Small Business Router with Easy VPN config

I am sick of these routers I have been using. I just want to have three routers all VPN'd together. Shouldn't this be pretty easy these days? Does anybody know of a company that makes this easy? I just want a secure link between the three that is on constantly and all traffic can traverse all three locations. Anybody got a recommendation, please?

Easiest config is probably Meraki, but I generally recommend Fortigate, which is pretty easy to do as well.

MikroTik or Ubiquiti

I use Checkpoint and found them easy enough to setup. A bit costly though.

While views vary on the company, Ubiquiti makes site-to-site VPNs very easy. However, I also second u/Internal_Seesaw5612, as I’ve heard a lot of great things about Tailscale.

The Meraki line of Cisco products should also make site-to-site VPNs fairly easy to configure, but they tend to be pricy compared to the alternatives. However, I have not personally configured their VPNs.

Take a look at the Ubiquiti portfolio. You can't go wrong with Ubiquiti.

Move to Tailscale VPN and never look back. Anything that isn't based on WireGuard is legacy VPN software at this point.

Question: do you need just a router or a router/firewall? Because if you're dealing with three site edges then I wouldn't recommend anything other than actual firewalls. ANY UTM, even three desktops running pfSense, will work. They'll all support VPN and can even use routing protocols if you need to get that deep. If you're behind a firewall then pretty much any vendor works. Also it depends on whether there are environmental factors, i.e. this is going on a water tower in the middle of nowhere and isn't going to have active cooling etc.; then you'll want industrial-style equipment.

What routers are you using right now?

I recently did a TP-Link Omada deployment and documented some ‘gotchas’ that were preventing me from setting up a one-to-many site to site VPN.

https://www.reddit.com/r/TPLink_Omada/comments/17m7hjr/multiple_sitetosite_ipsec_vpn_configuration_woes/

Purchase any VPS and install SoftEther to make your own centralised VPN server, with no dependency on the hardware router.

Had Meraki. The auto site-to-site is super nice if you don't have statics. It auto-adjusts and just works.
Just installed a Ubiquiti FW last night. The site-to-site is either OpenVPN or traditional IPsec. Got the IPsec working with the remaining Meraki that I haven't swapped over yet. I'm going to assume the OpenVPN setup will be simpler.

Yeah no, IPsec with AES-256 is just as secure, what are you saying? Just because it's new doesn't make existing secure protocols obsolete. Plus it's new, and new means it's more likely its implementation with vendors is going to be garbage for a few years etc. Like all the craziness with SD-WAN. Literally it's VPNs with a system link monitor on the WAN interface. Stop it.

Router/Firewall/VPN was what I was intending. Each site has a Synology NAS.

It has been setup for the last 6 years or so where each network was 192.168.1.x, 2.x, 5.x and we could all see anything at each others locations. I update the router firmware and it all broke and is being a real PITA to get them all connected again.

To be fair, I only have about 5 computers at each location…

Mikrotik hEX RB750Gr3

Opening ports in your business firewall is usually more of a risk. Also, legacy VPN solutions start with all access completely open. Tailscale VPN is configured to block all by default and you need to manually open what's needed. Set up a few exit nodes that your clients will use to route into your network; no firewall ports needed.

WireGuard has been around for 10 years now; the protocol is very mature and ready for production. Existing protocols are obsolete when you really see how fast and stable WireGuard really is. Not to mention at its core Tailscale is designed to block all by default and its fine-tuned ACL will blow your mind.

Every major VPN provider is in a mass scramble to dev their own WireGuard solutions; the writing is on the wall.

All these consumer-grade devices are going to behave like this. Get yourself a firewall appliance like Fortigate, or literally ANY vendor, and at worst build your own pfSense boxes (I think there's a vendor that sells pfSense appliances etc.).

Anything like this, you'll want something that's vendor-supported. You can get vendor firewalls for cheap and go with basic maintenance and not add all the bells and whistles. Just don't go with consumer products, cough "Netgear" cough, and expect stability.

Good idea to change those subnets now, before you start to route the most common subnet that every home router uses (big problems incoming).
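One way to lay out the three-site mesh the thread keeps circling back to (OP's three routers all linked together, the WireGuard recommendations, and the subnet warning just above), as an added example in Python that is not code from the thread or from any vendor named in it. It generates a wg-quick style config per site for a full mesh, where each peer's AllowedIPs carries its tunnel address plus its LAN, and it refuses to emit anything until the addressing plan passes: no LAN overlaps another LAN or the transit network, and no LAN sits on a default home-router subnet. Everything here is an assumption for illustration: the `Site`, `check_addressing`, `render_config`, `build_mesh` and `with_lan` names, the 10.255.0.0/24 transit network, the documentation-range endpoints, and the key strings, which are placeholders to be replaced by `wg genkey` / `wg pubkey` output. The sample LANs are the thread's 192.168.2.x and 192.168.5.x, with 192.168.1.x moved to 192.168.11.0/24 so the plan passes the check.

```python
"""Full-mesh WireGuard config generator with an addressing sanity check.

Added example, not from the thread: the site table, endpoints and keys below
are constructed placeholders. Real keys come from `wg genkey` and `wg pubkey`.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Interface, IPv4Network, ip_network
from itertools import combinations

# Subnets that home routers commonly hand out by default. A site LAN on one of
# these collides with remote users' home networks as soon as the route is pushed.
COMMON_HOME_SUBNETS = [ip_network("192.168.0.0/24"), ip_network("192.168.1.0/24")]


@dataclass(frozen=True)
class Site:
    name: str
    endpoint: str             # public IP or DNS name plus port, e.g. "203.0.113.10:51820"
    lan: IPv4Network          # LAN behind this site's router
    tunnel_ip: IPv4Interface  # address on the WireGuard interface, e.g. 10.255.0.1/24
    private_key: str          # placeholder; use `wg genkey`
    public_key: str           # placeholder; use `wg pubkey`


def with_lan(site, cidr):
    """Copy of `site` with a different LAN; handy for what-if checks."""
    return replace(site, lan=ip_network(cidr))


def check_addressing(sites):
    """Return a list of problems; an empty list means the plan is routable."""
    problems = []
    transit = sites[0].tunnel_ip.network
    for s in sites:
        if s.tunnel_ip.network != transit:
            problems.append(f"{s.name}: tunnel IP {s.tunnel_ip} not in transit net {transit}")
        if s.lan.overlaps(transit):
            problems.append(f"{s.name}: LAN {s.lan} overlaps transit net {transit}")
        for home in COMMON_HOME_SUBNETS:
            if s.lan.overlaps(home):
                problems.append(f"{s.name}: LAN {s.lan} collides with common home default {home}")
    for a, b in combinations(sites, 2):
        if a.lan.overlaps(b.lan):
            problems.append(f"{a.name}/{b.name}: LANs {a.lan} and {b.lan} overlap")
    return problems


def render_config(me, sites):
    """wg-quick style config for `me`, with one [Peer] per other site."""
    lines = [
        "[Interface]",
        f"Address = {me.tunnel_ip}",
        f"ListenPort = {me.endpoint.rsplit(':', 1)[1]}",
        f"PrivateKey = {me.private_key}",
        "",
    ]
    for peer in sites:
        if peer is me:
            continue
        # AllowedIPs doubles as the route table and the crypto-key routing filter:
        # the peer's tunnel address and everything behind it, nothing else.
        # PersistentKeepalive keeps the NAT mapping alive for sites behind NAT.
        lines += [
            f"# {peer.name}",
            "[Peer]",
            f"PublicKey = {peer.public_key}",
            f"Endpoint = {peer.endpoint}",
            f"AllowedIPs = {peer.tunnel_ip.ip}/32, {peer.lan}",
            "PersistentKeepalive = 25",
            "",
        ]
    return "\n".join(lines)


def build_mesh(sites):
    """Per-site config text, or ValueError listing what to fix first."""
    problems = check_addressing(sites)
    if problems:
        raise ValueError("fix addressing first:\n  " + "\n  ".join(problems))
    return {s.name: render_config(s, sites) for s in sites}


# Constructed sample: three offices on a 10.255.0.0/24 transit network.
SITES = [
    Site("site-a", "203.0.113.10:51820", ip_network("192.168.11.0/24"),
         IPv4Interface("10.255.0.1/24"), "PRIV_A_PLACEHOLDER=", "PUB_A_PLACEHOLDER="),
    Site("site-b", "198.51.100.20:51820", ip_network("192.168.2.0/24"),
         IPv4Interface("10.255.0.2/24"), "PRIV_B_PLACEHOLDER=", "PUB_B_PLACEHOLDER="),
    Site("site-c", "192.0.2.30:51820", ip_network("192.168.5.0/24"),
         IPv4Interface("10.255.0.3/24"), "PRIV_C_PLACEHOLDER=", "PUB_C_PLACEHOLDER="),
]

if __name__ == "__main__":
    for name, cfg in build_mesh(SITES).items():
        print(f"===== {name} =====\n{cfg}")
```

Each router only ever accepts traffic for a peer from the public key bound to that peer, and only for the prefixes listed in that peer's AllowedIPs, so the generated files are also the mesh's routing policy; the UDP ListenPort still has to be permitted on each site's WAN input chain.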

You are not opening a port if the firewall is the one listening on the port. You have to let traffic in some way if you are going to VPN.

> VPN solutions start with all access completely open

No they don’t. And even if they do, they allow you to put an explicit deny all and build out zero trust access. Even Merakis can do this.

Also, if we're going to talk about VPNs becoming legacy, role- and application-based rules are the future, i.e. Zscaler.

Most of the web outside of the States has been moving to IPv6.