Recommendation
We recommend deploying NetBird (self-hosted, community edition) with Entra ID OIDC authentication — Option A: Azure B2s management server + on-prem Hyper-V routing peers at both sites. GlobalProtect stays running throughout, making this a zero-risk, additive deployment.
Three independent factors make this both urgent and obvious:
- The PA-2020 has been unsupported for 6 years — no security patches are possible, and cyber insurers may void coverage for EOSL hardware
- An active credential-spraying campaign is targeting our GlobalProtect portal with millions of attempts
- Cyber insurers report 11x ransomware likelihood for organizations using self-managed VPNs
Requested approval: Proceed with Phase 1 (Azure VM provisioning) to begin the weekend migration. See Implementation Plan for the weekend deployment timeline.
Why NetBird Over OpenVPN?
The most common objection is: “Why not just install OpenVPN with LDAP on the Boulder pfSense? It is free and we already have the hardware.”
NetBird wins on every dimension. See OpenVPN vs NetBird for the detailed technical comparison. The summary:
Architecture: Mesh vs Hub-and-Spoke
OpenVPN on the Boulder pfSense forces hub-and-spoke. A Hawaii remote worker accessing the Honolulu Sage server routes across the Pacific to Boulder, then back across the Pacific to Honolulu — 7,600 miles round trip for a server 20 miles away. NetBird connects Hawaii directly to the Honolulu routing peer. Single hop, stays local.
Security: Formally Verified vs Actively Exploited
| Aspect | WireGuard (NetBird) | OpenVPN |
|---|---|---|
| Codebase | ~4,000 lines | ~100,000+ lines |
| Formal verifications | 5 independent proofs (Tamarin, CryptoVerif, ProVerif, eCK, NDSS 2024) | 0 |
| Critical CVEs (2023-2026) | 0 | CVE-2023-46850 (CVSS 9.8, RCE), CVE-2024-5594 (CVSS 9.1) |
| Attack chains demonstrated | None | OVPNX (Black Hat 2024): 3 chained CVEs for RCE + LPE |
| CVE trend | Low-medium severity only | 82.5% growth rate 2020-2025 (Zscaler) |
| Crypto dependency | Linux kernel crypto API | OpenSSL (~500,000+ lines) |
Operational Burden: 1 Script vs 100 Configurations
OpenVPN requires a full PKI (CA, per-user certs, CRL management), LDAP configuration (13+ fields), and 200 unique deployment profiles — one per user. Annual maintenance: ~118 hours/year.
NetBird requires zero PKI, zero LDAP. One universal TRMM script deploys to all ~200 machines. User provisioning is automatic via Entra ID SSO. Annual maintenance: ~38 hours/year.
Cost: “Free” OpenVPN Costs ~$25K More
Infrastructure is less than 20% of TCO; labor is ~80% (Gartner). OpenVPN’s $0 infrastructure hides $41K in 5-year labor costs.
| | OpenVPN+LDAP (5yr) | NetBird Option A (5yr) |
|---|---|---|
| Infrastructure | $0 | $2,088-$3,064 |
| Labor | $40,950 (650 hrs) | $13,293 (211 hrs) |
| Total | $40,950 | $15,381-$16,357 |
| Savings | — | ~$25,000 |
See Cost Analysis for the full four-option comparison, sensitivity analysis, and breakeven calculations.
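The table above reports totals at one labor rate; the breakeven question is at what hourly rate OpenVPN’s $0 infrastructure would actually make it cheaper. The following is an added worked example (not from the memo, NetBird, or the cited Cost Analysis) that recomputes the 5-year TCO from the table’s figures and derives the breakeven rate; the $63/hour rate is implied by the memo’s $40,950 for 650 hours, and the option objects are constructed from the table.

```python
"""5-year TCO and breakeven labor rate for the memo's two VPN options."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VpnOption:
    name: str
    infra_5yr: float        # 5-year infrastructure cost, USD
    labor_hours_5yr: float  # setup plus five years of maintenance


# Constructed from the memo's cost table (infra range gives two NetBird rows).
OPENVPN = VpnOption("OpenVPN+LDAP on pfSense", 0.0, 650)
NETBIRD_LOW = VpnOption("NetBird Option A (low infra)", 2088.0, 211)
NETBIRD_HIGH = VpnOption("NetBird Option A (high infra)", 3064.0, 211)

# Implied by the memo's labor line: $40,950 / 650 hours = $63/hour.
IMPLIED_RATE = 40950 / 650


def tco(option: VpnOption, hourly_rate: float) -> float:
    """Total 5-year cost: infrastructure plus labor at the given rate."""
    return option.infra_5yr + option.labor_hours_5yr * hourly_rate


def labor_share(option: VpnOption, hourly_rate: float) -> float:
    """Fraction of TCO that is labor (the memo cites ~80% per Gartner)."""
    return option.labor_hours_5yr * hourly_rate / tco(option, hourly_rate)


def breakeven_rate(a: VpnOption, b: VpnOption) -> Optional[float]:
    """Hourly rate at which a and b cost the same over 5 years.

    Below this rate the option with more labor hours is cheaper; above it
    the option with less labor wins. None if the hours are equal (the cost
    lines are parallel and never cross).
    """
    if a.labor_hours_5yr == b.labor_hours_5yr:
        return None
    return (b.infra_5yr - a.infra_5yr) / (a.labor_hours_5yr - b.labor_hours_5yr)


def cheapest(options: list, hourly_rate: float) -> str:
    """Name of the lowest-TCO option at a given fully loaded labor rate."""
    return min(options, key=lambda o: tco(o, hourly_rate)).name


if __name__ == "__main__":
    for opt in (OPENVPN, NETBIRD_LOW, NETBIRD_HIGH):
        print(f"{opt.name}: ${tco(opt, IMPLIED_RATE):,.0f}")
    print(f"Breakeven vs low-infra NetBird: ${breakeven_rate(OPENVPN, NETBIRD_LOW):.2f}/hr")
```

At the implied rate the numbers reproduce the table ($40,950 vs $15,381–$16,357); OpenVPN only becomes cheaper if fully loaded labor costs under roughly $5–$7 per hour, which is the sensitivity result the memo points to.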
Industry Direction
The industry is not debating whether to move away from traditional VPN; it is debating how fast.
| Data Point | Source |
|---|---|
| 65% of organizations plan to replace VPN services within the year | Zscaler ThreatLabz 2025 |
| 81% plan to implement zero trust strategies within 12 months | Zscaler 2025 |
| 70% of new remote access deployments use ZTNA instead of VPN | Gartner 2025 |
| Azure adopted WireGuard natively for AKS in-transit encryption | Azure Feeds (Sept 2025) |
| NordVPN, Mullvad, ProtonVPN, Surfshark, PIA all adopted WireGuard as primary | Multiple sources |
| Multiple 2025-2026 sources describe OpenVPN as “legacy” technology | NetworkWorld, CIO.com |
Deploying a new OpenVPN instance in 2026 is investing in technology the industry is actively abandoning.
Architecture Options
Three fully costed options are detailed in Cost Analysis. The summary:
| | Option A (Recommended) | Option B | Option C |
|---|---|---|---|
| Description | Azure VM mgmt + on-prem routing | Full on-prem (Boulder Hyper-V) | Azure primary + DR standby |
| Monthly cost | $35-51 | ~$3 | ~$85 |
| 5-year TCO | $15,381-$16,357 | ~$15,048 | ~$18,393 |
| Single site of failure | No | Yes (Boulder) | No |
Option A is recommended because it provides cloud-grade availability without single-site risk at a moderate monthly cost.
Summary
| Dimension | OpenVPN+LDAP on pfSense | NetBird (self-hosted) | Winner |
|---|---|---|---|
| Throughput | 350-780 Mbps | 920-960 Mbps | NetBird (2-4x) |
| Connection time | 3-8 seconds | ~100 ms | NetBird (30-80x) |
| Architecture | Hub-and-spoke (Hawaii→Honolulu hairpins through Boulder) | P2P mesh (direct tunnels) | NetBird |
| Security | 0 formal proofs, CVSS 9.8 RCE in 2023 | 5 formal proofs, 0 critical CVEs | NetBird |
| Deployment | 200 unique configs, 8-12 steps/user | 1 universal script, 3 steps total | NetBird |
| Setup labor | ~60 hours | ~21 hours | NetBird (65% less) |
| Annual maintenance | ~118 hours/year | ~38 hours/year | NetBird (68% less) |
| 5-year TCO | ~$41,000 | ~$16,000 | NetBird (~$25K saved) |
| Auth failure mode | LDAP down = total outage | Entra down = tunnels survive | NetBird |
| Industry direction | 65% of orgs replacing VPNs | WireGuard-based, zero-trust aligned | NetBird |
There is no dimension in which OpenVPN+LDAP on pfSense is the better choice. The “free” option costs $25,000 more, takes longer to deploy, is harder to maintain, performs worse, and is less secure. The recommendation is NetBird Option A, deployed over a single weekend.