Photo by Damon Lam on Unsplash

Photo by Damon Lam on Unsplash

Open source multipoint VPN with VyOS

Connected Mesh

Article from ADMIN 48/2018
By
The VyOS Linux distribution puts network routing, firewall, and VPN functionality together and presents a fully working dynamic multipoint VPN router as an alternative or addition to a Cisco DMVPN mesh.

Virtual private networks (VPNs) connect remote offices over the Internet. However, when the number of offices increases, so does the number of VPN tunnels. Scaling becomes important when connecting more than 10 offices, because many single tunnels result in a long and confusing configuration. Dynamic multipoint VPN (DMVPN) is a well-known Cisco solution that solves the scalability issue when building large VPNs.

Luckily, all DMVPN components have been open sourced. In this article, I show you how to set up a DMVPN with the VyOS Linux router distribution, which also can be used to improve, secure, or reduce the cost of an existing DMVPN network.

Intro to VPN

The collection of VPN software is large, and many implementations are open source, free of charge, and available for virtually every operating system. Usable bandwidth is much higher compared with a leased line or a multiprotocol label switching (MPLS) link at the same price, and big keys or certificates can achieve a high level of security.

This setup sounds great until it comes to scalability. Every VPN tunnel has two endpoints that need configuration – and don't forget the backup tunnel, which also needs to be prepared and tested.

When talking about six remote offices, the level of hands-on activity is acceptable. If every office needs direct communication with every other office, you would need 15 tunnels. If the business has many smaller sites (e.g., sales offices or warehouses), the configuration becomes complex, with the number of tunnels increasing exponentially with the number of locations. A full mesh of 30 sites requires 435 tunnels and, most likely, some kind of automation or intelligent VPN solution.

Partly Meshed

In a full mesh network, every site can communicate directly with any other site. Voice over IP is a good example of a full mesh wide-area network (WAN), without which, the packets would travel through a transit site, increasing delay time, which is precisely what degrades speech quality.

DMVPN

To cut a long story short, Cisco understood the challenge and implemented DMVPN in its products years ago. The designers use generic routing encapsulation (GRE) as the tunnel mechanism and IPsec for the security aspect. The idea is to define a central site (hub) – usually the corporate headquarters – that knows all included VPN gateways in the remote sites (spokes).

Imagine that site A wants to reach site B: Router A will ask the central router for router B; with that information in hand, router A sets up a new VPN tunnel between A and B, so traffic can start flowing (Figure 1), automatically and without conf term.

Figure 1: In a multipoint VPN, every router creates a tunnel connection with every other router.

Cisco invented the Next Hop Resolution Protocol (NHRP) as a way for the router to get details about its peer and published it as RFC 2332 [1]. Finally, the open source community has built its own implementation, OpenNHRP, and provides the code on SourceForge [2].

Now all parts of the puzzle are freely available and usable on Linux. The Vyatta router distribution combines all pieces into the formula:

DMVPN=GRE+OpenNHRP+IPsec

The developers have even added a command-line interface (CLI) with the feel of a commercial router, completing the free DMVPN router. Unfortunately, Brocade acquired Vyatta in 2012 and put it under a commercial license. Vyatta quickly became Brocade Vyatta 5400 vRouter and is now available for a price.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Routing with Quagga

    Cisco and Juniper have implemented routing protocols to help your router find the optimum path. On Linux, you can use software like Quagga, with its Zebra daemon, to help automate this process.

  • Flexible software routing with open source FRR
    The FRR open routing stack can be integrated into many networks because it supports a large number of routing protocols, though its strong dependence on the underlying kernel means it requires some manual configuration.
  • IPv6 tunnel technologies
    Now that IPv6 is the official Internet protocol, all that remains is the simple task of migrating all the machines on the Internet. Until that happens, tunnel technologies provide an interim solution.
  • GENEVE network tunneling protocol
    LAN data transmission has evolved from the original IEEE 802.3 standard to virtual extensible LAN (VXLAN) technology and finally to today's Generic Network Virtualization Encapsulation (GENEVE) tunneling protocol, which offers improved flexibility and scalability, although it still faces some issues. We look at the three technologies and their areas of application.
  • Border Gateway Protocol
    We look at the Border Gateway Protocol, how it routes packets through the Internet, its weaknesses, and some hardening strategies.
comments powered by Disqus