New Member
Posts: 11
Registered: ‎04-19-2014

Multisite VPN using Edgerouter


Hi All,

Have read the guides and wikis but haven't really had a definitive answer as to whether an Edgerouter will suit my requirements.


We have a network with four sites:
Site 1: 192.168.0.0/24, DNS, DHCP, AD, File storage (head office)
Site 2: 192.168.1.0/24, DHCP, File storage
Site 3: 192.168.2.0/24, DHCP, secondary DNS
Site 4: 192.168.3.0/24, DHCP

Is it possible to have all sites accessing all sites via VPN, but will continue to work if head office goes down?

If someone could send me a link to a rough guide that would be great.

In addition remote user dial in using PPTP would be nice also.

[attachment: vpn.png]
Member
Posts: 276
Registered: ‎11-16-2013
Kudos: 104
Solutions: 15

Re: Multisite VPN using Edgerouter

It can be done using tinc vpn. But at this moment there's no cli/gui integration (but will be) with edgeos.

New Member
Posts: 11
Registered: ‎04-19-2014

Re: Multisite VPN using Edgerouter

Is tinc VPN included as a part of EdgeRouter as standard or do I have to add it?

Rough guide for setup available?

Member
Posts: 276
Registered: ‎11-16-2013
Kudos: 104
Solutions: 15

Re: Multisite VPN using Edgerouter


@VIT_Aus wrote:

Is tinc VPN included as a part of EdgeRouter as standard or do I have to add it?

Rough guide for setup available?


Simplest way is to install debian squeeze mips package using dpkg, but you will need to manually create config files.

Member
Posts: 115
Registered: ‎05-13-2013
Kudos: 181
Solutions: 12

Re: Multisite VPN using Edgerouter

If you only have 4 sites then you only have to configure 6 VPN tunnels to achieve a full mesh as shown in your diagram. EdgeOS definitely supports multiple VPN peers out-of-the-box, and IPsec encryption is even hardware accelerated. Check out this wiki article for details on how to configure this.

New Member
Posts: 11
Registered: ‎04-19-2014

Re: Multisite VPN using Edgerouter

Hi ryan3531,

I was hopeful to avoid this as while it is easy at the moment, if we end up with 10 offices, that's 45 tunnels!
At present it is the best option. Thank you all for your input.
Thanks for the wiki link too!

Emerging Member
Posts: 90
Registered: ‎11-14-2013
Kudos: 38
Solutions: 1

Re: Multisite VPN using Edgerouter

We just do two tunnels, one each to geographically disparate locations.  You'll pull your hair out trying to build a full mesh with many sites on edgerouters.

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3142
Solutions: 945
Contributions: 16

Re: Multisite VPN using Edgerouter

I use openvpn tunnels from each remote location to HQ and then run ospf over the tunnels.  Not as efficient as a full mesh, but less frustrating.

EdgeMAX Router Software Development
Member
Posts: 276
Registered: ‎11-16-2013
Kudos: 104
Solutions: 15

Re: Multisite VPN using Edgerouter


@UBNT-stig wrote:

I use openvpn tunnels from each remote location to HQ and then run ospf over the tunnels.  Not as efficient as a full mesh, but less frustrating.


As alternative to this, you can run point to multipoint with configs like this:

#show interfaces openvpn
 openvpn vtun0 {
     description "Main VPN Tunnel"
     device-type tap
     local-port 1194
     mode server
     openvpn-option --comp-lzo
     /* enables clients to talk to each other */
     openvpn-option --client-to-client
     openvpn-option --fast-io
     openvpn-option --float
     protocol udp
     server {
         client R2 {
             ip 10.254.15.2
             /* subnet behind the client router that should be routed via ovpn */
             subnet 192.168.0.0/24
         }
         client R3 {
             ip 10.254.15.3
             subnet 192.168.10.0/24
         }
         client R4 {
             ip 10.254.15.4
             subnet 192.168.20.0/24
         }
         subnet 10.254.15.0/24
         topology subnet
     }
     tls {
         ca-cert-file /config/auth/ca.crt
         cert-file /config/auth/R1.crt
         dh-file /config/auth/dh2048.pem
         key-file /config/auth/R1.key
     }
 }

In a config like this you can hold multiple routers in one tunnel, but the problem is that you must specify the subnet each client router can route, and you will need to either specify the routing table statically in the ovpn config (didn't try it) or run OSPF/RIP over the tunnel (working solution).

As a benefit, client routers can talk to each other without running traffic over the ovpn server.

With multiple ovpn servers, you can make something like DMVPN. But in my mind, tinc is better, that's why I'm spending time on it.

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5480
Solutions: 1656
Contributions: 2

Re: Multisite VPN using Edgerouter

Yeah if there are (or will be) more than a handful of sites, the client/server mode could become simpler in terms of configuration than the site-to-site mode. However, either way it is still a "hub-and-spoke" deployment and doesn't satisfy the OP's "continue to work if head office goes down" requirement. Would be great if you can provide some experience on tinc if you are playing with it of course! Thanks!

New Member
Posts: 9
Registered: ‎01-02-2015
Kudos: 111
Solutions: 1

Re: Multisite VPN using Edgerouter


Ok, so I have been in your shoes and tried with IPSec, OpenVPN, etc. Here's what I have found to be the quickest/fault tolerant and most reliable way to connect multiple sites in a full mesh configuration without the pain of using IPSec / Ovpn / GRE etc.

 

#Step 0 - Let's open firewall ports on WAN_LOCAL (basically the outside interface in direction local). If you are already using rule 2 use another one, but preferably put this towards the top of your ruleset before the deny rules. Port 655 is the default port. I think the only routers you have to open this up on are hub sites, but I do it on all to be safe and/or to add future sites as hub sites.

 

configure
set firewall name WAN_LOCAL rule 2 action accept
set firewall name WAN_LOCAL rule 2 description TINC
set firewall name WAN_LOCAL rule 2 destination port 655
set firewall name WAN_LOCAL rule 2 log disable
set firewall name WAN_LOCAL rule 2 protocol tcp_udp
commit;save;exit;

 

#Step 1 - Configure repos, apt-get update and install tinc + nano

configure

set system package repository wheezy components 'main contrib non-free'
set system package repository wheezy distribution wheezy 
set system package repository wheezy url http://http.us.debian.org/debian
set system package repository wheezy-security components main
set system package repository wheezy-security distribution wheezy/updates
set system package repository wheezy-security url http://security.debian.org
commit
save
exit
sudo su
apt-get update
apt-get install tinc nano -y

 

#-------------------
#Step 2 - Make Directories

#-------------------

cd /etc/tinc 
sudo mkdir meshvpn 
sudo mkdir meshvpn/hosts 
cd ./meshvpn

 

#------------------
#Step 3 make main configuration file
#------------------

 

nano tinc.conf
#/etc/tinc/meshvpn/tinc.conf
Name = corporate
AddressFamily = ipv4
Device = /dev/net/tun
#Typically the ConnectTo = xxxx line is what I use on the branch sites. On "hubs" I don't specify this or an address. Simply listen
#for incoming connections
#ConnectTo = branchX
#ConnectTo = branchY
 

#------------------
#Up/Down scripts
#------------------

 

nano /etc/tinc/meshvpn/tinc-up
#!/bin/sh
#You'll be creating an ip to route over. The interface will be named whatever the directory name is. In this case it's meshvpn
ifconfig $INTERFACE 10.6.1.1 netmask 255.255.255.0
#add appropriate routes. You can summarize by changing subnet mask or you can be very explicit as to who can route where. All based on your preferences.
ip route add 192.168.0.0/16 dev $INTERFACE

 

nano /etc/tinc/meshvpn/tinc-down
#!/bin/sh 
ifconfig $INTERFACE down
 
 
 
#make executable
 
chmod a+x tinc-*

 

 

#Configuration file for this router. Each router will have a different name so be sure to name accordingly

 

nano /etc/tinc/meshvpn/hosts/corporate
#/etc/tinc/meshvpn/hosts/corporate
#Don't fill in Address on your corporate router when configuring; HOWEVER, fill it in with the public IP address on all connecting routers
#Address = YOUR PUBLIC IP ADDRESS   (comment out for local, uncomment for remote)
#Your subnet(s) that you are answering for. I typically include the local /32 for the tinc interface
Subnet = 192.168.4.0/24
Subnet = 10.6.1.1/32

 

#Generate Keys

tincd -n meshvpn -K

 

#After you do this you will have a new corporate file in /etc/tinc/meshvpn/hosts (the public key is appended to it). Copy this to the same directory structure on the remotes and vice versa! Quickest way to get it off is to cat /etc/tinc/meshvpn/hosts/corporate and paste into a notepad, then on the remote site nano /etc/tinc/meshvpn/hosts/corporate and paste the contents

 

#And finally connect. NOTE: THE FIRST VPN WILL RUN WAITING FOR NEW CONNECTIONS

sudo tincd -n meshvpn

 

#To Kill

sudo tincd -n meshvpn -k 

 

#IMPORTANT!!!! If you want to automatically start up @ boot time you MUST edit /etc/tinc/nets.boot

 

nano /etc/tinc/nets.boot

## This file contains all names of the networks to be started on system startup. You can add multiple VPNs by name here.
meshvpn

 

 

Hope this helps. I had something like 20 sites to connect and with IPSec and OpenVPN it became very cumbersome..

 

If you have more than one "ConnectTo =" parameter in your remote hosts, the routers will continue to function without all sites being online. You can also specify multiple addresses in your tinc.conf if you have a site with multiple ISPs. Works like a charm. Never failed me once even when I've had multiple sites/ISPs out. Always comes back online without any interaction. Also works flawlessly with client sites behind 1x or 2x NAT as long as there is not any address overlap, and even if there is you just have to get more explicit with routes, i.e. route to specific hosts excluding the local outbound gateway.

 

Another important thing to know: when you upgrade, your configs disappear, as do the packages. This is easy to work around. Basically on first login do the following:

 

sudo su 
apt-get update 
apt-get install tinc nano -y
 
cp -R /root.dev/w.o/etc/tinc /etc
service tinc restart

Voila, you're back in business. I am certain there has to be a way to script this but haven't looked yet or tried to.

 

C
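The tinc walkthrough above (Steps 0 to 3 plus the "more than one ConnectTo" remark) is written for one router at a time. The script below is an added example, not code from the post or from the tinc project: it generates the per-node tinc.conf, hosts/ files, tinc-up/tinc-down and nets.boot for a full mesh, so every node dials every other node and the mesh keeps working when any single site, head office included, is down. The site table (names, TEST-NET public IPs, LAN subnets, 10.6.1.x tunnel addresses) is constructed sample data; `StrictSubnets = yes` is my assumption (tinc 1.0.17 or later, as shipped in wheezy) and is there so a compromised or misconfigured node cannot announce arbitrary Subnet lines into the mesh. Key generation is deliberately left to `tincd -n meshvpn -K` on each node, followed by copying the resulting hosts/<name> files to every other node, exactly as the post describes.

```shell
#!/bin/sh
# Added example: generate full-mesh tinc configs for a small set of sites.
# Site table and addresses are constructed sample data, not from the thread.

NETNAME=meshvpn

# name  public_ip  lan_subnet  vpn_ip   (constructed; public IPs are TEST-NET ranges)
SITES='corporate 203.0.113.10 192.168.0.0/24 10.6.1.1
branch1 198.51.100.20 192.168.1.0/24 10.6.1.2
branch2 192.0.2.30 192.168.2.0/24 10.6.1.3
branch3 203.0.113.40 192.168.3.0/24 10.6.1.4'

# ConnectTo lines for node $1: one per peer, so there is no single hub to lose.
connect_to_lines() {
    printf '%s\n' "$SITES" | while read -r name pub lan vpn; do
        [ "$name" = "$1" ] || printf 'ConnectTo = %s\n' "$name"
    done
}

# Number of peers a node dials: N-1 for N sites.
peer_count() {
    connect_to_lines "$1" | wc -l | tr -d ' '
}

# Field $2 (1=name 2=public ip 3=lan subnet 4=vpn ip) of the site named $1.
site_field() {
    printf '%s\n' "$SITES" | awk -v n="$1" -v f="$2" '$1 == n { print $f }'
}

# Write tinc.conf, hosts/*, tinc-up and tinc-down for node $1 under $2
# (defaults to /etc/tinc, which is where tincd -n $NETNAME looks).
write_node_config() {
    node=$1
    base=${2:-/etc/tinc}
    dir=$base/$NETNAME
    mkdir -p "$dir/hosts"

    {
        printf 'Name = %s\n' "$node"
        printf 'AddressFamily = ipv4\n'
        printf 'Device = /dev/net/tun\n'
        printf 'Mode = router\n'          # layer 3, matches the tun device above
        printf 'StrictSubnets = yes\n'    # assumption: trust only Subnet lines in local hosts/ files
        connect_to_lines "$node"
    } > "$dir/tinc.conf"

    # One host file per site: its public Address plus the subnets it may announce.
    # tincd -K later appends this node's public key to hosts/$node.
    printf '%s\n' "$SITES" | while read -r name pub lan vpn; do
        {
            printf 'Address = %s\n' "$pub"
            printf 'Subnet = %s\n' "$lan"
            printf 'Subnet = %s/32\n' "$vpn"
        } > "$dir/hosts/$name"
    done

    vpnip=$(site_field "$node" 4)
    {
        printf '#!/bin/sh\n'
        printf 'ifconfig $INTERFACE %s netmask 255.255.255.0\n' "$vpnip"
        printf 'ip route add 192.168.0.0/16 dev $INTERFACE\n'
    } > "$dir/tinc-up"
    printf '#!/bin/sh\nifconfig $INTERFACE down\n' > "$dir/tinc-down"
    chmod a+x "$dir/tinc-up" "$dir/tinc-down"

    printf '%s\n' "$NETNAME" > "$base/nets.boot"   # start the net at boot
}

# Usage on a router (as root, after apt-get install tinc):  sh mesh.sh corporate
if [ -n "${1:-}" ]; then
    write_node_config "$1" "${2:-/etc/tinc}"
fi
```

Run it once per router with that router's name, then do `tincd -n meshvpn -K` on each and exchange the hosts/ files. With StrictSubnets every node must hold the complete set of host files, which is the trade-off for not trusting subnet announcements from peers. The WAN_LOCAL rule for port 655 tcp/udp from Step 0 is still needed on every node that should be dialable.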
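The post ends with the manual post-upgrade recovery (reinstall the package, copy /root.dev/w.o/etc/tinc back, restart) and a wish for a script. This is an added example, not from the post or the tinc project, that does the same steps but refuses to restart tinc if the net config or the private key did not survive the upgrade, and tightens the key's permissions while it is at it. OLD_ROOT (the previous image's overlay path used in the post) and NETNAME are assumptions overridable from the environment; the `--apply` branch is the only part that touches the live system.

```shell
#!/bin/sh
# Added example: restore a tinc net after an EdgeOS upgrade, with sanity checks.

OLD_ROOT=${OLD_ROOT:-/root.dev/w.o}   # assumption: previous image overlay, as in the post
NETNAME=${NETNAME:-meshvpn}

# Copy $1/etc/tinc/$NETNAME into $2/etc/tinc and check that it is startable.
# Returns 0 only if tinc.conf, rsa_key.priv and at least one host file exist.
restore_tinc_config() {
    src=$1/etc/tinc
    dst=$2/etc/tinc
    net=$dst/$NETNAME

    [ -d "$src/$NETNAME" ] || { echo "no saved config in $src/$NETNAME" >&2; return 1; }
    mkdir -p "$dst"
    cp -R "$src/$NETNAME" "$dst/"

    [ -f "$net/tinc.conf" ] || { echo "tinc.conf missing" >&2; return 1; }
    [ -f "$net/rsa_key.priv" ] || {
        echo "rsa_key.priv missing: run tincd -n $NETNAME -K and redistribute your hosts/<Name> file" >&2
        return 1
    }
    ls "$net/hosts"/* >/dev/null 2>&1 || { echo "no host files in $net/hosts" >&2; return 1; }

    chmod 600 "$net/rsa_key.priv"        # the private key must not be readable by other users
    for f in tinc-up tinc-down; do
        [ -f "$net/$f" ] && chmod a+x "$net/$f"
    done
    # make sure the net starts at boot again
    grep -qx "$NETNAME" "$dst/nets.boot" 2>/dev/null || printf '%s\n' "$NETNAME" >> "$dst/nets.boot"
    return 0
}

# Mode of a file as an octal string (e.g. 600), GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Whole post-upgrade procedure on the router:  sudo sh restore-tinc.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apt-get update && apt-get install -y tinc
    restore_tinc_config "$OLD_ROOT" "" && service tinc restart
fi
```

The function takes source and destination roots so it can be exercised against scratch directories before being pointed at `/`; on a real box the destination root is empty, giving /etc/tinc.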

 

Emerging Member
Posts: 87
Registered: ‎09-25-2013
Kudos: 128
Solutions: 6

Re: Multisite VPN using Edgerouter

Great work!

 

My only concern is throughput.  What speeds did you see using ERL or ER-PRO?

 

I've been told that OpenVPN on ERL has some performance issues due to the lack of hardware acceleration.

 

Would TINC suffer the same fate?

 

-Eli

 

Regular Member
Posts: 418
Registered: ‎02-26-2014
Kudos: 35
Solutions: 4

Re: Multisite VPN using Edgerouter

In my scenario I connected IPsec site-to-site with multiple locations, and terminated OSPF via VTI.

Do you want help ?
Visit -> https://ubiquitipolska.pl

We are Ubiquiti Networks Managed Services and Integrator Company
https://ubntnetworks.net