Tom Lawrence here from Lawrence Systems, and a question I get a lot is: which VPN should I use in pfSense? Because pfSense offers multiple VPNs, there are multiple answers to that question, and each one does have a use case. Now, these use cases may overlap a little, but what I wanted to explain today is what the use case is and where we use them. There may be other use cases you have, but I'll give the explainer here so you can narrow down your choice of VPN when you're setting it up and understand why you would or would not use one of these technologies, and what the advantages and disadvantages of each of them are.

Before we dive into this video, let's first ask: are you an individual or company looking for support on a network engineering, storage or virtualization project? Is your company or internal IT team looking for someone to proactively monitor your system security or offer strategic guidance to keep your IT systems operating smoothly? Not only would we love to help consult on your project, we also offer fully managed or co-managed IT service plans for businesses in need of IT administration or IT teams in need of additional support. With our expert install team, we can also assist you with all of your structured cabling and Wi-Fi planning projects. If any of this piques your interest, fill out our Hire Us form at lawrencesystems.com so we can start crafting a solution that works for you. If you're not interested in hiring us but you're looking for other ways to support this channel, there are affiliate links down below to get deals and discounts on products and services we talk about on this channel. And now back to our content.

The first one on our list here is Tailscale, and I've got videos linked down below on actually setting up all of these different ones. Here we're just going to talk about which one to use.
I am excited that they put Tailscale in pfSense, because it solves so many people's problems when they don't have a public IP address. That's why I have the note right there above me that says no public IP needed on any device. The Tailscale coordination server solves that by figuring out where these devices are, because they beacon out to the Tailscale server, and from there it coordinates getting them all connected. Even when they're behind double and triple NAT it can do some really clever things, including getting around CGNAT, but that requires all the devices to talk to the Tailscale coordination server. Maybe you don't want to use that server. That is a private server; it is a company and a service that they offer. The alternative to that is using Headscale, which I have a video on. You have to build a Headscale server in the cloud, but it can act as a coordination server that all your devices talk to, and it can then coordinate where these devices are. So it still works the same. It's still Tailscale, because the Tailscale client is completely open source, and so is the Headscale system. So it's an alternative way to do it, but it requires a little more technical expertise. Just using the Tailscale server is easy enough for a lot of users. Now, there is no username or user management. You authorize the devices to be on there; you don't authenticate the users. So the coordination server is going to decide which ones are allowed to be on the network when you set them up, but the authentication model is not at the device level, because it's essentially an always-on VPN. I mean, you can turn it off, but you can just leave it on, and whenever traffic goes across the network and matches any of the routes published in the Tailscale system, it will redirect those packets over there. Now, Tailscale is reasonably fast, even though it's written in Go, and it does use WireGuard on the back end.
The advantage over just using WireGuard, which we'll get to, is going to be that coordination server, and it punches through NAT firewalls and CGNAT firewalls really well. Tailscale can also be used as a site-to-site device. This is a really cool feature, and even if both of these pfSenses don't have public IPs, it can still coordinate getting them talking to each other. By having it as site-to-site, you can set up bidirectional communication between all the devices on either side and not have to worry about public IPs or your IP changing. So if your IP rolls or changes, the coordination server sees that change and updates everything to keep the connections going. And it will scale rather well for more complicated networks, when you have multiple pfSenses with multiple routes and multiple subnets that you want published across here. You even have the ability to select an exit node, where maybe you want all this traffic to tunnel out and exit from one device. This is really some clever networking that Tailscale uses. I've always recommended people read through their documentation, because they outline very, very well how NAT and all of these things work. They've done a great job on their site for that.

Next we have WireGuard. WireGuard is awesome. It is a kernel-level implementation of WireGuard here in pfSense. But you are going to need a publicly accessible IP address. It's best if it's static, though not impossible if it isn't. I say that because you can use things like dynamic DNS and deal with a changing pfSense public IP. But some of the other devices may try to hold on for a little while to the IP you had, or the other entry, before they do a DNS lookup again. This can cause some disruption in service. But that being said, it's fast, it's effective, and it works rather well.
You can connect phones and devices that will cut through different firewalls and cut through NAT, as long as your pfSense is accessible and has that static IP. Now, once again, there's no username or password. You're dealing with key authentication. So you're going to generate keys for these devices and place them in there for WireGuard, and it works great. But those devices are always going to be on. So you have to have a contingency plan if one of these devices goes rogue. You have to make sure you understand that, and you'll have to delete them out of pfSense. You're not authenticating them as a user; you're authorizing that device with a key. But it's a good system overall, and there's broad support for all the different platforms. Alternatively, you can use this as a site-to-site VPN. I really feel WireGuard is replacing IPsec, which we'll talk about later, but it works great as a site-to-site VPN, and it's relatively easy to set up. The ease of setup in WireGuard comes from the fact that it does not have a lot of different protocol support. It has a narrower, more limited cipher support, but it's been well vetted. It's based on good cryptography. And being that it's a kernel implementation, you can build this. But you have to build all of this: this is all done with all these pfSenses talking to each other and building all the route information in there. It does work rather well. And still, even with multiple on here, only one pfSense really needs to have a static IP; you can have the other pfSenses that you're doing site-to-site with be completely independent. So some might be behind CGNAT, some are just behind whatever dynamic one. As long as, when you're setting it up, you leave the site-to-site as dynamic on those, and the pfSense with that one static IP (or multiple static IPs) knows to have those connections coming in, that can work perfectly fine.

Now, OpenVPN.
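The site-to-site layout just described, one pfSense with a static address and every other site dynamic or behind CGNAT, is easiest to check when the peer rules are written out in full. The following is an added example for this page, not code from the video or from pfSense; site names, keys and addresses are constructed placeholders, and the output is wg-quick style text so the asymmetry between hub and spokes is visible in one place (pfSense builds the same settings from its GUI under VPN > WireGuard).

```python
"""Lay out a WireGuard site-to-site mesh where only the hub pfSense has a
static public address and every spoke is behind NAT, CGNAT or a dynamic IP.

Added example for this page; it is not code from the video or from pfSense.
Names, keys and addresses are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List

TUNNEL_PREFIX = 24   # assumption: one /24 carries all tunnel addresses
KEEPALIVE = 25       # seconds; keeps the spoke's NAT/CGNAT mapping open


@dataclass
class Site:
    name: str
    public_key: str      # the key other sites load; the private key stays on the box
    tunnel_ip: str       # this site's address inside the tunnel
    lan: str             # subnet behind this pfSense


@dataclass
class Hub(Site):
    endpoint: str = ""   # static IP or DDNS name the spokes dial
    port: int = 51820


def hub_config(hub: Hub, spokes: List[Site]) -> str:
    lines = [
        "[Interface]",
        f"Address = {hub.tunnel_ip}/{TUNNEL_PREFIX}",
        f"ListenPort = {hub.port}",
        "PrivateKey = <hub private key, generated on the hub>",
        "",
    ]
    for s in spokes:
        # No Endpoint and no keepalive on the hub side: the hub learns each
        # spoke's address from the spoke's latest handshake, so spokes may sit
        # behind CGNAT or change address. AllowedIPs also acts as the cryptokey
        # ACL: packets from this key are only accepted if their source is listed.
        lines += [
            "[Peer]",
            f"# {s.name}",
            f"PublicKey = {s.public_key}",
            f"AllowedIPs = {s.tunnel_ip}/32, {s.lan}",
            "",
        ]
    return "\n".join(lines)


def spoke_config(spoke: Site, hub: Hub, spokes: List[Site]) -> str:
    # A spoke only knows the hub. The other sites' LANs are routed to the hub
    # peer, so spoke-to-spoke traffic hairpins through the hub.
    remote_lans = [hub.lan] + [s.lan for s in spokes if s.name != spoke.name]
    allowed = ", ".join([f"{hub.tunnel_ip}/32"] + remote_lans)
    return "\n".join([
        "[Interface]",
        f"Address = {spoke.tunnel_ip}/{TUNNEL_PREFIX}",
        f"PrivateKey = <{spoke.name} private key, generated on {spoke.name}>",
        "",
        "[Peer]",
        f"# hub {hub.name}",
        f"PublicKey = {hub.public_key}",
        f"Endpoint = {hub.endpoint}:{hub.port}",
        f"AllowedIPs = {allowed}",
        f"PersistentKeepalive = {KEEPALIVE}",
        "",
    ])


def build_configs(hub: Hub, spokes: List[Site]) -> Dict[str, str]:
    """One config text per site, keyed by site name."""
    configs = {hub.name: hub_config(hub, spokes)}
    for s in spokes:
        configs[s.name] = spoke_config(s, hub, spokes)
    return configs


# Constructed sample: one static-IP hub and two spokes with no reachable address.
HUB = Hub("hq", "HQpubkey000000000000000000000000000000000000=", "10.10.0.1",
          "192.168.10.0/24", endpoint="vpn.example.net")
SPOKES = [
    Site("branch", "BRpubkey000000000000000000000000000000000000=", "10.10.0.2", "192.168.20.0/24"),
    Site("home", "HMpubkey000000000000000000000000000000000000=", "10.10.0.3", "192.168.30.0/24"),
]

if __name__ == "__main__":
    for name, text in build_configs(HUB, SPOKES).items():
        print(f"--- {name} ---\n{text}")
```

In pfSense terms, the hub's peer entries are the ones with Dynamic Endpoint enabled, and the hub is the only box that needs a WAN firewall rule passing UDP to its listen port; the spokes initiate outbound and the keepalive holds the NAT mapping open. Traffic between two spokes passes through the hub, so the hub's rules on the WireGuard interface decide whether branch and home can reach each other at all.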
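Two of the WireGuard caveats above, a spoke clinging to a stale dynamic-DNS address and a device key that keeps working after the device has gone rogue, are both visible in the output of `wg show <iface> dump`, which pfSense's WireGuard package exposes on the FreeBSD shell. The script below is an added example for this page, not code from the video, from pfSense or from the WireGuard project: it parses that dump, lists peers that have not completed a handshake recently so their keys can be reviewed, and re-resolves the hub's DDNS name on a spoke to detect a changed address. The dump text is constructed, the interface name `tun_wg0` is pfSense's naming convention assumed here, and the one-week staleness threshold is an assumption.

```python
"""Audit the peers of a WireGuard interface from `wg show <iface> dump` output.

Added example for this page; it is not code from the video, from pfSense or
from the WireGuard project. SAMPLE_DUMP is constructed, not captured.
"""
import socket
import time
from dataclasses import dataclass
from typing import List, Optional

# Assumption for the example: a week without a handshake makes a peer "stale".
STALE_AFTER_SECONDS = 7 * 24 * 3600


@dataclass
class Peer:
    public_key: str
    endpoint: Optional[str]      # "ip:port" last seen; None if the peer never connected
    allowed_ips: List[str]
    latest_handshake: int        # unix seconds; 0 means never
    rx_bytes: int
    tx_bytes: int


def parse_wg_dump(dump: str) -> List[Peer]:
    """Parse `wg show <iface> dump`: the first line describes the interface,
    every further line is one peer with eight tab-separated fields."""
    lines = [ln for ln in dump.splitlines() if ln.strip()]
    peers = []
    for line in lines[1:]:
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        pub, _psk, endpoint, allowed, handshake, rx, tx, _keepalive = fields
        peers.append(Peer(
            public_key=pub,
            endpoint=None if endpoint == "(none)" else endpoint,
            allowed_ips=allowed.split(","),
            latest_handshake=int(handshake),
            rx_bytes=int(rx),
            tx_bytes=int(tx),
        ))
    return peers


def stale_peers(peers: List[Peer], now=None, max_age=STALE_AFTER_SECONDS) -> List[Peer]:
    """Peers that never handshaked, or not within max_age seconds. A key that is
    still loaded but unused is the one to question: there is no user session to
    expire with WireGuard, only the device key to remove."""
    now = time.time() if now is None else now
    return [p for p in peers
            if p.latest_handshake == 0 or now - p.latest_handshake > max_age]


def removal_commands(iface: str, peers: List[Peer]) -> List[str]:
    """`wg set` lines that drop each peer's key from the running interface."""
    return [f"wg set {iface} peer {p.public_key} remove" for p in peers]


def endpoint_refresh_command(iface, hub: Peer, hostname, port, resolve=socket.gethostbyname):
    """On a spoke that reaches the hub by a dynamic-DNS name: wg resolves the name
    once when the peer is loaded, so after the hub's IP changes the spoke keeps
    sending to the old address. Re-resolve and return the `wg set` that re-points
    the peer, or None if the cached endpoint is still current. IPv4 only here."""
    current_ip = resolve(hostname)
    cached_ip = hub.endpoint.rsplit(":", 1)[0] if hub.endpoint else None
    if cached_ip == current_ip:
        return None
    return f"wg set {iface} peer {hub.public_key} endpoint {current_ip}:{port}"


# Constructed sample: a hub with three spokes; one healthy, one idle a month, one never seen.
NOW = 1_700_000_000
SAMPLE_DUMP = "\n".join([
    "\t".join(["(hidden)", "HUBpubkeyexample0000000000000000000000000000=", "51820", "off"]),
    "\t".join(["SPOKE1pubkeyexample000000000000000000000000=", "(none)", "198.51.100.7:41000",
               "10.10.0.2/32,192.168.20.0/24", str(NOW - 60), "123456", "654321", "25"]),
    "\t".join(["SPOKE2pubkeyexample000000000000000000000000=", "(none)", "203.0.113.55:51820",
               "10.10.0.3/32,192.168.30.0/24", str(NOW - 30 * 86400), "9000", "8000", "25"]),
    "\t".join(["SPOKE3pubkeyexample000000000000000000000000=", "(none)", "(none)",
               "10.10.0.4/32", "0", "0", "0", "off"]),
])


def audit(iface="tun_wg0", dump=SAMPLE_DUMP, now=NOW) -> List[str]:
    """Removal commands for an operator to review, one per stale peer."""
    return removal_commands(iface, stale_peers(parse_wg_dump(dump), now))


if __name__ == "__main__":
    for cmd in audit():
        print(cmd)
```

The `wg set` lines only change the running interface; on pfSense the durable change is deleting the peer under VPN > WireGuard > Peers and applying, otherwise the next apply or reboot reloads the key from the saved configuration. The endpoint refresh is the same re-resolve trick the wireguard-tools `reresolve-dns.sh` script performs, and it is what a spoke needs when the hub sits on dynamic DNS.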
This one is pretty much the go-to for user authentication. You really should have a pfSense with a public IP; dynamic DNS should work, but it works quite well. Now, there are some complexities to OpenVPN. I have tutorials on it. It's a good VPN, but those complexities are there because there are so many different cipher supports and a lot of options in there. The tutorials I have do cover which ones are good choices, and I'll make some new ones coming up soon. But OpenVPN does use a username and password. So you can track, log and control everyone from a username and password perspective as they log in. The real advantage, and the way we use this a lot in businesses, is not just having the usernames and passwords in pfSense, but that you can hand it off to things like a RADIUS server or Active Directory. So you can do different tie-ins. That way you can set the same VPN tool up on many different devices, and you'll know when that user logged in, because you can log and track it too. If you have to revoke a user's username and password, you can simply go and do that. Whether the backend is AD or RADIUS or just the built-in pfSense one, you can go delete that user or lock out that user, and they can't log in anymore, without having to get to the device to deauthorize it. So there are different ways you control it there, but OpenVPN works rather well. Now, OpenVPN does not have a problem with NAT devices. So if the other devices are behind NAT, that generally doesn't present a problem for OpenVPN. The protocol works at getting through different firewalls and different networks, whether the phones are on whatever 4G, 5G or LTE networks, or there are devices behind different CGNAT. So long as they can get to that pfSense on the public IP, OpenVPN cuts through that quite well.

OpenVPN shared key deprecation. This is to-do 12981 on pfSense. This is a notice that they are getting rid of this as an authentication model.
So OpenVPN is really not ideal for site-to-site with this. This is going to be deprecated over time, so switch to one of the other ones. WireGuard would be a good suggestion on that.

IPsec. This has been around forever. And when would you use this? You can still use this in pfSense. IPsec is good. It's fast. It's well documented. It's been around for a long time, but it has a real problem when everything doesn't have public IPs. Now, someone's going to leave a comment, "Tom, there's an easy way to get through that," and leave a list of commands. Yes, there are ways to get through that. But occasionally it doesn't get through, because there are just different problems you may run into in different scenarios, because the firewall may be behind another firewall that, well, just doesn't do the proper port translation to get the NAT through, or just disrupts the IPsec connection. So IPsec is good, but it can have some issues when it comes to dealing with NAT. But if everything has public IPs, yeah, it'll work. Now, of note, this is the most common use case we have for IPsec when we're setting up site-to-site for clients, and that's going to be when some other firewall is involved, because IPsec, as I said, is an old standard. Therefore, it's going to be pretty interoperable with a lot of different firewalls. So a lot of times we have clients that have access to certain medical companies; these little doctors' offices have to set up IPsec tunnels. They have a pfSense, and we'll have to set up IPsec tunnels to whatever on-prem equipment there is for the other client. And we've got this working with many different firewalls, many different brands. There are sometimes some nuances, because you have to figure out if they're using different nomenclature to do it. But it's something that can be done when you want interoperability. So IPsec is mostly, from my perspective, used when I have another firewall that's not pfSense.
So I hope this video left you with a better understanding of the VPN options currently available in pfSense as of October 2022. Leave your thoughts and comments down below about which VPN you think you should use or what other VPNs you'd maybe like to see in pfSense, or if you have some comments or questions about this video, or head over to my forums, forums.lawrencesystems.com, for a more in-depth discussion on this topic. You'll find a link to this video there. Also check out the tutorials I have on things like Tailscale and Headscale, both in general and specifically for pfSense. I've covered a lot of these topics over time, and it's always really fascinating diving into all these different VPN options. It's so much different than when I started in this business 25 years ago. But hey, nonetheless, leave your thoughts down below. See you next time, and thanks.

And thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a short project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a Join button here for YouTube and a Patreon page, where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell, and designs come out, well, randomly. So check back frequently. And finally, our forums: forums.lawrencesystems.com is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and I look forward to hearing from you.