Considering a New VPN
-
@Dashrender said in WTF I AM DOING WRONG (VPN edition) ?:
As for VPN - If you really need traditional VPN, Find out if your current router/firewall can do it. If not, replace it with a EdgeRouter.
I'm considering switcing to either ZeroTier or using my EdgeRouter to replace our current VPN which is getting a bit flakey on Windows 10 (Hamachi). What are the relative merits of both? Is there an obvious choice on which to choose? We have about 30 remote users needing to connect to our LAN. If the EdgeRouter, would you install OpenVPN or something else?
-
With the EdgeRouter, you have OpenVPN and IPSec options. Either will work. Depends on what you want to use on the client end.
-
I'm looking for something that is simple to set-up (VPNs are way out of my area of expertise), robust, and has a very friendly user experience. Hamachi would be perfect apart from the robustness.
I'm assuming security is not an issue as all modern mainstream solutions are satisfactorily secure.
-
There are both very secure, yes. The bigger issue that you will face is the effort in setup, they can both be insanely simple (e.g. totally transparent) for the end user. As could ZeroTier. But for you, they take effort.
-
ZeroTier is essentially no effort to deploy, think Hamachi or Pertino there, but because it is a full SDN not just a VPN, it's not going to do the hub and spoke you are used to and you'll have that networking complication to deal with.
-
Yeah, I need hub and spoke really. But that's not too difficult to setup on ZeroTier is it?
-
@Carnival-Boy said in Considering a New VPN:
Yeah, I need hub and spoke really. But that's not too difficult to setup on ZeroTier is it?
ZeroTier doesn't offer hub and spoke at all. It's pure SDN / mesh.
-
OpenVPN is very likely what you want to be using. IPSec tends to be better for site to site, OpenVPN for hub and spoke.
-
But both will do both, of course.
-
Would there be an argument for not using hub and spoke and using ZeroTier?
-
@Carnival-Boy said in Considering a New VPN:
Would there be an argument for not using hub and spoke and using ZeroTier?
Not likely. SDN involves totally revamping your entire network to be on ZT. It's an "all in" approach. It's great and can work wonders, but it's not trivial.
-
Thanks. Looks like OpenVPN on an EdgeRouter FTW then. Is it easy to set up?
-
Edgerouters are great. I have used them at clients places in the past, along with OpenVPN. You could also look at Untangle NG Firewall. I virtualized the firewall and the OpenVPN aspect of Untangle is very easy to setup. Of course you can use any firewall you want and just have a OpenVPN server. Turnkey Linux has a great OpenVPN appliance that you can download and run in any hypervisor. Also if you have a Raspberry Pi you can check out http://www.pivpn.io/
-
@scottalanmiller said in Considering a New VPN:
@Carnival-Boy said in Considering a New VPN:
Would there be an argument for not using hub and spoke and using ZeroTier?
Not likely. SDN involves totally revamping your entire network to be on ZT. It's an "all in" approach. It's great and can work wonders, but it's not trivial.
Quoted for truth!
-
Let's ask another question - instead of deploying a new VPN solution - what exactly are users accessing? and can it be changed in such a way to make VPNs not needed anymore?
-
@scottalanmiller said in Considering a New VPN:
@Carnival-Boy said in Considering a New VPN:
Yeah, I need hub and spoke really. But that's not too difficult to setup on ZeroTier is it?
ZeroTier doesn't offer hub and spoke at all. It's pure SDN / mesh.
This is not true, ZeroTier has gateway functionality.
https://www.zerotier.com/community/topic/5/bridging-ethernet-to-zerotier-virtual-networks-on-linux -
@JaredBusch said in Considering a New VPN:
@scottalanmiller said in Considering a New VPN:
@Carnival-Boy said in Considering a New VPN:
Yeah, I need hub and spoke really. But that's not too difficult to setup on ZeroTier is it?
ZeroTier doesn't offer hub and spoke at all. It's pure SDN / mesh.
This is not true, ZeroTier has gateway functionality.
https://www.zerotier.com/community/topic/5/bridging-ethernet-to-zerotier-virtual-networks-on-linuxI was leaving that out for simplicity as he's not going to build custom Linux systems for this.
-
@scottalanmiller said in Considering a New VPN:
@JaredBusch said in Considering a New VPN:
@scottalanmiller said in Considering a New VPN:
@Carnival-Boy said in Considering a New VPN:
Yeah, I need hub and spoke really. But that's not too difficult to setup on ZeroTier is it?
ZeroTier doesn't offer hub and spoke at all. It's pure SDN / mesh.
This is not true, ZeroTier has gateway functionality.
https://www.zerotier.com/community/topic/5/bridging-ethernet-to-zerotier-virtual-networks-on-linuxI was leaving that out for simplicity as he's not going to build custom Linux systems for this.
Why? Because a single VM setup as a gateway means that ZT now meets all needs also.
No different than replacing a router, etc.
-
@JaredBusch said in Considering a New VPN:
@scottalanmiller said in Considering a New VPN:
@JaredBusch said in Considering a New VPN:
@scottalanmiller said in Considering a New VPN:
@Carnival-Boy said in Considering a New VPN:
Yeah, I need hub and spoke really. But that's not too difficult to setup on ZeroTier is it?
ZeroTier doesn't offer hub and spoke at all. It's pure SDN / mesh.
This is not true, ZeroTier has gateway functionality.
https://www.zerotier.com/community/topic/5/bridging-ethernet-to-zerotier-virtual-networks-on-linuxI was leaving that out for simplicity as he's not going to build custom Linux systems for this.
Why? Because a single VM setup as a gateway means that ZT now meets all needs also.
No different than replacing a router, etc.
I've not used it, does it require you to change your IP range or can you keep what you have?
-
@Dashrender said in Considering a New VPN:
can it be changed in such a way to make VPNs not needed anymore?
Yes, it can. But not as easily as implementing a new VPN.