VPN Services Comparison- How to find the best VPN for your business?

VPNs are a great way to securely connect your private networks. They are even used to mask your public IP, so that you can access a public server without getting traced. There are a number of VPN offerings in the market ranging from open-source to proprietary software, self-managed to VPN-as-a-service, and with a huge range of features.

I recently got an assignment to get the best offering in the market. Best is a vague term. An Open-source VPN covering all the basic functionalities can be best for a simple implementation . Or a proprietary VPN having a lot of simplicity and customisation can be best for a medium or high budget implementation. So, I decided to compare different offerings in the market. Complete open-source VPNs are out of the scope.

Here are the things I kept in my mind before starting:

  • Simplicity: Simple for admins to setup networks, users, SSO etc.
  • Remote Access: Access Private network from any remote location and any Platform.  
  • Strong Encryption: Encrypted  tunnel between VPN clients and VPC. 
  • Site-to-site Implementation: Tunnelling between AWS VPC and a remote network, eg, connection between office network and VPC.
  • Access control: Ie, Certain users can access a certain set of hosts only.
  • Access control for 3rd Party apps: Connection can be established with 3rd party apps from VPN ip only and not directly.

Each VPN can handle the same feature but it may be in a different way. Here we are defining the criteria for comparison:

  • Architecture
  • Pricing
  • Access control
  • High Availability / Replication
  • Protocols
  • Clients
  • Performance
  • GUI
  • Authentication
  • TWO step AUTH
  • Ease of setup and Utilization

Following VPNs have qualified above criteria and has been compared throughly.

  • OpenVPN
  • Pritunl
  • AWS VPN
  • Pulse Secure

Architecture

Pritunl

Pritunl works as a distributed and scalable infrastructure with no master server. So, Pritunl can be easily scaled up based on the requirements. It uses mongodb as its database which can be installed on the same instance as well as on a managed instance in case we need a redundant vpn server.

Basic pritunl cluster architecture. 

Pritunl Remote Access

Site-to-site pritunl implementation

OpenVPN Access Server

OpenVPN works as a standalone OpenVPN access server running in the VPC. It works as primary and secondary nodes as well (cluster with multiple instances), where in case of failure of primary node, secondary/standby node takes up. But the functionality does not works with AWS. 

Remote Access with OpenVPN Access Server.

Site-to-Site Implementation of OpenVPN Access server.

AWS VPN 

AWS implicitly supports both Site-to-Site vpn access and remote access vpn tunnels. These services are fully managed by AWS which means administrators need not worry about failures or high availability.

Below is an architecture diagram for a remote employee to connect to many VPCs.

Site-to-Site VPN in aws

Click here for more information about aws client vpn endpoint

Pulse Secure

Pulse secure simple implementation will be almost the same as openVPN.  A cloudFormation template could be used to provision a PCS instance in aws. And it can be connected through any pcs client software. 
Click here for admin guide

Availability / Replication

Pritunl

Distributed architecture is at the core of pritunl. So, it is easy to have redundancy and handling failovers.  One pritunl host can run multiple instances of OpenVPN server. And each server can be attached to multiple hosts, so that if one of the hosts fail, the server can be started on another host.

OpenVPN Access Server

OpenVPN access server provides backup/standby nodes for failure and recovery. However, this feature does not works with AWS. But we can achieve HA on OpenVPN Access server using Route 53. 

Here is the document reference to achieve the same.

Pulse Secure

Pulse Secure recommends High Availability through active-active cluster of multiple pcs instances with a Virtual Traffic Manager(a pulse product) as a load balancer

Here is the diagram of pcs active-active pair

AWS VPN 

AWS VPN is fully managed by AWS. So, we do not need to worry about replication and redundancy explicitly.

Access control

OpenVPN Access Server

OpenVPN access server has inbuilt rule based access control. Which means, we can define which networks/hosts a user can have access to and rest are blocked.

Pritunl

Pritunl does not provide rule based access control like Openvpnas. But there are groups to achieve access control. However, it does not seems as straightforward as openvpn.

Pulse Secure

Pulse secure supports rule based access control. For example, we can allow or deny tcp://*:80,443 for some specific role. 

AWS VPN 

Access to specific networks can be allowed to specific user groups(Active directory SID or Group ID in IDP). Port or protocol based access control is not supported.

