Do you have any recommendations for VPN appliances? Specifically: I need to build site-to-site VPNs at speeds between 100 Mbps and 1 Gbit/s where all but one of the sites are behind an IPv4 NAT gateway with dynamic public IP addresses.
Normally I'd throw OpenVPN on a couple of Linux boxes and be happy, but my customer insists on a network appliance. Site-to-site VPNs using IPsec and static IP addresses on the plaintext side are a dime a dozen, but traversing NAT and dynamic IP addresses (and automatically re-establishing when the service goes out and comes back up with different addresses) is a hard requirement.
I don't like the way they do their licensing (your license runs out, the box is a paperweight), but they do really well at establishing site-to-site VPNs in some pretty challenging scenarios. Dynamic IPs and NATs don't really cause them a problem. Some CGNATs do (AT&T, I'm looking at you).
WireGuard is the way to go. No platform lock-in, encrypted, extremely lightweight and an easy-to-configure kernel module. The only drawback is that there's no implemented mesh topology, but that doesn't sound like a requirement for your use case. We actively push 8 Gbit/s through our WG tunnels with no issues.
If you want something GUI driven I'd do something like Meraki... you can do the same with just regular old Cisco routers using DMVPN as well. It's a pretty common use case and well established.
My name is Joy Larkin and I'm actually a long-time lurker on the NANOG list (I have very odd hobbies) and I am also ZeroTier's Head of Marketing. I know I'm not supposed to be too promotional on here, but I'd love to see some of you pick up ZT.
Our founder, Adam Ierymenko, just did a talk at Networking Field Day 27; here are two of the recordings from that session:
suggests that the NAT firewall has to be explicitly configured to deliver UDP 500/4500 to the Meraki behind it. Are you aware of any documentation that describes:
LAN - Meraki - NAT (dynamic IP) - Internet - (static IP) Meraki - LAN
where the left-side Meraki is responsible for establishing and keeping the NAT translations alive without any special configuration on the NAT?
OPNsense looks like it might work. I dug through some of the documentation but didn't find something entirely on point for my use case. Are you aware of any documentation which describes:
LAN - OPNsense Appliance - (RFC 1918) NAT Appliance (dynamic IP) - Internet - (static IP) OPNsense appliance - LAN
where the left-side OPNsense is responsible for establishing and keeping the NAT translations alive without any special configuration on the NAT?
My understanding is that WireGuard is software available for general purpose operating systems. I specifically need a set of hardware network appliances. I don't overly care which protocol they're running as long as an initiator stuck behind a NAT box I don't control can maintain a connection with a hub and handle speeds in the 100 Mbps to 10 Gbps range.
I specifically cannot use general purpose Linux machines for this. I need network appliances.
Tailscale
I specifically need an integrated network appliance, not software I add to something.
I love my Linux-based VPN servers but my customer very specifically said no. I can't publicly explain why, but trust me when I say it's a "hard no" and it's not a question of persuasion or education. My customer understands and likes Linux but he simply cannot use it this time.
I'll second pfSense; I've done quite a bit of this in hub-and-spoke topologies, spokes being behind NAT (provided the upstream firewall allows UDP 500/4500), on a dynamic. The hub or hubs are ideally on a static. Set the hub site up as responder only; the remotes initiate the tunnel. Peers are validated either by dynamic name or you simply allow peers sourcing from 0.0.0.0 at the hub site.
This is not limited to PF; I've gotten this to work on Cisco firewalls, routers, and other Linux-based firewalls.
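The responder-only hub / initiating spoke pattern described above, written out as an added example in strongSwan's legacy ipsec.conf syntax (strongSwan is the IKE daemon behind pfSense and OPNsense, but this is not configuration taken from any poster or from either project's GUI). The hostnames, addresses, subnets and the PSK are placeholders I chose for illustration.

```conf
# ---- hub.example.com (static 203.0.113.10): responder only ----
conn spoke-a
    keyexchange=ikev2
    left=203.0.113.10
    leftid=@hub.example.com
    leftsubnet=10.0.0.0/24
    right=%any                   # spoke's public address is dynamic, so accept any source
    rightid=@spoke-a.example.com # ...but authenticate it by identity, not by source IP
    rightsubnet=10.1.0.0/24
    authby=psk
    forceencaps=yes              # always UDP-encapsulate ESP (4500) so it reuses the NAT mapping
    dpddelay=30s
    dpdaction=clear              # dead peer: drop the SA and wait for the spoke to come back
    auto=add                     # load only; the hub never initiates toward a NATed peer

# ---- spoke-a (RFC 1918 address behind a NAT with a dynamic public IP): initiator ----
conn hub
    keyexchange=ikev2
    left=%defaultroute           # private address; NAT-T is negotiated via NAT-D payloads
    leftid=@spoke-a.example.com
    leftsubnet=10.1.0.0/24
    right=hub.example.com        # hub reached by name; the spoke never needs inbound ports
    rightid=@hub.example.com
    rightsubnet=10.0.0.0/24
    authby=psk
    forceencaps=yes
    mobike=yes                   # keep the IKE SA when the NAT's public address changes
    keyingtries=%forever         # keep retrying while the uplink is down
    dpddelay=30s
    dpdaction=restart            # dead peer (e.g. NAT mapping expired): re-initiate from scratch
    closeaction=restart          # hub tore it down: re-initiate
    auto=start                   # bring the tunnel up at boot

# ---- ipsec.secrets on both sides (placeholder secret) ----
# @hub.example.com @spoke-a.example.com : PSK "REPLACE-WITH-A-LONG-RANDOM-PSK"
```

Between DPD probes charon also sends UDP NAT keepalives (charon.keep_alive, 20s by default) from the spoke, which is what holds the NAT translation open without any configuration on the NAT box itself.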