Recommend a router for site to site VPN

ltickett

I have a new client who needs their offices linked (initially just 2 but hopefully more going forward).

Both sites currently connect to the internet using ADSL (over POTS), so I think it would be a bonus if the device is a combined modem/router. It would also be beneficial if it also acts as a wireless access point; however, this is not essential, we could use separate devices.

There are only around 20 users at each site and the percentage of traffic going over the VPN should be minimal.

I have been looking at something like the Cisco 887VA, but maybe this is overkill and something with a more user-friendly interface (maybe dd-wrt based?) would be more suitable?

Ideally I'd like to spend around £100 ($170) per unit, but whatever is needed to get the job done.

Any suggestions? Thanks!
 
Where I last worked before retiring, we used Netscreen/Juniper devices to do our VPNs. Very reliable. When I left, many of the devices in use were the older Netscreen 5XP. The SSG5 is available on the aftermarket for about $100 last time I checked. They are not a combo modem-router but if you put the modem in bridge mode it works fine. Recommend you keep wireless as a separate function. If you ever suspect a security breach via wireless, easy to disconnect the AP from power. You can locate the AP in the best place for coverage. Also, the SSG5 has enough ports so you can put the wireless on its own network zone if you need the additional security. Or you can easily provide guest wireless that only has access to the internet, not the local network.

You didn't mention but does at least one of the sites have a fixed IP address? If both are dynamic, your VPN will drop if both happen to change at about the same time.
 
Since you're in the UK...

TP-Link TL-WDR3600 running OpenWRT (does about 10-15mbit over OpenVPN)
TP-Link TL-WDR4900 would be a much better choice but it seems to be discontinued in the UK; Pixmania and some etailers in .de still have it in stock. It has about a 50% more powerful CPU than the WDR4900.

TL-WR1043ND v2 might be a better choice since it features a faster CPU than the WDR3600, but it's only 2.4GHz and a bit more untested than the WDR3600. It also has 64Mbyte of RAM instead of 128Mb, but I've never seen my 3600 go past ~40Mbyte when running the usual services.

I have a few WDR3600 running as VPN gateways/routers and they work very reliably.

As you're in the UK I should mention that I've only used connections without PPPoE.

The EdgeRouter Lite might be an option; no idea how the original vendor-provided firmware works on it as I run FreeBSD on those boxes. The downside is the shaping doesn't work.
//Danne
 
Mikrotik RouterBoard RB2011UiAS-2HnD-IN: about £85, will do about 18mbps IPSEC VPN site to site, has wifi and will do everything you need and more.

You could also get by with the Mikrotik RouterBoard RB951G-2HnD for about £53. Same CPU as the 2011 series, same wifi card inside, just no LCD, no SFP and a plastic case. It is a different board, but both are equally as reliable. In an SMB setting I prefer to have metal products, just more sturdy.

If you need rackmount you could also check out their RouterBoard RB2011UiAS-RM. No wifi on that model.

Many people will say that setup is a pain, which if you are scared to learn it could be. Greg Sowell has some really great RouterOS training videos. MikroTik has also improved their WebUI significantly in the past year or so. All the newer firmware has a really good QuickSET feature that'll get you up and running (and routing) quickly. From there you'll have to set up the firewall and the Site-to-Site VPN, which is easy with the guides you will find on the internet.
 
Should be mentioned that it's the same SoC in the Mikrotiks as in the WDR3600, just 40Mhz faster.
The WDR4900 and WR1043ND v2 both have faster CPUs.
//Danne
 
So many to choose from!

Has anyone had experience with a mesh-style multi-site VPN? I'm trying to figure out which software (dd-wrt etc.) supports it and how easy/hard it is to configure.

I think my decision will end up being roughly based on:

Reliability
Performance
Ease of use (web ui?)
Cost
ADSL modem included?
WiFi included?
 
You may not even be able to get a modem/router AIO depending on the DSL type and provider. For example AT&T needs the 2Wires/Pace gateways because they have special certificates to authenticate with the DSLAM. Many VDSL2 Providers use a similar setup.

I'd just bridge it, pick a router of your choice and use a good AP. I'm not a fan of AIO.
 
That's why "ADSL modem included" and "WiFi included" were at the bottom of my list of priorities :)

Although I was thinking, if I'm going down the dd-wrt route I will most likely be flashing it on a relatively "consumer grade" router which will likely already have this functionality.
 
@ ltickett

I run a few networks over DSL using either FreeBSD (Edgerouter Lite) or OpenWRT (TL-WDR3600 or WD MyNet N750) and they're very reliable. As long as the connection itself is up there are no issues really. PPPoE shouldn't matter but it will lower performance somewhat; the trickiest part is to find a (D)DNS provider that's decent and has a simple API/client. You most likely won't find an all-in-one device as most DSL modems have proprietary drivers. I'd recommend you get a plain modem or one that supports bridging.
Running at least OpenVPN you will need to use CLI for configuration at least once.

@ /usr/home

Pretty much any provider in Europe lets you use any type of modem you'd like; any type of triple play service "requires" the provided modem/gateway. It's usually different VLANs bound to a specific port, that's it.
//Danne
 
EdgeRouter Pro (or Lite) is low cost and VERY high performance and will do Site-to-Site as well as 1000 other things. I like it as long as you're comfortable with the CLI, their web interface isn't all that great for advanced config.

I've never done a mesh site-to-site outside of Cisco IOS though so I'm not sure. If you have a reliable HUB (or two) you can do DMVPN that will dynamically build VPN tunnels between hubs and between spokes for direct communications. It's complicated but you pretty much only have to set it up once. Plus you can install DSL modules and some models come with WiFi built in.
 
Really depends on the requirements. I have this guy who works from home but needed a site to site VPN so his phone would work with the network/software and I setup two Buffalo DD-WRT routers with OpenVPN and it works pretty snazzy.
 
I'd be a bit careful with DD-WRT and the ERL's original firmware though, as you can't update freely as security issues occur and are announced, as you can do with OpenWRT and FreeBSD (in this case).
//Danne
 
The specs on the EdgeRouter Lite make it sound really tempting, but not having used the CLI before and my experience with Ubiquiti makes me wonder whether it is suitable for a production environment.

*EDIT* Actually- having read http://wiki.ubnt.com/IPSec_VPN_-_CLI_Commands it looks pretty straight forward. If I can find any discussion/verdicts from people using it in the real world I may take the plunge.
 
Site to Site can be done in the GUI now. It's also easy to set up via CLI. I have one using many of its features and it works great and keeps improving every firmware release. I've never had an issue with any version and I'd consider myself to be a good test since I use many of the features.
 
Zyxel USGs or UMs

Both are BSD based and crazy rock solid. They should run for years.
 
Don't go by the specs; HW NAT will most likely trash stuff, leaving you with a ~250mbit throughput which the regular Atheros platforms can do.
Not sure if you can do OpenVPN (SSL VPN) by the GUI. IPSec kinda only works on non-NAT(ed) connections, which makes it kinda useless if you want to access networks remotely.
//Danne
 
250mbit is far more than will ever need to be pushed... in fact, the router will presumably only be responsible for WAN traffic and the internet connections won't be more than about 26/1.
 
I will chime in with the WatchGuard XTM series router. Same bells and whistles as any business class firewall/router but very easy to manage. Comes with an annual security suite of WebBlocker, spamBlocker and AV defense along with SSL VPN licenses. Rock solid and good support.
They also released a line of Wireless Access Points that can be managed from the same interface with very robust connectivity and security options. Overall a great platform that will scale when necessary.
 
A quick update...

I ordered 2x EdgeRouter Lite and have had them and been playing around for a little while- they are looking very promising.

The most annoying part is that both sites currently connect to the internet using ADSL provided by BT using their HomeHub3 device. This acts as the Modem, Router (performing NAT) and Wireless Access Point. Putting the ERL behind this device wouldn't work for a few reasons (NAT and Wireless clients would be on the wrong side) so I've had to order an ADSL modem for each site. I will then move the HomeHub3 behind the ERL and use it simply as a Wireless Access Point.

Getting the ERL performing as a simple NAT router took ages till I upgraded to the latest firmware (1.5) and found the wizard.

Configuring an IPSEC VPN and all of the relevant NAT/firewall was even more complex as it was only possible via the CLI, but I got there in the end working backward from some sample configs on the UBNT forum: http://community.ubnt.com/t5/EdgeMA...e-NOT-Working-using-sample-config/td-p/626677

The client has now added a requirement for some form of web/content filtering. Luckily it looks like the ERL is capable of this and I've had a bit of a play and have it working in its most basic form. The next step will be to try and allow override or LDAP integration.

Things definitely seem 100x easier now I'm getting to grips with the CLI.
 
I don't know the EdgeRouter devices, but can you configure NAT Traversal for IPSEC?
 
You can indeed :)
Code:
vpn {
    ipsec {
        auto-firewall-nat-exclude disable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            lifetime 28800
            proposal 1 {
                dh-group 14
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface pppoe0
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
        site-to-site {
            peer 0.0.0.0 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret secret
                }
                connection-type initiate
                ike-group FOO0
                local-ip 0.0.0.0
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        subnet 192.168.10.0/24
                    }
                    remote {
                        subnet 192.168.20.0/24
                    }
                }
            }
        }
    }
}
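As an added example (not code from the thread or from Ubiquiti), a short Python script that reads this brace layout into nested dicts and audits the settings a reviewer would check in a site-to-site block like the one above: NAT-T enabled, PFS on the ESP group, legacy hashes in the proposals, and pre-shared-secret length. The embedded sample config is constructed and trimmed from the posted one.

```python
# Added example, not the thread's or Ubiquiti's code: parse an EdgeOS-style brace config and audit its IPsec section.

def parse_config(text):
    """'key val {' opens a nested dict, 'key val' is a leaf, '}' closes."""
    stack = [{}]  # stack[0] is the root
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value
    return stack[0]

def audit_ipsec(cfg):
    """Return human-readable findings for the vpn.ipsec section of cfg."""
    ipsec = cfg.get("vpn", {}).get("ipsec", {})
    out = []
    if ipsec.get("nat-traversal") != "enable":
        out.append("nat-traversal not enabled: peers behind NAT will fail")
    # Only block entries (esp-group, ike-group, ...) carry proposals; skip leaves.
    for name, grp in ((n, g) for n, g in ipsec.items() if isinstance(g, dict)):
        if name.startswith("esp-group") and grp.get("pfs") != "enable":
            out.append(f"{name}: pfs not enabled")
        for pname, prop in grp.items():
            if isinstance(prop, dict) and prop.get("hash") in {"md5", "sha1"}:
                out.append(f"{name} {pname}: legacy hash {prop['hash']}, prefer sha256")
    for peer, conf in ipsec.get("site-to-site", {}).items():
        if len(conf.get("authentication", {}).get("pre-shared-secret", "")) < 20:
            out.append(f"{peer}: pre-shared secret shorter than 20 characters")
    return out

# Constructed sample, trimmed from the posted layout; 'pfs enable' left out on purpose.
SAMPLE = """vpn {
    ipsec {
        esp-group FOO0 {
            proposal 1 {
                hash sha1
            }
        }
        nat-traversal enable
        site-to-site {
            peer 0.0.0.0 {
                authentication {
                    pre-shared-secret secret
                }
            }
        }
    }
}"""
```

Running `audit_ipsec(parse_config(SAMPLE))` on the sample reports the missing PFS, the sha1 hash and the short pre-shared secret, while the enabled nat-traversal passes.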
 
...and that has to be the most awkward configuration layout ever.
//Danne
 
The EdgeOS on these Ubiquiti devices looks impressive. So thanks for getting me to look at these devices; I might get one myself for testing.

I must say though, the marketing material Tolly report that compares them against Cisco and Juniper is amusing. They're trying to put them against branch routers like the Cisco 3925 and Juniper J6350. Nevertheless they look really nice on first impressions.

How are you getting on with them?
 
As a routing device they are wicked fast, but adding QOS slows them down a bit. There's an effort to enable kernel level acceleration for QOS, but it's not working at the moment.

There's nothing even competitive on the market if you are only concerned about routing performance.
 
Anybody know what the tunnel performance is on the site to sites on the EdgeRouter Lites?

I've got OpenVPN on one of them but it's on a really slow connection, just wondering if anybody has used those...

Thinking about upgrading a small VPN I've got going on with 1 main site and 5 smaller sites... if I could get maybe an EdgeRouter PRO for the main site and Lites for the 5 smaller I wonder how well that would work.... IPsec performance-wise.

EDIT: I just found on SmallNetBuilder the Lites will do ~250mbps over IPsec, and the Pros ~500mbps... that should be plenty for an aggregate site... impressive.
 
IPSEC will be much faster on them due to their offloading of IPSEC. I think OpenVPN has a max throughput of ~30mbps.
 
I correct myself, the layout isn't bad, the order looks very odd, and FWIW I'm coming from the FreeBSD world, which JunOS is based on. :-P
//Danne
 
We use SonicWALLs for just about every setup we do, but I've heard and seen very good things with the Juniper boxes. Netgears are consumer/small-business grade that I prefer to avoid.
 
@ /usr/home
They do about 20mbit which is very similar to your average OpenWRT box. IPSec is offloaded on Linux so it should be pretty good, I have no idea if you can do NAT-T and still use hardware offloading on the other hand.

As for stability of the ERL boxes... (gateway/fw, openvpn server, dhcp server)
FreeBSD 10.0-CURRENT #0: Sat May 4 01:29:11 UTC 2013
12:58AM up 143 days, 14:52, 1 user, load averages: 0.35, 0.24, 0.18
..and yes, it's getting old :)
//Danne
 
Although I have done Linux deployments for IPSEC I've never used offloading. In my experience OpenVPN has been less processor intensive than IPSEC. This is one of the reasons I deployed OpenVPN on my low powered device at home.

I'm not saying OpenVPN is better than IPSEC, but am saying it should be on low powered devices. But it matters what encryption levels you have set and transport protocol?

This isn't taking into account offloading. Additionally, just to be clear, I can assume that if you have the NIC you will get better performance with offloading on low powered devices.

What hardware do you have on the OpenVPN device?
 
OpenVPN uses more processing power than IPSec from my experience..
//Danne
 
OpenVPN HW acceleration offload is on the wanted list for features on the UBNT EdgeMAX router.

But I don't see HW accel for OpenVPN occurring until 2016.

If you looked at that more expensive 8 port EdgeMAX router, you'd probably see double the throughput of the EdgeMAX Lite router.
 
OpenVPN doesn't benefit from HW accel at all so it's just a waste of time.
//Danne
 