Good day r/Networking! I am looking for options to solve my site-2-site VPN device needs. We currently tunnel all traffic from our remote sites back to our data-center using Meraki Z3’s (about a dozen sites).
For a few reasons (effective throughput, cost) we are considering dropping Meraki, so I have been tasked with finding alternates. I have hope we could use something lower cost with better throughput, and I am told WireGuard is the answer (is it really better than L2TP/IPsec?)
I have some experience with UniFi gateways, but they are terrible at doing VPN when there is NAT traversal required. (Some of our sites are double-NAT, to make things worse.)
What options do I have for a low-ish (~$400, no subscription) cost Firewall/Gateway/VPN box I could put at the sites that supports some sort of outside-in management that can do decent (usually 100Mbps, sometimes more) throughput on a full-tunnel VPN. Bonus if there is a matching “concentrator” for the data-center side that can manage 2.5Gbps+ of throughput so all the sites don’t feel choked.
Thanks in advance!
I’m using WireGuard to mesh data centres at 100GbE, so yes, WireGuard is faster. Even with QAT I get only about 57GbE with IPsec, plus WireGuard is like the easiest VPN ever to exist: add iBGP and you are good to go. As for the firewalls, pick what you like best and can afford. IMHO I like FOSS solutions better than commercial, but you might think otherwise.
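To make the "full tunnel back to the DC, sites behind double NAT" setup from the question concrete, here is an added example (not from the thread, and not any vendor's code) that generates wg-quick configs for a DC concentrator plus outbound-only site gateways. Every endpoint, address, interface name and key in it is a placeholder assumption: the site tunnel range 10.255.0.0/24, the DC side 10.0.0.0/8, site LANs under 192.168.0.0/16, eth0 as the DC WAN interface, and the `<...>` keys, which you would replace with real ones from `wg genkey` / `wg pubkey`.

```shell
#!/bin/sh
# Added example: emit wg-quick hub-and-spoke configs for a full-tunnel
# site-to-site WireGuard deployment. Not code from the original thread.
# All endpoints, addresses, keys and interface names are placeholders.

HUB_PUBLIC_ENDPOINT="vpn.example.net:51820"   # DC public IP/port, UDP 51820 forwarded in
HUB_TUNNEL_NET="10.255.0.0/24"                # tunnel addressing for hub + sites
HUB_TUNNEL_IP="10.255.0.1"
HUB_PRIVKEY="<hub-private-key>"               # from: wg genkey
HUB_PUBKEY="<hub-public-key>"                 # from: wg pubkey < hub.key
SITE_SUPERNET="192.168.0.0/16"                # every site LAN lives under this
DC_WAN_IF="eth0"                              # DC interface facing the Internet

# gen_spoke_conf NAME INDEX SPOKE_PRIVKEY SITE_LAN
# Config for the site gateway. It has no ListenPort: it only dials out and keeps
# the NAT mapping alive, so single or double NAT at the site does not matter.
gen_spoke_conf() {
  name=$1; idx=$2; privkey=$3; site_lan=$4
  cat <<EOF
[Interface]
# $name, LAN $site_lan
Address = 10.255.0.$idx/24
PrivateKey = $privkey
# 1420 (wg-quick's default) leaves room for the WireGuard/UDP/IP overhead
# on a 1500-byte WAN; a lower value avoids fragmentation on PPPoE links.
MTU = 1420
PostUp = sysctl -w net.ipv4.ip_forward=1

[Peer]
PublicKey = $HUB_PUBKEY
Endpoint = $HUB_PUBLIC_ENDPOINT
# Full tunnel: wg-quick installs a fwmark-based default route through wg0
# while still reaching the hub endpoint directly over the WAN.
AllowedIPs = 0.0.0.0/0
# Re-open the NAT mapping every 25 s so the hub's return traffic gets through.
PersistentKeepalive = 25
EOF
}

# gen_hub_conf reads "NAME INDEX SPOKE_PUBKEY SITE_LAN" lines on stdin and
# writes the concentrator config with one [Peer] per site.
gen_hub_conf() {
  cat <<EOF
[Interface]
Address = $HUB_TUNNEL_IP/24
ListenPort = 51820
PrivateKey = $HUB_PRIVKEY
MTU = 1420
PostUp = sysctl -w net.ipv4.ip_forward=1
# Sites use the DC as their Internet egress, so masquerade their traffic
# on the way out of the DC WAN interface.
PostUp = iptables -t nat -A POSTROUTING -s $HUB_TUNNEL_NET -o $DC_WAN_IF -j MASQUERADE
PostUp = iptables -t nat -A POSTROUTING -s $SITE_SUPERNET -o $DC_WAN_IF -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s $HUB_TUNNEL_NET -o $DC_WAN_IF -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s $SITE_SUPERNET -o $DC_WAN_IF -j MASQUERADE
EOF
  while read -r name idx pubkey site_lan; do
    [ -z "$name" ] && continue
    # On the hub, AllowedIPs is the cryptokey-routing ACL: this key may only
    # send packets sourced from its tunnel address and its own site LAN, and
    # wg-quick also installs the return routes for those prefixes via wg0.
    cat <<EOF

[Peer]
# $name
PublicKey = $pubkey
AllowedIPs = 10.255.0.$idx/32, $site_lan
EOF
  done
}

# Demo with a constructed two-site list (placeholder names, keys and LANs).
gen_spoke_conf branch-a 11 "<branch-a-private-key>" 192.168.11.0/24
printf '%s\n' \
  'branch-a 11 <branch-a-public-key> 192.168.11.0/24' \
  'branch-b 12 <branch-b-public-key> 192.168.12.0/24' | gen_hub_conf
```

Two things worth checking before trusting a deployment like this: the DC side must forward UDP 51820 to the concentrator and have the MASQUERADE rules in place, or the sites will handshake but have no Internet; and the hub's per-peer AllowedIPs must list every prefix that site may source, because WireGuard silently drops packets from a peer whose source address is outside its AllowedIPs. The iBGP suggestion in the reply above replaces the hand-maintained per-site route list with routes learned over the tunnel, but AllowedIPs still has to cover those prefixes since it is an ACL, not only a route table.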
This doc explains why encryption is hard in the cloud, and some creative solutions to the limitation of 1.25 Gbps per core:
https://docs.aviatrix.com/previous/documentation/latest/planning-secure-networks/insane-mode-about.html
WireGuard is a secure and efficient option, but it doesn’t have FIPS certification yet. It uses encryption primitives like ChaCha20, Poly1305, Curve25519, and BLAKE2s, but these haven’t gone through the official FIPS process. Big companies often need FIPS certification, especially if they deal with government work or strict regulations.
Because of this, larger companies tend to stick with solutions that meet these compliance standards. They often have systems built around things like Active Directory and Windows, along with SSL VPNs that are already FIPS certified.
Security is largely about checking boxes to reduce liability, and FIPS is a checkbox.
Good to know on WireGuard. Thank you!
I have lots of flexibility, but I do need some "idiot-proof"-ness of "cloud managed", so I was hoping for suggestions that fit that... hardware or software based.
Interesting, thanks for the info. Thankfully I don't need FIPS compliance in this use case.
Just need that throughput and remotely managed devices/endpoints.