What VPN is in an ISP context

In the ISP, VPN covers two distinct scenarios: site-to-site tunnels between PoPs (securely interconnecting the management network) and remote access for technical staff (NOC, on-call, external integrations). Each scenario has different requirements for protocol, latency, and auditing.

What RASYS does

  • WireGuard site-to-site between PoPs — simple, fast, easy to operate and audit.
  • OpenVPN with MFA (TOTP or YubiKey) for technical staff remote access.
  • IPsec when the other side requires it (carrier equipment, enterprise customer).
  • LDAP/AD integration for centralized authentication — when a technician leaves the company, revoke in one place.
  • Role-based segmentation — NOC sees the management network, billing does not see the router; each group accesses only what it needs.
  • Centralized access logging — who connected, from where, when, and what was accessed.
  • High availability — VPN gateway failover without dropping active sessions.
  • PKI hardening — own CA, per-device certificates, revocation via CRL/OCSP.

Technologies we work with

WireGuard, OpenVPN, IPsec (strongSwan, Mikrotik), Tailscale for smaller environments. LDAP/AD, FreeOTP, YubiKey for MFA. Linux, Mikrotik RouterOS, pfSense/OPNsense.

When it makes sense to talk to us

Technical staff accesses production equipment without a VPN or with shared credentials; an incident occurred and you do not know who accessed what; opening a new PoP and need to interconnect the management network; audit or LGPD compliance requires access logging; IPsec tunnel with a carrier is unstable.

Talk to us — initial conversation, no commitment. See also: BGP, Infrastructure Documentation.

FREQUENTLY ASKED QUESTIONS

WireGuard or OpenVPN for staff remote access?

For remote access with MFA and LDAP integration, OpenVPN is still more mature — authentication plugin support, certificate revocation via CRL, client available on any OS. WireGuard is simpler and faster, but the MFA ecosystem still relies on external solutions. We use both; the choice depends on the team's profile and the required integrations.

Can you integrate with the office Active Directory?

Yes. OpenVPN with the LDAP plugin authenticates directly against AD — the technician uses their Windows password. When the technician leaves the company, you disable the account in AD and VPN access disappears with it. We add MFA (TOTP) on top of LDAP for an extra factor.

IPsec with our carrier keeps dropping — can you stabilize it?

Yes. Most unstable IPsec cases have their root cause in: misconfigured MTU/PMTUD, overly aggressive dead peer detection, or a cryptographic proposal mismatch. We capture the negotiation, identify the divergence, and adjust both sides when possible.

How does the access log work?

The VPN gateway sends structured logs (user, source IP, timestamp, bytes transferred) to a centralized syslog. We maintain configurable retention (90 days by default) and index by user to make incident investigation easier.
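One way the "index by user" step described above can work, as an added example that is not RASYS's own tooling: the script below parses VPN gateway log lines in an assumed key=value syslog layout (the lines, the host name vpngw1, the user names and the session ids are all constructed for this example), discards events older than the 90-day retention window, indexes what remains by user, and pairs connect/disconnect events into sessions so that "who connected, from where, when, and how much data" can be answered per user during an incident investigation.

```python
"""Parse, retain and index VPN gateway access logs by user.

Added example for this page, not RASYS's own code. The log format is an
assumed key=value syslog payload; the sample lines below are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 90                                 # default retention from the text
NOW = datetime(2024, 3, 10, tzinfo=timezone.utc)    # fixed reference time for the demo

# Constructed sample lines: ISO timestamp (UTC), host, program, then key=value fields.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z vpngw1 openvpn: event=connect user=alice src=203.0.113.7 session=a1
2024-03-01T09:40:00Z vpngw1 openvpn: event=disconnect user=alice src=203.0.113.7 session=a1 bytes_in=18204 bytes_out=903311
2024-03-03T22:15:43Z vpngw1 openvpn: event=connect user=bob src=198.51.100.22 session=b7
2024-03-03T22:16:01Z vpngw1 openvpn: event=auth_fail user=carol src=198.51.100.90
2023-11-20T10:00:00Z vpngw1 openvpn: event=connect user=bob src=198.51.100.22 session=b2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict | None:
    """Turn one syslog line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"host": m["host"], "prog": m["prog"]}
    # Normalise the trailing "Z" so fromisoformat accepts it on Python < 3.11.
    event["ts"] = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    event.update(dict(KV_RE.findall(m["kv"])))
    for key in ("bytes_in", "bytes_out"):
        if key in event:
            event[key] = int(event[key])
    return event


def parse_log(text: str) -> list[dict]:
    """Parse every line, silently skipping ones that do not fit the format."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def apply_retention(events: list[dict], now: datetime, days: int = RETENTION_DAYS) -> list[dict]:
    """Keep only events inside the retention window that ends at `now`."""
    cutoff = now - timedelta(days=days)
    return [e for e in events if e["ts"] >= cutoff]


def index_by_user(events: list[dict]) -> dict[str, list[dict]]:
    """Group events by the user field; events without one land under '<unknown>'."""
    by_user: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        by_user[e.get("user", "<unknown>")].append(e)
    return dict(by_user)


def sessions_for(events: list[dict], user: str) -> list[dict]:
    """Pair connect/disconnect events by session id into per-user session records.

    Sessions that have a connect but no disconnect yet are reported with end=None,
    which is exactly the case an on-call engineer wants to see during an incident.
    """
    open_sessions: dict[str, dict] = {}
    closed: list[dict] = []
    user_events = sorted((e for e in events if e.get("user") == user), key=lambda e: e["ts"])
    for e in user_events:
        sid = e.get("session")
        if e.get("event") == "connect":
            open_sessions[sid] = {"user": user, "src": e.get("src"), "start": e["ts"],
                                  "end": None, "bytes_in": 0, "bytes_out": 0}
        elif e.get("event") == "disconnect" and sid in open_sessions:
            s = open_sessions.pop(sid)
            s["end"] = e["ts"]
            s["bytes_in"] = e.get("bytes_in", 0)
            s["bytes_out"] = e.get("bytes_out", 0)
            closed.append(s)
    return closed + list(open_sessions.values())


if __name__ == "__main__":
    kept = apply_retention(parse_log(SAMPLE_LOG), NOW)
    for user, user_events in sorted(index_by_user(kept).items()):
        print(f"{user}: {len(user_events)} event(s)")
        for s in sessions_for(kept, user):
            print(f"  from {s['src']} at {s['start']} until {s['end']} "
                  f"({s['bytes_in']} in / {s['bytes_out']} out)")
```

Two points worth keeping in mind when adapting this to a real gateway: timestamps must carry a time zone (the sample is UTC) or sorting across PoPs becomes unreliable, and WireGuard produces no per-user session log at all, so with WireGuard the equivalent records have to be sampled from per-peer last-handshake and transfer counters rather than read from syslog.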