Re: VPN recommendations?

2022-02-12 Thread William Herrin
On Sat, Feb 12, 2022 at 12:26 PM Grant Taylor via NANOG  wrote:
> On 2/11/22 12:35 PM, William Herrin wrote:
> > The thing to understand is that IPSec has two modes: transport and
> > but you can deconstruct it: it's built up from transport mode +
> > a tunnel protocol (gre or ipip I don't remember which) + implicit
> > routing and firewalling which wreaks havoc on dynamic routing.
>
> I question the veracity of that statement.  It may be that's what many
> implementations / administration systems do.  But I really thought that
> IPSec /Tunnel/ Mode was more than just IPSec /Transport/ Mode combined
> with some tunneling protocol.

It's tunnel mode plus a tunneling protocol plus some implicit routing
and firewalling which gets in the way of dynamic routing.

Try it if you don't believe me. Set up tunnel mode ipsec manually on
two nodes (no IKE) and get them talking to each other. Then change one
to transport mode and add I think it's an IPIP tunnel but I don't
remember for certain. And add the appropriate routes into the tunnel
virtual device. You'll find they talk.

What did you think IPSec was doing? Transport mode encrypts the layer
4 and up of the packet between two machines; it doesn't encapsulate
it. When they added tunnel mode, the inner layer 3 had to go
somewhere.

Regards,
Bill Herrin

-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: VPN recommendations?

2022-02-12 Thread Nathan Angelacos
On Sat, 2022-02-12 at 13:24 -0700, Grant Taylor via NANOG wrote:
> On 2/11/22 12:35 PM, William Herrin wrote:
> > The thing to understand is that IPSec has two modes: transport and 
> > tunnel. Transport is between exactly two IP addresses while tunnel 
> > expects a broader network to exist on at least one end.
> 
> That is (syntactically) correct.  However, it is possible to NAT many
> LAN IPs (say RFC 1918) to one single Internet IP (say from a SOHO
> ISP) 
> and use IPSec /Transport/ Mode to a single remote IP.  The IPSec sees
> exactly two IPs.
> 
> > "Tunnel" mode is what everyone actually uses
> 
> I may be enough of an outlier that I'm a statistical anomaly.  But
> I'm using IPSec /Transport/ Mode between my home router and my VPSs. 
> I have a tiny full mesh of IPSec /Transport/ Mode connections.
> 

+1 on *cough* enterprise networks.

> Using the aforementioned many-to-one NAT, my home LAN systems access
> the single globally routed IP of each of my VPSs without any problem.
> 

+1

> Aside:  I did have to tweak MTU for LAN traffic going out to the VPS
> IPs.

+1

> 
> So -1 for '"Tunnel" mode is what everyone actually uses', and +1 for 
> /Transport/ Mode 

+1


Re: VPN recommendations?

2022-02-12 Thread Grant Taylor via NANOG

On 2/11/22 12:35 PM, William Herrin wrote:
The thing to understand is that IPSec has two modes: transport and 
tunnel. Transport is between exactly two IP addresses while tunnel 
expects a broader network to exist on at least one end.


That is (syntactically) correct.  However, it is possible to NAT many 
LAN IPs (say RFC 1918) to one single Internet IP (say from a SOHO ISP) 
and use IPSec /Transport/ Mode to a single remote IP.  The IPSec sees 
exactly two IPs.



"Tunnel" mode is what everyone actually uses


I may be enough of an outlier that I'm a statistical anomaly.  But I'm 
using IPSec /Transport/ Mode between my home router and my VPSs.  I have 
a tiny full mesh of IPSec /Transport/ Mode connections.


Using the aforementioned many-to-one NAT, my home LAN systems access the 
single globally routed IP of each of my VPSs without any problem.


Aside:  I did have to tweak MTU for LAN traffic going out to the VPS IPs.

So -1 for '"Tunnel" mode is what everyone actually uses', and +1 for 
/Transport/ Mode


but you can deconstruct it: it's built up from transport mode + 
a tunnel protocol (gre or ipip I don't remember which) + implicit 
routing and firewalling which wreaks havoc on dynamic routing.


I question the veracity of that statement.  It may be that's what many 
implementations / administration systems do.  But I really thought that 
IPSec /Tunnel/ Mode was more than just IPSec /Transport/ Mode combined 
with some tunneling protocol.


Now, it turns out that you can instead configure IPSec in transport 
mode, configure the tunnel separately and leave out the implicit 
firewalling.


Agreed.  I feel like this speaks to implementation / management systems 
that are built on top of IPSec.


It's not relevant to my situation, no. I need the VPN to establish 
a statically addressed clean layer 3 on top of dynamically addressed 
and natted endpoints to support the next appliance in the chain where 
dynamic addressing is not possible. I don't actually care if it adds 
security; it just needs to establish that statically addressed layer.


It sounds to me like you don't even actually need encryption of a 
typical VPN and might be able to use something like GRE+key or IPSec 
/Tunnel/ Mode with AH without ESP.


Oh yeah, and it has to be listed under "virtual private network" 
on the government NIAP list.

https://www.niap-ccevs.org/product/PCL.cfm?ID624=34


Oh joy.  Layer 8 - politics



--
Grant. . . .
unix || die
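Grant's MTU aside is the one piece of this that bites every deployment, whether the SA is transport or tunnel mode. As an added example (mine, not Grant's or anyone else's in this thread), the following computes the ESP overhead for both modes with a few common transforms, returns the largest inner IPv4 packet that still fits a given link MTU, and gives the TCP MSS to clamp to. The IV, block and ICV sizes in TRANSFORMS are the standard values for those transforms and are assumed here rather than taken from Grant's setup; NAT-T is modelled as the extra UDP header of RFC 3948.

```python
"""ESP overhead and inner-MTU calculator for transport vs tunnel mode (added example)."""
import math

IPV4_HDR = 20
UDP_HDR = 8          # NAT-T (RFC 3948) wraps ESP in UDP/4500
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header

# (IV bytes, pad block size, ICV bytes) per transform. Assumed standard values for the
# usual IKEv2 proposals; nothing in the thread states which transform is in use.
TRANSFORMS = {
    "aes-gcm-128":             (8, 4, 16),    # RFC 4106: 8-byte IV, 16-byte tag, 4-byte alignment
    "aes-cbc+hmac-sha1-96":    (16, 16, 12),  # 16-byte IV, padded to the 16-byte AES block
    "aes-cbc+hmac-sha256-128": (16, 16, 16),
    "null":                    (0, 4, 0),     # RFC 2410 NULL cipher, no ICV (framing only)
}


def _pad_to(n: int, block: int) -> int:
    return math.ceil(n / block) * block


def esp_wire_size(inner_len: int, mode: str, transform: str, nat_t: bool = False) -> int:
    """Bytes on the wire after ESP for an inner IPv4 packet of inner_len bytes."""
    iv, block, icv = TRANSFORMS[transform]
    # Transport mode protects only what follows the original IP header;
    # tunnel mode protects the whole inner packet and adds a fresh outer header.
    protected = inner_len - IPV4_HDR if mode == "transport" else inner_len
    size = IPV4_HDR + ESP_HDR + iv + _pad_to(protected + ESP_TRAILER, block) + icv
    if nat_t:
        size += UDP_HDR
    return size


def max_inner_packet(link_mtu: int, mode: str, transform: str, nat_t: bool = False) -> int:
    """Largest inner IPv4 packet whose ESP encapsulation fits link_mtu unfragmented."""
    for inner_len in range(link_mtu, IPV4_HDR, -1):
        if esp_wire_size(inner_len, mode, transform, nat_t) <= link_mtu:
            return inner_len
    raise ValueError("link MTU too small for this transform")


def tcp_mss_clamp(inner_mtu: int) -> int:
    """MSS to clamp for TCP carried inside the SA (IPv4 + TCP headers, no options)."""
    return inner_mtu - 40


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        for transform in TRANSFORMS:
            m = max_inner_packet(1500, mode, transform)
            print(f"{mode:9} {transform:24} inner MTU {m}  MSS {tcp_mss_clamp(m)}")
```

For a 1500-byte link, transport mode with AES-GCM leaves room for a 1466-byte inner packet, while tunnel mode with AES-CBC and HMAC-SHA1 gets 1438; a LAN MTU of 1438 (or an MSS clamp of 1398) is the conservative setting on a path like the one Grant describes if that is the transform in use.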





Re: VPN recommendations?

2022-02-12 Thread Christian de Larrinaga via NANOG



Intriguing. This week I started to look around for new wireguard 
implementation tools and appliances. I've used openvpn and ipsec 
in the main although last month put together a 10x and IPv6 
wireguard net in my home and out to two vps hosts which is 
handy. For my own use this is ok -ish, but I am not so sure about 
keeping track of the configs, managing users and adding configs as 
a network grows. In other words I want help when scaling wg and 
handling change particularly if I am managing nets for other 
projects or delegating. 

Tailscale, ZeroTier and some others are doing a great job I feel 
and no doubt have a handle on that. I've not tried them as yet. 

Because I do like to have options that are not mediated I have 
kept looking as much for my own curiosity and education as for 
deploying a service in anger. But having a toolset that can 
support the latter capability has to be the aim to work towards.


I've found a few potentially interesting more recent projects and 
am intending to start to test deploy some of these in sequence to 
see how I get on. I think I'll start with
https://github.com/gravitl/netmaker Please note I've only reviewed 
the documentation. I've not yet played with it.  

This seems to offer at an early stage in its development a 
webappliance (optionally) with CoreDNS if you want naming support 
and IPv6 and at least some client management features. It claims 
to be fast but that can be tested. It also is deployable in 
docker/kubernetes (k8s) which is intriguing when deploying and 
managing containers between multiple hosts across data centres. 
It uses a mongodb licence which may or may not be a problem.


If one plays with IPSEC then I guess one could run wg through 
IPSEC but is there any point unless you already have an IPSEC 
branch and don't want to take it down whilst adding wg for a new 
class of devices/userbase?   

I'd be interested in sharing experiences and advice (offlist) and 
delighted to learn from  wireguard and vpn's clueful folk. 

thank you for an interesting discussion. 



Christian

William Herrin  writes:

On Fri, Feb 11, 2022 at 10:35 AM Dan Sneddon  
wrote:
1) IPSEC does not lend itself to dynamic routing or dynamic 
configuration. It is very much a static set-it-and-forget-it 
technology, but that doesn’t work in a dynamically changing 
environment.


Hi Dan,

Depending on how you configure it, IPSEC can work fine with 
dynamic

routing. The thing to understand is that IPSec has two modes:
transport and tunnel. Transport is between exactly two IP 
addresses
while tunnel expects a broader network to exist on at least one 
end.
"Tunnel" mode is what everyone actually uses but you can 
deconstruct
it: it's built up from transport mode + a tunnel protocol (gre 
or ipip

I don't remember which) + implicit routing and firewalling which
wreaks havoc on dynamic routing. Now, it turns out that you can
instead configure IPSec in transport mode, configure the tunnel
separately and leave out the implicit firewalling.

This may not apply to William Herrin’s (OP) use case of a VPN 
appliance


It's not relevant to my situation, no. I need the VPN to 
establish a
statically addressed clean layer 3 on top of dynamically 
addressed and
natted endpoints to support the next appliance in the chain 
where
dynamic addressing is not possible. I don't actually care if it 
adds
security; it just needs to establish that statically addressed 
layer.
Oh yeah, and it has to be listed under "virtual private network" 
on

the government NIAP list.
https://www.niap-ccevs.org/product/PCL.cfm?ID624=34

Regards,
Bill Herrin



--
Christian de Larrinaga 
https://firsthand.net


Re: VPN recommendations?

2022-02-11 Thread Rich Greenwood via NANOG
The port forwarding only applies to manual NAT traversal.  If you use auto
NAT traversal, it takes care of that.  Because all of the connections are
coordinated through the dashboard, the Auto-VPN will typically work even if
all nodes are behind NAT.  I've used them on the end of Verizon (CG-NAT)
connections and they work fine.  I have had one instance where three of
them were behind the same single IP NAT and the third would fail to
connect.  We had to get one of them moved to a different NAT IP to solve
that.

If you're looking for a simple to use, easy to manage VPN appliance, the MX
(and Z) Meraki products will work.  The config is entirely handled through
the dashboard, so no-touch, drop ship deployments are an option.  You can
provide view only access to users per network, so the customer or a first
level tech could be given the ability to look but not break anything.

All of the MX and Z products will work in a single VPN, so you can pick the
device that best fits the requirements.  For a small office with one or two
people, the Z3 works great, it even has one PoE port for an IP phone.  For
larger sites or the core site, they go up to 6Gb (I think) of throughput
for the MX450, with redundant power and uplinks.

As others have pointed out, they are license based and they don't work
without a license, and they are a Cisco product, so pricing will depend on
how good your relationship is with your Cisco rep. :)  One big caveat: they
are still lacking in the IPv6 realm so if that is a requirement, they won't
work right now.
--Rich


> -- Forwarded message --
> From: William Herrin 
> To: Shawn L 
> Cc: "nanog@nanog.org" 
> Bcc:
> Date: Thu, 10 Feb 2022 10:54:39 -0800
> Subject: Re: VPN recommendations?
> On Thu, Feb 10, 2022 at 10:18 AM Shawn L  wrote:
> > Meraki MX series? Dynamic IPs and NATs don't really cause them a
> problem.  Some CGNats do (AT&T I'm looking at you).
>
> Thanks Shawn,
>
> The documentation I found at
>
> https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings
> suggests that the NAT firewall has to be explicitly configured to
> deliver UDP 500/4500 to the Meraki behind it. Are you aware of any
> documentation that describes:
>
> LAN - Meraki - NAT (dynamic IP) - Internet - (static IP) Meraki - LAN
>
> Where the left-side Meraki is responsible for establishing and keeping
> the NAT translations alive without any special configuration on the
> NAT?
>
> Regards,
> Bill
>


-- 
Rich Greenwood
Network Engineer
Shasta County Office of Education

Information Technology

1644 Magnolia Ave.

Redding, CA 96001

Office: 530-225-0161

Hotline: 530-225-0279

rgreenw...@shastacoe.org




Re: VPN recommendations?

2022-02-11 Thread William Herrin
On Fri, Feb 11, 2022 at 10:35 AM Dan Sneddon  wrote:
> 1) IPSEC does not lend itself to dynamic routing or dynamic configuration. It 
> is very much a static set-it-and-forget-it technology, but that doesn’t work 
> in a dynamically changing environment.

Hi Dan,

Depending on how you configure it, IPSEC can work fine with dynamic
routing. The thing to understand is that IPSec has two modes:
transport and tunnel. Transport is between exactly two IP addresses
while tunnel expects a broader network to exist on at least one end.
"Tunnel" mode is what everyone actually uses but you can deconstruct
it: it's built up from transport mode + a tunnel protocol (gre or ipip
I don't remember which) + implicit routing and firewalling which
wreaks havoc on dynamic routing. Now, it turns out that you can
instead configure IPSec in transport mode, configure the tunnel
separately and leave out the implicit firewalling.

> This may not apply to William Herrin’s (OP) use case of a VPN appliance

It's not relevant to my situation, no. I need the VPN to establish a
statically addressed clean layer 3 on top of dynamically addressed and
natted endpoints to support the next appliance in the chain where
dynamic addressing is not possible. I don't actually care if it adds
security; it just needs to establish that statically addressed layer.
Oh yeah, and it has to be listed under "virtual private network" on
the government NIAP list.
https://www.niap-ccevs.org/product/PCL.cfm?ID624=34

Regards,
Bill Herrin

-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/
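Bill's deconstruction above, and the hands-on version of it in his 2022-02-12 reply earlier on this page (set up tunnel mode, then switch to transport mode plus an IPIP tunnel), can be checked byte for byte. The following is an added example, not code from anyone in this thread: it frames ESP with the NULL cipher (RFC 2410) and no ICV purely to expose the layout, builds the same inner packet once as tunnel-mode ESP and once as transport-mode ESP over IPIP, and compares the two. Addresses are documentation ranges, the SPI is arbitrary, and both outer headers are built with the same TTL and ID; a real tunnel-mode SA derives the outer TTL, DSCP and ID by its own rules (RFC 4301 section 5.1.2), so the match shown here is about structure, not every header field.

```python
"""Tunnel-mode ESP versus transport-mode ESP over an IPIP tunnel (added example, NULL cipher)."""
import ipaddress
import struct

IPPROTO_IPIP = 4    # IPv4-in-IPv4; also the ESP Next Header value tunnel mode uses
IPPROTO_UDP = 17
IPPROTO_ESP = 50


def _checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                ttl: int = 64, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options, DF set) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def esp_null(spi: int, seq: int, plaintext: bytes, next_header: int) -> bytes:
    """ESP (RFC 4303) framing with the NULL cipher (RFC 2410) and no ICV.
    This exposes the layout only; it provides no confidentiality or integrity."""
    pad_len = (-(len(plaintext) + 2)) % 4      # pad so the 2-byte trailer ends 4-byte aligned
    return struct.pack("!II", spi, seq) + plaintext + bytes(pad_len) + bytes([pad_len, next_header])


def esp_transport(pkt: bytes, spi: int, seq: int) -> bytes:
    """Transport mode: keep the packet's own IP header, protect everything after it,
    record the original protocol in Next Header and set the IP protocol to 50 (ESP)."""
    hdr, l4 = pkt[:20], pkt[20:]
    src = str(ipaddress.IPv4Address(hdr[12:16]))
    dst = str(ipaddress.IPv4Address(hdr[16:20]))
    ident, ttl, proto = struct.unpack("!H", hdr[4:6])[0], hdr[8], hdr[9]
    esp = esp_null(spi, seq, l4, proto)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp), ttl=ttl, ident=ident) + esp


def esp_tunnel(outer_src: str, outer_dst: str, inner_pkt: bytes, spi: int, seq: int) -> bytes:
    """Tunnel mode: new outer IP header, the whole inner packet as ESP payload, Next Header = 4."""
    esp = esp_null(spi, seq, inner_pkt, IPPROTO_IPIP)
    return ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(esp)) + esp


def ipip(outer_src: str, outer_dst: str, inner_pkt: bytes) -> bytes:
    """Plain IP-in-IP encapsulation (protocol 4), what a Linux `ipip` tunnel device emits."""
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPIP, len(inner_pkt)) + inner_pkt


def esp_decap(pkt: bytes):
    """Undo esp_null framing on an outer IPv4 + ESP packet: return (next_header, protected bytes)."""
    esp = pkt[20:]
    pad_len, next_header = esp[-2], esp[-1]
    return next_header, esp[8:len(esp) - 2 - pad_len]


def compare_modes() -> dict:
    # Constructed sample: one UDP datagram between two RFC 1918 hosts behind two gateways.
    udp = struct.pack("!HHHH", 53, 53, 8, 0)
    inner = ipv4_header("10.0.0.5", "10.1.0.7", IPPROTO_UDP, len(udp)) + udp
    gw_a, gw_b, spi = "198.51.100.1", "203.0.113.9", 0x1000
    tunnel = esp_tunnel(gw_a, gw_b, inner, spi, 1)
    transport_over_ipip = esp_transport(ipip(gw_a, gw_b, inner), spi, 1)
    return {
        "wire_identical": tunnel == transport_over_ipip,
        "tunnel_next_header": esp_decap(tunnel)[0],
        "inner_recovered": esp_decap(transport_over_ipip)[1] == inner,
    }


if __name__ == "__main__":
    print(compare_modes())
```

The comparison makes Bill's point in bytes: tunnel mode is transport-mode ESP whose protected payload happens to be a complete IPv4 packet, which is exactly what an ESP Next Header of 4 says. What differs in practice is where the encapsulation and the forwarding decision live. With transport mode plus a separate `ipip` device the tunnel is an ordinary interface that a routing daemon can run over; with a tunnel-mode SA the encapsulation is bound to the SA's traffic selectors, which is the implicit routing and filtering Bill describes getting in the way of dynamic routing.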


Re: VPN recommendations?

2022-02-11 Thread Mel Beckman
Dan,

One point you didn’t touch on is that IPSec is integrated into IPv6 and typically 
hardware-accelerated on the NIC, enabling device-to-device VPNs, which mitigates most 
of the dynamic issues associated with network-to-network IPSec over IPv4.

Yes, I realize IPv4 is hanging around longer than most expect, but in some 
cases I think you can make a case for deploying IPv6 just on the VPN benefits 
alone. With no public-facing services, IPv6 is already deployed in most LANs as 
a direct result of its use by modern OSes for inter-LAN communication. All you 
typically need to do is enable IPv6 at the gateway.

 -mel


On Feb 11, 2022, at 10:33 AM, Dan Sneddon 
mailto:sned...@gmail.com>> wrote:

Thank you Joy for de-lurking. I actually was not familiar with ZeroTier, and 
this is a space that I thought I was quite familiar with, so I’m glad you 
brought it to everyone’s attention. I will look further at ZeroTier, it looks 
very interesting.

I am also a very long-time lurker (although I was a NANOG list admin ~10 years 
ago) who is emerging to join this conversation.

I have recently been doing some work to evaluate and develop VPN solutions for 
connecting multiple data center cloud environments, including low-power small 
edge sites, and I have some thoughts about the current state of the art to 
share.

Until recently I was a very strong proponent of IPSEC. I liked the way IPSEC was 
placed within the OSI model directly at layer 3, unlike some of the VPN 
technologies which operate above or below layer 3. However I do not believe 
that IPSEC is future-proof, for the following two reasons:

1) IPSEC does not lend itself to dynamic routing or dynamic configuration. It 
is very much a static set-it-and-forget-it technology, but that doesn’t work in 
a dynamically changing environment.

2) IPSEC does not always lend itself to hardware offloading in the way some 
other technologies do. Some NICs do support hardware acceleration for IPSEC, 
but this does not always integrate well with kernel or user space when you are 
integrating virtual network functions (VNFs) like 
routers/firewalls/load-balancers.

Wireguard works well in dynamic environments. TLS using something like OpenSSL 
does as well. Both provide key advantages, particularly on top of Linux.

* Support for hardware offloads such as TCP segmentation provides vast 
improvements in performance on higher-end x86 hardware. Some recent testing I 
have been shown proves that TCP segmentation offload can provide more than a 5X 
speedup compared to other HW offloads without TCP segmentation (from 5Gb/s to 
above 25Gb/s in some tests).

* With the right encryption algorithm CPU acceleration for cryptography reduces 
CPU load and increases performance.

* Integration with kernel routing provides the ability to integrate with 
dynamic routing such as BGP daemons (e.g. FRRouting, etc.).

* In recent Linux kernels eBPF/XDP provide a hardware interface to the kernel 
which accelerates network throughput to near line-rate, while minimizing CPU 
impact.

This may not apply to William Herrin’s (OP) use case of a VPN appliance for 
100mbps to 1gbps speeds, but it is something to keep in mind for building 
higher performance solutions or for planning for increasing bandwidth in the 
future. For the 100mbps+ use case I have had success building appliances using 
OpenVPN on top of certain ARM based platforms like Marvell Armada, or 
single-board computers with Intel CPUs with AES-NI acceleration. I am currently 
looking at implementing Wireguard on the same platforms. For a simple low-power 
ARM router appliance the Turris Omnia has been a great fully open platform 
running a custom LEDE/OpenWRT OS. The Turris Mox provides a modular hardware 
platform for expandability, albeit with slightly less performance. Both of 
these platforms are developed by the engineers at CZ.nic, the TLD registrar for 
the Czech Republic.

https://secure.nic.cz/files/Turris-web/Omnia/Omnia2020_datasheet.pdf

https://www.turris.com/en/mox/overview/

-Dan Sneddon

On Feb 10, 2022, at 10:51 AM, j...@cleverhack.com 
wrote:

Hello NANOG,

My name is Joy Larkin and I'm actually a long-time years-long lurker on the 
NANOG list (I have v odd hobbies) and I am also ZeroTier's Head of Marketing. I 
know I'm not supposed to be too promotional on here, but I'd love to see some 
of you pick up ZT.

Our founder, Adam Ierymenko just did a talk at Networking Field Day 27, here 
are two of the recordings from that session:

* ZeroTier The Planetary Data Center
   * https://www.youtube.com/watch?v=T2BbrqpnMAE

* ZeroTier Technical Deep Dive
   * https://www.youtube.com/watch?v=VhQ30bVF3_s

If you have questions, let me know - you can reach me at 
joy.lar...@zerotier.com

Best,
-Joy

On 2022-02-10 10:12, Mike Lyon wrote:
How about running ZeroTier on those Linux boxes and call it a day?
https://www.zerotier.com/
-Mike
On Feb 10, 2022, at 10:07, David Guo via NANOG 

Re: VPN recommendations?

2022-02-11 Thread Dan Sneddon
Thank you Joy for de-lurking. I actually was not familiar with ZeroTier, and 
this is a space that I thought I was quite familiar with, so I’m glad you 
brought it to everyone’s attention. I will look further at ZeroTier, it looks 
very interesting.

I am also a very long-time lurker (although I was a NANOG list admin ~10 years 
ago) who is emerging to join this conversation.

I have recently been doing some work to evaluate and develop VPN solutions for 
connecting multiple data center cloud environments, including low-power small 
edge sites, and I have some thoughts about the current state of the art to 
share.

Until recently I was a very strong proponent of IPSEC. I liked the way IPSEC was 
placed within the OSI model directly at layer 3, unlike some of the VPN 
technologies which operate above or below layer 3. However I do not believe 
that IPSEC is future-proof, for the following two reasons:

1) IPSEC does not lend itself to dynamic routing or dynamic configuration. It 
is very much a static set-it-and-forget-it technology, but that doesn’t work in 
a dynamically changing environment.

2) IPSEC does not always lend itself to hardware offloading in the way some 
other technologies do. Some NICs do support hardware acceleration for IPSEC, 
but this does not always integrate well with kernel or user space when you are 
integrating virtual network functions (VNFs) like 
routers/firewalls/load-balancers.

Wireguard works well in dynamic environments. TLS using something like OpenSSL 
does as well. Both provide key advantages, particularly on top of Linux.

* Support for hardware offloads such as TCP segmentation provides vast 
improvements in performance on higher-end x86 hardware. Some recent testing I 
have been shown proves that TCP segmentation offload can provide more than a 5X 
speedup compared to other HW offloads without TCP segmentation (from 5Gb/s to 
above 25Gb/s in some tests).

* With the right encryption algorithm CPU acceleration for cryptography reduces 
CPU load and increases performance.

* Integration with kernel routing provides the ability to integrate with 
dynamic routing such as BGP daemons (e.g. FRRouting, etc.).

* In recent Linux kernels eBPF/XDP provide a hardware interface to the kernel 
which accelerates network throughput to near line-rate, while minimizing CPU 
impact.

This may not apply to William Herrin’s (OP) use case of a VPN appliance for 
100mbps to 1gbps speeds, but it is something to keep in mind for building 
higher performance solutions or for planning for increasing bandwidth in the 
future. For the 100mbps+ use case I have had success building appliances using 
OpenVPN on top of certain ARM based platforms like Marvell Armada, or 
single-board computers with Intel CPUs with AES-NI acceleration. I am currently 
looking at implementing Wireguard on the same platforms. For a simple low-power 
ARM router appliance the Turris Omnia has been a great fully open platform 
running a custom LEDE/OpenWRT OS. The Turris Mox provides a modular hardware 
platform for expandability, albeit with slightly less performance. Both of 
these platforms are developed by the engineers at CZ.nic, the TLD registrar for 
the Czech Republic.

https://secure.nic.cz/files/Turris-web/Omnia/Omnia2020_datasheet.pdf

https://www.turris.com/en/mox/overview/

-Dan Sneddon

> On Feb 10, 2022, at 10:51 AM, j...@cleverhack.com wrote:
> 
> Hello NANOG,
> 
> My name is Joy Larkin and I'm actually a long-time years-long lurker on the 
> NANOG list (I have v odd hobbies) and I am also ZeroTier's Head of Marketing. 
> I know I'm not supposed to be too promotional on here, but I'd love to see 
> some of you pick up ZT.
> 
> Our founder, Adam Ierymenko just did a talk at Networking Field Day 27, here 
> are two of the recordings from that session:
> 
> * ZeroTier The Planetary Data Center
>* https://www.youtube.com/watch?v=T2BbrqpnMAE
> 
> * ZeroTier Technical Deep Dive
>* https://www.youtube.com/watch?v=VhQ30bVF3_s
> 
> If you have questions, let me know - you can reach me at 
> joy.lar...@zerotier.com
> 
> Best,
> -Joy
> 
>> On 2022-02-10 10:12, Mike Lyon wrote:
>> How about running ZeroTier on those Linux boxes and call it a day?
>> https://www.zerotier.com/
>> -Mike
>>> On Feb 10, 2022, at 10:07, David Guo via NANOG 
>>> wrote:
>>> 
>>> You may try WireGuard and use ddns
>>> From: NANOG  On Behalf Of
>>> William Herrin
>>> Sent: Friday, February 11, 2022 2:02 AM
>>> To: nanog@nanog.org
>>> Subject: VPN recommendations?
>>> Hi folks,
>>> Do you have any recommendations for VPN appliances? Specifically: I
>>> need to build a site to site VPNs at speeds between 100mbps and 1
>>> gbit where all but one of the sites are behind an IPv4 NAT gateway
>>> with dynamic public IP addresses.
>>> Normally I'd throw OpenVPN on a couple of Linux boxes and be happy
>>> but my customer insists on a network appliance. Site to site VPNs
>>> using IPSec and static IP addresses on the plaintext side are a dime
>>> a 
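Dan's point that WireGuard copes with dynamic environments, and David Guo's "WireGuard and use ddns" suggestion quoted at the end, rest on one detail worth making concrete: a WireGuard peer resolves a hostname endpoint once, when the configuration is applied, and afterwards only learns a new address when that peer itself sends an authenticated packet from it. A spoke behind a NAT with a changing IP therefore needs no DDNS at all (it initiates, and PersistentKeepalive keeps the NAT mapping alive), but a hub whose public address changes, or two NATted sites, need something to re-resolve the name and re-point the peer. The following is an added example, not code from this thread or from the WireGuard project: it parses `wg show <iface> endpoints`, compares each peer's live endpoint with a fresh resolution of its configured DDNS name, and issues `wg set <iface> peer <key> endpoint <ip>:<port>` only where they differ. Interface name, peer keys and hostnames in the sample are constructed placeholders.

```python
"""Re-point WireGuard peers whose configured endpoint is a DDNS hostname (added example)."""
import socket
import subprocess
from typing import Callable, Dict, List, Tuple

Endpoint = Tuple[str, int]          # (address, port) as WireGuard reports it


def parse_wg_endpoints(dump: str) -> Dict[str, Endpoint]:
    """Parse `wg show <iface> endpoints` output: one '<base64 pubkey>\\t<addr>:<port>' line
    per peer. Peers that have never handshaked show '(none)' and are skipped."""
    current: Dict[str, Endpoint] = {}
    for line in dump.splitlines():
        if not line.strip():
            continue
        pubkey, _, endpoint = line.partition("\t")
        if endpoint in ("", "(none)"):
            continue
        addr, _, port = endpoint.rpartition(":")  # rpartition keeps IPv6 '[...]' literals whole
        current[pubkey] = (addr.strip("[]"), int(port))
    return current


def resolve_ipv4(name: str) -> str:
    """Resolve a hostname to a single IPv4 address (the DDNS A record)."""
    return socket.getaddrinfo(name, None, socket.AF_INET)[0][4][0]


def endpoints_to_update(current: Dict[str, Endpoint],
                        desired: Dict[str, Tuple[str, int]],
                        resolve: Callable[[str], str] = resolve_ipv4) -> List[Tuple[str, Endpoint]]:
    """Return (pubkey, (ip, port)) for every peer whose DDNS name now resolves somewhere else.
    A failed lookup leaves that peer alone: a DNS outage must not tear down a working tunnel."""
    changes: List[Tuple[str, Endpoint]] = []
    for pubkey, (name, port) in desired.items():
        try:
            ip = resolve(name)
        except OSError:                      # socket.gaierror is a subclass of OSError
            continue
        if current.get(pubkey) != (ip, port):
            changes.append((pubkey, (ip, port)))
    return changes


def reresolve(iface: str, desired: Dict[str, Tuple[str, int]],
              run=subprocess.run, resolve: Callable[[str], str] = resolve_ipv4) -> int:
    """Query live endpoints, re-point the stale ones, return how many were changed.
    Needs root or CAP_NET_ADMIN because it drives the kernel through wg(8)."""
    dump = run(["wg", "show", iface, "endpoints"], capture_output=True, text=True, check=True).stdout
    changes = endpoints_to_update(parse_wg_endpoints(dump), desired, resolve)
    for pubkey, (ip, port) in changes:
        run(["wg", "set", iface, "peer", pubkey, "endpoint", f"{ip}:{port}"], check=True)
    return len(changes)


if __name__ == "__main__":
    # Constructed placeholders: a hub whose public address is published via DDNS.
    PEERS = {"HUB_PUBLIC_KEY_BASE64=": ("hub.dyn.example.net", 51820)}
    print(reresolve("wg0", PEERS))   # run from cron or a systemd timer every minute or so
```

Run it periodically on the side that has to dial a changing address; the side whose address changes needs nothing beyond initiating traffic (or a keepalive), since WireGuard updates the endpoint from the source of the last authenticated packet.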

Re: VPN recommendations?

2022-02-11 Thread Mike Hammett
Mikrotik with RouterOS v7 with WireGuard or ZeroTier were the first things I 
thought of, but it might be a bit premature for a production environment. In 
a year, I'd have no problem recommending that. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

- Original Message -

From: "Ander Punnar"  
Cc: nanog@nanog.org 
Sent: Thursday, February 10, 2022 2:04:57 PM 
Subject: Re: VPN recommendations? 

On Thu, 10 Feb 2022 10:55:40 -0800, William Herrin wrote: 
> My understanding is that Wireguard is software available for general 
> purpose operating systems. I specifically need a set of hardware 
> network appliances. 

MikroTik (hardware) RouterOS (software) version 7 has WireGuard: 

https://help.mikrotik.com/docs/display/ROS/WireGuard 



Re: VPN recommendations?

2022-02-11 Thread Bjørn Mork
Sabri Berisha  writes:

> I read on some mailing list that Meraki likes to ping 8.8.8.8 every
> second... :)

That's probably to be fair with the quad-x dns providers since they
already were abusing 1.1.1.1.

Makes me wonder what Meraki uses 9.9.9.9 for :-)


Bjørn


Re: VPN recommendations?

2022-02-10 Thread Mark Tinka




On 2/11/22 06:49, David Andrzejewski wrote:


I don't know how people around here feel about Mikrotik, but they have included 
Wireguard support in their latest operating system.


I know some Tik heads here that are happy about this.

I am running ROS 7.1.2 on my home router, but I don't use it.

Mark.


Re: VPN recommendations?

2022-02-10 Thread Dave Taht
On Thu, Feb 10, 2022 at 8:51 PM David Andrzejewski
 wrote:
>
> I don't know how people around here feel about Mikrotik, but they have 
> included Wireguard support in their latest operating system.

They've also included fq_codel and sch_cake:
https://forum.mikrotik.com/viewtopic.php?t=179307

For a site to site, kernel mode vpn such as ipsec or wireguard (but
not openvpn), we successfully FQ+AQM packets entering the tunnel.

If that's the bottleneck link, for a mixture of, say low rate voip and
high rate file transfer traffic, the results are a pretty marvellous
reduction of jitter and latency through the tunnel.

Before: http://www.taht.net/~d/ipsec_fq_codel/oldqos.png
After: http://www.taht.net/~d/ipsec_fq_codel/newqos.png




> dave
>
> -Original Message-
> From: NANOG  On Behalf 
> Of William Herrin
> Sent: Thursday, February 10, 2022 13:56
> Cc: nanog@nanog.org
> Subject: Re: VPN recommendations?
>
> On Thu, Feb 10, 2022 at 10:04 AM David Guo  wrote:
> > You may try WireGuard and use ddns
>
> Hi David,
>
> My understanding is that Wireguard is software available for general purpose 
> operating systems. I specifically need a set of hardware network appliances. 
> I don't overly care which protocol they're running as long as an initiator 
> stuck behind a nat box I don't control can maintain a connection with a hub 
> and handle speeds in the 100mbps to 10gbps.
>
> On Thu, Feb 10, 2022 at 10:12 AM Mike Lyon  wrote:
> > How about running ZeroTier on those Linux boxes and call it a day?
> > https://www.zerotier.com/
>
> I specifically cannot use general purpose Linux machines for this. I need 
> network appliances.
>
>
> On Thu, Feb 10, 2022 at 10:26 AM Dave Taht  wrote:
> > tailscale
>
> I specifically need an integrated network appliance, not software I add to 
> something.
>
> I love my Linux-based VPN servers but my customer very specifically said no. 
> I can't publicly explain why but trust me when I say it's a "hard no" and 
> it's not a question of persuasion or education. My customer understands and 
> likes Linux but he simply cannot use it this time.
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/



-- 
I tried to build a better future, a few times:
https://wayforward.archive.org/?site=https%3A%2F%2Fwww.icei.org

Dave Täht CEO, TekLibre, LLC


RE: VPN recommendations?

2022-02-10 Thread David Andrzejewski
I don't know how people around here feel about Mikrotik, but they have included 
Wireguard support in their latest operating system.

dave

-Original Message-
From: NANOG  On Behalf Of 
William Herrin
Sent: Thursday, February 10, 2022 13:56
Cc: nanog@nanog.org
Subject: Re: VPN recommendations?

On Thu, Feb 10, 2022 at 10:04 AM David Guo  wrote:
> You may try WireGuard and use ddns

Hi David,

My understanding is that Wireguard is software available for general purpose 
operating systems. I specifically need a set of hardware network appliances. I 
don't overly care which protocol they're running as long as an initiator stuck 
behind a nat box I don't control can maintain a connection with a hub and 
handle speeds in the 100mbps to 10gbps.

On Thu, Feb 10, 2022 at 10:12 AM Mike Lyon  wrote:
> How about running ZeroTier on those Linux boxes and call it a day?
> https://www.zerotier.com/

I specifically cannot use general purpose Linux machines for this. I need 
network appliances.


On Thu, Feb 10, 2022 at 10:26 AM Dave Taht  wrote:
> tailscale

I specifically need an integrated network appliance, not software I add to 
something.

I love my Linux-based VPN servers but my customer very specifically said no. I 
can't publicly explain why but trust me when I say it's a "hard no" and it's 
not a question of persuasion or education. My customer understands and likes 
Linux but he simply cannot use it this time.

Regards,
Bill Herrin


--
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: VPN recommendations?

2022-02-10 Thread Valdis Klētnieks
On Thu, 10 Feb 2022 10:55:40 -0800, William Herrin said:

> My understanding is that Wireguard is software available for general
> purpose operating systems. I specifically need a set of hardware
> network appliances. 

Take a general purpose OS, strip down the userspace a bit,
stick the whole thing in a box, and call it an appliance. They'll never
know the difference. :)


Re: VPN recommendations?

2022-02-10 Thread Mark Tinka




On 2/10/22 20:02, William Herrin wrote:


Hi folks,

Do you have any recommendations for VPN appliances? Specifically: I 
need to build a site to site VPNs at speeds between 100mbps and 1 gbit 
where all but one of the sites are behind an IPv4 NAT gateway with 
dynamic public IP addresses.


Normally I'd throw OpenVPN on a couple of Linux boxes and be happy but 
my customer insists on a network appliance. Site to site VPNs using 
IPSec and static IP addresses on the plaintext side are a dime a dozen 
but traversing NAT and dynamic IP addresses (and automatically 
re-establishing when the service goes out and comes back up with 
different addresses) is a hard requirement.


We like pfSense.

I believe they sell Netgate appliances.

Mark.


Re: VPN recommendations?

2022-02-10 Thread William Herrin
Howdy,

I just want to say thank you to everyone who responded. It was very
helpful and I now have a bunch of leads to chase. I'll let you know
what I end up doing. Given the lead times on some of the equipment it
may be a while...

Warm regards,
Bill Herrin


On Thu, Feb 10, 2022 at 10:02 AM William Herrin  wrote:
> Do you have any recommendations for VPN appliances? Specifically: I need to 
> build a site to site VPNs at speeds between 100mbps and 1 gbit where all but 
> one of the sites are behind an IPv4 NAT gateway with dynamic public IP 
> addresses.
>
> Normally I'd throw OpenVPN on a couple of Linux boxes and be happy but my 
> customer insists on a network appliance. Site to site VPNs using IPSec and 
> static IP addresses on the plaintext side are a dime a dozen but traversing 
> NAT and dynamic IP addresses (and automatically re-establishing when the 
> service goes out and comes back up with different addresses) is a hard 
> requirement.
>
> Thanks in advance,
> Bill Herrin



-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: VPN recommendations?

2022-02-10 Thread Sean Kelly
I work in a large oil company and we have S2S VPNs everywhere. Any modern 
Cisco or Juniper router will meet your requirements. An off-the-shelf security 
appliance will do the job too, i.e. ASA, Palo Alto, Fortinet or Juniper. Meraki is 
great if you want to manage from the cloud or VPN as a service. Good luck.

Sean P Kelly

> On Feb 10, 2022, at 6:51 PM, Dave Taht  wrote:
> 
> tailscale is 3-clause BSD.
> 
> there is a reverse engineered version of the rendezvous protocol also.
> 
> 
> 
>> On Thu, Feb 10, 2022 at 3:41 PM John Gilmore  wrote:
>> 
>> Mike Lyon  wrote:
>>> How about running ZeroTier on those Linux boxes and call it a day?
>>> https://www.zerotier.com/
>> 
>> ZeroTier is not a free-as-in-freedom project.  Running it in Linux boxes
>> or network appliances to provide a VPN to paying customers may be
>> prohibited (at least for some customers, and before 2025) by its
>> convoluted license:
>> 
>>  https://github.com/zerotier/ZeroTierOne/blob/master/LICENSE.txt
>> 
>> I recommend using something that doesn't have litigious companies
>> nitpicking about what you can and can't use it for.
>> 
>> John Gilmore
> 
> 
> 
> -- 
> I tried to build a better future, a few times:
> https://wayforward.archive.org/?site=https%3A%2F%2Fwww.icei.org
> 
> Dave Täht CEO, TekLibre, LLC


Re: VPN recommendations?

2022-02-10 Thread Dave Taht
tailscale is 3-clause BSD.

there is a reverse engineered version of the rendezvous protocol also.



On Thu, Feb 10, 2022 at 3:41 PM John Gilmore  wrote:
>
> Mike Lyon  wrote:
> > How about running ZeroTier on those Linux boxes and call it a day?
> > https://www.zerotier.com/
>
> ZeroTier is not a free-as-in-freedom project.  Running it in Linux boxes
> or network appliances to provide a VPN to paying customers may be
> prohibited (at least for some customers, and before 2025) by its
> convoluted license:
>
>   https://github.com/zerotier/ZeroTierOne/blob/master/LICENSE.txt
>
> I recommend using something that doesn't have litigious companies
> nitpicking about what you can and can't use it for.
>
> John Gilmore



-- 
I tried to build a better future, a few times:
https://wayforward.archive.org/?site=https%3A%2F%2Fwww.icei.org

Dave Täht CEO, TekLibre, LLC


Re: VPN recommendations?

2022-02-10 Thread John Gilmore
Mike Lyon  wrote:
> How about running ZeroTier on those Linux boxes and call it a day?
> https://www.zerotier.com/

ZeroTier is not a free-as-in-freedom project.  Running it in Linux boxes
or network appliances to provide a VPN to paying customers may be
prohibited (at least for some customers, and before 2025) by its
convoluted license:

  https://github.com/zerotier/ZeroTierOne/blob/master/LICENSE.txt

I recommend using something that doesn't have litigious companies
nitpicking about what you can and can't use it for.

John Gilmore


RE: VPN recommendations?

2022-02-10 Thread Ryland Kremeier
I think my experience is unique, but wanted to put it out there anyway. I’ve 
actually had quite a few problems with Meraki equipment during the one instance 
I worked with them. After a few hours to days, the switches would stop 
functioning. You could still access them through the webgui and issue a reboot 
to resolve the issue, but the problem persisted even after many resets and 
calls with Cisco.

Again, likely some bonk hardware, but in case anyone else has had a similar 
experience I wanted this to be known.

Thank you,
-- Ryland


From: NANOG  on behalf of 
Brandon Svec via NANOG 
Sent: Thursday, February 10, 2022 3:50:49 PM
To: William Herrin 
Cc: nanog@nanog.org 
Subject: Re: VPN recommendations?

Meraki may be considered expensive, requires a perpetual license to operate and 
is difficult to get currently (very long lead times) but is dead.stupid.simple 
to install and maintain.  I have yet to find a business or home network that it 
does not work on out of the box, but if you find one it would be an issue to 
overcome for any solution, right? i.e. open some ports on the upstream device 
one time.

https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN_-_Configuration_and_Troubleshooting


Brandon Svec



On Thu, Feb 10, 2022 at 10:05 AM William Herrin <b...@herrin.us> wrote:
Hi folks,

Do you have any recommendations for VPN appliances? Specifically: I need to 
build a site to site VPNs at speeds between 100mpbs and 1 gbit where all but 
one of the sites are behind an IPv4 NAT gateway with dynamic public IP 
addresses.

Normally I'd throw OpenVPN on a couple of Linux boxes and be happy but my 
customer insists on a network appliance. Site to site VPNs using IPSec and 
static IP addresses on the plaintext side are a dime a dozen but traversing NAT 
and dynamic IP addresses (and automatically re-establishing when the service 
goes out and comes back up with different addresses) is a hard requirement.

Thanks in advance,
Bill Herrin

--
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: VPN recommendations?

2022-02-10 Thread Brandon Svec via NANOG
Meraki may be considered expensive, requires a perpetual license to operate
and is difficult to get currently (very long lead times) but is
dead.stupid.simple to install and maintain.  I have yet to find a business
or home network that it does not work on out of the box, but if you find
one it would be an issue to overcome for any solution, right? i.e. open
some ports on the upstream device one time.

https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN_-_Configuration_and_Troubleshooting


Brandon Svec



On Thu, Feb 10, 2022 at 10:05 AM William Herrin  wrote:

> Hi folks,
>
> Do you have any recommendations for VPN appliances? Specifically: I need
> to build a site to site VPNs at speeds between 100mpbs and 1 gbit where all
> but one of the sites are behind an IPv4 NAT gateway with dynamic public IP
> addresses.
>
> Normally I'd throw OpenVPN on a couple of Linux boxes and be happy but my
> customer insists on a network appliance. Site to site VPNs using IPSec and
> static IP addresses on the plaintext side are a dime a dozen but traversing
> NAT and dynamic IP addresses (and automatically re-establishing when the
> service goes out and comes back up with different addresses) is a hard
> requirement.
>
> Thanks in advance,
> Bill Herrin
>
> --
> William Herrin
> b...@herrin.us
> 
> https://bill.herrin.us/
>


Re: VPN recommendations?

2022-02-10 Thread Mel Beckman
We use SonicWall TZ series for just this purpose. The IPSec VPN endpoints can 
be behind NAT, and we just use DYNDNS to map whatever is current to a FQDN. 
Each side thus has the public IP of the other side and can connect as long as 
you pass through GRE.

-mel via cell

On Feb 10, 2022, at 1:05 PM, Matt Harris  wrote:


Matt Harris | Infrastructure Lead
816-256-5446 | Direct
Looking for help?
Helpdesk | Email Support
We build customized end-to-end technology solutions powered by NetFire Cloud.
On Thu, Feb 10, 2022 at 12:03 PM William Herrin <b...@herrin.us> wrote:
Hi folks,

Do you have any recommendations for VPN appliances? Specifically: I need to 
build a site to site VPNs at speeds between 100mpbs and 1 gbit where all but 
one of the sites are behind an IPv4 NAT gateway with dynamic public IP 
addresses.

Normally I'd throw OpenVPN on a couple of Linux boxes and be happy but my 
customer insists on a network appliance. Site to site VPNs using IPSec and 
static IP addresses on the plaintext side are a dime a dozen but traversing NAT 
and dynamic IP addresses (and automatically re-establishing when the service 
goes out and comes back up with different addresses) is a hard requirement.

For OpenVPN, I like the Netgate boxes running pfsense. Works great, super easy 
integrations with stuff like AC/LDAP/radius/etc for auth, frr and others for 
your routing, etc. This is probably your best bet.

For IPSec I tend to stick to Juniper SRX boxes.

Good luck!



Re: VPN recommendations?

2022-02-10 Thread Matt Harris

Matt Harris|Infrastructure Lead
816-256-5446|Direct
Looking for help?
Helpdesk|Email Support
We build customized end-to-end technology solutions powered by NetFire Cloud.
On Thu, Feb 10, 2022 at 12:03 PM William Herrin  wrote:

> Hi folks,
>
> Do you have any recommendations for VPN appliances? Specifically: I need
> to build a site to site VPNs at speeds between 100mpbs and 1 gbit where all
> but one of the sites are behind an IPv4 NAT gateway with dynamic public IP
> addresses.
>
> Normally I'd throw OpenVPN on a couple of Linux boxes and be happy but my
> customer insists on a network appliance. Site to site VPNs using IPSec and
> static IP addresses on the plaintext side are a dime a dozen but traversing
> NAT and dynamic IP addresses (and automatically re-establishing when the
> service goes out and comes back up with different addresses) is a hard
> requirement.
>

For OpenVPN, I like the Netgate boxes running pfsense. Works great, super
easy integrations with stuff like AC/LDAP/radius/etc for auth, frr and
others for your routing, etc. This is probably your best bet.

For IPSec I tend to stick to Juniper SRX boxes.

Good luck!


Re: VPN recommendations?

2022-02-10 Thread Sabri Berisha
- On Feb 10, 2022, at 10:17 AM, nanog nanog@nanog.org wrote:

Hi,

> Meraki MX series?

I read on some mailing list that Meraki likes to ping 8.8.8.8 every
second... :)

Thanks,

Sabri


Re: VPN recommendations?

2022-02-10 Thread Tom Beecher
>
> (your license runs out, the box is a paper-weight)


Should be a hard no for anyone purchasing network equipment anyways, but
people have reasons I guess.

On Thu, Feb 10, 2022 at 1:19 PM Shawn L via NANOG  wrote:

> Meraki MX series?
>
>
>
> I don't like the way they do their licensing (your license runs out, the
> box is a paper-weight) but they do really well at establishing site-to-site
> VPNs in some pretty challenging scenarios.  Dynamic IPs and NATs don't
> really cause them a problem.  Some CGNats do (AT&T I'm looking at you).
>
>
>
>
>
> Shawn
>
>
>
> -Original Message-
> From: "Keith Stokes" 
> Sent: Thursday, February 10, 2022 1:11pm
> To: "William Herrin" 
> Cc: "nanog@nanog.org" 
> Subject: Re: VPN recommendations?
>
> Pfsense on Netgate appliances?
> I’ve used several of them, while not for this exact purpose they have done
> the roles but maybe not the amount of VPN traffic.
>
> --
> Keith Stokes
> SalonBiz, Inc
>
> On Feb 10, 2022, at 12:02 PM, William Herrin  wrote:
>
> Hi folks,
> Do you have any recommendations for VPN appliances? Specifically: I need
> to build a site to site VPNs at speeds between 100mpbs and 1 gbit where all
> but one of the sites are behind an IPv4 NAT gateway with dynamic public IP
> addresses.
> Normally I'd throw OpenVPN on a couple of Linux boxes and be happy but my
> customer insists on a network appliance. Site to site VPNs using IPSec and
> static IP addresses on the plaintext side are a dime a dozen but traversing
> NAT and dynamic IP addresses (and automatically re-establishing when the
> service goes out and comes back up with different addresses) is a hard
> requirement.
> Thanks in advance,
> Bill Herrin
>
> --
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/
>
>


Re: VPN recommendations?

2022-02-10 Thread Ander Punnar
On Thu, 10 Feb 2022 10:55:40 -0800, William Herrin wrote:
> My understanding is that Wireguard is software available for general
> purpose operating systems. I specifically need a set of hardware
> network appliances.

MikroTik (hardware) RouterOS (software) version 7 has WireGuard:

https://help.mikrotik.com/docs/display/ROS/WireGuard




Re: VPN recommendations?

2022-02-10 Thread Mark Wiater
I don't know of a specific document speaking to this, but this doc I 
think describes it right.


https://securitynetworkinglinux.wordpress.com/2019/04/19/how-create-a-site-to-site-ipsec-vpn-from-an-opnsense-to-a-fortigate-behind-a-nat-router/

In section 2.3 is where you change My Identifier to be the NATted non-RFC1918 
IP that the right side will see.


On 2/10/2022 1:55 PM, William Herrin wrote:
> On Thu, Feb 10, 2022 at 10:47 AM Juri Grabowski  wrote:
>> Or buy official supported hardware from https://shop.opnsense.com/
>
> Howdy,
>
> Opnsense looks like it might work. I dug through some of the
> documentation but didn't find something entirely on point for my use
> case. Are you aware of any documentation which describes:
>
> LAN - OPNSense Appliance - (rfc1918) NAT Appliance (dynamic IP) -
> Internet - (static IP) OPNSense appliance - LAN
>
> Where the left-side OPNSense is responsible for establishing and
> keeping the NAT translations alive without any special configuration
> on the NAT?
>
> Thanks,
> Bill






RE: VPN recommendations?

2022-02-10 Thread James R. Price
I’ll second PFsense, done quite a bit of this in hub and spoke topologies, 
spokes being behind NAT (provided the upstream fw allows UDP 500/4500), on a 
dynamic.  The hub or hubs are ideally on a static. Set the hub site up as 
responder only, the remotes initiate the tunnel.  Peers are validated either by 
dynamic name or you simply allow peers sourcing from 0.0.0.0 at the hub site.

This is not limited to PF, I’ve gotten this to work on Cisco firewalls, 
routers, and other Linux based firewalls.

From: NANOG  On Behalf Of 
William Herrin
Sent: Thursday, February 10, 2022 12:02 PM
To: nanog@nanog.org
Subject: VPN recommendations?

Hi folks,

Do you have any recommendations for VPN appliances? Specifically: I need to 
build a site to site VPNs at speeds between 100mpbs and 1 gbit where all but 
one of the sites are behind an IPv4 NAT gateway with dynamic public IP 
addresses.

Normally I'd throw OpenVPN on a couple of Linux boxes and be happy but my 
customer insists on a network appliance. Site to site VPNs using IPSec and 
static IP addresses on the plaintext side are a dime a dozen but traversing NAT 
and dynamic IP addresses (and automatically re-establishing when the service 
goes out and comes back up with different addresses) is a hard requirement.

Thanks in advance,
Bill Herrin

--
William Herrin
b...@herrin.us

https://bill.herrin.us/
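The hub-and-spoke arrangement James describes (static hub as responder only, NATted spokes on dynamic addresses initiating, NAT-T on UDP 500/4500, peers validated by name) written out as an added strongSwan swanctl.conf example. This is not from the thread nor from any of the appliances named in it; the addresses, hostnames, identities and certificate file names are constructed placeholders.

```conf
# --- Hub side: /etc/swanctl/conf.d/hub.conf (static public IP, constructed 198.51.100.1)
connections {
    spokes {
        version      = 2
        local_addrs  = 198.51.100.1
        remote_addrs = %any               # spokes arrive from whatever NAT address they have today
        proposals    = aes256gcm16-prfsha384-ecp384
        dpd_delay    = 30s                # notice a spoke whose uplink went away and free its SA
        local {
            auth  = pubkey
            certs = hub.pem
            id    = hub.example.net       # constructed identity that every spoke checks
        }
        remote {
            auth    = pubkey
            cacerts = spokes-ca.pem       # any certificate issued by this CA is a valid spoke;
                                          # add an id = ... per spoke for tighter matching
        }
        children {
            spoke-nets {
                local_ts      = 10.0.0.0/16   # hub LAN (constructed)
                remote_ts     = 10.0.0.0/8    # narrowed to each spoke's own LAN by IKEv2 TS narrowing
                esp_proposals = aes256gcm16-ecp384
                # no start_action: the hub never initiates, it only responds
            }
        }
    }
}

# --- Spoke side: /etc/swanctl/conf.d/spoke1.conf (RFC1918 address behind a NAT with a dynamic public IP)
connections {
    hub {
        version      = 2
        remote_addrs = hub.example.net    # hostname, resolved again on every retry
        proposals    = aes256gcm16-prfsha384-ecp384
        keyingtries  = 0                  # retry forever while the uplink is down or re-addressing
        dpd_delay    = 30s
        encap        = yes                # always use UDP/4500 encapsulation, even if NAT detection is fooled
        local {
            auth  = pubkey
            certs = spoke1.pem
            id    = spoke1.example.net    # the "dynamic name" the hub validates, independent of the NAT address
        }
        remote {
            auth    = pubkey
            id      = hub.example.net
            cacerts = hub-ca.pem
        }
        children {
            net {
                local_ts      = 10.1.0.0/16   # this spoke's LAN (constructed)
                remote_ts     = 10.0.0.0/16
                esp_proposals = aes256gcm16-ecp384
                start_action  = start         # bring the tunnel up at daemon start, not on first packet
                dpd_action    = start         # hub stopped answering: renegotiate from the new public address
                close_action  = start         # hub deleted the SA (e.g. hub reboot): come straight back
            }
        }
    }
}
```

The NAT binding itself is kept alive by charon's NAT-T keepalives (charon.keep_alive in strongswan.conf, 20s by default), which is what lets the spoke keep receiving the hub's DPD and rekey traffic without any configuration on the NAT.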


Re: VPN recommendations?

2022-02-10 Thread William Herrin
On Thu, Feb 10, 2022 at 10:55 AM William Herrin  wrote:
> My understanding is that Wireguard is software available for general
> purpose operating systems. I specifically need a set of hardware
> network appliances. I don't overly care which protocol they're running
> as long as an initiator stuck behind a nat box I don't control can
> maintain a connection with a hub and handle speeds in the 100mbps to
> 10gbps.

That was supposed to be 1gbps. I don't need over 1gbps for this use case.

Regards,
Bill Herrin


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: VPN recommendations?

2022-02-10 Thread William Herrin
On Thu, Feb 10, 2022 at 10:04 AM David Guo  wrote:
> You may try WireGuard and use ddns

Hi David,

My understanding is that Wireguard is software available for general
purpose operating systems. I specifically need a set of hardware
network appliances. I don't overly care which protocol they're running
as long as an initiator stuck behind a nat box I don't control can
maintain a connection with a hub and handle speeds in the 100mbps to
10gbps.

On Thu, Feb 10, 2022 at 10:12 AM Mike Lyon  wrote:
> How about running ZeroTier on those Linux boxes and call it a day?
> https://www.zerotier.com/

I specifically cannot use general purpose Linux machines for this. I
need network appliances.


On Thu, Feb 10, 2022 at 10:26 AM Dave Taht  wrote:
> tailscale

I specifically need an integrated network appliance, not software I
add to something.

I love my Linux-based VPN servers but my customer very specifically
said no. I can't publicly explain why but trust me when I say it's a
"hard no" and it's not a question of persuasion or education. My
customer understands and likes Linux but he simply cannot use it this
time.

Regards,
Bill Herrin


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: VPN recommendations?

2022-02-10 Thread William Herrin
On Thu, Feb 10, 2022 at 10:47 AM Juri Grabowski  wrote:
> Or buy official supported hardware from https://shop.opnsense.com/

Howdy,

Opnsense looks like it might work. I dug through some of the
documentation but didn't find something entirely on point for my use
case. Are you aware of any documentation which describes:

LAN - OPNSense Appliance - (rfc1918) NAT Appliance (dynamic IP) -
Internet - (static IP) OPNSense appliance - LAN

Where the left-side OPNSense is responsible for establishing and
keeping the NAT translations alive without any special configuration
on the NAT?

Thanks,
Bill


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: VPN recommendations?

2022-02-10 Thread William Herrin
On Thu, Feb 10, 2022 at 10:18 AM Shawn L  wrote:
> Meraki MX series? Dynamic IPs and NATs don't really cause them a problem.  
> Some CGNats do (AT&T I'm looking at you).

Thanks Shawn,

The documentation I found at
https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings
suggests that the NAT firewall has to be explicitly configured to
deliver UDP 500/4500 to the Meraki behind it. Are you aware of any
documentation that describes:

LAN - Meraki - NAT (dynamic IP) - Internet - (static IP) Meraki - LAN

Where the left-side Meraki is responsible for establishing and keeping
the NAT translations alive without any special configuration on the
NAT?

Regards,
Bill


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: VPN recommendations?

2022-02-10 Thread William Herrin
On Thu, Feb 10, 2022 at 10:06 AM Guillaume Tournat  wrote:
> Fortinet firewalls (FortiGate) are a great deal

Thanks Guillaume,

I found this 
https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPsec-VPN-between-static-and-dynamic-IP-FQDN/ta-p/191815
but it suggests that the dynamic IP fortigate expects to have a public
dynamic IP directly on the Fortigate, not be stuck behind a NAT.

Are you aware of any documentation that describes:

LAN - Fortigate - NAT (dynamic IP) - Internet - (static IP) Fortigate - LAN

Where the Meraki is responsible for keeping the NAT translations alive
without any programming on the NAT?

Regards,
Bill


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: VPN recommendations?

2022-02-10 Thread joy

Hello NANOG,

My name is Joy Larkin and I'm actually a long-time years-long lurker on 
the NANOG list (I have v odd hobbies) and I am also ZeroTier's Head of 
Marketing. I know I'm not supposed to be too promotional on here, but 
I'd love to see some of you pick up ZT.


Our founder, Adam Ierymenko just did a talk at Networking Field Day 27, 
here are two of the recordings from that session:


* ZeroTier The Planetary Data Center: https://www.youtube.com/watch?v=T2BbrqpnMAE

* ZeroTier Technical Deep Dive: https://www.youtube.com/watch?v=VhQ30bVF3_s

If you have questions, let me know - you can reach me at 
joy.lar...@zerotier.com


Best,
-Joy

On 2022-02-10 10:12, Mike Lyon wrote:

How about running ZeroTier on those Linux boxes and call it a day?

https://www.zerotier.com/

-Mike


On Feb 10, 2022, at 10:07, David Guo via NANOG wrote:

You may try WireGuard and use ddns

From: NANOG  On Behalf Of
William Herrin
Sent: Friday, February 11, 2022 2:02 AM
To: nanog@nanog.org
Subject: VPN recommendations?

Hi folks,

Do you have any recommendations for VPN appliances? Specifically: I
need to build a site to site VPNs at speeds between 100mpbs and 1
gbit where all but one of the sites are behind an IPv4 NAT gateway
with dynamic public IP addresses.

Normally I'd throw OpenVPN on a couple of Linux boxes and be happy
but my customer insists on a network appliance. Site to site VPNs
using IPSec and static IP addresses on the plaintext side are a dime
a dozen but traversing NAT and dynamic IP addresses (and
automatically re-establishing when the service goes out and comes
back up with different addresses) is a hard requirement.

Thanks in advance,

Bill Herrin

--

William Herrin

b...@herrin.us

https://bill.herrin.us/


Re: VPN recommendations?

2022-02-10 Thread David Bass
If you want something gui driven I’d do something like Meraki…you can do
the same with just regular old Cisco routers using DMVPN as well.  It’s a
pretty common use case and well established.

On Thu, Feb 10, 2022 at 1:03 PM William Herrin  wrote:

> Hi folks,
>
> Do you have any recommendations for VPN appliances? Specifically: I need
> to build a site to site VPNs at speeds between 100mpbs and 1 gbit where all
> but one of the sites are behind an IPv4 NAT gateway with dynamic public IP
> addresses.
>
> Normally I'd throw OpenVPN on a couple of Linux boxes and be happy but my
> customer insists on a network appliance. Site to site VPNs using IPSec and
> static IP addresses on the plaintext side are a dime a dozen but traversing
> NAT and dynamic IP addresses (and automatically re-establishing when the
> service goes out and comes back up with different addresses) is a hard
> requirement.
>
> Thanks in advance,
> Bill Herrin
>
>
> --
> William Herrin
> b...@herrin.us
> 
> https://bill.herrin.us/
>


Re: VPN recommendations?

2022-02-10 Thread Phineas Walton
Wireguard is the way to go. No platform lock-in, encrypted, extremely
lightweight and an easy to configure kernel module. Only drawback being
that there’s no implemented mesh topology, but that doesn’t sound like a
requirement for your use case. We actively push 8Gbit through our WG
tunnels with no issues.

Phin

On Thu, Feb 10, 2022 at 6:26 PM Dave Taht  wrote:

> tailscale
>
> On Thu, Feb 10, 2022 at 10:24 AM Mark Wiater 
> wrote:
> >
> > pfsense and opnsense both do fine with natted ipsec in the environments
> i've tested.
> >
> > Isn't there an openvpn appliance too?
> >
> > On 2/10/2022 1:17 PM, Shawn L via NANOG wrote:
> >
> > Meraki MX series?
> >
> >
> >
> > I don't like the way they do their licensing (your license runs out, the
> box is a paper-weight) but they do really well at establishing site-to-site
> VPNs in some pretty challenging scenarios.  Dynamic IPs and NATs don't
> really cause them a problem.  Some CGNats do (AT&T I'm looking at you).
> >
> >
> >
> >
> >
> > Shawn
> >
> >
> >
> > -Original Message-
> > From: "Keith Stokes" 
> > Sent: Thursday, February 10, 2022 1:11pm
> > To: "William Herrin" 
> > Cc: "nanog@nanog.org" 
> > Subject: Re: VPN recommendations?
> >
> > Pfsense on Netgate appliances?
> > I’ve used several of them, while not for this exact purpose they have
> done the roles but maybe not the amount of VPN traffic.
> >
> > --
> > Keith Stokes
> > SalonBiz, Inc
> >
> > On Feb 10, 2022, at 12:02 PM, William Herrin  wrote:
> >
> > Hi folks,
> > Do you have any recommendations for VPN appliances? Specifically: I need
> to build a site to site VPNs at speeds between 100mpbs and 1 gbit where all
> but one of the sites are behind an IPv4 NAT gateway with dynamic public IP
> addresses.
> > Normally I'd throw OpenVPN on a couple of Linux boxes and be happy but
> my customer insists on a network appliance. Site to site VPNs using IPSec
> and static IP addresses on the plaintext side are a dime a dozen but
> traversing NAT and dynamic IP addresses (and automatically re-establishing
> when the service goes out and comes back up with different addresses) is a
> hard requirement.
> > Thanks in advance,
> > Bill Herrin
> >
> > --
> > William Herrin
> > b...@herrin.us
> > https://bill.herrin.us/
> >
> >
>
>
> --
> I tried to build a better future, a few times:
> https://wayforward.archive.org/?site=https%3A%2F%2Fwww.icei.org
>
> Dave Täht CEO, TekLibre, LLC
>


Re: VPN recommendations?

2022-02-10 Thread Dave Taht
tailscale

On Thu, Feb 10, 2022 at 10:24 AM Mark Wiater  wrote:
>
> pfsense and opnsense both do fine with natted ipsec in the environments i've 
> tested.
>
> Isn't there an openvpn appliance too?
>
> On 2/10/2022 1:17 PM, Shawn L via NANOG wrote:
>
> Meraki MX series?
>
>
>
> I don't like the way they do their licensing (your license runs out, the box 
> is a paper-weight) but they do really well at establishing site-to-site VPNs 
> in some pretty challenging scenarios.  Dynamic IPs and NATs don't really 
> cause them a problem.  Some CGNats do (AT&T I'm looking at you).
>
>
>
>
>
> Shawn
>
>
>
> -Original Message-
> From: "Keith Stokes" 
> Sent: Thursday, February 10, 2022 1:11pm
> To: "William Herrin" 
> Cc: "nanog@nanog.org" 
> Subject: Re: VPN recommendations?
>
> Pfsense on Netgate appliances?
> I’ve used several of them, while not for this exact purpose they have done 
> the roles but maybe not the amount of VPN traffic.
>
> --
> Keith Stokes
> SalonBiz, Inc
>
> On Feb 10, 2022, at 12:02 PM, William Herrin  wrote:
>
> Hi folks,
> Do you have any recommendations for VPN appliances? Specifically: I need to 
> build a site to site VPNs at speeds between 100mpbs and 1 gbit where all but 
> one of the sites are behind an IPv4 NAT gateway with dynamic public IP 
> addresses.
> Normally I'd throw OpenVPN on a couple of Linux boxes and be happy but my 
> customer insists on a network appliance. Site to site VPNs using IPSec and 
> static IP addresses on the plaintext side are a dime a dozen but traversing 
> NAT and dynamic IP addresses (and automatically re-establishing when the 
> service goes out and comes back up with different addresses) is a hard 
> requirement.
> Thanks in advance,
> Bill Herrin
>
> --
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/
>
>


-- 
I tried to build a better future, a few times:
https://wayforward.archive.org/?site=https%3A%2F%2Fwww.icei.org

Dave Täht CEO, TekLibre, LLC


Re: VPN recommendations?

2022-02-10 Thread Mark Wiater
pfsense and opnsense both do fine with natted ipsec in the environments 
i've tested.


Isn't there an openvpn appliance too?

On 2/10/2022 1:17 PM, Shawn L via NANOG wrote:


Meraki MX series?

I don't like the way they do their licensing (your license runs out, 
the box is a paper-weight) but they do really well at establishing 
site-to-site VPNs in some pretty challenging scenarios. Dynamic IPs 
and NATs don't really cause them a problem.  Some CGNats do (AT&T I'm 
looking at you).


Shawn

-Original Message-
From: "Keith Stokes" 
Sent: Thursday, February 10, 2022 1:11pm
To: "William Herrin" 
Cc: "nanog@nanog.org" 
Subject: Re: VPN recommendations?

Pfsense on Netgate appliances?
I’ve used several of them, while not for this exact purpose they have 
done the roles but maybe not the amount of VPN traffic.


--
Keith Stokes
SalonBiz, Inc

On Feb 10, 2022, at 12:02 PM, William Herrin  wrote:

Hi folks,
Do you have any recommendations for VPN appliances? Specifically:
I need to build a site to site VPNs at speeds between 100mpbs and
1 gbit where all but one of the sites are behind an IPv4 NAT
gateway with dynamic public IP addresses.
Normally I'd throw OpenVPN on a couple of Linux boxes and be happy
but my customer insists on a network appliance. Site to site VPNs
using IPSec and static IP addresses on the plaintext side are a
dime a dozen but traversing NAT and dynamic IP addresses (and
automatically re-establishing when the service goes out and comes
back up with different addresses) is a hard requirement.
Thanks in advance,
Bill Herrin

--
William Herrin
b...@herrin.us
https://bill.herrin.us/



Re: VPN recommendations?

2022-02-10 Thread Shawn L via NANOG

Meraki MX series?
 
I don't like the way they do their licensing (your license runs out, the box is 
a paper-weight) but they do really well at establishing site-to-site VPNs in 
some pretty challenging scenarios.  Dynamic IPs and NATs don't really cause 
them a problem.  Some CGNats do (AT&T I'm looking at you).
 
 
Shawn
 
-Original Message-
From: "Keith Stokes" 
Sent: Thursday, February 10, 2022 1:11pm
To: "William Herrin" 
Cc: "nanog@nanog.org" 
Subject: Re: VPN recommendations?


Pfsense on Netgate appliances?
I’ve used several of them, while not for this exact purpose they have done the 
roles but maybe not the amount of VPN traffic. 


--
Keith Stokes
SalonBiz, Inc

On Feb 10, 2022, at 12:02 PM, William Herrin <b...@herrin.us> wrote:




Hi folks,
Do you have any recommendations for VPN appliances? Specifically: I need to 
build a site to site VPNs at speeds between 100mpbs and 1 gbit where all but 
one of the sites are behind an IPv4 NAT gateway with dynamic public IP 
addresses.
Normally I'd throw OpenVPN on a couple of Linux boxes and be happy but my 
customer insists on a network appliance. Site to site VPNs using IPSec and 
static IP addresses on the plaintext side are a dime a dozen but traversing NAT 
and dynamic IP addresses (and automatically re-establishing when the service 
goes out and comes back up with different addresses) is a hard requirement.
Thanks in advance,
Bill Herrin
--
William Herrin
b...@herrin.us
https://bill.herrin.us/

Re: VPN recommendations?

2022-02-10 Thread Mike Lyon
How about running ZeroTier on those Linux boxes and call it a day?

https://www.zerotier.com/

-Mike


> On Feb 10, 2022, at 10:07, David Guo via NANOG  wrote:
> 
> 
> You may try WireGuard and use ddns
>  
> From: NANOG  On Behalf Of William 
> Herrin
> Sent: Friday, February 11, 2022 2:02 AM
> To: nanog@nanog.org
> Subject: VPN recommendations?
>  
> Hi folks,
>  
> Do you have any recommendations for VPN appliances? Specifically: I need to 
> build a site to site VPNs at speeds between 100mpbs and 1 gbit where all but 
> one of the sites are behind an IPv4 NAT gateway with dynamic public IP 
> addresses.
>  
> Normally I'd throw OpenVPN on a couple of Linux boxes and be happy but my 
> customer insists on a network appliance. Site to site VPNs using IPSec and 
> static IP addresses on the plaintext side are a dime a dozen but traversing 
> NAT and dynamic IP addresses (and automatically re-establishing when the 
> service goes out and comes back up with different addresses) is a hard 
> requirement.
>  
> Thanks in advance,
> Bill Herrin
> 
> --
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/


Re: VPN recommendations?

2022-02-10 Thread Keith Stokes
Pfsense on Netgate appliances?

I’ve used several of them, while not for this exact purpose they have done the 
roles but maybe not the amount of VPN traffic.


--

Keith Stokes
SalonBiz, Inc



On Feb 10, 2022, at 12:02 PM, William Herrin <b...@herrin.us> wrote:

Hi folks,

Do you have any recommendations for VPN appliances? Specifically: I need to 
build a site to site VPNs at speeds between 100mpbs and 1 gbit where all but 
one of the sites are behind an IPv4 NAT gateway with dynamic public IP 
addresses.

Normally I'd throw OpenVPN on a couple of Linux boxes and be happy but my 
customer insists on a network appliance. Site to site VPNs using IPSec and 
static IP addresses on the plaintext side are a dime a dozen but traversing NAT 
and dynamic IP addresses (and automatically re-establishing when the service 
goes out and comes back up with different addresses) is a hard requirement.

Thanks in advance,
Bill Herrin

--
William Herrin
b...@herrin.us

https://bill.herrin.us/


RE: VPN recommendations?

2022-02-10 Thread David Guo via NANOG
You may try WireGuard and use ddns

From: NANOG  On Behalf Of William Herrin
Sent: Friday, February 11, 2022 2:02 AM
To: nanog@nanog.org
Subject: VPN recommendations?

Hi folks,

Do you have any recommendations for VPN appliances? Specifically: I need to 
build a site to site VPNs at speeds between 100mpbs and 1 gbit where all but 
one of the sites are behind an IPv4 NAT gateway with dynamic public IP 
addresses.

Normally I'd throw OpenVPN on a couple of Linux boxes and be happy but my 
customer insists on a network appliance. Site to site VPNs using IPSec and 
static IP addresses on the plaintext side are a dime a dozen but traversing NAT 
and dynamic IP addresses (and automatically re-establishing when the service 
goes out and comes back up with different addresses) is a hard requirement.

Thanks in advance,
Bill Herrin

--
William Herrin
b...@herrin.us

https://bill.herrin.us/