
Thread: VPN Routers

  1. #41
    Join Date
    Jan 2003
    Location
    USA
    Posts
    9,437
    Post Likes
    Quote Originally Posted by BetterDuck View Post
    And if they essentially go out of business or something similar then what?
    All these cloud VPN solutions are a $hit show.

    Tosi and their marketing BS gets me fired up a bit. No cloud services...except the connection facilitating part they don't want to talk about. They go under, decide to stop supporting that server, bought out, etc, your hardware investment could be garbage instantly. I have several issues with their slick sales BS that is skin deep at best...man.
    Last edited by orion242; 01-15-2020 at 09:50 PM.
    Propagating the formula. http://www.noagendashow.com/

  2. Likes SuperJ liked this post.
  3. #42
    Join Date
    Jan 2003
    Location
    USA
    Posts
    9,437
    Post Likes
    Quote Originally Posted by MaxBurn View Post
    Thing is once you are committed to managing OpenVPN with CLI you don't need a dedicated box or VM for it
    Kinda my thoughts. If you're really going down the OpenVPN path for all your needs, which it can likely meet...you will learn the CLI at some point or look elsewhere. Be it some other GUI wrapper or whatever that each have their own limits before you're CLI again.

    Quote Originally Posted by MaxBurn View Post
    Yes the ER8 certainly do with a price to match
    It's a one time cost and it's going to take a lot to outgrow. Rock solid, constantly updated, low power and all the networking options one could ask for. Much of which is done with ASIC level performance that would be hard to match with general computing hardware.
    Last edited by orion242; 01-15-2020 at 09:49 PM.
    Propagating the formula. http://www.noagendashow.com/

  4. #43
    Join Date
    Jan 2003
    Location
    USA
    Posts
    9,437
    Post Likes
    Quote Originally Posted by amigo View Post
    not sure of the cost for EIGR-V, but I think I read it can do 15 site to site, not too bad.
    It's prob more than capable of that for the minor traffic BMS requires. That said, the hardware is cheap but you need to invest in learning it which is mainly CLI for this. It's a one time cost though, much of which is just OpenVPN config that directly translates to other products using OpenVPN. It's cheap gear and if it doesn't work out, most of what you learned directly relates to other OpenVPN based products. Learn to set up OpenVPN and you're not reliant on any service that could evaporate overnight and any monthly fees associated with them.

    Want something easy, there are several options with parasitic recurring fees. MSPs are massive targets for ransomware these days. Hope you're filtering any connection they have onsite if that's your route. Wait is there a click, click GUI for that as well??
    Propagating the formula. http://www.noagendashow.com/

  5. #44
    Join Date
    Nov 2015
    Posts
    541
    Post Likes
    Quote Originally Posted by orion242 View Post
    All these cloud VPN solutions are a $hit show.

    Tosi and their marketing BS gets me fired up a bit. No cloud services...except the connection facilitating part they don't want to talk about. They go under, decide to stop supporting that server, bought out, etc, your hardware investment could be garbage instantly. I have several issues with their slick sales BS that is skin deep at best...man.
    Exactly.

  6. #45
    Join Date
    Jan 2008
    Location
    In the work truck
    Posts
    3,275
    Post Likes
    Thread Starter
    What is your preferred VPN solution if you were to offer installing one to a customer? Has anyone implemented the OpenVPN ( I will call it a client ) in a customer building with an outbound connection only? Does that require Open VPN Access Server?

    I have deployed Edge Router Lites in a stand alone config. ( requires 1194 to be open on the firewall) and I use TosiBox.
    Gotta have the right tool for the job!

    Where is all the stuff MADE IN THE USA?

    "Thats what we do Troy. Incredible, Invisible, Imbelivable things. We are an Unseen, Unknown, Unvincible fraternity of craftsman.."

  7. #46
    Join Date
    Jan 2003
    Location
    USA
    Posts
    9,437
    Post Likes
    Quote Originally Posted by Pascone10 View Post
    What is your preferred VPN solution if you were to offer installing one to a customer.
    I wouldn't say we have settled on any one solution yet.

    Quote Originally Posted by Pascone10 View Post
    Has anyone implemented the OpenVPN ( I will call it a client ) in a customer building with an outbound connection only? Does that require Open VPN Access Server?
    You can set up any of the edge routers to dial out to an Openvpn server on the net, aka no port forwarding needed on the customer site. You do need to have a port open at your office to allow that inbound connection through. Really anything using Openvpn can be set up this way.

    It could be as simple as two ERXs. One on site that is set up to phone home and maintains that VPN tunnel to your office, DC, whatever that is just another ERX. You could also have the win/linux/etc OpenVPN server running on a box that receives the connection as well. Pretty much do whatever you want.

    The draw to something like Tosi is they make the management of these setups easy. After dealing with them and the more questions I asked, the weaker my confidence got.
    Propagating the formula. http://www.noagendashow.com/

  8. #47
    Join Date
    May 2009
    Location
    SC
    Posts
    4,047
    Post Likes
    Quote Originally Posted by Pascone10 View Post
    Has anyone implemented the OpenVPN ( I will call it a client ) in a customer building with an outbound connection only?
    That's how OpenVPN clients work, they are the ones that reach out to the passive listening server. This is not at all like an IPsec site to site VPN where both ends need to be visible to the other.

    Quote Originally Posted by Pascone10 View Post
    Does that require Open VPN Access Server?
    That's the paid product and you could use that but it isn't necessary. Everything I've done is with community edition and that's what gets embedded in all these devices.
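
The outbound-only layout described in posts #46 and #47, sketched as plain OpenVPN community-edition config files. This is an added example, not part of the original posts and not EdgeOS CLI syntax; the host name, subnets and file names are placeholders, and the site router is assumed to hold a certificate with CN `site-a`.

```conf
# ---- office-server.conf: listens at the office/DC (constructed example) ----
# The only inbound port that has to be opened, and only on the office firewall.
port 1194
# OpenVPN default transport; a TCP tunnel would use "proto tcp-server" here.
proto udp
dev tun
topology subnet
# Tunnel addressing (assumed).
server 10.8.0.0 255.255.255.0
ca ca.crt
cert office.crt
key office.key
dh dh.pem
# HMAC on the control channel: unsigned packets are dropped before TLS starts.
tls-auth ta.key 0
# Per-site settings live in ccd/<certificate CN>.
client-config-dir ccd
# Customer BMS LAN (assumed) is reached through the tunnel.
route 192.168.10.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun
verb 3

# ---- ccd/site-a: file name equals the CN of the site router's certificate ----
# Tells the server which connected client owns the customer LAN.
iroute 192.168.10.0 255.255.255.0

# ---- site-a-client.conf: on the customer-site router, outbound only ----
client
dev tun
# Must match the server; a TCP tunnel would use "proto tcp-client" here.
proto udp
# Office public name or IP (placeholder).
remote vpn.example.com 1194
resolv-retry infinite
# No fixed local port, so nothing listens and nothing is forwarded on site.
nobind
ca ca.crt
cert site-a.crt
key site-a.key
# Refuse any peer whose certificate is not marked as a server certificate.
remote-cert-tls server
tls-auth ta.key 1
persist-key
persist-tun
verb 3
```

Because each site has its own certificate, one site can be cut off by revoking that certificate on the server without touching the customer's firewall.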

  9. #48
    Join Date
    May 2009
    Location
    SC
    Posts
    4,047
    Post Likes
    Yet another option if you want a GUI based OpenVPN server solution. I haven't used it, just stumbled across it.

    https://www.softether.org/
    https://www.softether.org/3-screens/1.vpnserver
    https://en.wikipedia.org/wiki/SoftEther_VPN

  10. #49
    Join Date
    Jan 2008
    Location
    In the work truck
    Posts
    3,275
    Post Likes
    Thread Starter
    thank you guys
    Gotta have the right tool for the job!

    Where is all the stuff MADE IN THE USA?

    "Thats what we do Troy. Incredible, Invisible, Imbelivable things. We are an Unseen, Unknown, Unvincible fraternity of craftsman.."

  11. #50
    Join Date
    Jan 2003
    Location
    USA
    Posts
    9,437
    Post Likes
    Quote Originally Posted by MaxBurn View Post
    Yet another option if you want a GUI based OpenVPN server solution. I haven't used it, just stumbled across it.

    https://www.softether.org/
    https://www.softether.org/3-screens/1.vpnserver
    https://en.wikipedia.org/wiki/SoftEther_VPN
    Just a quick look it doesn't seem they are based on Openvpn. Maybe I'm missing something. It does seem to be an actively maintained project though.
    Propagating the formula. http://www.noagendashow.com/

  12. #51
    Join Date
    May 2009
    Location
    SC
    Posts
    4,047
    Post Likes
    OpenVPN is one of a handful of VPN protocols it supports.

  13. #52
    Join Date
    Jan 2020
    Posts
    10
    Post Likes
    If you are providing a firewall and they are giving you a static IP I suggest sonicwall. The sslvpn is fantastic. GUI is pretty good too and there are tons of how-to videos all over.

  14. #53
    Join Date
    Jun 2015
    Location
    Dallas, GA
    Posts
    52
    Post Likes
    I use Tosi Box atm, been using it for a bit and I love it. We are implementing them in every job that we do so we can have access to our customer sites. My last job I used to set up a Cisco 5505 and send it to rackspace which was a bit of a pain. It takes no more than 10 mins to set the tosi box up and I also have it linked to my cell phone which allows me to jump on a site when I am not home.

  15. #54
    Join Date
    Jan 2019
    Location
    los angeles
    Posts
    4
    Post Likes
    Have you ever had clients ask to install in residential or mostly commercial applications?

  16. #55
    Join Date
    May 2009
    Location
    SC
    Posts
    4,047
    Post Likes
    Quote Originally Posted by rkruegs View Post
    Have you ever had clients ask to install in residential or mostly commercial applications?
    Mostly commercial though churches are pretty close to residential in a lot of ways, ways they probably shouldn't be but still.

  17. #56
    Join Date
    May 2009
    Location
    SC
    Posts
    4,047
    Post Likes
    Bunch of links regarding wireguard VPN on Ubiquiti Edgerouter. https://www.reddit.com/r/Ubiquiti/co...esource_links/

    EdgeRouter WireGuard Resource Links

    EdgeRouter WireGuard community thread:

    https://community.ui.com/questions/R...a-3ac9d9c22311

    Original ER WG GitHub (no longer active)

    https://github.com/Lochnair/vyatta-wireguard/releases

    Current active ER WG FossoresLP fork from Lochnair

    https://github.com/FossoresLP/vyatta-wireguard

    EdgeRouter WireGuard install/update/remove script (uses new FossoresLP fork)

    https://github.com/mafredri/vyatta-wireguard-installer

    ER script to automate adding WireGuard peers

    https://www.reddit.com/r/WireGuard/c...uard_peers_on/

    Link to ER/WireGuard/mullvad config discussion

    https://www.reddit.com/r/Ubiquiti/co...setup_for_erx/

    Detailed Blog on ER/WG Setup example (note: points to older Lochnair GitHub)

    https://www.erianna.com/wireguard-ubiquity-edgeos/
    So not mainstream enough for production IMO but someone might easily play with this.

  18. #57
    Join Date
    Jan 2008
    Location
    In the work truck
    Posts
    3,275
    Post Likes
    Thread Starter
    Cool Maxburn.

    Is WireGuard ready for production? I keep reading mixed things.

    Edit- Just noticed that it’s not in a package from UBNT so it won’t stay after a firmware upgrade.
    I’ll wait for that LOL.

    I wish they would get WireGuard or OpenVPN in the UI...

  19. #58
    Join Date
    May 2009
    Location
    SC
    Posts
    4,047
    Post Likes
    Quote Originally Posted by Pascone10 View Post
    Cool Maxburn.

    Is WireGuard ready for production? I keep reading mixed things.
    These guys said it better; https://restoreprivacy.com/wireguard/

    and https://courses.csail.mit.edu/6.857/...-WireGuard.pdf

    As far as the Edgerouter specific implementation it's a hard no from me until Ubiquiti rolls it into the base OS. At the moment if I understand it right you need to reinstall it after a firmware update...

  20. #59
    Join Date
    Mar 2001
    Posts
    172
    Post Likes
    There are already so many available open source VPN solutions. So what is the benefit of BACnet/SC?
    IMHO Wireguard or OpenVPN over UDP may be more suitable for BACnet/IP.
    Running connection-less application protocol on a TCP based transport layer is not a good design.
    Carrier CCN Modbus/BACnet gateway
    BACnet router for BIP, MS/TP, Ethernet
    http://www.hvacrcontrol.com/?lang=en

  21. #60
    Join Date
    May 2009
    Location
    SC
    Posts
    4,047
    Post Likes
    In my testing I found that I had fewer trend and alarm dropouts if I put BACnet/IP in a TCP OpenVPN tunnel. To me it made sense that stacking UDP on top of UDP and then sending that over the internet wouldn't be so reliable and testing seems to have borne that out. BACnet requests have retries etc but the broadcasts to the server for recording history and events appear to be sent with no confirmation I know of. I haven't looked too closely into this in the BACnet spec to see if this should be the case but it was very plain to see years ago when I did the testing that all the trends and alarms didn't always get there.

    The standard advice for OpenVPN is to use UDP because you don't want to have TCP in TCP and I agree with that, it's just that the advice changes when you want reliable UDP and the language itself doesn't take care of it.

    Another strike against Wireguard in BMS applications, no TCP tunnel option.

    BACnet/SC (and/or some API) in particular gives BMS vendors a chance to settle on something built into the controller.

    Edit; In a Niagara situation that TCP/UDP situation might change because it's not BACnet between the jace and super, it's fox. Maybe fox has some more handshakes to compensate for missing packets?
