Open source multipoint VPN with VyOS

Connected Mesh

Graphical Interface?

The chances for a VyOS web interface are low. Brocade does offer a Vyatta web UI for paying customers, and Ubiquiti ships its EdgeOS with a wonderful web-based interface that includes most areas of configuration; however, it binds the web UI to their own hardware by license.

From a technical perspective, a browser front end can communicate through web sockets with the back end (Ubiquiti EdgeRouter). The daemon /usr/sbin/ubnt-util receives the queries and performs the reconfiguration. Unfortunately, this Ubiquiti element is closed source. The software is a MIPS64 binary, which won't run on Intel architecture without an emulator and many dirty tricks.

Conclusions

When the number of remote offices grow faster than the IT team can set them up, it is time for a dynamic VPN mesh. Dynamic multipoint VPN is Cisco's all-purpose solution for scalability in VPN clouds that allows every participating router to establish a direct connection to every other router without additional configuration. This solution truly saves setup effort and reduces delay times.

The free VyOS Linux distribution offers all the required protocols needed to create a new DMVPN landscape or to extend the existing Cisco world. VyOS does a pretty good job at hiding the many complicated Linux tools and routing daemons behind well-know CLI commands. Before deploying, however, pay attention to the limitations that crop up when playing together with Cisco, IPv6, or network address translation. Finally, your DMVPN can reside on hardware or a virtual infrastructure.

Infos

  1. RFC 2332: NBMA Next Hop Resolution Protocol: https://tools.ietf.org/html/rfc2332
  2. OpenNHRP: https://sourceforge.net/projects/opennhrp/
  3. VyOS: https://vyos.io/
  4. WANem: http://wanem.sourceforge.net/
  5. apu1d by PC Engines: http://www.pcengines.ch/apu1d.htm
  6. Forwarding performance lab of a PC Engines APU: http://bsdrp.net/documentation/examples/forwarding_performance_lab_of_a_pc_engines_apu
  7. RFC 7868: Cisco's Enhanced Interior Gateway Routing Protocol: https://datatracker.ietf.org/doc/rfc7868/
  8. Encapsulation overhead calculator: http://baturin.org/tools/encapcalc/

The Author

Markus Stubbig is a networking engineer who has worked in the IT industry for 15 years. His strong focus is on design and implementation of campus networks around the world.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Routing with Quagga

    Cisco and Juniper have implemented routing protocols to help your router find the optimum path. On Linux, you can use software like Quagga, with its Zebra daemon, to help automate this process.

  • Flexible software routing with open source FRR
    The FRR open routing stack can be integrated into many networks because it supports a large number of routing protocols, though its strong dependence on the underlying kernel means it requires some manual configuration.
  • IPv6 tunnel technologies
    Now that IPv6 is the official Internet protocol, all that remains is the simple task of migrating all the machines on the Internet. Until that happens, tunnel technologies provide an interim solution.
  • GENEVE network tunneling protocol
    LAN data transmission has evolved from the original IEEE 802.3 standard to virtual extensible LAN (VXLAN) technology and finally to today's Generic Network Virtualization Encapsulation (GENEVE) tunneling protocol, which offers improved flexibility and scalability, although it still faces some issues. We look at the three technologies and their areas of application.
  • Border Gateway Protocol
    We look at the Border Gateway Protocol, how it routes packets through the Internet, its weaknesses, and some hardening strategies.
comments powered by Disqus