Open source multipoint VPN with VyOS
Connected Mesh
Virtual private networks (VPNs) connect remote offices over the Internet. However, when the number of offices increases, so does the number of VPN tunnels. Scaling becomes important when connecting more than 10 offices, because many single tunnels result in a long and confusing configuration. Dynamic multipoint VPN (DMVPN) is a well-known Cisco solution that solves the scalability issue when building large VPNs.
Luckily, all DMVPN components have been open sourced. In this article, I show you how to set up a DMVPN with the VyOS Linux router distribution, which also can be used to improve, secure, or reduce the cost of an existing DMVPN network.
Intro to VPN
The collection of VPN software is large, and many implementations are open source, free of charge, and available for virtually every operating system. Usable bandwidth is much higher compared with a leased line or a multiprotocol label switching (MPLS) link at the same price, and big keys or certificates can achieve a high level of security.
This setup sounds great until it comes to scalability. Every VPN tunnel has two endpoints that need configuration – and don't forget the backup tunnel, which also needs to be prepared and tested.
When talking about six remote offices, the level of hands-on activity is acceptable. If every office needs direct communication with every other office, you would need 15 tunnels. If the business has many smaller sites (e.g., sales offices or warehouses), the configuration becomes complex, with the number of tunnels growing quadratically (n(n-1)/2) with the number of locations. A full mesh of 30 sites requires 435 tunnels and, most likely, some kind of automation or intelligent VPN solution.
Partly Meshed
In a full mesh network, every site can communicate directly with any other site. Voice over IP is a good example of a workload that needs a full mesh wide-area network (WAN): without it, packets travel through a transit site, adding delay, which is precisely what degrades speech quality.
DMVPN
To cut a long story short, Cisco understood the challenge and implemented DMVPN in its products years ago. The designers use generic routing encapsulation (GRE) as the tunnel mechanism and IPsec for the security aspect. The idea is to define a central site (hub) – usually the corporate headquarters – that knows all included VPN gateways in the remote sites (spokes).
Imagine that site A wants to reach site B: Router A asks the central router for router B's address; with that information in hand, router A sets up a new VPN tunnel between A and B, so traffic can start flowing (Figure 1), automatically and without conf term.
Cisco invented the Next Hop Resolution Protocol (NHRP) as a way for the router to get details about its peer and published it as RFC 2332 [1]. Finally, the open source community has built its own implementation, OpenNHRP, and provides the code on SourceForge [2].
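To make the resolution flow concrete, here is an added illustration (not code from the article, VyOS, or OpenNHRP) that models the hub's NHRP cache, a spoke registering its mapping, a spoke resolving a peer through the hub, and the on-demand spoke-to-spoke tunnel; the addresses are constructed RFC 5737 documentation values and the class and function names are my own.

```python
from dataclasses import dataclass

# Constructed sample address for the hub (RFC 5737 documentation range).
HUB_NBMA = "203.0.113.1"

@dataclass(frozen=True)
class Spoke:
    name: str
    tunnel_ip: str  # address inside the GRE overlay (the site's next hop)
    nbma_ip: str    # public Internet address the GRE/IPsec tunnel terminates on

class Hub:
    """Next-hop server: caches tunnel-IP -> NBMA-IP mappings learned from registrations."""
    def __init__(self, nbma_ip):
        self.nbma_ip = nbma_ip
        self.cache = {}

    def register(self, spoke):
        # NHRP Registration Request: each spoke announces its own mapping to the hub.
        self.cache[spoke.tunnel_ip] = spoke.nbma_ip

    def resolve(self, tunnel_ip):
        # NHRP Resolution Reply: the NBMA address behind a tunnel IP, or None if unknown.
        return self.cache.get(tunnel_ip)

class SpokeRouter:
    def __init__(self, me, hub):
        self.me, self.hub = me, hub
        self.tunnels = {hub.nbma_ip}  # the only statically configured tunnel
        hub.register(me)

    def next_hop_for(self, dst_tunnel_ip):
        """Choose the tunnel endpoint for dst: a dynamic direct tunnel if the hub
        can resolve the peer, otherwise keep sending through the hub."""
        peer_nbma = self.hub.resolve(dst_tunnel_ip)
        if peer_nbma is None:
            return ("via-hub", self.hub.nbma_ip)
        self.tunnels.add(peer_nbma)  # spoke-to-spoke tunnel brought up on demand
        return ("direct", peer_nbma)

def full_mesh_tunnels(sites):
    """Static tunnels for a full mesh: one per pair of sites."""
    return sites * (sites - 1) // 2

def dmvpn_static_tunnels(spokes):
    """Static tunnels an admin configures with DMVPN: one hub tunnel per spoke."""
    return spokes

if __name__ == "__main__":
    hub = Hub(HUB_NBMA)
    a = SpokeRouter(Spoke("A", "10.0.0.2", "198.51.100.10"), hub)
    b = SpokeRouter(Spoke("B", "10.0.0.3", "198.51.100.20"), hub)
    print(a.next_hop_for("10.0.0.3"))                       # ('direct', '198.51.100.20')
    print(full_mesh_tunnels(30), dmvpn_static_tunnels(30))  # 435 30
```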
Now all parts of the puzzle are freely available and usable on Linux. The Vyatta router distribution combines all pieces into the formula:
DMVPN=GRE+OpenNHRP+IPsec
The developers have even added a command-line interface (CLI) with the feel of a commercial router, completing the free DMVPN router. Unfortunately, Brocade acquired Vyatta in 2012 and put it under a commercial license. Vyatta quickly became Brocade Vyatta 5400 vRouter and is now available for a price.