As a result of the social distancing measures companies are taking to reduce the spread of the coronavirus disease (COVID-19), the typical ratio of local-to-remote workers has flipped on its head. Now, only a fraction of the workforce is going to the corporate office to support the rest of the workforce, who are suddenly working from home. This massive increase in remote workers requiring continuous VPN connections is creating a bottleneck on some organizations’ WANs and VPNs, even causing VPN servers to fall over.

Deploying or increasing VPN capacity overnight can be daunting, regardless of your expertise or financial resources. There are many factors to consider. At the most basic level, VPN capacity comes down to:

  • Technologies deployed including servers, clients, and encryption protocols
  • Number of concurrent connections
  • Bandwidth per connection

In our last blog (Social Distancing from Work? Scalable VPN Ensures Your Business Goes On), we shared some resources to help organizations install a free VPN server using pfSense® software to provide new “work from home” employees with secure remote access to corporate networks. This approach will often cover the needs of small to medium-sized businesses, depending on the number of remote workers (concurrent connections).

VPN Congestion

Most organizations deploy VPN access to support “road warriors” and full-time remote workers—typically a sliver of their workforce. Even at peak usage, these connections should only account for a small percentage of ingress and egress traffic across a corporate wide area network (WAN). With organizations now scrambling to provide remote access to nearly their entire workforce, traffic across the WAN can increase by orders of magnitude, resulting in bottlenecks.

In some cases, bottlenecks can be resolved by upgrading the VPN server to increase concurrent connection capacity. If the VPN server isn’t an issue, the bottleneck may be due to limited bandwidth across the corporate WAN. The fix to that is simple, right? Just call your ISP and ask them to increase bandwidth. They’ll be happy to oblige - 30, 60, or 90 days later.

Relocate the data

In early March, a healthcare communications company with offices in the U.S. and U.K. made the decision to immediately transition 200+ employees to work from home - to help slow COVID-19 spread.

Their global IT manager immediately started looking for ways to increase VPN capacity. When he found out their ISP needed 90 days to upgrade the internet to a 1 Gbps connection, he had to come up with plan B.

After some analysis, he realized their remote workers primarily needed access to static data, not internal services or applications. Armed with this insight, he decided to replicate the required data in Microsoft® Azure®, and enable remote workers direct access via an encrypted connection, thus reducing the number of connections to the corporate WAN.

Accessing the data

Once the data was replicated into Azure, options to access the data were evaluated. Using Azure Gateway to manage access was considered until it was found to be limited to 100 VPN connections. Increasing the number of VPN connections beyond 100 incurs additional fees, bringing the annual cost of the VPN gateway service to approximately $10,000. This cost is in addition to ingress and egress charges for network traffic.

To avoid incurring additional fees for all VPN connections, he chose Netgate® pfSense® software for remote access to Azure-based data. He launched a pfSense software instance (Azure F4SV2: 4 core CPU, 8Gb RAM, 32Gb of disk space) from the Azure Marketplace.

He used pfSense software’s OpenVPN Client Wizard to streamline VPN access provisioning for each remote worker. The wizard creates a pre-packaged installer and configuration files for Windows, iOS, and Android clients. Compared with configuring user connections one by one, this can both significantly reduce configuration time and eliminate configuration errors. Once configured, each remote worker’s VPN connection automatically and securely connects to Azure, the corporate network, or the internet.

Long-term solution

The above approach can be done in a day or less - helping companies quickly enact COVID-19 social distancing. Further, given that COVID-19 is likely not the last epidemic or pandemic we will face, this approach can serve as a long-term solution to reduce congestion, costs, and security issues associated with routing all remote user traffic through corporate networks.

Free trials of pfSense software are available to anyone by visiting the Microsoft Azure or AWS marketplaces. Supporting technical documentation for both can be found here. Useful deployment information about OpenVPN and IPsec can be found here and here respectively.

We are here to help

Wherever your organization is in these challenging times, Netgate is happy to address questions and provide guidance on how to update your IT infrastructure for fast, scalable work at home needs. Email or call us at +1 (512) 646-4100.