I'll go ahead and get the ugliness out of the way … first of all, I am seriously overdue on changing our VPN, currently Windows RRAS PPTP. I can offer a plethora of excuses on why I haven't, from cost to ease of use to the fact that it simply just worked 99% of the time. The catch is that it is extremely outdated and, to be generous, of questionable security. But, like I said, it's worked with very few issues … until recently.
We’re finding more and more often that it’s getting blocked by some public WiFi spots like hotels, restaurants, guest WiFi networks at client sites, even some AirBnB sites. We’ve also been finding that the cell providers (in the US) will block it at high traffic times. Combine this with the fact that I know it’s outdated and less than secure, it’s just time to make a change.
I'm looking for some recommendations, particularly low-cost solutions. I have around 30 to 40 users of varying degrees of technical ability. We also tend to have multiple client VPNs installed at the same time (Windows Server RRAS PPTP seemed to be the only one that would work with others installed) like AnyConnect, Fortinet, etc., and it's not uncommon for a client VPN to have whitelisted our office IP address, which would require my user (assuming they were remote) to first VPN to our office with OUR VPN and then use the client VPN to connect to the client network.
Thanks in advance for any suggestions you might have.
> We're finding more and more often that it's getting blocked by some public WiFi spots like hotels, restaurants, guest WiFi networks at client sites, even some AirBnB sites. We've also been finding that the cell providers (in the US) will block it at high traffic times.
It seems unexpected for providers to start blocking tcp/1723 in the 2020s if they didn’t do so ten or twenty years earlier.
Wikipedia tells me (reminds me?) that PPTP uses GRE encapsulation for the actual data. GRE doesn't work over NAT64 or 464XLAT, the process that allows IPv6-only endpoints, like many mobile networks, to connect to IPv4-only destinations. Perhaps that's the issue your users are seeing on mobile networks.
> it's not uncommon for a client VPN to have whitelisted our office IP address which would require my user (assuming they were remote) to first have to VPN to our office with OUR VPN
That's one example of how VPNs don't scale, which is why we phased them out a long time ago in favor of SSO in the webapps or HTTP(S) front-ends. You have a big opportunity to do the same, considering that you already have multiple VPN issues.
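The GRE-over-NAT64 point above is easy to check from an affected laptop. The script below is an added diagnostic, not something posted in this thread: it tests the PPTP control channel (plain TCP/1723, which traverses NAT fine) and then uses the RFC 7050 trick of resolving ipv4only.arpa for AAAA, which only succeeds when a DNS64 resolver (and therefore NAT64/464XLAT) is in the path. The server name vpn.example.com is a placeholder for your RRAS host.

```powershell
# Added diagnostic for PPTP-behind-NAT64 failures. Not from the original thread.
# Assumption: the RRAS/PPTP server is reachable by the hypothetical name below.
$Server = 'vpn.example.com'

# 1. PPTP control channel: ordinary TCP, so NAT64 / CGNAT pass it happily.
$ctl = Test-NetConnection -ComputerName $Server -Port 1723 -WarningAction SilentlyContinue
"TCP/1723 control channel reachable: $($ctl.TcpTestSucceeded)"

# 2. RFC 7050 NAT64 detection: ipv4only.arpa has only A records, so an AAAA
#    answer can only come from DNS64 synthesis, which means IPv4 traffic is
#    being translated. GRE (IP protocol 47) has no ports and is not translated.
$aaaa = Resolve-DnsName -Name 'ipv4only.arpa' -Type AAAA -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'AAAA' }
if ($aaaa) {
    "DNS64 synthesis detected (synthesised address $($aaaa[0].IPAddress))."
    "NAT64/464XLAT is in the path: the PPTP data channel (GRE) cannot be carried,"
    "so the tunnel will fail even though the control channel above connected."
} else {
    "No DNS64 synthesis seen. If TCP/1723 connects but the tunnel never comes up,"
    "suspect the hotspot is filtering GRE (IP protocol 47) rather than port 1723."
}

# 3. Is this client IPv6-only? A 464XLAT client only has a CLAT-provided IPv4
#    address (Windows assigns it to the cellular interface), no real IPv4 path.
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '169.254.*' -and $_.IPAddress -ne '127.0.0.1' } |
    Select-Object InterfaceAlias, IPAddress, PrefixOrigin
```

Run it once on office WiFi (expect TCP success and no AAAA answer) and once tethered to the phone network that "blocks" PPTP; if the second run shows an AAAA answer, the carrier is not blocking port 1723 at all, the data channel simply has no way through, and no amount of RRAS tuning will fix it.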
We've just deployed Cisco AnyConnect with a Meraki MX67 for a similar number of staff. SAML auth to Entra ID, so VPN access is MFA protected with Conditional Access, and of course we configure split-tunnel DNS so only traffic bound for internal resources goes over the VPN. We also set up Entra ID Connect so on-prem identities and cloud identities would password sync.
AnyConnect licensing on Meraki is trust based so you can start testing straight away once you have an appliance.
It’s been incredibly smooth, with the only caveat being you need to contact Cisco support to ask them to enable token timeouts if you don’t want Cisco forcing an MFA prompt every single time, regardless of other protections in place. We have our token timeouts set to 8 hours.
"The use of TCP port 443 for traffic transmission allows SSTP to pass through most firewalls and proxy servers seamlessly. SSL makes the operation of an SSTP server highly secure. The protocol encapsulates PPP packets over an SSL channel, enhancing security through the mechanisms of SSL/TLS."
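Since SSTP is already built into the Windows RRAS the original poster runs, here is an added example (not posted in the thread) of how a client-side SSTP profile looks in PowerShell, with split tunnelling so it can coexist with the client-site VPNs mentioned earlier, and a TLS handshake check that mirrors what the SSTP client does before it will connect. Names and prefixes (vpn.example.com, 10.10.0.0/16, the profile name) are placeholders.

```powershell
# Added example of an SSTP client profile with split tunnelling. Not from the thread.
# Assumptions: RRAS is publishing SSTP on vpn.example.com:443 with a certificate
# that chains to a root the client trusts; 10.10.0.0/16 is the office network.
$Server  = 'vpn.example.com'
$Profile = 'Office SSTP'
$Office  = '10.10.0.0/16'

# The SSTP client validates the server certificate exactly like a browser would,
# so confirm the chain is trusted on this machine before creating the profile.
$tcp = [System.Net.Sockets.TcpClient]::new($Server, 443)
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($Server)       # throws on an untrusted / mismatched cert
    "TLS {0} to {1}, cert subject: {2}" -f $ssl.SslProtocol, $Server, $ssl.RemoteCertificate.Subject
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}

# Split tunnel: only routes added explicitly go over the VPN, so a client's
# AnyConnect/Fortinet tunnel can be brought up on top without a default-route fight.
Add-VpnConnection -Name $Profile -ServerAddress $Server -TunnelType Sstp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -SplitTunneling -RememberCredential -Force

Add-VpnConnectionRoute -ConnectionName $Profile -DestinationPrefix $Office -PassThru

# Quick reachability check of the TLS listener (port-level only, no cert check).
Test-NetConnection -ComputerName $Server -Port 443 | Select-Object ComputerName, TcpTestSucceeded
```

Two caveats a practitioner would want spelled out: TLS only protects the transport, so the PPP authentication inside still matters (MS-CHAPv2 is shown because RRAS supports it out of the box; EAP with certificates or an external RADIUS/MFA step is the stronger choice), and the split tunnel means the client-site VPN that whitelists the office IP only works if that client's subnets are routed through the office tunnel, which is what Add-VpnConnectionRoute is for.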
SonicWall SMA can run websites through the internal network without a full VPN connection. I set this up for a company that was using AnyDesk. You can log in using MFA with your active AD account. You can run RDP sessions or open internal sites or even just fully connect to the VPN if you want. It's a very handy system.
Modern low-cost VPN for a few users? Cloudflare One without a doubt. You get a certain number of users for free, so you can just get started right away with a modern SSE-type solution. SSE or nothing in 2025.