I am looking for some good guidelines on how to properly set up a MikroTik to manage 1500+ VPN endpoints
Each VPN endpoint will have 3 or 5 devices connected, among others an NVR which needs to be accessed from a central location. We are using the
MikroTik SXT LTE6 kit, 10Mbps throughput is more than sufficient for each site.
I have chosen to use WireGuard due to its simplicity of use
Which MikroTik model would be good enough as a central VPN Server?
WireGuard uses a /24 Class B subnet for the VPN - is this good enough?
1500 vpn endpoints, I would not use wireguard as you want something more enterprise…
Look at Cloudflare options or some sort of enterprise IPsec offering.
My suggestion would be something with RADIUS, like IKEv2, to manage authentication centrally. Even though WireGuard configuration generation can be scripted, there are still error-prone things here. With RADIUS, configurations are pushed through RADIUS attributes; you only need to set equal config for each endpoint and push the same certs. You can also try /31 addressing for ptp (which is officially not supported, but can be done by setting the IP address with no mask, and the remote peer IP with no mask in the network field).
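As an added example (not from any poster in this thread), the scripted-generation approach above, applied to the original question about tunnel addressing: the script sizes the WireGuard transfer network for N peers, allocates the hub address plus one /32 per peer, and emits RouterOS v7 peer commands. The interface name `wg-hub`, base prefix `10.200.0.0` and the peer public keys are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Endpoint:
    name: str
    public_key: str  # constructed placeholder; a real WireGuard key is 44 chars of base64


def tunnel_prefix_len(n_endpoints: int) -> int:
    """Smallest IPv4 prefix length whose usable hosts cover the hub plus n_endpoints.
    Usable hosts = 2^(32-plen) - 2 (network and broadcast addresses excluded)."""
    needed = n_endpoints + 1 + 2  # peers + hub + network/broadcast
    for plen in range(30, -1, -1):
        if 2 ** (32 - plen) >= needed:
            return plen
    raise ValueError("too many endpoints for a single IPv4 transfer network")


def plan_addresses(base: str, endpoints: list[Endpoint]):
    """Return (network, hub address, {endpoint name: peer address}) from the smallest fitting prefix."""
    plen = tunnel_prefix_len(len(endpoints))
    net = ipaddress.ip_network(f"{base}/{plen}", strict=False)
    hosts = net.hosts()  # iterator over usable host addresses, lowest first
    hub = next(hosts)    # hub takes the first usable address
    return net, hub, {ep.name: next(hosts) for ep in endpoints}


def routeros_peer_commands(iface: str, base: str, endpoints: list[Endpoint]) -> list[str]:
    """Emit RouterOS v7 commands: hub address on the WireGuard interface, then one peer
    per endpoint restricted to its own /32 via allowed-address."""
    net, hub, alloc = plan_addresses(base, endpoints)
    lines = [f"/ip/address add address={hub}/{net.prefixlen} interface={iface}"]
    for ep in endpoints:
        lines.append(
            f"/interface/wireguard/peers add interface={iface} "
            f'public-key="{ep.public_key}" allowed-address={alloc[ep.name]}/32 comment={ep.name}'
        )
    return lines


def aggregate_mbps(n_endpoints: int, per_site_mbps: float) -> float:
    """Worst-case hub ingress if every site pushes its full per-site rate at once."""
    return n_endpoints * per_site_mbps


# Constructed sample fleet: 1500 sites, placeholder keys, as in the original question
SITES = [Endpoint(f"site{i:04d}", f"PUBKEY_PLACEHOLDER_{i:04d}") for i in range(1, 1501)]

if __name__ == "__main__":
    for line in routeros_peer_commands("wg-hub", "10.200.0.0", SITES[:3]):
        print(line)
```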
Besides a decent management interface, you will need a proper VPN concentrator that is powerful enough to handle the expected number of concurrent encrypted VPN sessions. What’s the use case?
As the NVR was mentioned in the first post, I think the use case is to have centralized security camera monitoring, maybe at some small outlets. It is true about a sufficient VPN server though; even from abstract numbers, 1500 endpoints * 10Mbit is around 15Gbit/s of encrypted data, which is a lot. There probably should be a bunch of smaller border routers to decrypt this, or very decent hardware.
I was a bit unclear - I meant an example use case for the type of work the organization does, like a neighborhood association or a security solution with SLAs for emergency response, or something similar, possibly with redundancy requirements, etc.
Yeah, 1.5 Gbit/s requires heavy-duty equipment for VPN encryption and a solid communication pipeline. It’s a setup that needs real expertise in surveillance systems, system and network architecture design, configuration management, active monitoring, and so on.
@SilverNodashi - This is probably not the best forum for your request, so I’d recommend reaching out to a consultant with strong experience in network architecture and complex system solutions for surveillance.