Is there a cheap and easy-to-use user-management solution to connect remote workers to a VPN server running in pfSense, falling back to a backup VPN server when the first one becomes unreachable?
I am currently developing a network architecture for a multi-site business that comprises remote employees working from home.
The situation at hand is as follows:
I have a primary office designated as the VPN exit point for all employees.
Furthermore, I require a backup VPN to ensure uninterrupted connectivity in case the primary office goes down.
This backup VPN can be hosted on a cloud Virtual Private Server (VPS).
I have several remote offices in different countries, which will tunnel their traffic over the VPN. This will automatically connect all employees working on the remote office networks to the VPN via the main office/VPS.
I plan to use WireGuard in pfSense to connect the remote offices to the main office and the fallback VPS.
This seems convenient and straightforward to me. Additionally, since a new remote office is not added every day, I am willing to manually add WireGuard keys for connectivity.
Moreover, with pfSense, I can create gateway groups for automatic failover using tiers if the main office experiences an outage.
However, I have a concern: I would like to know how to include remote workers in this scheme without significant user management overhead.
The person who will have to manage users is not particularly tech-savvy.
Managing remote workers in Tailscale appears relatively straightforward to me.
Every remote worker has their own Tailscale account centrally managed.
According to Tailscale ACLs, each remote worker is permitted to access the exit nodes.
It is clear that in the event of the main office going down, all remote workers must manually switch over to the VPS exit node.
I prefer not to use a self-hosted Headscale instance since I experimented with it recently for private purposes, and I did not regard it as production-ready.
I also considered using OpenVPN, as this could easily be hosted on the VPS / main office without the additional subscription cost to Tailscale.
This would be fairly straightforward, except for user management: How can user credentials be managed by a non-technical person in a central place that both the VPS and the main office can read?
This question led me to the idea of hosting a RADIUS server to manage user credentials (please tell me if this is stupid).
I had two problems with this approach:
- How do I make this easy for a non-technical person to manage?
- How do I get both VPNs (main office + VPS) to access the same RADIUS server to authenticate connection requests?
RADIUS is a (partially) unencrypted protocol, so I cannot just access it over the Internet.
I do not have an answer to the first question yet.
The best I can come up with for the second question is to host the RADIUS server on the VPS and access it via a WireGuard tunnel from the main office.
A disadvantage of this approach is that no remote worker could use any VPN if the VPS went down, as the RADIUS server would then be unreachable. This could be solved by hosting a second VPS dedicated to RADIUS, but then this second VPS is the single point of failure. Replicating the RADIUS Postgres database across multiple servers is probably a bit overkill, although it would remove the single point of failure.
At this point I am leaning towards using Tailscale for ease of use.
I have also looked at OpenVPN Access Server, but it does not seem to be any cheaper than Tailscale.
Have I missed an obvious option?
I would love to hear about experiences with such setups and more advantages / disadvantages of different approaches.
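As an added illustration of the Tailscale option discussed above (not part of the original question), here is a Tailscale policy file in HuJSON format that tags both exit nodes, lets members of one group use any exit node and reach the office subnet, and auto-approves exit nodes carrying the tag. The account names, tag name and office subnet are assumptions; with this layout, day-to-day user management is limited to editing the group list.

```jsonc
{
  // Only admins may apply the exit-node tag; both the main-office node
  // and the VPS advertise themselves as exit nodes carrying this tag.
  "tagOwners": {
    "tag:exit-node": ["autogroup:admin"]
  },

  // The one list a non-technical admin edits: add or remove a worker here.
  // (Example accounts, not real users.)
  "groups": {
    "group:remote-workers": ["alice@example.com", "bob@example.com"]
  },

  // Exit nodes and subnet routes advertised by a tag:exit-node device are
  // approved automatically, so a rebuilt VPS needs no manual approval step.
  "autoApprovers": {
    "exitNode": ["tag:exit-node"],
    "routes": {
      "10.10.0.0/16": ["tag:exit-node"]   // assumed office address space
    }
  },

  "acls": [
    // Remote workers may route Internet traffic through any exit node
    // (main office or VPS). The exit node is selected on the client, so
    // the failover described in the question remains a manual switch.
    {"action": "accept", "src": ["group:remote-workers"], "dst": ["autogroup:internet:*"]},
    // ...and may reach the office network advertised behind the exit nodes.
    {"action": "accept", "src": ["group:remote-workers"], "dst": ["10.10.0.0/16:*"]},
    // Exit nodes may talk to each other (e.g. for monitoring). Nothing else
    // is permitted: Tailscale ACLs are deny-by-default.
    {"action": "accept", "src": ["tag:exit-node"], "dst": ["tag:exit-node:*"]}
  ]
}
```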