Replacement for IPsec VPN for accessing local network

I have a couple of users that need to connect to the local network. As of right now they connect using IPsec, but the performance isn’t great, so I’ve tested self-hosted Netbird; the ability to set ACLs is great, and it’s pretty fast, but the problem I have is I can’t approve which devices can connect.
Is there any open source and free solution available with which I could replace the IPsec VPN?

Thank you

OpenVPN is a good option with connexa. I don’t see a price anywhere though.

https://openvpn.net/cloud-docs/owner/security/device-identity-verification---enforcement--dive-/user-guide---device-identity-verification---enforcement--dive-.html

+1 Tailscale MESH VPN

I think this is on top of OpenVPN Access Server which isn’t free

I’ve checked Tailscale (not self-hostable and not free), Netbird (device approval feature isn’t free) and Headscale (I don’t know how secure it is, and I don’t know if it even supports the device approval feature). Unfortunately I don’t have a budget right now.

What is your firewall, and what VPN does it support?

What functions do you require of the firewall?

As not all VPNs are the same: zerotier (wireguard, netbird and headscale) do not have user management (username and password).

With OpenVPN you can have username/password, 2FA depending on the endpoint, and logging.

My firewall only supports IPsec, but the performance isn’t very good, so now I want to replace it with a different solution.
I want to give a couple of people access to the local network (different ports and protocols) with good performance, and only from devices that I’ve approved.

I don’t know of any free software that will do approved devices. With the free version of OpenVPN you can set it to where they need a TLS key and a username and password, so only devices that have the TLS key can connect. But if you want to get into it, someone can go find the keys and place them on a different device. Company owned devices should, however, block normal users from getting to those directories.

Tailscale is an overlay network. Wireguard is a self hosted VPN solution. I use Wireguard lots for clients.

Right now with IPsec I set up a pre-shared key, so I have some control over which devices can connect.
If I could have better control, or even the same as with a pre-shared key, that would be good enough.

Do you have any control over your clients devices?

  • Tailscale is free for up to 3 users and 100 devices
  • You can self host using open source Headscale

I do, but these are Windows devices as well, and that can make a difference. People also have iOS and Android clients. I’ve been very pleased with how lightweight Wireguard is and how well it performs.

It might benefit you to just set up a little test Wireguard tunnel and play around yourself.

Wireguard? Don’t know how many users you have, so that may be a limitation. To be clear, not a technical limitation, rather an administrative one, as you have to set up each client. But you will be able to control access via firewall rules.

Tailscale I wouldn’t recommend at all unless you are happy with the default permit any/any option they give you out of the box. You will need to use their dashboard to create JSON rules for users/groups.

OpenVPN is really the only scalable and reasonable option you have for remote access.

What firewall appliance are you using?

The problem I have with Wireguard is that the user can easily export the config, move it to an unapproved device and connect to the network.
Is there any way to control that?

As I told mattsowders, the problem I have with Wireguard is that the user can easily export the config, move it to an unapproved device and connect to the network.
I have been using FortiGate (for now).

Each Wireguard enabled device has its own private key. It wouldn’t be as easy to simply export and import into another device if it’s all set up correctly.

What do you mean “if it’s all set up correctly”? The Wireguard client on Windows has an export option, and you can import that config file on another PC.

I mean, if I export my config from one device and import it into another, yeah, it’ll import, but it will not connect. At least not on my setup. Public keys are mismatched if the config is imported from another device, and public keys can’t be changed within the Windows client (to my knowledge). I’m running my Wireguard instance from pfSense and using mainly Windows clients. This is all assuming you have set up the correct config to begin with. Hoping you get the info you need.
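Since a WireGuard peer is identified only by its key pair, the server cannot tell which physical device holds a config; what it can see is the endpoint each key last handshaked from. The following audit script is an added example, not code from anyone in this thread: it parses constructed `wg show <iface> dump` output (tab-separated, one peer per line after the interface line) and flags peers that are not in an approved baseline or whose source address moved away from the one recorded for that device. The baseline dictionary and the sample dump are assumptions made up for the example.

```python
"""Flag WireGuard peers that handshake from an unexpected source address."""
from __future__ import annotations

# Constructed sample of `wg show wg0 dump` output (tab-separated).
# Line 1 is the interface: private_key, public_key, listen_port, fwmark.
# Each further line is a peer: public_key, preshared_key, endpoint,
# allowed_ips, latest_handshake, transfer_rx, transfer_tx, keepalive.
SAMPLE_DUMP = """\
(hidden)\tSERVERPUBKEY=\t51820\toff
ALICEPUBKEY=\t(none)\t203.0.113.10:41820\t10.8.0.2/32\t1700000000\t1024\t2048\toff
BOBPUBKEY=\t(none)\t198.51.100.7:55555\t10.8.0.3/32\t1700000100\t4096\t512\t25
"""

# Constructed baseline (assumption): the source IP each approved device
# was enrolled from, keyed by that device's WireGuard public key.
BASELINE = {"ALICEPUBKEY=": "203.0.113.10", "BOBPUBKEY=": "192.0.2.44"}


def parse_peers(dump: str) -> dict[str, dict]:
    """Return {public_key: {endpoint_ip, allowed_ips, latest_handshake}}."""
    peers: dict[str, dict] = {}
    for line in dump.splitlines()[1:]:  # skip the interface line
        fields = line.split("\t")
        if len(fields) != 8:
            continue  # not a well-formed peer line
        pub, _psk, endpoint, allowed, handshake, *_ = fields
        # rsplit on the last ':' keeps bracketed IPv6 endpoints intact
        ip = None if endpoint == "(none)" else endpoint.rsplit(":", 1)[0]
        peers[pub] = {
            "endpoint_ip": ip,
            "allowed_ips": allowed,
            "latest_handshake": int(handshake),
        }
    return peers


def find_moved_peers(dump: str, baseline: dict[str, str]) -> list[tuple[str, str]]:
    """List (public_key, reason) for peers not in the baseline or that moved."""
    alerts = []
    for pub, info in parse_peers(dump).items():
        ip = info["endpoint_ip"]
        if ip is None:
            continue  # peer has never handshaked; nothing to compare
        expected = baseline.get(pub)
        if expected is None:
            alerts.append((pub, "public key not in approved baseline"))
        elif ip != expected:
            alerts.append((pub, f"endpoint moved from {expected} to {ip}"))
    return alerts
```

A changed endpoint is a signal rather than proof of a copied config, since laptops and phones roam between networks; it is a prompt to re-verify the device, not an automatic block.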