Decentralised VPN
-
Consider the setup below:
What I am trying to do is to make these sites connect to each other. I already know that is easily achievable using OpenVPN, but the thing is that all these sites need to be able communicate with each other even when one of them is down.
I have read/watched a dozen tutorials about OpenVPN and all of them suggest setting a server on the company HQ router and one client on each branch router, in which case the branches would depend on the the HQ router to be able to communicate with each other and the HQ router would unnecessarily become a hub for the company's private traffic. One other downside would be that if for some reason the HQ lost its connection, the private network would go offline.
What I want to do, however, is to come up with a decentralised VPN setup. Traffic must not have to go through the HQ and if It were to go down, access from one branch to the others would still be possible. My theory is that if I were to set up one VPN server on each of the routers and clients for every other, I would achieve my goal.
Does my theory make sense? If not, how would I be able to achieve my goal?
-
Maybe tinc is better suited...
-
I have never heard about tinc and honestly, I don't care about it at all. I want to do this using OpenVPN. I know my theory would require me to do a lot of work setting up all the routers and if the company were to open a new branch, I would have to go through each and every router and add new clients. But that is not an issue at all. What I want to know if my theory is valid.
-
Sure you can Mesh all your Sites with OpenVPN without any problem.
What is your concern or question?-Rico
-
I wanted to validate my theory. Now I have; thank you very much.
So, do you call it "a mesh"? Also, are there any problems that I might run into in such a setup?
-
Yes you have Hub-and-spoke (aka star) or Mesh.
I can't think of any problems, it just scales very poorly / lot of administration overhead.
In my production network we have like 50 sites, it would be a big nightmare for me to add any additional site with mesh
Besides the fact that our branches only do a little talk to each other, our main site is also the datacenter hosting all the servers. So if the main site/HQ is down I have bigger problems then site A can't talk to site B anyway.
-Rico
-
I see, thank you again. "Administrative overhead" is not an issue. But I wonder, is there a practical or theoretical limit to the number of nodes I can include in this mesh?
-
There is no limit for mesh or star.
With lots of sites and traffic you just need beefy hardware.-Rico
