checkbox/customer education is L2TP/IPsec as it's already there on the client-side with much less config...
 
I kissed it goodbye but back then I saw you started promoting OpenVPN though. lol.

Gah - supported OVPN as the mob like it, or has been sold on it - so do it right - that's my thoughts there...

Don't get me wrong - OVPN is a good thing, just that it's limited a bit by the project scope - run on everything, e.g. portable source, but as a result, it is not very optimized for any platform...
 
L2TP/IPsec as it's already there on the client-side with much less config...

IKEv2 IPsec is commonplace in modern clients.

Don't get me wrong - OVPN is a good thing, just that it's limited a bit by the project scope - run on everything, e.g. portable source, but as a result, it is not very optimized for any platform...

True. I keep a server instance running as backup. OpenVPN is a handy tool in my "accessibility" category. It's not for performance/high throughput 'cos on the same platform it'll always pale behind IPsec.
 
Yes it does. It's called SSL VPN. Once configured, you just log in with your user account to the user portal from your phone or whatever and download the .ovpn file.

Couldn't be easier.

Yeah, that sounds like you're describing the UTM as the VPN server.
In my comments I am describing using UTM as an OpenVPN CLIENT to my NordVPN account. Nord is the server, I am the client.
I found no easy way to implement that in UTM.
Unless I missed it, when I read through the Sophos forums it sounded like there was no straightforward "run OpenVPN on UTM as a client".
Otherwise, I really like UTM.
 
Yeah, that sounds like you're describing the UTM as the VPN server.
In my comments I am describing using UTM as an OpenVPN CLIENT to my NordVPN account. Nord is the server, I am the client.
I found no easy way to implement that in UTM.
Unless I missed it, when I read through the Sophos forums it sounded like there was no straightforward "run OpenVPN on UTM as a client".
Otherwise, I really like UTM.

Ah okay, my mistake.

Well, I see that there is an SSL Site-to-Site VPN, which uses the same general settings that I set up for the SSL Server, can be set up as a client, and lets you upload the config file; never tried it myself though.

I have a PrivateTunnel account. I'll test it out later and confirm.
*EDIT: Tested it out, you are correct, it doesn't accept the .ovpn file.

There is a feature request for it here.

Not sure if this is any different on the XG Firewall?

Actually, a few things I'm hoping that they implement from their ideas bank (if people want to go vote) now including the above:
1. DNSCrypt-proxy Support
2. LetsEncrypt Integration
3. Web Protection - Proxy - Update Blacklists Automatically from URL
4. Converter for ovpn to apc epc

 
If you find they implement it, let me know.
I don't need it that badly to keep watching the forums but would like to have it. If and when it gets implemented.
 
Thought I'd kick this thread a bit, to see where everyone is nowadays.

I have a full pfSense/Unifi AP HD sitting behind my ASUS RT-AC88U router - and it links most of the traffic... Not sure WHY I haven't put it in full production so to speak, since it just works.... Funny, I just need to take the time to DO IT... Yeah, I'll figure that one out someday...
 