
Thread: VPN Routers

  1. #21
    Join Date
    May 2009
    Location
    SC
    Posts
    2,823
    Post Likes
    Looks like Contemporary Controls got into enabling the self-hosted VPN business.

    https://www.ccontrols.com/enews/2020/0120story1.htm

    Necessary hardware; https://www.ccontrols.com/ctrlink/remotevpn.php

    I wasn't terribly impressed with their VPN appliances and you can build the same thing with better commercial routers as I've mentioned, but there is a niche for this stuff in making it easy with no recurring fees. If it is easy, that is; I found comments above suggesting it isn't super easy.

  2. #22
    Join Date
    Jan 2008
    Location
    In the work truck
    Posts
    3,268
    Post Likes
    Thread Starter
    Quote Originally Posted by MaxBurn View Post
    Looks like Contemporary Controls got into enabling the self-hosted VPN business.

    https://www.ccontrols.com/enews/2020/0120story1.htm

    Necessary hardware; https://www.ccontrols.com/ctrlink/remotevpn.php

    I wasn't terribly impressed with their VPN appliances and you can build the same thing with better commercial routers as I've mentioned, but there is a niche for this stuff in making it easy with no recurring fees. If it is easy, that is; I found comments above suggesting it isn't super easy.

    You know what’s easy... Tosi Box! I looked into CC a little while ago but like you mentioned the fees turned me off. Using Tosi Box I have no reason to look elsewhere.
    Gotta have the right tool for the job!

    Where is all the stuff MADE IN THE USA?

    "Thats what we do Troy. Incredible, Invisible, Imbelivable things. We are an Unseen, Unknown, Unvincible fraternity of craftsman.."

  3. #23
    Join Date
    May 2009
    Location
    SC
    Posts
    2,823
    Post Likes
    To clarify: the reason I was mentioning the new CC self-hosted solution was that there are no ongoing fees when you host it yourself.

  4. #24
    Join Date
    Nov 2015
    Posts
    407
    Post Likes
    LOYTEC uses OpenVPN client and/or server in the product line. It's built in. If you want to use OpenVPN on your VAV box, you can do it.

    Tosibox seems very nice, but if you want some more control of your setup, there could be an issue down the road on that product. The question to ask on that is what would be a problem if they disappear tomorrow?

  5. #25
    Join Date
    May 2009
    Location
    SC
    Posts
    2,823
    Post Likes
    Quote Originally Posted by BetterDuck View Post
    The question to ask on that is what would be a problem if they disappear tomorrow?
    It would be a real problem if their cloud thing that directs everything to connect to each other goes away. I don't recall that they have recurring fees for that either which opens it up to a funding issue. On paper they seem to charge enough for the devices to fund the cloud component but in business that money they already have sometimes gets spent instead of being put away to fund the cloud portion. Small but real concern.

  6. #26
    Join Date
    Jan 2008
    Location
    In the work truck
    Posts
    3,268
    Post Likes
    Thread Starter
    Absolutely. You guys are right about the concern. There are no fees currently. What I like about the Tosi Box is that I don’t need to open a firewall port. Get the OK from IT to install and away we go.

    I would imagine that the CC needs port 1194 opened up. They don’t really say in the email I read. Were you able to find specific installation instructions to confirm or deny?

  7. #27
    Join Date
    May 2009
    Location
    SC
    Posts
    2,823
    Post Likes
    In textbook OpenVPN deployments you need a central hub that all the remote sites can connect to; that's the only thing that needs a port open to the internet. That's what CC is doing: their bigger router acts as the server and all the remote sites connect to that as clients. From the CC site:

    Only the EIGR-V router running the OpenVPN server needs to be publicly accessible on a single IP port. You can easily put this behind an existing infrastructure router and use port forwarding from the infrastructure/internet router to the EIGR-V OpenVPN server.

  8. #28
    Join Date
    Jan 2008
    Location
    In the work truck
    Posts
    3,268
    Post Likes
    Thread Starter
    Wouldn’t we need an EIGR-V also set up on the other end (customer's building) for the site-to-site VPN to work?

    I have only configured OpenVPN Servers to connect to buildings, then using my PC (client I suppose) to connect to it.

    I’ll start some googling because I don’t see it specified on their site, but you're saying the customer's EIGR-V would not be configured as an OpenVPN server, therefore it would only require an outbound connection.

    Makes sense. Never tried that. So CC is making the shared keys easier to set up more than likely.

  9. #29
    Join Date
    May 2009
    Location
    SC
    Posts
    2,823
    Post Likes
    There are site-to-site VPNs out there but that isn't what this is. The OpenVPN configuration I'm familiar with is hub and spoke. The server passively listens for connections and clients actively reach out to connect to the server. The server doesn't really care where the clients reach in from. So on the client side you can reach out through a NAT with a dynamic IP, no port forwarding, and everything is fine. The OpenVPN application itself has no real difference between client or server. It can be client or server; it just depends on what configuration you feed it and tell it what to do.

    I have a couple of EIPR-V in the office and they have no provision to generate VPN configurations for you in their UI; they only have a place to upload an OpenVPN configuration file with inline keys. In CC's lineup for "BAS Cloud", which was their hosted VPN solution, the EIPR-V is the OpenVPN client that connected to their server in their data center. Maybe you could hand-assemble a server config for this router but I got the impression it was pretty CPU and memory constrained.

    In the literature on their website CC describes the EIGR-V as having the ability to build OpenVPN server and client configs in the web page. Here I'm picturing something like a pfSense OpenVPN server config plus their automated OpenVPN client config export utility. I'm optimistic here, the pfSense OpenVPN configuration is actually really well done.

  10. #30
    Join Date
    Jan 2008
    Location
    In the work truck
    Posts
    3,268
    Post Likes
    Thread Starter
    Yes. pfSense did a great job. I use the Ubiquiti EdgeRouter often and have set up OpenVPN on it. That’s all CLI. Not so much fun. But I learned quite a bit.

    For the CC implementation to take off they need a simple UI like pfSense. Otherwise I don’t see it going very far.

    Thanks for the explanation on the OpenVPN config. I have to wrap my head around how to make that work in an outbound fashion.

    Side note. Have you looked into WireGuard at all?

  11. #31
    Join Date
    May 2009
    Location
    SC
    Posts
    2,823
    Post Likes
    If you have seen the diagram on BACnet SC and how that works it's very similar to OpenVPN. Minus the redundant hub.

    I read the web page for WireGuard and it sounds good. Functionally, for the data rates we are dealing with here, there isn't really any difference. The thing with OpenVPN is it is everywhere by default and there are a ton of writeups on using it.

  12. #32
    Join Date
    Nov 2015
    Posts
    407
    Post Likes
    Quote Originally Posted by MaxBurn View Post
    It would be a real problem if their cloud thing that directs everything to connect to each other goes away. I don't recall that they have recurring fees for that either which opens it up to a funding issue. On paper they seem to charge enough for the devices to fund the cloud component but in business that money they already have sometimes gets spent instead of being put away to fund the cloud portion. Small but real concern.
    How are they administering certificates?

  13. #33
    Join Date
    Nov 2015
    Posts
    407
    Post Likes
    Quote Originally Posted by MaxBurn View Post
    There are site-to-site VPNs out there but that isn't what this is. The OpenVPN configuration I'm familiar with is hub and spoke. The server passively listens for connections and clients actively reach out to connect to the server. The server doesn't really care where the clients reach in from. So on the client side you can reach out through a NAT with a dynamic IP, no port forwarding, and everything is fine. The OpenVPN application itself has no real difference between client or server. It can be client or server; it just depends on what configuration you feed it and tell it what to do.
    This can be powerful when all your devices have this capability. And nice there is no cost added.

  14. #34
    Join Date
    Jan 2008
    Location
    In the work truck
    Posts
    3,268
    Post Likes
    Thread Starter
    Quote Originally Posted by BetterDuck View Post
    This can be powerful when all your devices have this capability. And nice there is no cost added.
    Sure does sound powerful. If that's an OpenVPN thing I want to read how to implement it on a piece of hardware like an edge router or something similar.

  15. #35
    Join Date
    May 2009
    Location
    SC
    Posts
    2,823
    Post Likes
    Quote Originally Posted by BetterDuck View Post
    How are they administering certificates?
    For the BAScloud product they are generated and served up by a website to be downloaded from their servers in their cloud solution. I assume the EIGR-V does the same internally, like a pfSense router will do. The difference here is they must be using a weaker Diffie-Hellman than I am using, because a 4096-bit DH generation could take a day or two on an EdgeRouter. On a moderately recent Xeon it can take up to a couple of hours; not really an issue for me though.

    Quote Originally Posted by BetterDuck View Post
    This can be powerful when all your devices have this capability. And nice there is no cost added.
    This is the big get; Tomato or *WRT routers generally have this built in as well. My favored EdgeRouters all do and I'm reasonably sure other commercial routers like MikroTik etc. do too. I really like well-adopted and vetted FOSS software like this.

    Quote Originally Posted by Pascone10 View Post
    Sure does sound powerful. If that's an OpenVPN thing I want to read how to implement it on a piece of hardware like an edge router or something similar.
    EdgeRouter as OpenVPN client is easy to kick off.

    Load your config and keys to /config/auth/

    In CLI configure mode this one line loads it:

    Code:
        set interfaces openvpn vtun0 config-file /config/auth/client#.ovpn

    Commit, save and exit configure mode, and this line shows you the VPN status:

    Code:
        show interfaces openvpn detail

    If that comes back blank there was a problem.

    Code:
        egrep openvpn /var/log/messages

    I wouldn't use an EdgeRouter as an OpenVPN server though. Our commercial solution has the server on a Windows virtual machine, but I suppose you could sub in a pfSense router reasonably easily.

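The last step above is reading the OpenVPN lines out of /var/log/messages by eye. As an added example (not code from the thread, from Ubiquiti or from Contemporary Controls), the POSIX shell script below triages those lines for a spoke: it keeps only the lines after the most recent OpenVPN start-up, so an old "Initialization Sequence Completed" from a previous run cannot mask a current TLS or authentication failure, and prints a one-word status. The log lines it is fed are constructed samples; the host name spoke1, the hub address 203.0.113.10 and the PIDs are hypothetical.

```shell
#!/bin/sh
# Added example: triage the output of `egrep openvpn /var/log/messages` on an
# EdgeRouter running as an OpenVPN client (spoke). Sample data is constructed.

classify_openvpn_log() {
    # $1: file holding syslog lines. Prints exactly one of:
    #   up, auth-failed, tls-failed, unreachable, unknown
    # Only the lines after the newest "OpenVPN <version>" banner count.
    last_start=$(grep -n 'openvpn\[[0-9]*\]: OpenVPN [0-9]' "$1" | tail -n 1 | cut -d: -f1)
    [ -z "$last_start" ] && last_start=1
    recent=$(tail -n +"$last_start" "$1")

    if printf '%s\n' "$recent" | grep -q 'Initialization Sequence Completed'; then
        echo up
    elif printf '%s\n' "$recent" | grep -q 'AUTH_FAILED'; then
        echo auth-failed          # hub rejected the credentials or certificate
    elif printf '%s\n' "$recent" | grep -Eq 'TLS Error|TLS handshake failed|VERIFY ERROR'; then
        echo tls-failed           # wrong CA/keys, tls-crypt mismatch, or UDP 1194 blocked
    elif printf '%s\n' "$recent" | grep -Eq 'Cannot resolve host address|Network is unreachable|Connection refused'; then
        echo unreachable          # DNS or routing problem before TLS even starts
    else
        echo unknown
    fi
}

write_sample_log() {
    # $1: destination file, $2: scenario (good | tls | auth). Constructed lines
    # in the shape OpenVPN 2.4 logs to syslog; "spoke1" and 203.0.113.10 are placeholders.
    case "$2" in
    good) cat > "$1" <<'EOF'
Jan 20 08:01:02 spoke1 openvpn[1234]: OpenVPN 2.4.9 mips-unknown-linux-gnu [SSL (OpenSSL)] [LZO]
Jan 20 08:01:03 spoke1 openvpn[1234]: UDP link remote: [AF_INET]203.0.113.10:1194
Jan 20 08:01:04 spoke1 openvpn[1234]: [hub] Peer Connection Initiated with [AF_INET]203.0.113.10:1194
Jan 20 08:01:05 spoke1 openvpn[1234]: Initialization Sequence Completed
EOF
    ;;
    tls) cat > "$1" <<'EOF'
Jan 20 08:01:05 spoke1 openvpn[1234]: Initialization Sequence Completed
Jan 20 09:00:00 spoke1 openvpn[1300]: OpenVPN 2.4.9 mips-unknown-linux-gnu [SSL (OpenSSL)] [LZO]
Jan 20 09:00:01 spoke1 openvpn[1300]: UDP link remote: [AF_INET]203.0.113.10:1194
Jan 20 09:01:01 spoke1 openvpn[1300]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 20 09:01:01 spoke1 openvpn[1300]: TLS Error: TLS handshake failed
Jan 20 09:01:01 spoke1 openvpn[1300]: SIGUSR1[soft,tls-error] received, process restarting
EOF
    ;;
    auth) cat > "$1" <<'EOF'
Jan 20 10:00:00 spoke1 openvpn[1400]: OpenVPN 2.4.9 mips-unknown-linux-gnu [SSL (OpenSSL)] [LZO]
Jan 20 10:00:02 spoke1 openvpn[1400]: AUTH: Received control message: AUTH_FAILED
Jan 20 10:00:02 spoke1 openvpn[1400]: SIGTERM[soft,auth-failure] received, process exiting
EOF
    ;;
    esac
}

# Stand-alone demo: run the three constructed scenarios from a scratch directory.
demo_dir=$(mktemp -d)
for scenario in good tls auth; do
    write_sample_log "$demo_dir/$scenario.log" "$scenario"
    printf '%s: %s\n' "$scenario" "$(classify_openvpn_log "$demo_dir/$scenario.log")"
done
rm -rf "$demo_dir"
```

On a real router, replace the constructed file with `egrep openvpn /var/log/messages > /tmp/ovpn.log` and call `classify_openvpn_log /tmp/ovpn.log`; the "tls" scenario is the one to expect when the hub's port forward is missing or the tls-crypt key on the spoke does not match.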
  16. #36
    Join Date
    Jan 2003
    Location
    USA
    Posts
    6,426
    Post Likes
    Quote Originally Posted by MaxBurn View Post
    I wouldn't use an edgerouter as a OpenVPN server though.
    Why not? ER8 and up seem to have a fair deal of grunt behind them to handle this.
    Propagating the formula. http://www.noagendashow.com/

  17. #37
    Join Date
    May 2009
    Location
    SC
    Posts
    2,823
    Post Likes
    Yes, the ER8 certainly does, with a price to match; if you don't mind administering the server completely in CLI it's an option. I think most here would prefer the pfSense GUI for that. Even better when you realize you don't need to purchase a Netgate appliance for pfSense: you can build your own pfSense router from pretty much any PC with AES-NI and dual (or more) Intel NICs. If you are virtualizing you can stick pfSense in a VM. It would be really easy to standardize on that product and fit it into your needs. FOSS software makes it all possible, and if you have something against pfSense you can always take a look at OPNsense. I hear it's nearly the same thing for the purposes discussed here.

    Thing is, once you are committed to managing OpenVPN with CLI you don't need a dedicated box or VM for it; just stick it on the OWS or other central server somewhere. As a background service it doesn't use a bunch of resources and shares fine with Niagara/WebCTRL etc. It can simplify things because you have one less client and one less piece of equipment to deal with.

    Also, there is nothing saying you can't use an ER-X as the central server and manage the keys elsewhere. The DH key only gets built once on a big machine and can be loaded to the router remotely; that wouldn't be too hard. Just, you know, practice safe key handling.

    There are a ton of possibilities here, no one right way.
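The hub-and-spoke arrangement described earlier in the thread (server listens on one forwarded port, spokes dial out from behind NAT), the DH-generation cost and the key-handling remark above all come down to what goes in two OpenVPN config files. As an added example, and not configuration from Contemporary Controls, pfSense or Ubiquiti, the shell script below writes a minimal hub and spoke config pair and then runs two defender-side checks on them: a lint for the directives that stop a spoke from being talked into connecting to an impostor hub, and a permission check on private key files. It assumes OpenVPN 2.4 or newer (for `tls-crypt`, `dh none` and `ecdh-curve`); the hub address 203.0.113.10, the tunnel subnet 10.8.0.0/24 and the file names ca.crt, hub.crt, spoke1.key, tc.key and crl.pem are placeholders.

```shell
#!/bin/sh
# Added example: hub-and-spoke OpenVPN configs plus defender-side checks.
# Addresses, subnets and file names are placeholders; assumes OpenVPN >= 2.4.

write_hub_config() {
    # $1: output path. The hub is the only side that needs an inbound port
    # forwarded (UDP 1194); spokes connect out to it.
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
ca ca.crt
cert hub.crt
key hub.key
# "dh none" makes OpenVPN 2.4+ use ECDHE only, so no multi-hour 4096-bit
# DH parameter generation is needed on a small router.
dh none
ecdh-curve secp384r1
tls-crypt tc.key
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
remote-cert-tls client
# A spoke may connect only if a per-site file named after its cert CN exists
# in ccd/, so revoking a site is: publish the CRL and delete its ccd file.
client-config-dir ccd
ccd-exclusive
crl-verify crl.pem
keepalive 10 60
persist-key
persist-tun
verb 3
EOF
}

write_spoke_config() {
    # $1: output path. Works behind NAT with a dynamic IP: no inbound port,
    # no static address, the spoke just keeps dialling the hub.
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote 203.0.113.10 1194
nobind
resolv-retry infinite
# Pin the peer: it must present a server cert from our CA with CN "hub".
remote-cert-tls server
verify-x509-name hub name
tls-crypt tc.key
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
ca ca.crt
cert spoke1.crt
key spoke1.key
persist-key
persist-tun
verb 3
EOF
}

lint_spoke_config() {
    # $1: spoke config. Prints each missing hardening directive; returns 1 if any.
    rc=0
    for want in '^remote-cert-tls server' '^verify-x509-name ' '^(tls-crypt|tls-auth) ' \
                '^tls-version-min 1\.2' '^cipher AES-(128|256)-GCM'; do
        grep -Eq "$want" "$1" || { echo "missing: $want"; rc=1; }
    done
    return $rc
}

check_key_perms() {
    # $1: private key or tls-crypt key. Returns 1 unless group/other have no access.
    bits=$(ls -l "$1" | cut -c5-10)
    if [ "$bits" != "------" ]; then
        echo "$1 is readable by group/other (mode bits $bits); run: chmod 600 $1"
        return 1
    fi
    return 0
}

# Stand-alone demo in a scratch directory.
demo=$(mktemp -d)
write_hub_config "$demo/hub.conf"
write_spoke_config "$demo/spoke1.conf"
lint_spoke_config "$demo/spoke1.conf" && echo "spoke1.conf: hardening directives present"
touch "$demo/spoke1.key" && chmod 600 "$demo/spoke1.key"
check_key_perms "$demo/spoke1.key" && echo "spoke1.key: permissions ok"
rm -rf "$demo"
```

Run the lint on any .ovpn you are about to upload to /config/auth/ and the permission check on the key files once they are on the router; a spoke config that passes both cannot be redirected to a rogue hub by a DNS or routing change alone, because the hub must still prove possession of a CA-issued server certificate with the pinned name.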

  18. #38
    Join Date
    Nov 2015
    Posts
    407
    Post Likes
    Quote Originally Posted by MaxBurn View Post
    For the BAScloud product they are generated and served up by website to be downloaded from their servers in their cloud solution...
    And if they essentially go out of business or something similar then what?

  19. #39
    Join Date
    May 2009
    Location
    SC
    Posts
    2,823
    Post Likes
    Yes, same thing. That and the recurring fees are why I thought it worth mentioning their self hosted EIGR-V solution.

  20. #40
    Join Date
    Feb 2005
    Posts
    1,706
    Post Likes
    Not sure of the cost for the EIGR-V, but I think I read it can do 15 site-to-site; not too bad.
