gravitl / netmaker

Netmaker makes networks with WireGuard. Netmaker automates fast, secure, and distributed virtual networks.
https://netmaker.io

how to build multiple site-to-site mesh VPN ? #51

Closed changchichung closed 2 years ago

changchichung commented 3 years ago

I see no documents about how to establish a site-to-site VPN using netmaker. Is this feature complete yet?

afeiszli commented 3 years ago

Hi @changchichung, "site-to-site" configuration is not currently supported, only "full mesh." However, if you detail your use case / needs and how you envision it working, we will get that into the roadmap. I would like to see site-to-site functional within the next month, as I have use cases for it as well.

afeiszli commented 3 years ago

I am going to tentatively roadmap this for v0.6, slated for mid-June. We will reassess next sprint to see if we can fit it in any sooner.

changchichung commented 3 years ago

I want to apply mesh VPN in two main ways:

* connections between headquarters and branch offices
* connecting staff from home to the office

This is how we connect HQ and BO with Openswan IPsec on OpenWrt routers.

I had 8 routers and each one needed to maintain 7 IPsec tunnels (keys/configurations...). As you can imagine, when I had to add or remove any one of them, it was really a disaster.

After the launch of WireGuard, I switched to WireGuard for site-to-site VPN and used Ansible as the management tool. Compared with before, it is much more convenient now, but I think it is not enough; I would prefer to achieve a full mesh VPN with a web UI to add/delete nodes/keys/iptables rules.

So I found GL.iNet's routers. On some models, GL.iNet provides the "goodcloud" service, which is basically GL.iNet's version of the Tailscale/ZeroTier service. goodcloud can meet most of my needs, but there are some limitations:

  1. The same network can only have 10 routers
    • "Due to the device's performance, each Site to Site network can have up to 10 devices"
  2. So far, the service is very stable, but what about the future?

So I think I need a solution that can be:

* set up on my own (easily)
* run on an OpenWrt router (x86/ARM)
* a full mesh site-to-site VPN managed in a web UI

I tried many projects to do so: Nebula/ZeroTier/tinc and many other tools. Each has its own advantages and disadvantages. https://github.com/costela/wesher is a good one, but they do not provide a site-to-site solution so far.

Connecting staff from home to the office is easier, I think.

I can configure a server easily (Docker would be better!) and manage nodes in a web UI/command prompt (or LDAP in the future?).

These are my user stories. I sincerely hope that netmaker can become the total solution for full mesh VPN.

afeiszli commented 3 years ago

Hi @changchichung, please watch our tutorial video on setting up gateways and comment on whether this solves your need. If we require further enhancements like a relay/concentrator, let us know.

https://youtu.be/krCKBJhwwDk

changchichung commented 3 years ago

Do you have official documents for setting up a gateway? I know there is a video tutorial, but I think official documents will help users build standard procedures.

And also, can gateway mode only be turned on/off in the web UI? I deployed netmaker with Ansible, and full support for command line mode is very important for Ansible/Chef/Puppet.

Cucalister commented 3 years ago

Hi, I'm on the exact same network topology as @changchichung and also using OpenWrt (x86) as main routers. I'm currently using tinc, but want to use netmaker. Can we get a step by step guide to install and configure it?

So we get a main HQ with netmaker on the same OpenWrt router.

N branch offices, each with one public IP and lots of PCs on a 192.168.x.x IP range, so all branch offices can reach 192.168.x.x IPs on the other ones and HQ PCs too, and the rest of the internet traffic goes directly to the internet from each branch office's router.

All with a full mesh VPN to reduce hops and improve latency.

Then of course N road warriors to connect staff from home to the office, doing full traffic through the VPN.

afeiszli commented 3 years ago

Hi Cucalister, Netmaker's netclient does not currently support OpenWrt. You should be able to achieve this without OpenWrt by specifying a gateway node in each office location. You could also just create a full mesh with all the devices and avoid the gateway altogether. Devices will use the local network for routing locally (192.168.x.x), so you don't need to be concerned about them going out to the internet and back in.

If you require the netclient to run on OpenWrt, this would require custom development. We are looking for support to run the netclient on OpenWrt, but it is currently out of scope for us.
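To make the hand-managed setup the thread describes concrete (one gateway router per office, the office LAN reachable through it, every router holding a peer entry for every other), here is an added example that generates plain WireGuard configs for a full mesh of N sites. It is not Netmaker's or netclient's code; the site list, endpoints, overlay addresses and key strings are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass
class Site:
    name: str
    public_endpoint: str   # "host:port" the other routers dial (constructed)
    wg_address: str        # this router's address on the WireGuard overlay
    lan_cidr: str          # office LAN behind the router, e.g. 192.168.x.0/24
    public_key: str        # placeholder; real keys come from `wg genkey | wg pubkey`

def peer_sections(this: Site, sites: list[Site]) -> list[str]:
    """One [Peer] block per other site. AllowedIPs is WireGuard's cryptokey
    routing table: it both routes traffic for the peer's LAN into the tunnel
    and restricts which source addresses that peer may send, so a branch
    router can only speak for its own overlay address and its own subnet."""
    blocks = []
    for peer in sites:
        if peer.name == this.name:
            continue
        blocks.append("\n".join([
            "[Peer]",
            f"# {peer.name}",
            f"PublicKey = {peer.public_key}",
            f"Endpoint = {peer.public_endpoint}",
            f"AllowedIPs = {peer.wg_address}/32, {peer.lan_cidr}",
            "PersistentKeepalive = 25",
        ]))
    return blocks

def render_config(this: Site, sites: list[Site]) -> str:
    """Full wg-quick style config for one router (private key left as a
    placeholder so nothing secret ends up in generated files)."""
    header = "\n".join([
        "[Interface]",
        f"Address = {this.wg_address}/24",
        "ListenPort = 51820",
        f"PrivateKey = <private key of {this.name}, kept out of config management>",
    ])
    return header + "\n\n" + "\n\n".join(peer_sections(this, sites)) + "\n"

def tunnels_to_maintain(n_sites: int) -> int:
    """Full mesh: each router keeps n-1 peers, n(n-1)/2 tunnels overall;
    this is the growth that makes manual add/remove painful."""
    return n_sites * (n_sites - 1) // 2

# Constructed sample topology: 8 offices, one /24 behind each router.
SITES = [Site(f"site{i}", f"203.0.113.{i}:51820", f"10.99.0.{i}",
              f"192.168.{i}.0/24", f"PUBKEY_SITE{i}_PLACEHOLDER")
         for i in range(1, 9)]

if __name__ == "__main__":
    print(render_config(SITES[0], SITES))
```

Adding a ninth site means regenerating and redistributing all eight existing configs, which is exactly the coordination a controller like Netmaker takes over.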

afeiszli commented 2 years ago

We have started supporting OpenWrt in the community; it would be good to hear an update on this, but I am closing it in the meantime as this issue is now stale.