Protocols

OpenVPN Access Server

As the name suggests, OpenVPN Access server is built upon the open source vpn protocol openvpn. 

Pritunl

Pritunl also uses OpenVPN protocol at its core by default. But it implements wireguard protocol as well. It uses IPSec for site-to-site links. 

Pulse Secure

Not revealed by the vendor

AWS VPN 

AWS VPN uses OpenVPN protocol for remote access tunneling.  And IPsec for site-to-site vpn

Clients

OpenVPN Access Server

OpenVPN client supports almost all the major platforms. Here is the list: 

  • LinuxOpenVPN client supports almost all the major platforms. Here is the list
  • Windows
  • IOS
  • macOS
  • Android. 

AWS VPN 

AWS VPN has clients supported on following Platforms 

  • Windows
  • MacOS

Since AWS VPN uses OpenVPN protocol, third party OpenVPN clients are also supported. But if you are using a federated authentication method, third party openvpn clients will not work. 

Pulse Secure

Pulse clients are available for below OS

  • Windows 10
  • Windows 8.1
  • Windows 7+
  • macOS 10.15
  • macOS 10.11
  • Ubuntu 17.x
  • Ubuntu 16.x
  • Debian 9.x
  • Debian 8.x
  • Cent OS 7.x
  • Cent OS 6.x
  • RHEL 7.x
  • Fedora 26
  • Android
  • IOS

Apart of that, pulse secure clients can also be launched from web browser. 

Pritunl

Here is the list of Pritunl clients supported platforms: 

  • Ubuntu-18,20
  • Fedora-33
  • Debian-10
  • Centos-8
  • arch linux
  • oracle linux-8
  • macOS Intel
  • macOS Apple Silicon
  • windows. 

However, pritunl supports clients of OpenVPN as well but openVPN clients lag some features like automatic sync of VPN profiles. So it makes it supportable for all major platforms.

Performance

Bandwidth of below vpns are the one that they claim. Actual performance may vary and can be determined with iperf. 

OpenVPN Access Server

Performance of an openVPN server is dependent on how much bandwidth we want to route through the vpn server.

A modern CPU with an AES-NI chipset uses 12MHz of CPU to process each Mbps transferred in one direction. So, for example, a 4 core system at 3GHz would count as 12,000MHz. Which equates to 1000 Mbps maximum throughput.  For memory, It’s a rough estimation of 1 GB of memory for every 150 connected devices. Around 16GB of disk space should be more than enough as only data that are necessary to store on disk are connection and program logs, and user certificates and settings.

OpenVPN recommends not to use more than 1000 connections from a single instance. The default limit is however 2048.

Pritunl

As we know pritunl uses OpenVPN protocol at its core, so the hardware requirements would be almost the same. However, Pritunl claims a 100mbps maximum bandwidth per connection with fast Intel CPU with AES-NI on both client and server side. 

A wireguard implementation on pritunl would be faster as wireguard protocol is comparatively faster than OpenVPN.

AWS VPN 

AWS Recommends to use iperf to measure bandwidth for its vpn connections. According to aws, bandwidth depends on a number of factors.
AWS allows maximum of 2000 concurrent connections. And this can be increased through limit increase requests.

Pulse Secure

PSA has 3 types of virtual appliances. The data sheet is below. 

ApplicanceMax Concurrent Users (SSL)Max TunnelThroughput(ESP Mode)Max TunnelThroughput(SSL Mode)CPU
PSA3000-V200408Mbps268 Mbps 2
PSA5000-V2500514 Mbps484 Mbps4
PSA7000-V100002.4 Gbps 1 Gbps8

MFA

OpenVPN Access Server

OpenVPN supports multi factor authentication with google authenticator as well as some third party apps like DUO. 

Pritunl

Pritunl offers 4 methods of Two factor authentication:

  • Yubico YubiKey
  • Duo Hardware Token
  • Duo, OneLogin and Okta Push
  • Google Authenticator

AWS VPN 
Multi Factor Authentication is supported here with AWS Managed Active Directory.
Reference URL: Enable multi-factor authentication for AWS Managed Microsoft AD – AWS Directory Service

Pulse Secure

Pulse Connect Secure supports different 2FA methods for PCs and mobile devices including RSA SecurID, Google Authenticator, okta and Duo.

