While consumers are waking up to the necessity of using virtual private network (VPN) services, businesses have long deployed this technology. IT has simply done it for slightly different reasons. While keeping traffic secure is certainly still the overall goal, business IT also likes to deploy VPNs as a way to securely link entire sites with one another, not just individual users. They have also historically deployed solutions that combine software clients with dedicated hardware solutions. That’s changing, however, as more businesses are moving to an all-software VPN fabric. That’s because an all-software solution is intrinsically more flexible, and now more than ever, users are asking for more and different remote connection access. Not just from one location using one device, but from anywhere and using multiple devices interchangeably. Keeping your network secure means tightening up your remote connection process. The best way to do that is to ensure that all systems connecting from outside are authenticated with an identity management suite and use VPNs to secure the connection and data.
Editors’ Note: IPVanish is owned by j2 Global, the parent company of PCMag’s publisher, Ziff Davis.
The biggest issues you’ll encounter with VPN server and client setup and configuration won’t be about the available options. They’ll be about getting the server and client set up the same way. Users often find the process impenetrable, involving long strings of letters and numbers for the cryptographic keys, as well as ensuring that all of the many options are set the same way on both the server and client sides. Unless they’re identical, you won’t be able to establish a connection. For this reason, most IT professionals prefer to deploy VPNs to a pre-configured client with an install file that automatically configures the software and installs the keys. This is especially true for remote and mobile clients, which are becoming more commonplace today. A favored method is to use a client that can be emailed or installed from a USB key or CD/DVD. Users receive this physical token, insert it into their devices, and everything else is automatic; this can go a long way towards ensuring user satisfaction.
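The server/client mismatch described above can be caught before a pre-configured client is handed to a user. The following is an added example, not code from the article or from any vendor reviewed here: it compares two OpenVPN-style configuration files and lists the settings that disagree. It assumes OpenVPN 2.x directive syntax and statically configured (not negotiated) cipher and auth settings; both sample configs are constructed.

```python
# Constructed sample configs; 203.0.113.10 is a documentation address.
SERVER_CONF = """\
port 1194
proto udp
dev tun
cipher AES-256-CBC
auth SHA256
tls-auth ta.key 0
"""
CLIENT_CONF = """\
client
remote 203.0.113.10 1194
proto tcp
dev tun
cipher AES-128-CBC
auth SHA256
tls-auth ta.key 0
"""

def parse(text):
    """Map directive -> argument list, dropping '#' and ';' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            conf[name] = args
    return conf

def mismatches(server_text, client_text):
    """Return settings that would keep this client from connecting."""
    s, c, problems = parse(server_text), parse(client_text), []
    # Assumption: cipher and auth are set statically, not negotiated.
    for key in ("dev", "cipher", "auth"):
        if s.get(key) != c.get(key):
            problems.append(f"{key}: server={s.get(key)} client={c.get(key)}")
    # proto defaults to udp; compare transport only (tcp-server vs tcp-client).
    s_proto, c_proto = (x.get("proto", ["udp"])[0][:3] for x in (s, c))
    if s_proto != c_proto:
        problems.append(f"proto: server={s_proto} client={c_proto}")
    # tls-auth must be on both sides, with opposite key directions (0 and 1).
    s_ta, c_ta = s.get("tls-auth"), c.get("tls-auth")
    if (s_ta is None) != (c_ta is None):
        problems.append("tls-auth: enabled on one side only")
    elif s_ta and sorted(s_ta[1:2] + c_ta[1:2]) not in ([], ["0", "1"]):
        problems.append("tls-auth: key directions must be opposite (0 and 1)")
    return problems

if __name__ == "__main__":
    print("\n".join(mismatches(SERVER_CONF, CLIENT_CONF)) or "configs agree")
```

Run against the constructed pair, it reports the cipher, transport protocol, and tls-auth key direction as mismatched; a client file that passes the check is ready to be bundled with the installer.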
Why Not Just Use Microsoft?
Microsoft Windows 7, Windows 8, and Windows 10 all have a VPN client included as part of the base operating system (OS). Microsoft has gone to some trouble to give its IT professional customers tools that can, albeit laboriously, be set up to install this client automatically and to specific configuration specifications, with all of the features a user might need. Given that Windows is a hugely popular OS in the business world, one might wonder about the point of using separate, third-party VPN clients such as the ones we’re looking at in this roundup. The answer is three-fold: cross-platform compatibility, management, and ease of use.
On the cross-platform front, the Microsoft VPN Client for Windows, as the name implies, is only available for Windows. Other platforms such as Apple iOS or OS X, Android, and all of the various flavors of Linux, have built-in or free (or paid) VPN clients of their own. But each tends to be different. Plus, having to support half a dozen different clients, even on just a midsize network with a few hundred users, can be a support nightmare. Moving to a single VPN client that works across multiple platforms can make administration and support a much simpler task.
Readers may wonder why neither the Cisco VPN Client nor the Cisco AnyConnect product is reviewed here, since the clients are pervasive, readily available for a wide variety of OSes, and easily downloaded. The reason: Cisco’s licensing scheme requires that the Cisco software client connect only to Cisco hardware (the server part of the VPN). Licensing is not available for any other server, and the products we’re looking at here are server-agnostic (aside from the Microsoft VPN Client for Windows, which we’re using as a baseline).
How We Tested
To test these business VPN clients, we set up a simulated wide area network (WAN) link using Shunra software running on a PC with two network cards. The system allows a simulated connection operating at selectable speeds from 128Kbps to 1Gbps. We tested at 1.5Mbps, 10Mbps, 60Mbps, and 100Mbps. The simulated WAN link was used to connect two subnets. Each subnet had a router and several PCs, including a Microsoft Windows 2012 R2 Server with files and test scripts. The PCs and VPN clients were used to connect to the opposite subnet via several VPN options, including PPTP, L2TP, and IKEv2 (if supported). Given the vast number of possible combinations of protocol, key, certificate, and encryption strength, no attempt was made to test every possible combination. Instead, each test scenario was set to use the maximum length of key or encryption bit depth in order to place the maximum possible load on the VPN client. In every case, the VPN connections were within a percentage point of each other, running as fast as the WAN link allowed, with minimal impact on the client system.
Once installed on a test machine, the VPN client was connected through the WAN simulator to an OpenVPN gateway on a Linksys LRT224 firewall. None of the clients had any problem connecting to the OpenVPN gateway and pre-shared certificates worked as they should have. Some additional testing with the Linksys IPSec VPN server also showed no connection issues.
Managing Your VPNs
A small organization will have no problem maintaining information on clients, keys, and other configuration details in a spreadsheet via cut-and-paste or simply saving the data in the VPN server’s configuration utility. But that’s only viable for small groups of VPNs. Organizations that have more than 20 or so VPN clients will need tools such as the NCP Secure Entry Client for Win32/64, which automates initial configuration and deployment and even has tools to help troubleshoot them in the field.
The security afforded by VPN solutions is good, even using just the basic settings. Sure, if the NSA wants your data, then they can probably get it no matter which solution or degree of encryption you’re using. But lesser hackers and digital ne’er-do-wells will likely be stymied by a VPN and move on to easier prey, unless there’s an unpatched vulnerability on either side of the connection that they can exploit. Many of the recent ransomware and other widespread malware infestations would not have been possible if OSes and applications had been kept patched. A good VPN solution should have the option to download and install patches automatically, or after patches have been cleared by IT, for both the client and server portions. TheGreenbow IPSec VPN Client and the NCP Secure Entry Client for Win32/64 provide automatic update functionality, while the Microsoft VPN Client for Windows typically gets updated as the OS does.
All of the clients have the ability to install silently and from a pre-configuration file so users don’t need to understand or enter data to get the client up and running. Even the Microsoft client can do this, although the process for the administrator to get everything set up is manual and will require some testing to ensure a smooth installation. Once that’s done, the admin can email the user an installation executable file (or send them a CD or USB drive), including the configuration file and the certificate or pre-shared key file (in a separate message for security). The user simply double-clicks the installer and, after a short period, the VPN connection is available to them.
The four vendors we review here offer clear documentation on how to set all this up. TheGreenbow, NCP Secure Communications, and to a lesser extent OpenVPN, offer some management utilities to help the admin set things up without having to write scripts. Microsoft does, too, although you’ll need to do some searching on TechNet, its IT professional knowledge base.
These aftermarket VPN client utilities offer substantial benefits beyond the simple built-in capabilities of the Windows 10 VPN client, and cross-platform support to make it easier for an organization to supply VPN services to a diverse group of devices. With prices ranging from free to $79 per client, they’re not all cheap. However, the savings in setup and support costs could quickly amortize the costs while keeping an organization secure, despite the best efforts of their increasingly mobile users.