On Thu, 13 Jun 2024 at 11:08, BD dzidek23@gmail.com wrote:
> An example that I have seen working was a ZTNA configuration with Fortinet hardware and SDN for network separation.
That sort of thing will be out of my budget!
> I suspect the same thing could be achieved using pfSense and network management (with a nice GUI to control it). Quick search on the Internet for "pfSense zero trust" returned a few interesting sites. Additionally pfSense can serve as a VPN concentrator too.
I spent a bit of time looking into this. The biggest issue for me is that it's FreeBSD and most of our stuff is hosted at DigitalOcean, and they no longer offer FreeBSD as an option. I can of course look elsewhere, but DO combines the bandwidth of all your services and we're nowhere close to using it all, so putting a VPN which could potentially be fairly heavy traffic somewhere it can use that bandwidth makes sense if I can.
I spent ages playing with WireGuard - there are some useful tools for building the config ([1], [2]) but I never got a configuration which worked properly with my phone over mobile data (or my laptop using mobile data over a hotspot), and as that's one of the main things I needed to achieve I ended up walking away from my attempts (in part because I managed to get the old SSL-based VPN working over those connections by turning off "FastSSL").
I'd like to get this working at some point, but a day and a half of experimenting and getting nowhere useful was as much (more if I'm honest) as I could afford to allocate to it.
[1] https://www.wireguardconfig.com/ - Configuration builder
[2] https://github.com/mvpsnet/wireguard4vps - PHP-based manager