Photo by Damon Lam on Unsplash

Open source multipoint VPN with VyOS

Connected Mesh

Article from ADMIN 48/2018
By
The VyOS Linux distribution puts network routing, firewall, and VPN functionality together and presents a fully working dynamic multipoint VPN router as an alternative or addition to a Cisco DMVPN mesh.

Virtual private networks (VPNs) connect remote offices over the Internet. However, when the number of offices increases, so does the number of VPN tunnels. Scaling becomes important when connecting more than 10 offices, because many single tunnels result in a long and confusing configuration. Dynamic multipoint VPN (DMVPN) is a well-known Cisco solution that solves the scalability issue when building large VPNs.

Luckily, all DMVPN components have been open sourced. In this article, I show you how to set up a DMVPN with the VyOS Linux router distribution, which can also be used to improve, secure, or reduce the cost of an existing DMVPN network.

Intro to VPN

The collection of VPN software is large, and many implementations are open source, free of charge, and available for virtually every operating system. Usable bandwidth is much higher than that of a leased line or a multiprotocol label switching (MPLS) link at the same price, and long keys or certificates can achieve a high level of security.

This setup sounds great until it comes to scalability. Every VPN tunnel has two endpoints that need configuration – and don't forget the backup tunnel, which also needs to be prepared and tested.

When talking about six remote offices, the level of hands-on activity is acceptable. If every office needs direct communication with every other office, you would need 15 tunnels. If the business has many smaller sites (e.g., sales offices or warehouses), the configuration becomes complex, with the number of tunnels growing roughly with the square of the number of locations. A full mesh of 30 sites requires 435 tunnels and, most likely, some kind of automation or intelligent VPN solution.

Partly Meshed

In a full mesh network, every site can communicate directly with any other site. Voice over IP is a good example of a full

...