nanog mailing list archives

Re: VPN recommendations?


From: Phineas Walton <phin () phineas io>
Date: Thu, 10 Feb 2022 18:34:29 +0000

Wireguard is the way to go. No platform lock-in, encrypted, extremely
lightweight and an easy to configure kernel module. Only drawback being
that there’s no implemented mesh topology, but that doesn’t sound like a
requirement for your use case. We actively push 8Gbit through our WG
tunnels with no issues.

Phin
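For reference, an added example that is not taken from any message in this thread: a minimal WireGuard hub-and-spoke layout for the case described in the original question (one site with a static public address, every other site behind NAT with a dynamic address). The hostname, keys, tunnel addresses and LAN subnets are placeholders.

```ini
# ---- Hub site (the one site with a static public IPv4) ----
# File: /etc/wireguard/wg0.conf
# Generate real keys with:  wg genkey | tee privatekey | wg pubkey > publickey
# The hub needs net.ipv4.ip_forward=1 to relay traffic between spokes,
# since WireGuard itself has no mesh: spoke-to-spoke traffic goes via the hub.
[Interface]
Address = 10.250.0.1/24
ListenPort = 51820
PrivateKey = HUB_PRIVATE_KEY_PLACEHOLDER

# Spoke A sits behind NAT with a dynamic address, so no Endpoint is set here.
# WireGuard learns the spoke's current public address:port from the latest
# authenticated packet and follows it when the NAT address changes.
# AllowedIPs is also an ingress filter: decrypted packets from this peer whose
# source address is outside this list are dropped (cryptokey routing).
[Peer]
PublicKey = SPOKE_A_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.250.0.2/32, 192.168.10.0/24

[Peer]
PublicKey = SPOKE_B_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.250.0.3/32, 192.168.20.0/24

# ---- Spoke A (behind NAT, dynamic public address) ----
# File: /etc/wireguard/wg0.conf
# No ListenPort: a random source port is fine, only outbound initiation is needed.
[Interface]
Address = 10.250.0.2/24
PrivateKey = SPOKE_A_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey = HUB_PUBLIC_KEY_PLACEHOLDER
# The only static address in the design; DNS name resolved at interface start.
Endpoint = hub.example.net:51820
# Hub tunnel network plus the other site's LAN, reached through the hub.
AllowedIPs = 10.250.0.0/24, 192.168.20.0/24
# Keepalive every 25 s keeps the NAT mapping open so the hub can always reach
# this spoke, and triggers a fresh handshake after the spoke's address changes.
PersistentKeepalive = 25
```

Because the hub has no Endpoint for a spoke, it can only reach a spoke that has already sent it traffic; the spoke's PersistentKeepalive is what makes the tunnel self-healing after an outage or address change.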

On Thu, Feb 10, 2022 at 6:26 PM Dave Taht <dave.taht () gmail com> wrote:

tailscale

On Thu, Feb 10, 2022 at 10:24 AM Mark Wiater <mark.wiater () greybeam com>
wrote:

pfsense and opnsense both do fine with natted ipsec in the environments
I've tested.

Isn't there an openvpn appliance too?

On 2/10/2022 1:17 PM, Shawn L via NANOG wrote:

Meraki MX series?

I don't like the way they do their licensing (your license runs out, the
box is a paper-weight) but they do really well at establishing site-to-site
VPNs in some pretty challenging scenarios.  Dynamic IPs and NATs don't
really cause them a problem.  Some CGNats do (AT&T I'm looking at you).

Shawn

-----Original Message-----
From: "Keith Stokes" <keiths () salonbiz com>
Sent: Thursday, February 10, 2022 1:11pm
To: "William Herrin" <bill () herrin us>
Cc: "nanog () nanog org" <nanog () nanog org>
Subject: Re: VPN recommendations?

Pfsense on Netgate appliances?
I’ve used several of them, while not for this exact purpose they have
done the roles but maybe not the amount of VPN traffic.

--
Keith Stokes
SalonBiz, Inc

On Feb 10, 2022, at 12:02 PM, William Herrin <bill () herrin us> wrote:

Hi folks,
Do you have any recommendations for VPN appliances? Specifically: I need
to build site to site VPNs at speeds between 100mbps and 1 gbit where all
but one of the sites are behind an IPv4 NAT gateway with dynamic public IP
addresses.
Normally I'd throw OpenVPN on a couple of Linux boxes and be happy but
my customer insists on a network appliance. Site to site VPNs using IPSec
and static IP addresses on the plaintext side are a dime a dozen but
traversing NAT and dynamic IP addresses (and automatically re-establishing
when the service goes out and comes back up with different addresses) is a
hard requirement.
Thanks in advance,
Bill Herrin

--
William Herrin
bill () herrin us
https://bill.herrin.us/

--
I tried to build a better future, a few times:
https://wayforward.archive.org/?site=https%3A%2F%2Fwww.icei.org

Dave Täht CEO, TekLibre, LLC