VPN Services Comparison- How to find the best VPN for your business?

Gyanendra Veeru, Opstree
Published Jul 20, 2021

VPNs are a great way to securely connect your private networks. They are also used to mask your public IP, so that you can reach a public server without exposing your own address. There are many VPN offerings on the market, ranging from open-source to proprietary software, self-managed to VPN-as-a-service, and with a huge range of features.

I recently got an assignment to find the best offering on the market. "Best" is a vague term. An open-source VPN covering all the basic functionality can be best for a simple implementation, while a proprietary VPN offering simplicity and customisation can be best for a medium- or high-budget implementation. So I decided to compare the different offerings on the market. Purely open-source VPNs are out of scope.

Here are the things I kept in my mind before starting:

  • Simplicity: simple for admins to set up networks, users, SSO, etc.
  • Remote Access: access the private network from any remote location and any platform.
  • Strong Encryption: encrypted tunnel between VPN clients and the VPC.
  • Site-to-site Implementation: tunnelling between an AWS VPC and a remote network, e.g. a connection between the office network and the VPC.
  • Access control: i.e. certain users can access only a certain set of hosts.
  • Access control for 3rd-party apps: connections to 3rd-party apps can be established only from the VPN IP, not directly.

Each VPN can provide the same feature, but possibly in a different way. Here are the criteria used for the comparison:

  • Architecture
  • Pricing
  • Access control
  • High Availability / Replication
  • Protocols
  • Clients
  • Performance
  • GUI
  • Authentication
  • Two-step authentication
  • Ease of setup and Utilization

The following VPNs (Pritunl, OpenVPN Access Server, AWS VPN and Pulse Secure) met the criteria above and have been compared thoroughly.

Architecture

Pritunl

Pritunl works as a distributed and scalable infrastructure with no master server, so it can easily be scaled up as requirements grow. It uses MongoDB as its database, which can be installed on the same instance or on a managed instance in case we need a redundant VPN server.

Basic pritunl cluster architecture.

Pritunl Remote Access

Site-to-site pritunl implementation

OpenVPN Access Server

OpenVPN Access Server runs as a standalone server in the VPC. It can also run as primary and secondary nodes (a cluster with multiple instances), where the secondary/standby node takes over if the primary node fails. However, this functionality does not work on AWS.

Remote Access with OpenVPN Access Server.

Site-to-Site Implementation of OpenVPN Access server.

AWS VPN

AWS natively supports both Site-to-Site VPN connections and remote access VPN tunnels. These services are fully managed by AWS, which means administrators need not worry about failures or high availability.

Below is an architecture diagram for a remote employee to connect to many VPCs.

Site-to-Site VPN in aws

See the AWS documentation on the AWS Client VPN endpoint for more information.

Pulse Secure

A simple Pulse Secure implementation is almost the same as OpenVPN. A CloudFormation template can be used to provision a PCS (Pulse Connect Secure) instance in AWS, and it can be connected to through any PCS client software.
See the Pulse Secure admin guide for details.

Availability / Replication

Distributed architecture is at the core of Pritunl, so redundancy and failover are easy to achieve. One Pritunl host can run multiple OpenVPN server instances, and each server can be attached to multiple hosts, so that if one host fails the server can be started on another host.

OpenVPN Access Server provides backup/standby nodes for failure and recovery. However, this feature does not work on AWS. We can still achieve HA for OpenVPN Access Server using Route 53.

OpenVPN's documentation describes how to achieve this.

Pulse Secure recommends high availability through an active-active cluster of multiple PCS instances with a Virtual Traffic Manager (a Pulse product) as the load balancer.

Here is the diagram of a PCS active-active pair.

AWS VPN is fully managed by AWS. So, we do not need to worry about replication and redundancy explicitly.

Access control

OpenVPN Access Server has built-in rule-based access control, which means we can define which networks/hosts a user can access; everything else is blocked.

Pritunl does not provide rule-based access control like OpenVPN Access Server, but groups can be used to achieve access control. However, it is not as straightforward as OpenVPN.

Pulse Secure supports rule-based access control. For example, we can allow or deny tcp://*:80,443 for a specific role.

On AWS Client VPN, access to specific networks can be allowed for specific user groups (Active Directory SID or group ID in the IdP). Port- or protocol-based access control is not supported.
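The difference between the two rule styles above matters when you write a policy. As an added example (not code from any of the products, and not the post's own), the small evaluator below models a network-only authorization rule of the kind described for AWS Client VPN (group → CIDR) next to a port-aware rule in the "proto://host:ports" shape of the Pulse example, and shows that a network-only rule cannot stop SSH to a host you only meant to expose on 80/443. The parser for the resource string is a constructed approximation of that syntax, the group SID is a placeholder, and "first matching rule wins, default deny" is an assumed semantics.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class Rule:
    """One authorization rule. groups: user groups it applies to ('*' = any).
    proto/ports left as None models a network-only rule (AWS Client VPN style);
    setting them models a Pulse-style resource rule."""
    groups: Set[str]
    network: ipaddress.IPv4Network
    proto: Optional[str] = None
    ports: Optional[Set[int]] = None
    action: str = "allow"


def rule_from_resource(groups, resource, action="allow"):
    """Build a Rule from a 'proto://host:ports' string such as 'tcp://*:80,443'.
    host is '*' or a CIDR; ports is '*' or a comma-separated list. Constructed
    approximation of the Pulse syntax, not the product's own grammar."""
    proto, rest = resource.split("://", 1)
    host, sep, ports = rest.rpartition(":")
    if not sep:                      # no port part given: any port
        host, ports = rest, "*"
    network = ipaddress.ip_network("0.0.0.0/0" if host == "*" else host)
    port_set = None if ports == "*" else {int(p) for p in ports.split(",")}
    return Rule(set(groups), network, proto, port_set, action)


def evaluate(rules, user_groups, dst_ip, proto, port):
    """First matching rule decides; anything unmatched is denied (default-deny)."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if "*" not in r.groups and not (r.groups & set(user_groups)):
            continue                 # rule is for other groups
        if ip not in r.network:
            continue                 # destination outside the rule's network
        if r.proto is not None and r.proto != proto:
            continue
        if r.ports is not None and port not in r.ports:
            continue
        return r.action
    return "deny"


# Constructed sample policies; the SID is a placeholder, not a real group.
WEB_SID = "S-1-5-21-EXAMPLE-1105"

# Network-only policy: the group may reach 10.0.1.0/24, every port.
NETWORK_ONLY = [Rule({WEB_SID}, ipaddress.ip_network("10.0.1.0/24"))]

# Port-aware policy: the same hosts, but only HTTP/HTTPS.
PORT_AWARE = [rule_from_resource({WEB_SID}, "tcp://10.0.1.0/24:80,443")]

if __name__ == "__main__":
    for name, policy in (("network-only", NETWORK_ONLY), ("port-aware", PORT_AWARE)):
        for port in (22, 443):
            print(name, "tcp/%d ->" % port,
                  evaluate(policy, [WEB_SID], "10.0.1.5", "tcp", port))
```

Running it shows the gap: the network-only policy allows tcp/22 to 10.0.1.5 because it can only say "this group may reach this subnet", while the port-aware policy allows 443 and denies 22. With network-only rules you have to carve the allowed hosts into smaller subnets, or enforce the port restriction somewhere else (security groups, host firewalls), to get the same effect.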

Protocols

As the name suggests, OpenVPN Access Server is built upon the open-source OpenVPN protocol.

Pritunl also uses the OpenVPN protocol at its core by default, but it implements the WireGuard protocol as well. It uses IPsec for site-to-site links.

Pulse Secure: not revealed by the vendor.

AWS VPN uses the OpenVPN protocol for remote access tunnelling and IPsec for site-to-site VPN.

Clients

The OpenVPN client supports almost all the major platforms. Here is the list:

  • Linux
  • Windows
  • iOS
  • macOS
  • Android

AWS VPN has clients for the following platforms:

Since AWS VPN uses the OpenVPN protocol, third-party OpenVPN clients are also supported. But if you are using a federated authentication method, third-party OpenVPN clients will not work.

Pulse clients are available for the following operating systems:

Apart from that, Pulse Secure clients can also be launched from a web browser.

Here is the list of platforms supported by Pritunl clients:

Pritunl also supports standard OpenVPN clients, which makes it usable on all major platforms, although OpenVPN clients lack some features such as automatic sync of VPN profiles.

Performance

The bandwidth figures below are the vendors' own claims. Actual performance may vary and can be measured with iperf.

The performance of an OpenVPN server depends on how much bandwidth we want to route through the VPN server.

A modern CPU with AES-NI uses about 12 MHz of CPU to process each Mbps transferred in one direction. So, for example, a 4-core system at 3 GHz would count as 12,000 MHz, which equates to a maximum throughput of 1000 Mbps. For memory, a rough estimate is 1 GB for every 150 connected devices. Around 16 GB of disk space should be more than enough, as the only data that needs to be stored on disk is connection and program logs, user certificates and settings.

OpenVPN recommends not using more than 1000 connections on a single instance. The default limit is, however, 2048.
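Those rules of thumb are easier to apply as a checker than to redo by hand for every instance type. The function below is an added example (not OpenVPN's own tool and not from the post) that generalises the 4-core/3 GHz calculation above to any core count, clock and expected concurrency, estimates RAM with the 1 GB per 150 devices figure, and flags when the planned connection count passes the recommended 1000 or the default 2048 limit. The constant names and the return format are my own; the numbers are the ones quoted in this section.

```python
import math

# Rules of thumb quoted in the post for OpenVPN Access Server. They are
# planning estimates, not measured limits; the constant names are assumed.
MHZ_PER_MBPS = 12                  # CPU needed per Mbps in one direction, with AES-NI
DEVICES_PER_GB = 150               # connected devices per GB of RAM
RECOMMENDED_MAX_CONNECTIONS = 1000 # vendor recommendation per instance
DEFAULT_CONNECTION_LIMIT = 2048    # default configured limit per instance


def size_openvpn_server(cores, ghz, connections, mbps_per_connection):
    """Estimate whether one Access Server instance with the given CPU can carry
    `connections` clients each pushing `mbps_per_connection` in one direction."""
    total_mhz = cores * ghz * 1000
    max_mbps = total_mhz / MHZ_PER_MBPS            # CPU-bound throughput ceiling
    demanded_mbps = connections * mbps_per_connection
    ram_gb = math.ceil(connections / DEVICES_PER_GB)

    if connections > DEFAULT_CONNECTION_LIMIT:
        conn_status = "above_default_limit"        # needs the limit raised, and likely a second instance
    elif connections > RECOMMENDED_MAX_CONNECTIONS:
        conn_status = "above_recommended"          # within the default limit but past the recommendation
    else:
        conn_status = "ok"

    return {
        "max_mbps": max_mbps,
        "demanded_mbps": demanded_mbps,
        "cpu_ok": demanded_mbps <= max_mbps,
        "ram_gb": ram_gb,
        "connections": conn_status,
        # bandwidth each client gets if all of them are active at the CPU ceiling
        "per_connection_mbps_at_capacity": max_mbps / connections if connections else max_mbps,
    }


if __name__ == "__main__":
    # The post's example: 4 cores at 3 GHz, here with 600 clients at 1 Mbps each.
    print(size_openvpn_server(4, 3.0, 600, 1.0))
    # A plan that exceeds both the CPU ceiling and the recommended connection count.
    print(size_openvpn_server(4, 3.0, 1500, 1.0))
```

The two status fields are deliberately separate: a box can be fine on CPU and still be past the recommended connection count (many idle clients), or within the connection limit and still CPU-bound (few clients moving a lot of traffic). Both cases argue for a second instance rather than a bigger one.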

Pritunl

As we know, Pritunl uses the OpenVPN protocol at its core, so the hardware requirements would be almost the same. However, Pritunl claims a maximum bandwidth of 100 Mbps per connection with a fast Intel CPU with AES-NI on both the client and server side.

A WireGuard deployment on Pritunl would be faster, as the WireGuard protocol is comparatively faster than OpenVPN.

AWS recommends using iperf to measure the bandwidth of its VPN connections. According to AWS, bandwidth depends on a number of factors.
AWS allows a maximum of 2000 concurrent connections, and this can be increased through a limit increase request.

PSA has 3 types of virtual appliances. The data sheet is below.

MFA

OpenVPN supports multi-factor authentication with Google Authenticator as well as some third-party apps like Duo.

Pritunl offers 4 methods of two-factor authentication:

  • Yubico YubiKey
  • Duo Hardware Token
  • Duo, OneLogin and Okta Push
  • Google Authenticator

AWS VPN supports multi-factor authentication with AWS Managed Microsoft AD.
Reference: Enable multi-factor authentication for AWS Managed Microsoft AD (AWS Directory Service documentation).

Pulse Connect Secure supports different 2FA methods for PCs and mobile devices, including RSA SecurID, Google Authenticator, Okta and Duo.

Pricing

OpenVPN provides all the basic tunnelling features in its open-source version. So, for a simple use case where we do not need a GUI or ease of installation and management, the OpenVPN Community Edition can be used. A comparison of OpenVPN Community Edition and OpenVPN Enterprise is available from OpenVPN.

For the Enterprise edition, cost depends on the number of concurrent users, and an estimate can be obtained from OpenVPN.

Pritunl is open-source software built upon the OpenVPN protocol, so it also supports all the basic VPN tunnelling in its free version. More features, however, require the Enterprise edition, which costs $70 per cluster. A cluster is defined as a single MongoDB database and any number of Pritunl servers.

AWS Client VPN charges for the number of active client connections per hour and the number of subnets associated with the Client VPN endpoint per hour:

  • AWS Client VPN endpoint association: $0.10 per hour
  • AWS Client VPN connection: $0.05 per hour

The prices may vary a little in some regions. See the AWS pricing page for more information.

There is no straightforward pricing for Pulse Secure. Pricing works on a quotation basis. I had approached the sales team, but there has been no callback yet.
Pulse Secure provides a cost estimation portal.

According to that portal, for 500 users, 1,020 devices and 20 applications the price comes to $86,688 annually.

Ease of Setup And Utilization

OpenVPN Access Server is quite easy to install. The following popular methods can be used to install it.

There are detailed guides for installation and configuration, and good community support as well. There is no on-call support; instead, tickets can be raised on the support system, which is available 24/7.

Pritunl is also open source, and installation is quite easy. The following are popular ways to install it.

The online documentation is quite good. The open-source community is not as mature as OpenVPN's, but common issues can be found there. Setup and use are a little different from OpenVPN, but once the architecture is understood, it's easy to use.

There is no on-call support or dedicated ticketing system; there is email support and a Slack channel.

For AWS Client VPN there is no need to install anything: you just create the Client VPN endpoint from the AWS VPC console, which makes it very easy to use.

For support, the standard support plans that come with an AWS account apply.

PCS houses far more features and configuration than simple VPN tunnelling, which makes it harder to understand. Everything can be done from the GUI itself, but it is still more complex than all the alternatives above.

Its online documentation was not easy to understand, in my opinion.

For installation, a CloudFormation template can be used in AWS, or similar templates in other cloud providers like GCP and Azure. It is also distributed as a hardware appliance with preloaded software.

PCS has 24/7 on-call support, and even a Platinum support tier for mission-critical deployments with faster SLAs.

Bottom Line

Selecting the right VPN can be hectic and time-consuming. I hope this blog helps you save some of your precious time. Happy Virtual Private Networking. 🙂


Originally published at http://blog.opstree.com on July 20, 2021.
