Hi,
I am in need of some advice for a VPN solution for managing multiple sites.
My use case is that we have some Ubuntu servers running, on which we run a BMS (Building Management System). In some cases it would be nice to have VPN access to update the Ubuntu server and get access to other devices on the network (a Modbus converter, for example).
The different sites should not be able to talk to each other at all, only my computer should be allowed access. Some of the sites also have the same local subnet.
It would be nice if I could skip the port-forwarding part if possible.
Some of the sites have fiber, but some are using a 4G router, so it should be able to handle both if possible.
I would prefer a professional solution, not a self-hosted one. Easy to use, install and manage (keep updated/safe) is important.
We don’t mind paying a bit for this if needed, but not crazy amounts.
I don’t need permanent access to the devices, just to log in if something is wrong, and to update the software maybe 2 times a year.
I have looked at a few alternatives, ZeroTier and Tailscale. It looks like ZeroTier would be the best fit for me, since I could create multiple networks? Then I could have each site in its own network, and join a network from my desktop if I needed to log in to a site.
Any other solutions I should look at?
For now we have about 4 different sites, but it will increase over time.
Your segmentation instincts are spot on, and I agree with your desire not to care too much about the bearer network at different sites or faffing around opening firewall ports. You’re already looking at the right architecture. You can see all of the vendors with a mesh overlay network architecture here: The no-bullshit ZTNA vendor directory - I hope that’s helpful. (disclosure; founder @ https://enclave.io)
I think with most of the options, depending on the isolation model you require, you could either:
a) Enrol all systems into a single tenant and configure one-way policies; e.g.
Single Tenant:
[ops-team] → [BMS 1]
[ops-team] → [BMS 2]
or
b) Enrol the systems at each site into their own isolated tenant, then enrol your operator/management system(s) into each individual tenant too:
Tenant 1:
[ops team] → [BMS 1]
Tenant 2:
[ops team] → [BMS 2]
If you went for option (b), your deployment would be similar to how MSPs and Systems Integrators deploy Enclave for their customers. There’s a switch-to verb, which enables management systems to be enrolled to multiple tenants simultaneously, but only active in a single tenant at any one time.
Good luck!
If you can run docker at each network for the controller (maybe on the Ubuntu box) then I think Twingate might work for you also.
Hi, I really like wireguard, so that would be nice.
Is there an easy way to use WireGuard behind without too much hassle? Especially behind a 4G router.
A solution that could be set up at my desk, and is plug and play on-site would be what I am looking for, but I don’t think Wireguard can offer that? Please correct me if I am wrong.
Looks like a good alternative; the only problem I see is that I could have some trouble with devices having the same local subnet. A workaround is I could just leave them all disabled in the dashboard until I need one. Enable that one, use it, disable.
Maybe that’s the easiest option…
Hub/Spoke. Create a central Wireguard server and connect all sites to it. From there use VRF for your routing needs between sites.
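As an added example (not part of the reply above, and not a script from any of the vendors mentioned), here is what the hub-side of that hub/spoke layout can look like with one WireGuard interface per site, each in its own VRF, so two sites that both use 192.168.1.0/24 do not collide and have no route to each other. Interface names, table numbers, ports, keys and addresses are placeholders; the site boxes and the operator laptop need matching peer configs, which are not shown.

```bash
#!/usr/bin/env bash
# Hub-side WireGuard setup: one tunnel interface per site, each enslaved to its
# own VRF (separate routing table), so sites with identical LAN ranges never
# collide and have no route to each other. Placeholder keys/addresses throughout.
set -eu
RUN="${RUN:-}"    # set RUN=echo to print commands instead of executing them

hub_enable_forwarding() {
  $RUN sysctl -q -w net.ipv4.ip_forward=1
}

# site_setup NAME TABLE PORT SITE_PUBKEY OPS_PUBKEY
#   NAME/TABLE/PORT must be unique per site; SITE_PUBKEY is the on-site Ubuntu
#   box, OPS_PUBKEY the operator laptop (both dial out, so no port forwarding
#   at the site; the site peer sets PersistentKeepalive to survive 4G NAT).
site_setup() {
  local name=$1 table=$2 port=$3 site_pub=$4 ops_pub=$5
  # Routing domain for this site only
  $RUN ip link add "vrf-$name" type vrf table "$table"
  $RUN ip link set "vrf-$name" up
  # Tunnel interface lives inside the VRF; the hub is 10.99.0.1 in every tunnel
  $RUN ip link add "wg-$name" type wireguard
  $RUN ip link set "wg-$name" master "vrf-$name"
  $RUN ip addr add 10.99.0.1/24 dev "wg-$name"
  $RUN wg set "wg-$name" listen-port "$port" private-key /etc/wireguard/hub.key
  # Site box may announce its LAN (overlap with other sites is fine: own table)
  $RUN wg set "wg-$name" peer "$site_pub" allowed-ips 10.99.0.2/32,192.168.1.0/24
  # Laptop gets a single /32: it can reach the site but cannot inject routes
  $RUN wg set "wg-$name" peer "$ops_pub" allowed-ips 10.99.0.100/32
  $RUN ip link set "wg-$name" up
  # Kernel route for the site LAN, confined to this site's table
  $RUN ip route add 192.168.1.0/24 dev "wg-$name" table "$table"
}

# Dry-run helper: print the exact commands for review before applying
site_plan() {
  ( RUN=echo; site_setup "$@" )
}

# Example: two sites whose LANs are both 192.168.1.0/24; the laptop keeps a
# separate tunnel config per site and brings up only the one it needs.
if [ "${1:-}" = "apply" ]; then
  hub_enable_forwarding
  site_setup site1 101 51821 "SITE1_PUBKEY_PLACEHOLDER" "OPS_PUBKEY_PLACEHOLDER"
  site_setup site2 102 51822 "SITE2_PUBKEY_PLACEHOLDER" "OPS_PUBKEY_PLACEHOLDER"
fi
```

Run it without arguments and call `site_plan` to review the generated commands; only `apply` touches the kernel, and it must run as root on the hub.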