We have a large-scale project that will require a VPN connection to each site, with connectivity being provided by the customer. In previous rollouts, we have been able to utilize OVPN or an IPsec tunnel from the customer's corporate network to our AWS VPC gateway. OVPN requires some significant configuration to get a static private network IP endpoint (which is not ideal when having to configure 1k sites), and a single IPsec tunnel is not an option for the client.
Is there a hardware-based solution that can be scaled out quickly and might be able to provide the same VPN connectivity to the sites? We are willing to change the hardware deployed to these sites if the price is enough to offset the time to configure our current setup.
What kind of hardware do you have on-site? General-purpose machines with Linux, or Juniper SRXes, or what?
Configuring OpenVPN for 10 or 10,000 nodes is the same work if you use configuration management to configure all nodes. If you already have Linux hardware, that would be a walk in the park. In that case I'd set up a NetBox instance as a single source of truth and documentation, then write some code to push configuration to all devices using Puppet or Ansible, and something like Checkmk/Nagios/Zabbix to monitor everything. I'm available for hire.
Depending on your requirements, an open source product like VyOS might also fit the bill perfectly. You could also consider protocols like WireGuard, building multiple redundant paths and doing OSPF over them...
But I don't know if you want the build-it-yourself style and save tens of thousands of dollars, or if you want to go for the commercial side of things, with enterprise-grade stuff like Juniper routers for example.
If you want ultimate resilience, robustness and great management, an SD-WAN solution like Silver Peak would also fit the bill, but it will cost you, especially if you need a lot of bandwidth. Their solution is really great.
OpenVPN would only require one static IP (or just a DNS entry): the IP of the server. You can host that centrally.
VPN connection to each site with connectivity
You'd have to provide more details on what exactly you need for connectivity. Getting 1000 endpoints to connect back to a central server is a much different project than getting 1k sites all talking to each other...
Reading your comments, you want to eliminate the task of identifying which site is which to make sure they always get the same private IP on the OpenVPN interface.
No matter what solution you roll, you'll need to map clients to IPs. If you need to actually save that in a searchable list, it'll be mostly manual (or scripted) but still a YOU job. If you just want to make sure the same router gets the same IP, then you might be able to achieve this with RADIUS and a unique identifier in a RADIUS attribute.
I've not used OpenVPN with RADIUS, so I'm not sure what attributes it will realistically pass through, but there might be a unique identifier in there to list, and maybe even a hostname being the router's /system identity, which will help a lot.
You should look at an SD-WAN solution. Look at VeloCloud and Silver Peak. Easy setup, scalable, and supported by a vendor. A little expensive, but worth it in my opinion.
The hardware on site is going to consist of just a Mikrotik WAP to provide wireless connectivity to a couple of devices. Currently we can configure the Mikrotik with OVPN and have most of the configuration automated. The kicker is the private addressing mentioned. These are remote access connections, so each site gets a private IP address that is NAT'ed for the end devices' communication. Due to a limitation of the application, the address for each site must be a static address. From my understanding, in order to provide the static VPN addresses for each WAP, a unique identifier (cert or username) is used to distinguish the client and push the config override. I was curious if there were VPN providers that offered this type of service and might take away the need to configure each site and tie the identifier to the hardware deployed.
That's not what OP is asking for. Sure, spending $800,000 on Silver Peak devices will get you a great setup, but you still need to preconfigure each device/site. Every solution requires configuration, but okay.
I read your comment a few times, and I think you're not going to find a solution that can do what you want out of the box. I think every VPN solution expects two-way traffic, and thus will require you to configure endpoints on the concentrator. You need some system to configure which endpoint gets what address.
In your case, I'd use some scripts to generate both server and client VPN config, and think of some kind of method to easily get those unique configs onto a thousand new devices. Mikrotik doesn't seem to have factory-default zero-touch configuration, but you might find some solutions with DHCP options that make it easier to deploy configs to the devices when you preconfigure them in your lab.
But first of all, something to consider: why do you need a VPN? Do you need to access the application from headquarters, or does the application just need data from HQ? In the latter case, retrieving stuff over HTTPS from the internet might suffice. If you want to do configuration management, your application could run the Puppet agent and connect to your Puppet server over the internet. No tunnels required. Tools like Salt also build up an encrypted tunnel from your endpoint to your Salt server, also allowing two-way communication. A VPN is a nice tool, but not always the best tool for every job.
If you're terminating on WAPs, then you might look into Aruba. They have remote access points that connect via IPsec tunnels back to a controller and provide connectivity to small/micro branches. Downsides include long lead times for hardware and the amount of stuff you'd have to learn to familiarize yourself with their architecture.
That's not exactly a ton of extra context, but I'd look at running OpenVPN or WireGuard personally. About all I can recommend without proper requirements.
We currently use OpenVPN as our endpoint, but in order for us to get static addressing on the site side, we need to use an identifier (cert or credentials) to be able to use client-specific overrides to push a static address. This is a manual process, so you can see why we are looking for an alternative.
I think it's entirely reasonable to ship each client with a unique cert. Generating those certs can be scripted. Which part of the manual process are you trying to automate?
There's certainly no magic wand that's going to allow you to persistently identify unique clients without SOME configuration change.
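The "client-specific override" mechanism the thread keeps circling back to is OpenVPN's `client-config-dir` (ccd): the server looks up a file named after the client certificate's CN and applies the `ifconfig-push` it finds there, so the static address is tied to the cert the site was shipped with. The script below is an added example (not code from anyone in this thread, and not Mikrotik's or OpenVPN's own tooling) of the "generate server and client config from an inventory" approach suggested above. The tunnel pool `10.8.0.0/22`, the `site-NNNN` naming scheme, and the inventory list are constructed for the example; the OpenVPN directives themselves (`topology subnet`, `client-config-dir`, `ccd-exclusive`, `ifconfig-push`, `remote-cert-tls server`) are real.

```python
"""
Generate OpenVPN client-config-dir (ccd) overrides that pin each site's
tunnel address to the CN of the certificate it was provisioned with.
Example code; pool, naming scheme and inventory are constructed.
"""
import ipaddress
import os
import re
from typing import Dict, Iterable, Union

# Hypothetical tunnel pool. Must match the server's 'server' directive.
TUNNEL_NET = ipaddress.IPv4Network("10.8.0.0/22")

# OpenVPN uses the CN verbatim as a file name under the ccd directory, so the
# script only accepts CNs that cannot escape it or confuse the file system.
_CN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def valid_cn(cn: str) -> bool:
    """True if cn is safe to use as a ccd file name (no '/', '..', spaces)."""
    return bool(_CN_RE.match(cn)) and ".." not in cn


def allocate(cns: Iterable[str], existing: Dict[str, str],
             net: Union[str, ipaddress.IPv4Network] = TUNNEL_NET) -> Dict[str, str]:
    """Return a CN -> tunnel IP map.

    Existing assignments are never changed (a site keeps its address for
    life); new CNs get the lowest free host address. The first host address
    is reserved for the server, as OpenVPN does with 'server' + 'topology subnet'.
    """
    net = ipaddress.IPv4Network(str(net))
    mapping = dict(existing)
    used = set()
    for cn, ip in mapping.items():
        addr = ipaddress.IPv4Address(ip)
        if addr not in net or addr in used:
            raise ValueError(f"bad existing assignment {cn} -> {ip}")
        used.add(addr)
    hosts = net.hosts()
    used.add(next(hosts))  # server's own tunnel address
    for cn in cns:
        if not valid_cn(cn):
            raise ValueError(f"refusing unsafe CN: {cn!r}")
        if cn in mapping:
            continue
        for cand in hosts:  # generator advances monotonically: lowest free first
            if cand not in used:
                mapping[cn] = str(cand)
                used.add(cand)
                break
        else:
            raise RuntimeError("tunnel pool exhausted")
    return mapping


def render_ccd(ip: str, net: ipaddress.IPv4Network = TUNNEL_NET) -> str:
    """Body of ccd/<CN>. With 'topology subnet' the second argument of
    ifconfig-push is the netmask, not a point-to-point peer address."""
    return f"ifconfig-push {ip} {net.netmask}\n"


def render_server_fragment(net: ipaddress.IPv4Network = TUNNEL_NET) -> str:
    """Server-side directives that make the ccd overrides take effect."""
    return "\n".join([
        "topology subnet",
        f"server {net.network_address} {net.netmask}",
        "client-config-dir ccd",
        # Reject any cert that has no ccd file: a client you never provisioned
        # (or whose entry you deleted) does not silently fall back to a
        # dynamic address from the pool.
        "ccd-exclusive",
        "",
    ])


def render_client_config(cn: str, server_host: str, port: int = 1194) -> str:
    """Generic OpenVPN client profile for one site (hypothetical server_host).
    A RouterOS export would carry the same values in its own syntax."""
    return "\n".join([
        "client", "dev tun", "proto udp", f"remote {server_host} {port}",
        "nobind", "persist-key", "persist-tun",
        "remote-cert-tls server",  # refuse a peer cert lacking the server EKU
        "ca ca.crt", f"cert {cn}.crt", f"key {cn}.key",
        "",
    ])


def write_ccd_dir(path: str, mapping: Dict[str, str],
                  net: ipaddress.IPv4Network = TUNNEL_NET) -> int:
    """Write one ccd file per CN; returns the number written."""
    os.makedirs(path, exist_ok=True)
    for cn, ip in mapping.items():
        with open(os.path.join(path, cn), "w") as fh:
            fh.write(render_ccd(ip, net))
    return len(mapping)


if __name__ == "__main__":
    import tempfile
    inventory = [f"site-{i:04d}" for i in range(1, 6)]  # constructed sites
    mapping = allocate(inventory, {})
    out = tempfile.mkdtemp()
    print(write_ccd_dir(os.path.join(out, "ccd"), mapping), "ccd files in", out)
    print(render_server_fragment())
    print(render_client_config("site-0001", "vpn.example.invalid"))
```

Run it once per batch of new sites, feeding back the previous run's mapping as `existing`, and keep that mapping in whatever inventory system issues the certificates so the CN, the site and the tunnel address are recorded in one place. `ccd-exclusive` is the hardening step worth keeping: without it, a cert that is valid but has no ccd entry still connects and receives a pool address, which is exactly the non-static behaviour the application cannot tolerate.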
Understandable. I was more trying to get an idea of whether there was a service/hardware provider that can do this endpoint VPN without the need for individual site configuration, either identifying at the hardware level or providing some other identifier that can then translate to an assigned VPN IP address.