I have been asked to set up connectivity between four office locations for a friend's business. Right now, they use a combination of VNC and OneDrive, which is not ideal!
Each location needs to be able to access data/directory shares, and use a secure connection to each of the other locations.
I am familiar with the concept of hub and spoke, but am unsure what I need to implement this. Each location has a dedicated IP address; so my assumption is that each location will have its own subnet:
Or something to that effect. I also assume we would use a VPN from each of the locations to a central location?
What do I need for each of the locations in terms of hardware? This is not a big operation, so spending a lot on Cisco appliances may be a stretch. What would I need to use at the central/hub location? Would it be possible to use an AWS Customer Gateway? I am not sure what the performance of that is like however.
The cheapest method is something like a pfSense firewall on any random hardware. The next step up is a vendor firewall like a FortiGate (that would also give you the possibility of ADVPN, so each connection would easily be able to set up connection to the other locations without involving the hub).
ZeroTier is a full mesh VPN. When used with a routing protocol such as OSPF, RIP, or BGP, each site will be able to directly communicate with each other without hairpinning through one site. Host your own controller with ztncui for a completely free solution.
Please keep in mind, my advice comes from a hobbyist/enthusiast experience, not from a professional MSP / admin perspective.
The simple solution is Hub & Spoke: Pick the fastest location (or rent a server in a datacenter), have all locations connect via [OpenVPN / WireGuard / IPSec].
Another option would be a WireGuard mesh config. You mentioned each location has a dedicated IP address. So you could create a config for each location that has the other three locations as peers so e.g. traffic from loc2 to loc3 does not need to go through the one central location.
There is a helper module for this, but you could do all of this by hand: github.com/k4yt3x/wg-meshconf
Regarding hardware, this depends on your supported internet speeds. For example, the Netgate 4200 looks like a great fit for up to gigabit speeds.
After that, you still need a solution for remote desktop and filesharing. Assuming it’s just randomly grown hardware without a domain, this could be the bigger task at hand.
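The four-site WireGuard mesh described in the post above, as an added example that is not from the thread and not the code of wg-meshconf: a Python generator that writes one wg-quick config per site, with the other three sites as direct peers. The site names, the RFC 5737 documentation addresses standing in for each office's dedicated IP, and the LAN and tunnel ranges are constructed placeholders. X25519 public-key derivation is implemented inline (RFC 7748) only so the script runs offline without the `wg` tool or third-party packages; the port and keepalive values are assumptions.

```python
"""Generate a full-mesh WireGuard (wg-quick) configuration for N sites.

Added example, not from the thread. Site data below is constructed
(RFC 5737 documentation addresses); replace with the real dedicated IPs.
X25519 is implemented inline (RFC 7748) so this runs offline; on a real
box you would just run `wg genkey | tee privatekey | wg pubkey`.
"""
import base64
import ipaddress
import secrets

P = 2**255 - 19
A24 = 121665


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 Montgomery ladder (not constant-time; fine for config generation)."""
    k = bytearray(scalar)
    k[0] &= 248          # clamp the scalar as the RFC requires
    k[31] &= 127
    k[31] |= 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)   # mask the top bit of u
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private_key: bytes) -> bytes:
    """WireGuard public key = X25519(private, base point 9)."""
    return x25519(private_key, (9).to_bytes(32, "little"))


def b64(key: bytes) -> str:
    return base64.b64encode(key).decode()


def build_mesh(sites, port=51820, keepalive=25):
    """Return {site_name: wg-quick config text}; every site lists every other site as a peer."""
    # Cryptokey routing: AllowedIPs is also the routing table, so two peers must never
    # claim overlapping ranges or traffic for one office silently goes to another.
    lans = [ipaddress.ip_network(s["lan"]) for s in sites]
    for i, a in enumerate(lans):
        for other in lans[i + 1:]:
            if a.overlaps(other):
                raise ValueError(f"overlapping LAN subnets {a} and {other}")
    keys = {}
    for s in sites:
        priv = s.get("private_key") or secrets.token_bytes(32)   # normally made on the box itself
        keys[s["name"]] = (priv, public_key(priv))
    # One pre-shared key per unordered pair, identical on both ends of that tunnel.
    psk = {}
    for i, a in enumerate(sites):
        for other in sites[i + 1:]:
            psk[frozenset((a["name"], other["name"]))] = secrets.token_bytes(32)
    configs = {}
    for me in sites:
        lines = [
            "[Interface]",
            f"# {me['name']}",
            f"Address = {me['tunnel']}",
            f"ListenPort = {port}",
            f"PrivateKey = {b64(keys[me['name']][0])}",
        ]
        for peer in sites:
            if peer["name"] == me["name"]:
                continue
            peer_tunnel_ip = ipaddress.ip_interface(peer["tunnel"]).ip
            lines += [
                "",
                "[Peer]",
                f"# {peer['name']}",
                f"PublicKey = {b64(keys[peer['name']][1])}",
                f"PresharedKey = {b64(psk[frozenset((me['name'], peer['name']))])}",
                f"Endpoint = {peer['wan']}:{port}",           # the peer's dedicated public IP
                f"AllowedIPs = {peer_tunnel_ip}/32, {peer['lan']}",
                f"PersistentKeepalive = {keepalive}",         # keeps NAT/firewall state alive
            ]
        configs[me["name"]] = "\n".join(lines) + "\n"
    return configs


# Constructed sample data: RFC 5737 addresses stand in for each office's dedicated IP.
SITES = [
    {"name": "loc1", "wan": "192.0.2.10", "lan": "10.1.0.0/24", "tunnel": "10.255.0.1/24"},
    {"name": "loc2", "wan": "198.51.100.20", "lan": "10.2.0.0/24", "tunnel": "10.255.0.2/24"},
    {"name": "loc3", "wan": "203.0.113.30", "lan": "10.3.0.0/24", "tunnel": "10.255.0.3/24"},
    {"name": "loc4", "wan": "192.0.2.40", "lan": "10.4.0.0/24", "tunnel": "10.255.0.4/24"},
]

if __name__ == "__main__":
    for name, cfg in build_mesh(SITES).items():
        print(f"##### /etc/wireguard/wg0.conf for {name} #####")
        print(cfg)
```

Each generated file goes to `/etc/wireguard/wg0.conf` on its site's router and is brought up with `wg-quick up wg0`; the router must also forward between the LAN and `wg0`, and the office gateway must let UDP 51820 in on the dedicated IP. The overlap check matters because WireGuard has no separate routing table for the tunnel: `AllowedIPs` both filters what a peer may send and decides which peer a packet is sent to.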
Cisco’s end of year is coming up in July. Buy four MX65s and turn AutoVPN on. It’s got its limits, but if your needs are simple the whole thing just works.
What equipment do you have right now in each office? You might not have to buy additional equipment, assuming each office has somewhat of a decent router. If that’s the case:
Set up an IPsec tunnel from the office with the fastest internet to all other offices
Use OSPF or BGP to share routing tables between the offices
Why is it so many people default to the old-ass IPsec?
It’s an ancient, gigantic pile of code that is slow and supports too many insecure standards. The giant pile of code makes it much harder to audit and the old insecure standard support makes it easier to accidentally (or unknowingly) configure it in an insecure manner.
Why use it for regular site-to-site VPNs when OpenVPN and WireGuard exist?
Edit: I don’t understand why everyone is downvoting and nobody is actually answering my question.
This is one of my favorite solutions. Works great; however, I did notice a little bit of throughput issues through the tunnel (i.e. both sites have a 300/300 link but I was only able to make transfers of around 40Mb/s).
Because IPsec has been the de-facto standard for decades. Security is as strong as you make it. It is a large code base, but it’s perfectly feasible to deploy it securely and it has broad support across enterprise hardware.