
Comprehensive Guide to Deploying VPNs and Choosing SD‑WAN Solutions

This article shares ten years of ops experience and walks through the full lifecycle of VPN deployment—from OpenVPN, WireGuard, and IPsec/IKEv2 installation on Linux to hardware VPN vendor comparison and an in‑depth SD‑WAN technology overview—helping enterprises select the most suitable solution for their network, security, and cost requirements.


Why VPN selection matters

After a decade of operations work, the author has seen production outages caused by poor VPN choices: branch offices unable to reach headquarters ERP, high latency breaking cross‑border trade, and security mis‑configurations leading to data leaks. The guide aims to prevent such incidents by providing a complete, step‑by‑step reference.

1. OpenVPN – the most mature open‑source VPN

OpenVPN uses the OpenSSL library, offers strong SSL/TLS encryption, and runs on virtually every platform. Its strengths are flexibility, an active community, and abundant documentation; its weakness is higher CPU usage because encryption runs in user space.

1.1 CentOS/RHEL installation

Install EPEL, OpenVPN and easy‑rsa, copy the PKI files, and generate certificates:

# Install EPEL repository
yum install -y epel-release
# Install OpenVPN and easy‑rsa
yum install -y openvpn easy-rsa
# Copy easy‑rsa files
cp -r /usr/share/easy-rsa/3/* /etc/openvpn/server/
cd /etc/openvpn/server/

Initialize PKI and create certificates:

# Initialize PKI
./easyrsa init-pki
# Build CA certificate
./easyrsa build-ca nopass
# Build server certificate
./easyrsa build-server-full server nopass
# Build client certificate
./easyrsa build-client-full client1 nopass
# Generate DH parameters
./easyrsa gen-dh
# Generate TLS auth key
openvpn --genkey --secret ta.key

Create /etc/openvpn/server/server.conf with typical settings (port 1194, UDP, AES‑256‑GCM, etc.) and enable IP forwarding and firewall rules:

# Enable IP forwarding
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p
# OpenVPN firewall rules
firewall-cmd --add-service=openvpn --permanent
firewall-cmd --add-masquerade --permanent
firewall-cmd --reload
# Start service
systemctl enable --now openvpn-server@server
systemctl status openvpn-server@server

1.2 Ubuntu/Debian installation

Use apt instead of yum, copy the same PKI files, and configure ufw for the UDP port.

2. WireGuard – next‑generation lightweight VPN

Integrated into the Linux kernel since version 5.6, WireGuard runs in kernel space, delivering 3‑4× higher throughput than OpenVPN, with a codebase of only ~4 000 lines.

2.1 CentOS/RHEL installation

Install the EPEL repository and WireGuard tools, or use ELRepo for older kernels. Upgrade the kernel if necessary.

# CentOS 8 / Stream
dnf install -y epel-release
dnf install -y wireguard-tools
# CentOS 7
yum install -y epel-release
yum install -y https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
yum install -y kmod-wireguard wireguard-tools

Generate a key pair and create /etc/wireguard/wg0.conf:

# Generate keys (umask 077 keeps the private key readable only by root)
umask 077
wg genkey | tee privatekey | wg pubkey > publickey

# Example configuration (/etc/wireguard/wg0.conf)
[Interface]
PrivateKey = <server_private_key>
Address = 10.0.0.1/24
ListenPort = 51820
SaveConfig = true

[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.2/32

Start the service and enable it at boot, then configure the firewall:

# Start WireGuard
wg-quick up wg0
# Enable at boot
systemctl enable wg-quick@wg0
# Firewall rules
firewall-cmd --add-port=51820/udp --permanent
firewall-cmd --add-masquerade --permanent
firewall-cmd --reload
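As an added example (not code from the original article), the following Python script renders a server wg0.conf in the format shown above together with the matching client-side config the article does not show, and checks the AllowedIPs entries before they are written; the key strings and the vpn.example.com endpoint are constructed placeholders.

```python
"""Render a WireGuard server wg0.conf and the matching client config.

Added example, not from the original article. Key strings are the output
of `wg genkey` / `wg pubkey`; the placeholders used below are constructed.
"""
import ipaddress

def check_peers(server_net, peers):
    """Enforce cryptokey-routing rules: each peer's AllowedIPs must sit inside
    the VPN subnet and must not overlap another peer's, because the kernel
    assigns an IP to exactly one peer and a later duplicate silently takes it."""
    net = ipaddress.ip_network(server_net, strict=False)
    seen = []
    for name, _pub, allowed in peers:
        prefix = ipaddress.ip_network(allowed)
        if not prefix.subnet_of(net):
            raise ValueError(f"{name}: {allowed} is outside {net}")
        if any(prefix.overlaps(s) for s in seen):
            raise ValueError(f"{name}: {allowed} overlaps an existing peer")
        seen.append(prefix)
    return True

def render_server(server_priv, listen_port, server_net, peers):
    """peers: list of (name, client_public_key, allowed_ips) tuples."""
    check_peers(server_net, peers)
    lines = ["[Interface]", f"PrivateKey = {server_priv}",
             f"Address = {server_net}", f"ListenPort = {listen_port}", ""]
    for name, pub, allowed in peers:
        lines += [f"# {name}", "[Peer]", f"PublicKey = {pub}",
                  f"AllowedIPs = {allowed}", ""]
    return "\n".join(lines)

def render_client(client_priv, client_addr, server_pub, endpoint, server_net,
                  full_tunnel=False):
    """Split tunnel (default) routes only the VPN subnet through the tunnel;
    full tunnel sends all traffic, which also needs masquerading on the server."""
    vpn_net = ipaddress.ip_network(server_net, strict=False)
    allowed = "0.0.0.0/0" if full_tunnel else str(vpn_net)
    return "\n".join([
        "[Interface]", f"PrivateKey = {client_priv}", f"Address = {client_addr}",
        "", "[Peer]", f"PublicKey = {server_pub}", f"AllowedIPs = {allowed}",
        f"Endpoint = {endpoint}",
        "# Keepalive so a NAT in front of the client does not drop the mapping",
        "PersistentKeepalive = 25"])

if __name__ == "__main__":
    peers = [("client1", "CLIENT1_PUBLIC_KEY_PLACEHOLDER", "10.0.0.2/32")]
    print(render_server("SERVER_PRIVATE_KEY_PLACEHOLDER", 51820, "10.0.0.1/24", peers))
    print(render_client("CLIENT1_PRIVATE_KEY_PLACEHOLDER", "10.0.0.2/24",
                        "SERVER_PUBLIC_KEY_PLACEHOLDER", "vpn.example.com:51820",
                        "10.0.0.1/24"))
```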

2.2 Ubuntu/Debian installation

On Ubuntu 20.04+ simply apt install -y wireguard. Older releases need the WireGuard PPA.

3. IPsec/IKEv2 – native high‑performance VPN

IPsec works at the network layer and is supported by most OSes without extra clients. IKEv2 adds fast key exchange and seamless mobile hand‑off.

3.1 One‑click IPsec installation script

The script automatically detects the distro, installs dependencies, generates certificates, configures firewall and kernel parameters, and finishes in minutes.

# Download script
wget https://get.vpnsetup.net -O vpn.sh
# Or Chinese mirror
wget https://gitee.com/Nexus-Aurora/setup-ipsec-vpn/raw/master/vpnsetup.sh -O vpn.sh
# Inspect the downloaded script before executing it as root
chmod +x vpn.sh
./vpn.sh

After installation the script prints the server IP, pre‑shared key, and user credentials.

3.2 IKEv2 client configuration

Add a client with ./vpn.sh --add-client, export a .p12 certificate for macOS/iOS, and configure Windows via PowerShell. iOS/macOS users simply import the certificate and enable IKEv2 in the system VPN settings.

4. Side‑by‑side comparison of the three open‑source solutions

WireGuard: best performance, simplest configuration, lowest maintenance; ecosystem less mature than OpenVPN.

OpenVPN: most feature‑rich and compatible, suitable for complex legacy environments; lower performance.

IPsec/IKEv2: ideal for mobile devices and site‑to‑site links; native OS support, fast reconnection.

The author recommends a hybrid deployment: IPsec for site‑to‑site, IKEv2 for mobile users, and WireGuard for internal dev‑ops traffic.

5. Hardware VPN vendor analysis (China market)

Open‑source solutions are not always sufficient for large enterprises with strict SLA and compliance requirements. Hardware VPNs provide dedicated ASIC acceleration, integrated firewall/IDS, vendor support, and compliance with standards such as China’s “等保2.0” (MLPS 2.0, the Multi‑Level Protection Scheme).

5.1 Vendor snapshots

DeepSec (深信服): market leader (~20% share), strong SSL‑VPN UI, high price, complex licensing.

Hillstone (山石网科): high‑performance multi‑core architecture, stable, CLI‑friendly, slightly cheaper than DeepSec.

Venustech / Topsec (启明星辰/天融信): strong compliance, broad product line, slower innovation.

Fortinet (飞塔): international brand, ASIC‑accelerated IPsec, rich security features, expensive, US‑China supply‑chain risk.

Huawei (华为): self‑developed chips, full‑stack solution, best for existing Huawei customers, high price, bundled sales.

5.2 Hardware selection checklist

Plan capacity with 2‑3× headroom for encryption overhead.

Validate concurrent user limits; real‑world throughput is often half of advertised.

Require high‑availability (dual‑node, cross‑datacenter).

Prioritize 24/7 support with rapid on‑site response.

Consider cost‑effective second‑tier vendors (e.g., DipTech, Dongruan) when budget is tight.

6. SD‑WAN technology deep dive and selection guide

SD‑WAN replaces traditional MPLS and VPN for many enterprises, cutting WAN costs by 30‑60% and reducing deployment time from weeks to hours.

6.1 Core SD‑WAN capabilities

Intelligent routing: real‑time link quality monitoring (latency, loss, jitter) and automatic path selection per application SLA.

Application identification: deep packet inspection to apply QoS per app (e.g., Zoom vs. file transfer).

Zero‑touch provisioning: CPE auto‑registers to the controller, downloads config, and becomes operational within minutes.

Hybrid networking: combine MPLS, broadband, 4G/5G; support link aggregation for cost‑effective bandwidth.
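The intelligent‑routing capability described above, as an added Python example that is not from the article or any vendor product: each WAN link is scored on the three metrics the article names, and every application is pinned to the cheapest link that meets its SLA, falling back to the best‑quality link when none does; all link measurements and SLA thresholds are constructed sample values.

```python
"""Per-application path selection on measured link quality (added example).

Mirrors the SD-WAN behaviour described in the article: probe each WAN link
for latency, loss and jitter, then pick a path per application SLA. The
link measurements and SLA thresholds below are constructed sample values.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Link:
    name: str
    latency_ms: float
    loss_pct: float
    jitter_ms: float
    cost: float  # relative cost per GB; broadband is cheap, MPLS is not

@dataclass(frozen=True)
class AppSla:
    app: str
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float

def meets_sla(link, sla):
    return (link.latency_ms <= sla.max_latency_ms
            and link.loss_pct <= sla.max_loss_pct
            and link.jitter_ms <= sla.max_jitter_ms)

def select_path(links, sla):
    """Cheapest link that satisfies the SLA. If none does, degrade gracefully:
    take the lowest-loss, lowest-jitter link instead of blackholing the app."""
    eligible = [l for l in links if meets_sla(l, sla)]
    if eligible:
        return min(eligible, key=lambda l: (l.cost, l.latency_ms))
    return min(links, key=lambda l: (l.loss_pct, l.jitter_ms, l.latency_ms))

def plan(links, slas):
    """Map every application to the link it should use for this interval."""
    return {sla.app: select_path(links, sla).name for sla in slas}

# Constructed probe results for one polling interval (hybrid MPLS/broadband/LTE)
LINKS = [Link("mpls", 20.0, 0.0, 1.0, cost=10.0),
         Link("broadband", 35.0, 0.5, 8.0, cost=1.0),
         Link("lte", 60.0, 2.0, 25.0, cost=5.0)]

SLAS = [AppSla("zoom", 150.0, 1.0, 5.0),            # jitter-sensitive voice/video
        AppSla("erp", 80.0, 0.5, 20.0),             # interactive, small loss budget
        AppSla("file-transfer", 300.0, 3.0, 100.0)] # bulk, tolerates anything

if __name__ == "__main__":
    for app, link in plan(LINKS, SLAS).items():
        print(f"{app:14s} -> {link}")
```

Re-running plan() on each probe interval is what moves a flow off a link the moment its loss or jitter crosses the application's threshold.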

6.2 Vendor landscape

Three main categories:

Traditional network vendors (DeepSec, Hillstone, Huawei, H3C, Ruijie): mature, integrated with existing firewalls, higher price, limited SD‑WAN‑specific optimization.

Carrier‑provided SD‑WAN (China Telecom, China Mobile, China Unicom): bundled with backbone, convenient, but slower feature updates and weaker customization.

Pure‑play SD‑WAN specialists (e.g., JieSai, YunJie, Netease‑Kong): fast innovation, strong link optimization, flexible pricing, but smaller brand and potential financial risk.

6.3 Selection pitfalls

Conduct a two‑week POC with real business traffic (video, ERP, file transfer) before buying.

Verify POP (point‑of‑presence) coverage in all required regions; inadequate POPs nullify performance gains.

Ensure built‑in next‑generation firewall, zero‑trust controls, strong encryption, and hardened management UI.

Test the management console for usability, monitoring, reporting, and API completeness for automation.

Assess vendor financial health and long‑term support commitments.

6.4 When SD‑WAN makes sense

Adopt SD‑WAN if any of the following apply: more than five branch sites with heavy inter‑site traffic; cross‑border latency problems; MPLS spend exceeds ¥500 k annually; heavy cloud/VPC integration; large mobile workforce; limited WAN ops staff.

For small teams, a simple WireGuard or hardware SSL‑VPN is sufficient.

Conclusion

VPN and WAN technologies have evolved from PPTP to IPsec, OpenVPN, WireGuard, and now SD‑WAN. The core requirements remain security, speed, stability, and cost‑effectiveness. Choose the solution that best matches your business scenario, team expertise, and budget rather than chasing the “latest” label.

Written by

AI Agent Super App