Wireguard is the way to go. No platform lock-in, encrypted, extremely lightweight and an easy-to-configure kernel module. Only drawback being that there’s no implemented mesh topology, but that doesn’t sound like a requirement for your use case. We actively push 8Gbit through our WG tunnels with no issues.
Phin

On Thu, Feb 10, 2022 at 6:26 PM Dave Taht <dave.t...@gmail.com> wrote:
> tailscale
>
> On Thu, Feb 10, 2022 at 10:24 AM Mark Wiater <mark.wia...@greybeam.com> wrote:
> >
> > pfsense and opnsense both do fine with natted ipsec in the environments i've tested.
> >
> > Isn't there an openvpn appliance too?
> >
> > On 2/10/2022 1:17 PM, Shawn L via NANOG wrote:
> > >
> > > Meraki MX series?
> > >
> > > I don't like the way they do their licensing (your license runs out, the box is a paper-weight) but they do really well at establishing site-to-site VPNs in some pretty challenging scenarios. Dynamic IPs and NATs don't really cause them a problem. Some CGNats do (AT&T I'm looking at you).
> > >
> > > Shawn
> > >
> > > -----Original Message-----
> > > From: "Keith Stokes" <kei...@salonbiz.com>
> > > Sent: Thursday, February 10, 2022 1:11pm
> > > To: "William Herrin" <b...@herrin.us>
> > > Cc: "nanog@nanog.org" <nanog@nanog.org>
> > > Subject: Re: VPN recommendations?
> > >
> > > Pfsense on Netgate appliances?
> > > I’ve used several of them, while not for this exact purpose they have done the roles but maybe not the amount of VPN traffic.
> > >
> > > --
> > > Keith Stokes
> > > SalonBiz, Inc
> > >
> > > On Feb 10, 2022, at 12:02 PM, William Herrin <b...@herrin.us> wrote:
> > > >
> > > > Hi folks,
> > > >
> > > > Do you have any recommendations for VPN appliances? Specifically: I need to build site-to-site VPNs at speeds between 100mbps and 1 gbit where all but one of the sites are behind an IPv4 NAT gateway with dynamic public IP addresses.
> > > >
> > > > Normally I'd throw OpenVPN on a couple of Linux boxes and be happy but my customer insists on a network appliance. Site-to-site VPNs using IPSec and static IP addresses on the plaintext side are a dime a dozen but traversing NAT and dynamic IP addresses (and automatically re-establishing when the service goes out and comes back up with different addresses) is a hard requirement.
> > > >
> > > > Thanks in advance,
> > > >
> > > > Bill Herrin
> > > >
> > > > --
> > > > William Herrin
> > > > b...@herrin.us
> > > > https://bill.herrin.us/
>
>
> --
> I tried to build a better future, a few times:
> https://wayforward.archive.org/?site=https%3A%2F%2Fwww.icei.org
>
> Dave Täht CEO, TekLibre, LLC
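The layout Bill asks about (one site with a static public address, every other site behind NAT on a dynamic IP, tunnels that come back on their own after an address change) written up as a hub-and-spoke WireGuard configuration. This is an added example, not configuration from anyone in the thread; the hostname, keys, tunnel addresses and LAN prefixes are constructed placeholders.

```ini
# /etc/wireguard/wg0.conf on the hub: the one site with a static public
# address. Constructed example; replace the placeholder keys and prefixes.
[Interface]
Address = 10.200.0.1/24
ListenPort = 51820
PrivateKey = <HUB_PRIVATE_KEY>
# The hub routes between branch LANs, so IP forwarding must be enabled.
PostUp = sysctl -w net.ipv4.ip_forward=1

[Peer]
# Branch A sits behind NAT on a dynamic public IP, so no Endpoint is
# configured here: the hub learns it from the branch's authenticated
# handshake and updates it whenever the source address changes.
PublicKey = <BRANCH_A_PUBLIC_KEY>
AllowedIPs = 10.200.0.2/32, 192.168.10.0/24

[Peer]
PublicKey = <BRANCH_B_PUBLIC_KEY>
AllowedIPs = 10.200.0.3/32, 192.168.20.0/24

# /etc/wireguard/wg0.conf on branch A (branch B is the same with its own
# key, tunnel address and LAN prefix). Hub LAN assumed to be 192.168.1.0/24.
[Interface]
Address = 10.200.0.2/24
PrivateKey = <BRANCH_A_PRIVATE_KEY>
# No ListenPort: the branch only initiates, and the NAT picks the port.

[Peer]
PublicKey = <HUB_PUBLIC_KEY>
Endpoint = hub.example.net:51820
# Tunnel subnet plus every remote LAN reached through the hub.
AllowedIPs = 10.200.0.0/24, 192.168.1.0/24, 192.168.20.0/24
# Keepalives hold the NAT mapping open so the hub can send inbound
# packets, and force a fresh handshake from the new address shortly
# after the branch's ISP hands it a different public IP.
PersistentKeepalive = 25
```

On the hub, `wg show` lists each peer's current endpoint and last handshake time, which is how you confirm a branch has re-established from a new address. wg-quick resolves the hub's Endpoint hostname once at interface start, which is why this layout needs the hub to be the site with the fixed address.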