Business network VPN architecture question

TL;DR

Is there a cheap and easy-to-use user-management solution to connect remote workers to a VPN server running in pfSense, falling back to a backup VPN server when the first one becomes unreachable?

Issue description

I am currently developing a network architecture for a multi-site business that comprises remote employees working from home.

The situation at hand is as follows:

I have a primary office designated as the VPN exit point for all employees.
Furthermore, I require a backup VPN to ensure uninterrupted connectivity in case the primary office goes down.
This backup VPN can be hosted on a cloud Virtual Private Server (VPS).

I have several remote offices in different countries, which will tunnel their traffic over the VPN. This will automatically connect all employees working on the remote office networks to the VPN via the main office/VPS.

I plan to use WireGuard in pfSense to connect the remote offices to the main office and the fallback VPS.

This seems convenient and straightforward to me. Additionally, since a new remote office is not added every day, I am willing to manually add WireGuard keys for connectivity.
Moreover, with pfSense, I can create gateway groups for automatic failover using tiers if the main office experiences an outage.

However, I have a concern: I would like to know how to include remote workers in this scheme without significant user management overhead.
The person that will have to manage users is not particularly tech-savvy.

Tailscale

Managing remote workers in Tailscale appears relatively straightforward to me.
Every remote worker has their own Tailscale account centrally managed.
According to Tailscale ACLs, each remote worker is permitted to access the exit nodes.

It is clear that in the event of the main office going down, all remote workers must manually switch over to the VPS exit node.

I prefer not to use a self-hosted Headscale instance since I experimented with it recently for private purposes, and I did not regard it as production-ready.

OpenVPN + RADIUS

I also considered using OpenVPN, as this could easily be hosted on the VPS / main office without the additional subscription cost to Tailscale.
This would be fairly straightforward, except for user management: How can user credentials be managed by a non-technical person in a central place that both the VPS and the main office can read?

This question led me to the idea of hosting a RADIUS server to manage user credentials (please tell me if this is stupid).
I had two problems with this approach:

  1. How do I make this easy for a non-technical person to manage?
  2. How do I get both VPNs (main office + VPS) to access the same RADIUS server to authenticate connection requests?
    RADIUS is a (partially) unencrypted protocol, so I cannot just access it over the Internet.

I do not have an answer to the first question yet.

The best I can come up with for the second question is to host the RADIUS server on the VPS and access it via a WireGuard tunnel from the main office.
A disadvantage of this approach is that no remote worker could use any VPN if the VPS went down, as the RADIUS server would then be unreachable. This could be solved by hosting a second VPS dedicated to RADIUS, but then this second VPS is the single point of failure. Replicating the RADIUS Postgres database across multiple servers is probably a bit overkill, although it would remove the single point of failure.

At this point I am leaning towards using Tailscale for ease of use.

I have also looked at OpenVPN Access Server, but it does not seem to be any cheaper than Tailscale.

Have I missed an obvious option?

I would love to hear from experiences with such setups and more advantages / disadvantages of different approaches.
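Added example, not code from the thread: the post above proposes hosting the RADIUS server on the VPS and reaching it from the main office over a WireGuard tunnel. RADIUS only obfuscates the User-Password attribute; the rest of the datagram is cleartext, so the server must accept RADIUS clients from the tunnel subnet only. The script parses a FreeRADIUS `clients.conf` and flags entries whose address lies outside that subnet, plus shared secrets that are too short or still the FreeRADIUS sample value. The tunnel subnet, the addresses and the sample configuration are constructed for this example.

```python
# Added example, not code from the thread. Checks a FreeRADIUS clients.conf so
# that every RADIUS client (main-office pfSense, VPN endpoint on the VPS) is
# only reachable through the WireGuard tunnel subnet. RADIUS only obfuscates
# User-Password; everything else is cleartext, so a client entry with a public
# address would push the protocol onto the Internet.
# Subnet, addresses and the sample configuration are constructed.
import ipaddress
import re
from typing import Dict, List

# Assumed WireGuard transfer network between the main office and the VPS.
TUNNEL_NETS = [ipaddress.ip_network("10.99.0.0/24")]

# Constructed clients.conf: two legitimate tunnel-side clients and one entry
# that would accept RADIUS straight from a public address.
SAMPLE_CLIENTS_CONF = """
client main_office_pfsense {
    ipaddr = 10.99.0.2    # main office end of the WireGuard tunnel
    secret = REPLACE_WITH_LONG_RANDOM_SECRET
    shortname = main-office
}
client vps_openvpn {
    ipaddr = 10.99.0.1
    secret = REPLACE_WITH_LONG_RANDOM_SECRET
}
client legacy_test {
    ipaddr = 203.0.113.7  # public address, not behind the tunnel
    secret = testing123
}
"""


def parse_clients(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the 'client NAME { key = value ... }' blocks (no nesting) into dicts."""
    clients: Dict[str, Dict[str, str]] = {}
    for match in re.finditer(r"client\s+(\S+)\s*\{(.*?)\}", text, re.S):
        name, body = match.group(1), match.group(2)
        attrs: Dict[str, str] = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()   # drop trailing comments
            if "=" in line:
                key, value = line.split("=", 1)
                attrs[key.strip()] = value.strip()
        clients[name] = attrs
    return clients


def audit(clients: Dict[str, Dict[str, str]],
          tunnel_nets=TUNNEL_NETS) -> Dict[str, List[str]]:
    """Return {client name: [problems]} for entries that should not go live."""
    findings: Dict[str, List[str]] = {}
    for name, attrs in clients.items():
        problems: List[str] = []
        ipaddr = attrs.get("ipaddr")
        if ipaddr is None:
            problems.append("no ipaddr")
        else:
            try:
                net = ipaddress.ip_network(ipaddr, strict=False)
            except ValueError:
                problems.append(f"unparseable ipaddr {ipaddr!r}")
            else:
                inside = any(net.version == t.version and net.subnet_of(t)
                             for t in tunnel_nets)
                if not inside:
                    problems.append(f"ipaddr {ipaddr} is outside the WireGuard tunnel")
        secret = attrs.get("secret", "")
        if secret == "testing123" or len(secret) < 16:
            problems.append("shared secret is the FreeRADIUS sample value or too short")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for client, problems in audit(parse_clients(SAMPLE_CLIENTS_CONF)).items():
        print(client, "->", "; ".join(problems))
```

Run against the constructed file it reports only `legacy_test`; the same check pairs naturally with a firewall rule on the VPS that allows UDP 1812/1813 from the WireGuard interface only, so a stray client entry cannot be reached even if it slips through.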

What do you mean by "if the first one goes down"? Because if your pfSense goes down then both VPN solutions go down, and if your main office has all of your servers and services running out of it then Tailscale wouldn't do you any good if the internet is down completely anyway. It also adds complexity and training for the end users, who would have to use 2 VPN solutions.

Thank you for your reply.

To clarify: I am only interested in full-tunneling my remote offices’ / remote workers’ traffic through the main office / VPS.

By “going down” I refer to an event in which the main office does not have any internet access anymore.
In this case, I would like to fall back to a VPN hosted on a VPS.

The fact that remote workers need to switch connections in their VPN app is ok for me as I do not really see another way.

I (currently) do not have any servers in the main office.
The sole purpose is full-tunneling all traffic over one of the VPNs (preferably the main office).

Could you route all traffic to your VPS server running WireGuard, and then route traffic to your primary office (gateway) with your secondary route being the VPS itself? Not the prettiest setup, but it might fit your needs.

I suppose you could config each client office to route to the primary office first and VPS second. I’m sure that is possible but haven’t done that myself.

My fault, I misunderstood the situation. Is there a reason you want to have your remote users use pfSense first and then have a fallback? I'd say for the remote users you would have Tailscale and users in the office use pfSense with a tunnel back to your VPS. I'm not sure what you are gaining by having an extra hop and extra complexity to get remote users to the VPS.

I misunderstood this setup too. Sounds like he already has his answer for remote workers and remote offices but doesn't like the friction his prerequisites cause. With no on-prem services, why he wants to have this choke point is a mystery. IP geolocation maybe? Then just set up a VPS in the country you want and be done with it. Right?

It is possible, using “gateway groups” with appropriate tiers in pfSense.

Christian McDonald made a video about this a while back.
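Added example, not code from the thread or from the video mentioned above: the original post plans pfSense gateway groups with tiers for the remote offices, and the reply above confirms that is the mechanism. The script below models what such a group does, so the failover and failback timing can be reasoned about before touching the firewall. Each WireGuard gateway keeps a sliding window of probe results, as pfSense's dpinger monitor does, and is marked down when packet loss or average latency crosses a threshold; the group then forwards through the lowest tier that still has a usable gateway. Gateway names, monitor addresses, the window size and the outage timeline are assumptions; the 20 % loss and 500 ms latency limits match pfSense's default "high" thresholds.

```python
# Added example, not code from the thread. Models a pfSense gateway group with
# tiers: a tier-1 WireGuard gateway to the main office and a tier-2 WireGuard
# gateway to the VPS. Each gateway is monitored dpinger-style: a sliding window
# of probe results, marked down when loss or average latency crosses a
# threshold. Traffic follows the lowest tier with a usable gateway and fails
# back when the main office recovers. Names, monitor addresses, window size and
# the outage timeline are assumptions.
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Optional, Tuple


@dataclass
class Gateway:
    name: str
    monitor_ip: str                      # address probed through the tunnel (assumed)
    tier: int                            # 1 = preferred, 2 = fallback
    loss_threshold_pct: float = 20.0     # pfSense default "packet loss high"
    latency_threshold_ms: float = 500.0  # pfSense default "latency high"
    window: int = 10                     # number of recent probes considered
    samples: Deque[Optional[float]] = field(init=False)

    def __post_init__(self) -> None:
        self.samples = deque(maxlen=self.window)

    def record(self, rtt_ms: Optional[float]) -> None:
        """Record one probe result; None means the probe timed out (lost)."""
        self.samples.append(rtt_ms)

    def loss_pct(self) -> float:
        if not self.samples:
            return 100.0                 # never probed: treat as down
        lost = sum(1 for s in self.samples if s is None)
        return 100.0 * lost / len(self.samples)

    def avg_latency_ms(self) -> float:
        answered = [s for s in self.samples if s is not None]
        return sum(answered) / len(answered) if answered else float("inf")

    def is_up(self) -> bool:
        return (self.loss_pct() < self.loss_threshold_pct
                and self.avg_latency_ms() < self.latency_threshold_ms)


class GatewayGroup:
    """Pick the first usable gateway in tier order (lower tier wins)."""

    def __init__(self, gateways: List[Gateway]) -> None:
        self.gateways = sorted(gateways, key=lambda g: g.tier)

    def active(self) -> Optional[Gateway]:
        for gw in self.gateways:
            if gw.is_up():
                return gw
        return None                      # every tier down: no full-tunnel exit at all


def failover_events(history: List[Optional[str]]) -> List[Tuple[int, Optional[str], Optional[str]]]:
    """Turn a per-round list of active gateway names into (round, from, to) transitions."""
    events = []
    for i in range(1, len(history)):
        if history[i] != history[i - 1]:
            events.append((i, history[i - 1], history[i]))
    return events


def run_scenario() -> List[Optional[str]]:
    """Constructed outage: the main office stops answering probes from round 5
    and comes back at round 15. Returns the active gateway for each of 25 rounds."""
    main = Gateway("MAIN_OFFICE_WG", "10.10.0.1", tier=1)
    vps = Gateway("VPS_WG", "10.20.0.1", tier=2)
    group = GatewayGroup([main, vps])
    history: List[Optional[str]] = []
    for rnd in range(25):
        main_down = 5 <= rnd < 15
        main.record(None if main_down else 12.0)   # 12 ms RTT when healthy
        vps.record(35.0)                            # VPS always answers, 35 ms
        active = group.active()
        history.append(active.name if active else None)
    return history


if __name__ == "__main__":
    for rnd, old, new in failover_events(run_scenario()):
        print(f"round {rnd}: {old} -> {new}")
```

The scenario shows the two things worth knowing before relying on the group: failover happens only once enough lost probes are in the window (round 6 here, not round 5), and failback takes most of a window after the main office returns (round 23), so a short window reacts faster but flaps more easily. In pfSense the equivalent is a gateway group under System > Routing with the main-office WireGuard gateway at Tier 1, the VPS gateway at Tier 2 and the trigger level set to "Packet Loss or High Latency"; remote workers on Tailscale exit nodes are outside this mechanism and still have to switch exit nodes by hand, as the original post notes.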

That is exactly my current plan.
However, I am wondering if there is a solution with comparable ease of use, avoiding the Tailscale cost?

You can always just bang it out yourself in WireGuard. You gotta pay for it somehow. Either pay for knowledge and a little bit of labor, or point and click easy.

This config would be simple and you could probably get it down to a few minutes per user in the CLI. WireGuard costs can add up if things aren't changing that much.

You could run your own Headscale but then you have the cost of a VPS.