Comprehensive Guide to Deploying VPNs and Choosing SD‑WAN Solutions
This article shares ten years of ops experience and walks through the full lifecycle of VPN deployment—from OpenVPN, WireGuard, and IPsec/IKEv2 installation on Linux to hardware VPN vendor comparison and an in‑depth SD‑WAN technology overview—helping enterprises select the most suitable solution for their network, security, and cost requirements.
Why VPN selection matters
After a decade of operations work, the author has seen production outages caused by poor VPN choices: branch offices unable to reach headquarters ERP, high latency breaking cross‑border trade, and security mis‑configurations leading to data leaks. The guide aims to prevent such incidents by providing a complete, step‑by‑step reference.
1. OpenVPN – the most mature open‑source VPN
OpenVPN is built on OpenSSL: a TLS handshake authenticates both ends with X.509 certificates and derives the keys for the data channel, and it runs on virtually every platform. Its strengths are flexibility, an active community, and abundant documentation; its weakness is throughput, because encryption runs in user space and every packet crosses the kernel boundary through the tun/tap device, so it costs noticeably more CPU per gigabit than a kernel implementation.
1.1 CentOS/RHEL installation
Install EPEL, OpenVPN and easy‑rsa, copy the PKI files, and generate certificates:
# Install EPEL repository
yum install -y epel-release
# Install OpenVPN and easy‑rsa
yum install -y openvpn easy-rsa
# Copy easy‑rsa files
cp -r /usr/share/easy-rsa/3/* /etc/openvpn/server/
cd /etc/openvpn/server/
Initialize PKI and create certificates:
# Initialize PKI (creates ./pki)
./easyrsa init-pki
# Build CA certificate. "nopass" is fine for a lab; in production omit it, because
# anyone who can read pki/private/ca.key can then issue client certificates, and
# keep the CA key off the VPN server entirely.
./easyrsa build-ca nopass
# Build server certificate
./easyrsa build-server-full server nopass
# Build client certificate (one per user; never share a client certificate between people)
./easyrsa build-client-full client1 nopass
# Generate DH parameters (pki/dh.pem)
./easyrsa gen-dh
# Generate the control-channel key. OpenVPN 2.5+ spells this "openvpn --genkey secret ta.key";
# the older form below still works. Reference the key as tls-crypt rather than tls-auth.
openvpn --genkey --secret ta.key
Create /etc/openvpn/server/server.conf with typical settings (port 1194, UDP, AES‑256‑GCM, etc.) and enable IP forwarding and firewall rules:
# Enable IP forwarding
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p
# OpenVPN firewall rules
firewall-cmd --add-service=openvpn --permanent
firewall-cmd --add-masquerade --permanent
firewall-cmd --reload
# Start service
systemctl enable --now openvpn-server@server
systemctl status openvpn-server@server
1.2 Ubuntu/Debian installation
Use apt instead of yum (apt install -y openvpn easy-rsa). Debian's easy-rsa package installs to /usr/share/easy-rsa without the /3 subdirectory and ships make-cadir, which copies the PKI scripts into a working directory; the certificate steps are then identical. Open the UDP port with ufw (ufw allow 1194/udp) and, because ufw drops forwarded traffic by default, set DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw and add a MASQUERADE rule for the tunnel subnet to the nat table in /etc/ufw/before.rules.
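Sections 1.1 and 1.2 describe server.conf but do not show it. The script below is an added example, not code from the original article or from the OpenVPN project: it writes a hardened server.conf and an inline client .ovpn for the easy-rsa PKI built above, and audits a config for the weak or deprecated directives that still turn up in copied configs. The hostname vpn.example.com, the 10.8.0.0/24 tunnel subnet, and the placement of pki/ and ta.key in the server directory are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article: write a hardened
# server.conf and an inline client .ovpn for the easy-rsa PKI built above, and
# audit a config for weak or deprecated directives before it goes live.
# Assumed (not in the original): pki/ and ta.key sit in the OpenVPN server
# directory (/etc/openvpn/server after the steps above), the public name is
# vpn.example.com, and the tunnel subnet is 10.8.0.0/24.
set -eu

write_server_conf() {   # $1 = output path
cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
ca   pki/ca.crt
cert pki/issued/server.crt
key  pki/private/server.key
dh   pki/dh.pem
# tls-crypt (2.4+) encrypts the control channel; tls-auth only signs it.
tls-crypt ta.key
# AEAD ciphers only (2.5+ syntax; on 2.4 use "cipher AES-256-GCM" instead).
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
tls-version-min 1.2
# Reject a peer that presents a server certificate as if it were a client.
remote-cert-tls client
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
keepalive 10 120
# Drop root once the tunnel is up ("group nogroup" on Debian/Ubuntu).
user nobody
group nobody
persist-key
persist-tun
explicit-exit-notify 1
verb 3
EOF
}

write_client_profile() {   # $1 = server dir with pki/ and ta.key, $2 = client name, $3 = output path
    {
cat <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
nobind
resolv-retry infinite
persist-key
persist-tun
remote-cert-tls server
# Pin the server's CN so a stolen client certificate cannot impersonate the server.
verify-x509-name server name
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
tls-version-min 1.2
verb 3
EOF
        printf '<ca>\n';        cat "$1/pki/ca.crt";          printf '</ca>\n'
        printf '<cert>\n';      cat "$1/pki/issued/$2.crt";   printf '</cert>\n'
        printf '<key>\n';       cat "$1/pki/private/$2.key";  printf '</key>\n'
        printf '<tls-crypt>\n'; cat "$1/ta.key";              printf '</tls-crypt>\n'
    } > "$3"
    chmod 600 "$3"   # the profile embeds a private key
}

# Return 0 when $1 has none of the classic weak settings, 1 otherwise
# (one finding per line on stdout).
audit_conf() {
    bad=0
    grep -Eq '^(comp-lzo|compress)'       "$1" && { echo "compression on: VORACLE exposure"; bad=1; }
    grep -Eq '^cipher +(BF-CBC|DES-|RC2)' "$1" && { echo "64-bit block cipher (SWEET32)";    bad=1; }
    grep -Eq '^tls-auth'                  "$1" && { echo "tls-auth: prefer tls-crypt";       bad=1; }
    grep -Eq '^tls-version-min'           "$1" || { echo "tls-version-min missing";          bad=1; }
    grep -Eq '^remote-cert-tls'           "$1" || { echo "remote-cert-tls missing";          bad=1; }
    return $bad
}

# Demo on a scratch directory with constructed placeholder PKI files.
WORK=$(mktemp -d)
mkdir -p "$WORK/pki/issued" "$WORK/pki/private"
for f in pki/ca.crt pki/issued/client1.crt pki/private/client1.key ta.key; do
    echo "PLACEHOLDER CONTENT OF $f" > "$WORK/$f"
done
write_server_conf "$WORK/server.conf"
write_client_profile "$WORK" client1 "$WORK/client1.ovpn"
if audit_conf "$WORK/server.conf"; then echo "server.conf: no weak directives found"; fi
```

On a real server run it from /etc/openvpn/server so the relative pki/ paths resolve, then hand the generated .ovpn to exactly one user; audit_conf is worth running against any server.conf inherited from an older deployment, since compression and Blowfish were the defaults for years.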
2. WireGuard – next‑generation lightweight VPN
Merged into the Linux kernel in version 5.6, WireGuard runs in kernel space, so on the same hardware it typically delivers several times the throughput of OpenVPN while its core is only about 4,000 lines of code. It deliberately offers no cipher negotiation: every peer uses the same Noise-based handshake with Curve25519, ChaCha20-Poly1305 and BLAKE2s, and each peer is identified purely by its public key.
2.1 CentOS/RHEL installation
Install the EPEL repository for the user-space tools. Kernels older than 5.6 (CentOS 7's 3.10, and stock CentOS 8 unless its kernel has been updated) lack the in-tree module and need kmod-wireguard from ELRepo, or a newer ELRepo mainline kernel; verify with modprobe wireguard before going further.
# CentOS 8 / Stream
dnf install -y epel-release
dnf install -y wireguard-tools
# CentOS 7
yum install -y epel-release
yum install -y https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
yum install -y kmod-wireguard wireguard-tools
Generate a key pair and create /etc/wireguard/wg0.conf:
# Generate keys (run umask 077 first so privatekey is created readable only by root)
wg genkey | tee privatekey | wg pubkey > publickey
# Example configuration
[Interface]
PrivateKey = <server_private_key>
Address = 10.0.0.1/24
ListenPort = 51820
# SaveConfig = true makes wg-quick rewrite this file from kernel state on "down",
# which discards comments and any edit made while the interface was up; leave it
# out if you manage the file by hand.
SaveConfig = true
[Peer]
PublicKey = <client_public_key>
# AllowedIPs is cryptokey routing: traffic to 10.0.0.2 is sent to this key, and
# packets arriving from this key are accepted only if their source is 10.0.0.2.
AllowedIPs = 10.0.0.2/32
Start the service and enable it at boot, then configure the firewall:
# Start WireGuard
wg-quick up wg0
# Enable at boot
systemctl enable wg-quick@wg0
# Firewall rules
firewall-cmd --add-port=51820/udp --permanent
firewall-cmd --add-masquerade --permanent
firewall-cmd --reload
2.2 Ubuntu/Debian installation
On Ubuntu 20.04+ simply apt install -y wireguard. Older releases need the WireGuard PPA.
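The wg0.conf shown in 2.1 is the minimum; what operators actually need is the client side, the firewall hooks, and a way to add peers without corrupting the file. The script below is an added example, not code from the original article or from the WireGuard project. It generates a server/client config pair with explicit cryptokey routing, appends peers, and checks for the classic mistake of giving two peers the same AllowedIPs entry, which wg-quick accepts silently (the later peer takes the route). The 10.0.0.0/24 tunnel, eth0 as egress, vpn.example.com:51820 and the 192.168.10.0/24 office LAN are assumptions; key material is produced with wg when installed and otherwise replaced by constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original article: generate a WireGuard
# server/client config pair with explicit cryptokey routing, add peers without
# hand-editing, and catch two peers that share an AllowedIPs entry (wg-quick
# accepts that silently and the later peer takes the route).
# Assumed (not in the original): tunnel 10.0.0.0/24, server egress interface
# eth0, endpoint vpn.example.com:51820, office LAN 192.168.10.0/24.
set -eu

# Print "<private> <public>" for $1; uses wg when present, otherwise constructed
# placeholder strings so the demo stays runnable on a host without WireGuard.
gen_keypair() {
    umask 077   # nothing written from here on is group/world readable
    if command -v wg >/dev/null 2>&1; then
        priv=$(wg genkey)
        echo "$priv $(echo "$priv" | wg pubkey)"
    else
        echo "PLACEHOLDER_PRIV_$1 PLACEHOLDER_PUB_$1"
    fi
}

write_server_conf() {   # $1 = path, $2 = server private key
    cat > "$1" <<EOF
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = $2
# NAT tunnel traffic out through eth0 and undo it on "wg-quick down". On a
# firewalld host the --add-masquerade step above already covers this.
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# SaveConfig = true is deliberately absent: it rewrites this file from kernel
# state on shutdown and discards comments and hand edits.
EOF
}

add_peer() {   # $1 = server config, $2 = client name, $3 = client public key, $4 = tunnel IP
    cat >> "$1" <<EOF

[Peer]
# $2 -- AllowedIPs is both the route to this peer and the source filter for its key
PublicKey = $3
AllowedIPs = $4/32
EOF
}

write_client_conf() {   # $1 = path, $2 = client private key, $3 = server public key, $4 = tunnel IP
    cat > "$1" <<EOF
[Interface]
Address = $4/32
PrivateKey = $2
DNS = 10.0.0.1

[Peer]
PublicKey = $3
Endpoint = vpn.example.com:51820
# Split tunnel: only the VPN subnet and the office LAN go through WireGuard.
# Use "0.0.0.0/0, ::/0" to send everything through the tunnel.
AllowedIPs = 10.0.0.0/24, 192.168.10.0/24
# Keeps the NAT mapping alive so the server can reach a client behind NAT.
PersistentKeepalive = 25
EOF
}

# Print any AllowedIPs entry that appears under more than one [Peer] in $1;
# return 1 if there is one, 0 if the config is clean.
duplicate_allowed_ips() {
    dups=$(sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' "$1" \
           | tr ',' '\n' | tr -d ' ' | sort | uniq -d)
    [ -z "$dups" ] || { echo "$dups"; return 1; }
}

# Demo: one server, two clients, written to a scratch directory.
WORK=$(mktemp -d)
set -- $(gen_keypair server);  SPRIV=$1;  SPUB=$2
set -- $(gen_keypair client1); C1PRIV=$1; C1PUB=$2
set -- $(gen_keypair client2); C2PRIV=$1; C2PUB=$2
write_server_conf "$WORK/wg0.conf" "$SPRIV"
add_peer "$WORK/wg0.conf" client1 "$C1PUB" 10.0.0.2
add_peer "$WORK/wg0.conf" client2 "$C2PUB" 10.0.0.3
write_client_conf "$WORK/client1.conf" "$C1PRIV" "$SPUB" 10.0.0.2
write_client_conf "$WORK/client2.conf" "$C2PRIV" "$SPUB" 10.0.0.3
if duplicate_allowed_ips "$WORK/wg0.conf"; then echo "wg0.conf: no overlapping AllowedIPs"; fi
```

Run duplicate_allowed_ips before every wg-quick up (or from a pre-start hook): WireGuard has no concept of a user, only a key, so a reused address is the one mistake that reroutes one person's traffic to another without any error message.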
3. IPsec/IKEv2 – native high‑performance VPN
IPsec works at the network layer and ships in every mainstream OS (Windows, macOS, iOS, Android, Linux), so no extra client is needed. IKEv2 provides a faster key exchange with fewer round trips and, through the MOBIKE extension, lets a mobile client keep its tunnel while it moves between Wi‑Fi and cellular.
3.1 One‑click IPsec installation script
The script automatically detects the distro, installs the IPsec stack and its dependencies, generates certificates, configures firewall and kernel parameters, and finishes in minutes. It runs as root and installs software from the network, so read it before executing it; the Chinese mirror below is hosted under a different account from the script's maintainer, so treat it as a third‑party copy and diff it against the upstream before use.
# Download script
wget https://get.vpnsetup.net -O vpn.sh
# Or Chinese mirror
wget https://gitee.com/Nexus-Aurora/setup-ipsec-vpn/raw/master/vpnsetup.sh -O vpn.sh
chmod +x vpn.sh
./vpn.sh
After installation the script prints the server IP, the IPsec pre‑shared key, and the user credentials. The PSK is shared by every user of the PSK‑based modes, so rotate it whenever someone leaves; the IKEv2 profile in 3.2 uses per‑client certificates instead and is the mode to prefer.
3.2 IKEv2 client configuration
Add a client with ./vpn.sh --add-client, export a .p12 certificate for macOS/iOS, and configure Windows via PowerShell. iOS/macOS users simply import the certificate and enable IKEv2 in the system VPN settings.
4. Side‑by‑side comparison of the three open‑source solutions
WireGuard : best performance, simplest configuration, lowest maintenance; ecosystem less mature than OpenVPN.
OpenVPN : most feature‑rich and compatible, suitable for complex legacy environments; lower performance.
IPsec/IKEv2 : ideal for mobile devices and site‑to‑site links; native OS support, fast reconnection.
The author recommends a hybrid deployment: IPsec (IKEv2) tunnels for site‑to‑site links, IKEv2 with per‑user certificates for mobile users, and WireGuard for internal dev‑ops traffic.
5. Hardware VPN vendor analysis (China market)
Open‑source solutions are not always sufficient for large enterprises with strict SLA and compliance requirements. Hardware VPNs provide dedicated ASIC acceleration, an integrated firewall/IDS, vendor support, and certification against standards such as China's Multi‑Level Protection Scheme 2.0 (等保2.0).
5.1 Vendor snapshots
Sangfor (深信服) : market leader (~20% share), strong SSL‑VPN UI, high price, complex licensing.
Hillstone (山石网科) : high‑performance multi‑core architecture, stable, CLI‑friendly, slightly cheaper than Sangfor.
Venustech / Topsec (启明星辰/天融信) : strong compliance, broad product line, slower innovation.
Fortinet (飞塔) : international brand, ASIC‑accelerated IPsec, rich security features, expensive, US‑China supply‑chain risk.
Huawei (华为) : self‑developed chips, full‑stack solution, best for existing Huawei customers, high price, bundled sales.
5.2 Hardware selection checklist
Plan capacity with 2‑3× headroom for encryption overhead.
Validate concurrent user limits; real‑world throughput is often half of advertised.
Require high‑availability (dual‑node, cross‑datacenter).
Prioritize 24/7 support with rapid on‑site response.
Consider cost‑effective second‑tier vendors (e.g., DPtech, Neusoft) when budget is tight.
6. SD‑WAN technology deep dive and selection guide
For many enterprises SD‑WAN replaces MPLS circuits and hand‑built VPN meshes; the author reports WAN cost reductions of 30‑60% and deployment times falling from weeks to hours.
6.1 Core SD‑WAN capabilities
Intelligent routing : real‑time link quality monitoring (latency, loss, jitter) and automatic path selection per application SLA.
Application identification : deep packet inspection to apply QoS per app (e.g., Zoom vs. file transfer).
Zero‑touch provisioning : CPE auto‑registers to the controller, downloads config, and becomes operational within minutes.
Hybrid networking : combine MPLS, broadband, 4G/5G; support link aggregation for cost‑effective bandwidth.
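The first capability above, per‑application path selection from live link measurements, is easier to reason about when the decision logic is visible. The script below is an added example, not code from the original article or from any SD‑WAN product: parse_ping reduces a link probe to latency, loss and jitter, and select_path picks the cheapest link that satisfies an application's SLA, failing over when a link degrades. The link names, cost ranks, SLA thresholds and the ping output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original article: the two halves of
# "intelligent routing" reduced to shell. parse_ping turns a link probe into
# latency/loss/jitter, and select_path picks the cheapest link that meets an
# application's SLA, failing over when a link degrades. Link names, costs,
# SLA thresholds and the probe output below are constructed for illustration.
set -eu

# Reduce iputils "ping -c N" output on stdin to "avg_ms loss_pct mdev_ms"
# (mdev, the RTT standard deviation, stands in for jitter).
parse_ping() {
    awk '
        /packets transmitted/ { for (i = 1; i <= NF; i++) if ($i ~ /%$/) loss = $i + 0 }
        /^rtt min\/avg\/max\/mdev/ { split($4, r, "/"); avg = r[2]; mdev = r[4] }
        END { print avg, loss, mdev }'
}

# Constructed probe result for one link, in the shape ping prints on Linux.
SAMPLE_PING='PING 203.0.113.1 (203.0.113.1) 56(84) bytes of data.
64 bytes from 203.0.113.1: icmp_seq=1 ttl=56 time=37.9 ms
64 bytes from 203.0.113.1: icmp_seq=2 ttl=56 time=38.4 ms
64 bytes from 203.0.113.1: icmp_seq=3 ttl=56 time=41.0 ms
64 bytes from 203.0.113.1: icmp_seq=4 ttl=56 time=36.2 ms

--- 203.0.113.1 ping statistics ---
5 packets transmitted, 4 received, 20% packet loss, time 4005ms
rtt min/avg/max/mdev = 36.200/38.375/41.000/1.748 ms'

# Current measurements per link: name latency_ms loss_pct jitter_ms cost_rank
# (cost_rank 1 = cheapest; it is only the tie-breaker among compliant links).
LINKS='mpls 45 0.0 2 3
broadband 38 0.8 12 1
lte 95 2.5 30 2'

# Per-application SLA: app max_latency_ms max_loss_pct max_jitter_ms
SLAS='voice 80 1.0 10
erp 150 1.0 50
backup 400 5.0 200'

# Print the cheapest link meeting the SLA of app $1, using the measurements in
# $2 (defaults to LINKS); prints "none" when every link violates the SLA.
select_path() {
    sla=$(echo "$SLAS" | awk -v app="$1" '$1 == app')
    [ -n "$sla" ] || { echo "unknown application: $1" >&2; return 2; }
    echo "${2:-$LINKS}" | awk -v sla="$sla" '
        BEGIN { split(sla, s, " "); best = 1e9 }
        $2+0 <= s[2]+0 && $3+0 <= s[3]+0 && $4+0 <= s[4]+0 && $5+0 < best { best = $5+0; name = $1 }
        END { print (name == "" ? "none" : name) }'
}

# Demo: steady state, then the same policy after broadband loss climbs to 3%.
for app in voice erp backup; do
    printf '%-8s -> %s\n' "$app" "$(select_path "$app")"
done
DEGRADED=$(printf '%s\n' "$LINKS" | sed 's/^broadband 38 0.8/broadband 38 3.0/')
printf 'erp after broadband degrades -> %s\n' "$(select_path erp "$DEGRADED")"
printf 'broadband probe -> %s\n' "$(printf '%s\n' "$SAMPLE_PING" | parse_ping)"
```

A real controller adds hysteresis (it does not flip paths on a single bad probe) and measures through the overlay rather than with bare ICMP, but the SLA‑filter‑then‑cost ordering is exactly what to look for in a vendor's policy UI during the POC in 6.3: if you cannot express "voice never on LTE unless everything else is down", the product's routing is not application‑aware.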
6.2 Vendor landscape
Three main categories:
Traditional network vendors (Sangfor, Hillstone, Huawei, H3C, Ruijie): mature, integrated with existing firewalls, higher price, limited SD‑WAN‑specific optimization.
Carrier‑provided SD‑WAN (China Telecom, China Mobile, China Unicom): bundled with backbone, convenient, but slower feature updates and weaker customization.
Pure‑play SD‑WAN specialists (e.g., JieSai, YunJie, Netease‑Kong): fast innovation, strong link optimization, flexible pricing, but smaller brand and potential financial risk.
6.3 Selection pitfalls
Conduct a two‑week POC with real business traffic (video, ERP, file transfer) before buying.
Verify POP (point‑of‑presence) coverage in all required regions; inadequate POPs nullify performance gains.
Verify the security stack rather than taking it on trust: a built‑in next‑generation firewall, zero‑trust access controls, overlay encryption with a modern AEAD suite (e.g., IPsec with AES‑GCM) and regular key rotation, and a management plane that requires MFA and is not reachable directly from the Internet.
Test the management console for usability, monitoring, reporting, and API completeness for automation.
Assess vendor financial health and long‑term support commitments.
6.4 When SD‑WAN makes sense
Adopt SD‑WAN if any of the following apply: more than five branch sites with heavy inter‑site traffic; cross‑border latency problems; MPLS spend exceeds ¥500 k annually; heavy cloud/VPC integration; large mobile workforce; limited WAN ops staff.
For small teams, a simple WireGuard or hardware SSL‑VPN is sufficient.
Conclusion
VPN and WAN technologies have evolved from PPTP (whose MS‑CHAPv2 authentication is broken and should no longer be deployed) to IPsec, OpenVPN, WireGuard, and now SD‑WAN. The core requirements remain security, speed, stability, and cost‑effectiveness. Choose the solution that best matches your business scenario, team expertise, and budget rather than chasing the "latest" label.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.