VPN recommendations?

Hi folks,

Do you have any recommendations for VPN appliances? Specifically: I need to build a site to site VPNs at speeds between 100mpbs and 1 gbit where all but one of the sites are behind an IPv4 NAT gateway with dynamic public IP addresses.

Normally I’d throw OpenVPN on a couple of Linux boxes and be happy but my customer insists on a network appliance. Site to site VPNs using IPSec and static IP addresses on the plaintext side are a dime a dozen but traversing NAT and dynamic IP addresses (and automatically re-establishing when the service goes out and comes back up with different addresses) is a hard requirement.

Thanks in advance,
Bill Herrin

You may try WireGuard and use ddns

Pfsense on Netgate appliances?

I’ve used several of them, while not for this exact purpose they have done the roles but maybe not the amount of VPN traffic.

You may try WireGuard and use ddns

Meraki MX series?

I don’t like the way they do their licensing (your license runs out, the box is a paper-weight) but they do really well at establishing site-to-site VPNs in some pretty challenging scenarios. Dynamic IPs and NATs don’t really cause them a problem. Some CGNats do (AT&T I’m looking at you).


pfsense and opnsense both do fine with natted ipsec in the environmnets i’ve tested.

Isn’t there an openvpn appliance too?


Wireguard is the way to go. No platform lock-in, encrypted, extremely lightweight and an easy to configure kernel module. Only drawback being that there’s no implemented mesh topology, but that doesn’t sound like a requirement for your use case. We actively push 8Gbit through our WG tunnels with no issues.


If you want something gui driven I’d do something like Meraki…you can do the same with just regular old Cisco routers using DMVPN as well. It’s a pretty common use case and well established.

Hello NANOG,

My name is Joy Larkin and I'm actually a long-time years-long lurker on the NANOG list (I have v odd hobbies) and I am also ZeroTier's Head of Marketing. I know I'm not supposed to be too promotional on here, but I'd love to see some of you pick up ZT.

Our founder, Adam Ierymenko just did a talk at Networking Field Day 27, here are two of the recordings from that session:

* ZeroTier The Planetary Data Center
     * ZeroTier The Planetary Data Center - YouTube

* ZeroTier Technical Deep Dive
     * ZeroTier Technical Deep Dive - YouTube

If you have questions, let me know - you can reach me at joy.larkin@zerotier.com


Thanks Guillaume,

I found this Technical Tip: IPsec VPN between static and dynami... - Fortinet Community
but it suggests that the dynamic IP fortigate expects to have a public
dynamic IP directly on the Fortigate, not be stuck behind a NAT.

Are you aware of any documentation that describes:

LAN - Fortigate - NAT (dynaimic IP) - Internet - (static IP) Fortigate - LAN

Where the Meraki is responsible for keeping the NAT translations alive
without any programming on the NAT?


Thanks Shawn,

The documentation I found at

suggests that the NAT firewall has to be explicitly configured to
deliver UDP 500/4500 to the Meraki behind it. Are you aware of any
documentation that describes:

LAN - Meraki - NAT (dynaimic IP) - Internet - (static IP) Meraki - LAN

Where the left-side Meraki is responsible for establishing and keeping
the NAT translations alive without any special configuration on the



Opnsense looks like it might work. I dug through some of the
documentation but didn't find something entirely on point for my use
case. Are you aware of any documentation which describes:

LAN - OPNSense Appliance - (rfc1918) NAT Appliance (dynamic IP) -
Internet - (static IP) OPNSense appliance - LAN

Where the left-side OPNSense is responsible for establishing and
keeping the NAT translations alive without any special configuration
on the NAT?


You may try WireGuard and use ddns

Hi David,

My understanding is that Wireguard is software available for general
purpose operating systems. I specifically need a set of hardware
network appliances. I don't overly care which protocol they're running
as long as an initiator stuck behind a nat box I don't control can
maintain a connection with a hub and handle speeds in the100mbps to

How about running ZeroTier on those Linux boxes and call it a day?

I specifically cannot use general purpose Linux machines for this. I
need network appliances.


I specifically need an integrated network appliance, not software I
add to something.

I love my Linux-based VPN servers but my customer very specifically
said no. I can't publicly explain why but trust me when I say it's a
"hard no" and it's not a question of persuasion or education. My
customer understands and likes Linux but he simply cannot use it this

Bill Herrin

That was supposed to be 1gbps. I don't need over 1gbps for this use case.

Bill Herrin

I’ll second PFsense, done quite a bit of this in hub and spoke topologies, spokes being behind NAT (permitted the upstream fw allows udp 500,4500), on a dynamic. The hub or hubs are ideally on a static. Set the hub site up as responder only, the remotes initiate the tunnel. Peers are validated either by dynamic name or you simply allow peers sourcing from at the hub site.

This is not limited to PF, I’ve gotten this to work on Cisco firewalls, routers, and other Linux based firewalls.

I don't know of a specific document speaking to this, but this doc i think describes it right.

in section 2.3 is where you change My Identifer to be the natted non RFC1918 ip that the right side will see.

MikroTik (hardware) RouterOS (software) version 7 has WireGuard:


(your license runs out, the box is a paper-weight)

Should be a hard no for anyone purchasing network equipment anyways, but people have reasons I guess.


Meraki MX series?

I read on some mailing list that Meraki likes to ping every
second... :slight_smile: