VPN recommendations?

Phineas Walton phin at phineas.io
Thu Feb 10 18:34:29 UTC 2022


WireGuard is the way to go. No platform lock-in, encrypted, extremely
lightweight and an easy-to-configure kernel module. Only drawback being
that there’s no implemented mesh topology, but that doesn’t sound like a
requirement for your use case. We actively push 8Gbit through our WG
tunnels with no issues.

Phin

On Thu, Feb 10, 2022 at 6:26 PM Dave Taht <dave.taht at gmail.com> wrote:

> tailscale
>
> On Thu, Feb 10, 2022 at 10:24 AM Mark Wiater <mark.wiater at greybeam.com>
> wrote:
> >
> > pfsense and opnsense both do fine with natted ipsec in the environments
> I've tested.
> >
> > Isn't there an openvpn appliance too?
> >
> > On 2/10/2022 1:17 PM, Shawn L via NANOG wrote:
> >
> > Meraki MX series?
> >
> >
> >
> > I don't like the way they do their licensing (your license runs out, the
> box is a paper-weight) but they do really well at establishing site-to-site
> VPNs in some pretty challenging scenarios.  Dynamic IPs and NATs don't
> really cause them a problem.  Some CGNats do (AT&T I'm looking at you).
> >
> >
> >
> >
> >
> > Shawn
> >
> >
> >
> > -----Original Message-----
> > From: "Keith Stokes" <keiths at salonbiz.com>
> > Sent: Thursday, February 10, 2022 1:11pm
> > To: "William Herrin" <bill at herrin.us>
> > Cc: "nanog at nanog.org" <nanog at nanog.org>
> > Subject: Re: VPN recommendations?
> >
> > Pfsense on Netgate appliances?
> > I’ve used several of them, while not for this exact purpose they have
> done the roles but maybe not the amount of VPN traffic.
> >
> > --
> > Keith Stokes
> > SalonBiz, Inc
> >
> > On Feb 10, 2022, at 12:02 PM, William Herrin <bill at herrin.us> wrote:
> >
> > Hi folks,
> > Do you have any recommendations for VPN appliances? Specifically: I need
> to build site to site VPNs at speeds between 100mbps and 1 gbit where all
> but one of the sites are behind an IPv4 NAT gateway with dynamic public IP
> addresses.
> > Normally I'd throw OpenVPN on a couple of Linux boxes and be happy but
> my customer insists on a network appliance. Site to site VPNs using IPSec
> and static IP addresses on the plaintext side are a dime a dozen but
> traversing NAT and dynamic IP addresses (and automatically re-establishing
> when the service goes out and comes back up with different addresses) is a
> hard requirement.
> > Thanks in advance,
> > Bill Herrin
> >
> > --
> > William Herrin
> > bill at herrin.us
> > https://bill.herrin.us/
> >
> >
>
>
> --
> I tried to build a better future, a few times:
> https://wayforward.archive.org/?site=https%3A%2F%2Fwww.icei.org
>
> Dave Täht CEO, TekLibre, LLC
>