Pricing

OpenVPN Access Server

OpenVPN Provides all the basic tunnelling features in its open source version. So, for a simple use case, where we do not need GUI and ease of installation and management, OpenVPN community edition can be used.  A comparison of OpenVPN Community Edition and OpenVPN Enterprise is available here

For Enterprise edition, cost is dependent upon number of concurrent users. Cost estimation of can be estimated here

Pritunl

Pritunl is an open source software built upon openvpn protocol, so it also supports all the basic vpn tunnelling in its free version. However for more features it will require an enterprise edition. Which costs 70$ per cluster.. A cluster is defined as a single Mongodb database and any number of pritunl servers. 

AWS VPN 

AWS Client VPN charges for the number of active client connections per hour and the number of subnets that are associated to Client VPN per hour.

AWS Client VPN endpoint association: – $0.10 per hour
AWS Client VPN connection: – $0.05 per hour

The prices may vary a little in some regions. Click here for more information

Pulse Secure

There is no straight forward pricing for pulse secure. The pricing here works on quotation basis. I had approached sales team, but there is no callback yet.
Pulse secure gives a cost estimation portal which can be found here.

According to above, the cost for 500 users, 1020 devices and 20 applications, the price comes as $86,688 annually

Ease of Setup And Utilization

OpenVPN Access Server

OpenVPN access server is quite easy to install. Following popular ways can be used to get OpenVPN Access Server installation. 

  • Command line
  • Ansible Roles
  • Amazon AMI

There are detailed guides for installation and configuration. There is good community support as well. There is no on call support. Instead, we can create tickets on support system which is available 24/7

Pritunl

As it is also OpenSource, Installation is quite easy here. Following are popular ways to install it. 

  • Command line
  • Ansible Roles
  • Amazon AMI

Online documentation is quite good. Open Source community is not as mature as openvpn but common issues can be found there. Setup and use is a little different than OpenVPN, but once architecture is understood, its easy to use. 

No On call support or a dedicated ticketing system, there is email support and slack channel.

AWS VPN 

There is no need of installing anything, You just need to create the client VPN endpoint from AWS VPC GUI. Which makes it super easy to use. 

To contact support, there are standard support plans which comes with AWS Account. 

Pulse Secure

Pcs houses too many features and configurations apart for a simple vpn tunnelling. So it makes it difficult to understand. However everything can be done from GUI Itself. But still it makes it complex than all the above alternatives. 

Its online documentation was not easy to understand, according to me.

For Installation, CloudFormation template can be used in AWS or similar templates in other cloud providers like gcp and azure as well. It also distributes the package as a hardware device with preloaded software. 

PCS has on-call support 24/7. It has even a platinum support for mission critical deployments with faster SLAs.

Bottom Line

OpenVPNPritunlPulseSecureAWS
Access ControlRule BasedGroup based.Rule BasedGroup Based
AuthenticationLocal + thidparty (see details above)Local + thidparty (see details above)Local + thidparty (see details above)Local + thidparty (see details above)
Availability/ReplicationReplication with Route53In-Built. (just need to add hosts)Cluster with Pulse traffic managerAWS Managed.
ClientsAll major OSAll major OS(including ovpn clients)All major OSAll major OS(including ovpn clients)
Ease 4/53/52/55/5
GUI5/54/53/55/5
MFAYesYesYesYes (Active Directory)
Performance1000 mbps max100 mbps514 mbps with 4 CPUNot given. Assuming 1000 as ovpn
Pricing for 500 connections (Assuming all 500 connections active for whole mnth)1095 / month70$ / monthQuotation not yet confirmed18144$ / month
ProtocolsOpenVPNOpenVPN, Wireguard, IPsecNot RevealedOpenVPN, IPsec. 
The ratings above are based on my personal experiences.

Selection of the right VPN can be hectic and time consuming. Hope this blog may help you cut through your precious time. Happy Virtual Private Networking. 🙂

Reference links for used images

Link 1, Link 2, Link 3 and link 4

Blog Pundit:  Naveen Verma

Opstree is an End to End DevOps solution provider

Connect Us

2 thoughts on “VPN Services Comparison- How to find the best VPN for your business?”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s