Author Topic: Thoughts on Dynamic Mesh VPNs  (Read 1060 times)

factorial
Thoughts on Dynamic Mesh VPNs
« on: May 05, 2021, 02:54:11 PM »

I have 3 sites and 2 dedicated servers, but want to create a centralised DMVPN-style setup. The question is how to achieve it:

Each site:
- has 2 internet connections: FTTC and 5G. Connections should failover instantly at the very least, but bonded is ideal.
- future-proofed to be capable of handling full 1 Gbps connections at wire speed.
- independently access the Internet, so the default route is via the ISP
- be part of a dynamic routing setup to allow anything in the DMZ VPN to be routable over an encrypted network
- Each site has a rack with a Proxmox server, with spare capacity

Dedicated Servers:
- 2 networks, one public, one DMZ that allows all management via the DMZ VPN. I do not want to route general traffic through them.
- They are proxmox servers, with spare capacity

My question
I'm at a crossroads - I want to create a dynamic routing solution over a mesh of VPNs between the sites, so each site is accessible to each other, but not a single broadcast domain. I can think of 3 solutions, but open to ideas:

1. Tinc. Tinc is super easy to configure, but performance leaves me a bit wanting. Also, it can't seem to handle asymmetrical bonded connections and failover is based on STP which isn't fast enough.

2. DMVPN. This can only be used by Teltonika, Cisco and VyOS routers, but seems pretty good, using NHRP, iBGP and mGRE. Given the requirement for using the router on the dedicated servers, needing to be a VM (which would probably be the hubs), I'd probably lean towards the VyOS side as Cisco virtual routers are $$$. However, VyOS while great for routing capability, isn't particularly good as a firewall - is there something that is? This will make use of ECMP for the bonding which also works.

3. WireGuard and OSPF. A more modern solution, but WireGuard, while it has a mesh configurator, is still a little 'beta'-like for managing a mesh VPN. But much faster than tinc. OSPF will failover easily, and I can also use my preferred solution, OPNsense, although I'm not entirely sure how to ensure the ECMP bonding between the WANs, as both WG and OSPF are plugins.

4. Mikrotik CHR and routers with EoIP/IPSec and whatever underneath or VyOS and EdgeRouters. While this vendor-locks into Mikrotik or EdgeRouter, this is also an option.

It doesn't have to be 100% open source, but if commercial, 'reasonably priced'. However, I just wanted to ask what would you choose? And is the solution capable of transferring at gigabit wire speed? Can it handle multiple WANs? Is it easy to manage?
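The two ways option 3 can be laid out differ mainly in who owns the routing table: a single WireGuard interface whose `AllowedIPs` entries act as static routes, or one interface per peer with `AllowedIPs` wide open so that OSPF running on the tunnels decides. The generator below renders both layouts for the same five-node topology (three sites, two dedicated servers) and checks that no two sites advertise overlapping subnets, the failure that a routed mesh will not report on its own. This is an added example, not code from the original post or from any of the projects named in it; every key, hostname and subnet is a constructed placeholder, and the per-peer port scheme in `render_ospf_interfaces` is a convention chosen here, not a WireGuard rule.

```python
"""WireGuard full-mesh config generator (added example, not from the post).
Renders a static cryptokey-routed mesh and a per-peer layout for OSPF.
All keys, hostnames and subnets are constructed placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Site:
    name: str
    public_key: str   # placeholder, not a real key: use `wg genkey | tee priv | wg pubkey`
    host: str         # DNS name or IP reachable on the site's primary WAN
    tunnel_ip: str    # this site's address inside the overlay, e.g. 10.255.0.1
    lans: List[str]   # site subnets the other sites must be able to reach


BASE_PORT = 51820

# Constructed sample topology: three sites plus two dedicated servers.
SITES: List[Site] = [
    Site("site-a", "<PUBKEY_A>", "a.example.net", "10.255.0.1", ["192.168.10.0/24"]),
    Site("site-b", "<PUBKEY_B>", "b.example.net", "10.255.0.2", ["192.168.20.0/24"]),
    Site("site-c", "<PUBKEY_C>", "c.example.net", "10.255.0.3", ["192.168.30.0/24"]),
    Site("dedi-1", "<PUBKEY_D1>", "dedi1.example.net", "10.255.0.4", ["10.10.1.0/24"]),
    Site("dedi-2", "<PUBKEY_D2>", "dedi2.example.net", "10.255.0.5", ["10.10.2.0/24"]),
]


def check_no_overlap(sites: List[Site]) -> List[Tuple[str, str, str, str]]:
    """Return (site, site, net, net) tuples whose prefixes overlap. A routed mesh
    needs unique subnets; an overlap silently makes one site's LAN unreachable."""
    nets = [(s.name, ipaddress.ip_network(n)) for s in sites for n in s.lans]
    nets += [(s.name, ipaddress.ip_network(f"{s.tunnel_ip}/32")) for s in sites]
    problems = []
    for i, (n1, a) in enumerate(nets):
        for n2, b in nets[i + 1:]:
            if n1 != n2 and a.overlaps(b):
                problems.append((n1, n2, str(a), str(b)))
    return problems


def _peer_block(peer: Site, endpoint_port: int, allowed: List[str]) -> str:
    return "\n".join([
        "[Peer]",
        f"# {peer.name}",
        f"PublicKey = {peer.public_key}",
        f"Endpoint = {peer.host}:{endpoint_port}",
        f"AllowedIPs = {', '.join(allowed)}",
        "PersistentKeepalive = 25",   # keeps NAT/CGNAT mappings on the 5G WAN alive
        "",
    ])


def render_static_mesh(sites: List[Site], me: Site) -> str:
    """One wg0 with every other site as a peer. AllowedIPs (cryptokey routing)
    doubles as the routing table, so no routing daemon is involved."""
    lines = [
        "[Interface]",
        f"Address = {me.tunnel_ip}/24",
        f"ListenPort = {BASE_PORT}",
        f"PrivateKey = <PRIVATE_KEY_OF_{me.name}>",
        "",
    ]
    for peer in sites:
        if peer.name != me.name:
            lines.append(_peer_block(peer, BASE_PORT, [f"{peer.tunnel_ip}/32", *peer.lans]))
    return "\n".join(lines)


def render_ospf_interfaces(sites: List[Site], me: Site) -> Dict[str, str]:
    """One interface per remote peer, keyed by interface name. Port convention
    (chosen here): X listens for Y on BASE_PORT + index(Y), so X's endpoint for Y
    is Y.host:BASE_PORT + index(X). AllowedIPs is open and Table = off keeps
    wg-quick from installing routes; OSPF on these interfaces supplies them."""
    index = {s.name: i for i, s in enumerate(sites)}
    configs: Dict[str, str] = {}
    for peer in sites:
        if peer.name == me.name:
            continue
        header = "\n".join([
            "[Interface]",
            f"Address = {me.tunnel_ip}/32",
            f"ListenPort = {BASE_PORT + index[peer.name]}",
            "Table = off",
            f"PrivateKey = <PRIVATE_KEY_OF_{me.name}>",
            "",
        ])
        configs[f"wg-{peer.name}"] = header + _peer_block(
            peer, BASE_PORT + index[me.name], ["0.0.0.0/0"])
    return configs
```

Run `check_no_overlap(SITES)` before rendering anything; it should return an empty list. For the OSPF layout each generated interface is a point-to-point link, so the OSPF daemon (FRR's `ip ospf network point-to-point` on each `wg-*` interface) should treat it as such; the open `AllowedIPs` also lets the OSPF multicast hellos through the tunnel. The static layout is the one to pick if the goal is only site-to-site reachability without a dynamic failover story; the OSPF layout is what lets the tunnels over the FTTC and 5G WANs be treated as separate links with their own costs.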