Routers for VPN project?

We are reviewing the capabilities of MikroTik routers for a VPN project. I’d like to reach out to the forum in regards to our project and router capabilities. Perhaps someone is doing something similar with success? We have heard some praise for MikroTik devices in general (not specifically VPN), and have had success with this “class” of devices for small niche projects.

Jump below for specific questions, to skip the background:

We are a municipal IT dept. and presently have small satellite offices/schools we must serve which are in locations with short leases, no fiber access, and no PTP wireless line of sight. At present we are serving these locations with old PCs (a 300 MHz Celeron in one case) running CentOS & OpenVPN matched with cable internet service. The problem with using PCs is they are bulky, require larger UPSes, don’t power back on after extended power outages, etc. Linux knowledge is limited to 1 person in our dept.

Sites have a small number of PCs, limited and sporadic traffic. Datacenter has an OpenVPN server receiving multiple connections for multiple sites. All traffic at sites is bridged back to our core, so that Internet is filtered/logged.

Requirements:

Prefer OpenVPN protocol as it has served us well, no MTU problems, etc.

1 Router (at core) to accept multiple connections (2-4).

1 Router for each site to connect to core.

Present cable is static IP (Business class), would like to be able to use dynamic retail class service for cost savings – thus require policy routing capabilities (for bridged traffic) as outbound interface would need to be default route for DHCP.

Bridge all site traffic through VPN via static routes or OSPF, and policy based routing if possible. Want to avoid NAT.

Core to Site all L3, no trunk.

After loss of power and power restored, do MikroTik routers boot back up?

CPU power to provide enough throughput for low volume traffic at sites, and enough for the core unit to receive multiple streams?

thanks!

All MikroTik routers are able to fulfil your requirements. Yes, they boot up after power is restored. You have not mentioned what throughput you want to pass via tunnels. This will be the main parameter for device selection.

If you want to use OpenVPN [which I think is a good choice] then Mikrotik is, IMO, a bad choice.

'Tik’s OpenVPN only supports TCP tunnels, not UDP based.
With 'Tik You can’t push routes from the OpenVPN server. [That I’m aware of - the docs sucked, last time I looked.]
Support is woefully lacking for OpenVPN on 'Tik.

For OpenVPN support, I’d strongly recommend Ubiquiti Edge Router. The OpenVPN support is much better.

Caveat: OpenVPN throughput will probably be less than spectacular - as I understand it, the OpenVPN code is in userland, not the kernel, in both systems and that limits performance/throughput. [You won’t see the CPU peg, but you won’t get more throughput. I’ve tested it on 'Tik and it’s not too horrible, performance wise…haven’t had a chance to do so on UBNT.]

IPSec site-to-site, especially on UBNT ER, will be offloaded to hardware making IPSec throughput pretty incredible. [But IPSec is back to TCP tunnel inside a TCP connection - which isn’t the greatest.]

HTH

-Greg
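The core-side server described in the original post (one OpenVPN server accepting 2-4 site connections, each site LAN routed back without NAT), written up as an added example that is not from the thread or from any poster. It assumes OpenVPN 2.x on the existing Linux box at the core; the subnets, certificate file names and the `proto tcp-server` choice (forced by the TCP-only MikroTik client mentioned above) are assumptions, and the site-side routes toward the core are set statically on each site router since pushed routes are not available there.

```conf
# ---- /etc/openvpn/server.conf (constructed example) ----
port 1194
# TCP because the MikroTik OpenVPN client only speaks TCP;
# switch to "proto udp" if every site router supports it.
proto tcp-server
dev tun
topology subnet
# Tunnel addresses handed to the site routers
server 10.8.0.0 255.255.255.0
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/core.crt
key  /etc/openvpn/core.key
dh   /etc/openvpn/dh2048.pem
# Cipher must match what the site routers offer (assumed here)
cipher AES-256-CBC
# Site LANs are routed, not NATed: the kernel gets a route into the
# tunnel for each LAN, and the ccd file below ties the LAN to a site.
route 10.10.1.0 255.255.255.0
route 10.10.2.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
# client-to-client stays disabled: sites talk only through the core
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
verb 3

# ---- /etc/openvpn/ccd/site1 (file name = CN of site1's certificate) ----
# Fixed tunnel address plus the LAN that lives behind this site router,
# so return traffic for 10.10.1.0/24 is sent to the right client.
ifconfig-push 10.8.0.11 255.255.255.0
iroute 10.10.1.0 255.255.255.0

# ---- /etc/openvpn/ccd/site2 ----
ifconfig-push 10.8.0.12 255.255.255.0
iroute 10.10.2.0 255.255.255.0
```

Because internet access at the sites is meant to be filtered at the core, each site router carries a static default route into its tunnel; the core then needs a route back to every site LAN via the tun interface, which the `route` + `iroute` pair above provides without NAT.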

Actually I am using SSTP tunnels between branches in a similar scenario and it works pretty well. Maybe OpenVPN has some cons or limitations, but if you want to solve the situation and don’t insist on OpenVPN only, you also have many other options for making tunnels with MikroTik devices.

Thanks for all the responses!

Throughput. It has been a while since I measured any. At one site for example we have like 3 PCs, and the larger maybe 10 at most. These are special education sites which have a limited user base and use limited internet and internal resources. So they need access but performance is secondary to cost & flexibility. Our existing connections are junk PCs running Linux/OpenVPN and the throughput is excellent using UDP.

We’re not totally wedded to OpenVPN, we just have had success with it. We’ve done some testing with IPsec and a pile of extra Cisco 2811 routers here and have run into MTU performance type problems to no end and were looking for other options. We’ve been using UBT PTP wireless for a few years and love them, I’ll check them out as well.

Is anyone doing one to multi site VPNs with Tik with other protocols successfully?

Mikrotik RB1200 as VPN Solution

Just for information. I just set up an SSTP tunnel with 256-bit AES encoding in my lab between two RB750s (the weakest contemporary cheap MikroTik box). They were able to encode/decode almost 20 Mbit/s together with traffic generation.