Hello, I’m in the process of implementing a site-to-site VPN and am asking for advice.
I have a main site that needs to communicate with a few branches; the main router will probably be a CCR2004 and the others RB4011s.
In a test environment, I set up both solutions, WireGuard and GRE w/IPsec, with subnet IPs, routes and src-nat. Locally, WireGuard can reach 700 Mbps, whereas GRE reaches 500 Mbps UP / 1000 Mbps DOWN (measured with Bandwidth Test).
WireGuard has a tricky set-up with multiple peers (is using the same UDP port OK?), whereas GRE seems easier: just add multiple tunnels (not sure if I need to change the ID).
Before proceeding with more tests, I’d like to ask for opinions: which VPN solution would you recommend? GRE seems lighter because of hardware encryption offload, but is IPsec stable?
If you can use an encryption method on the GRE/IPsec combo that can be HW offloaded on both ends of a tunnel, it might be the better option.
WireGuard is completely SW, so everything has to pass through the CPU.
GRE and EoIP are quite similar (actually EoIP is built on top of GRE), and I know that for EoIP you need to use a different ID per tunnel.
PS: when using Bandwidth Test, make sure to test THROUGH the devices, not FROM them.
Otherwise you put quite a lot of additional CPU load on the device being used for testing, and this might also impact tunnel performance.
Use a connected device on each end running iperf3 (the iperf server can be on a Linux box, a Docker container, or …). That’s the best way to test.
In my own experience EoIP can be very CPU intensive. I’m only connecting two sites, so I’m using WireGuard, but IPsec would be the way to go for multiple sites.
WireGuard is hands down easier to set up, and having multiple sites is not a problem if the requirements are clearly stipulated. The main difference is knowing whether every node that you want to be able to act as a server for the handshake has access to a public IP (or has its upstream router/modem able to forward a port to the MikroTik). IPsec doesn’t care, I don’t think, but WireGuard is more limited.
Also, I believe 2FA can be done with IPsec, and I’m not so sure about WireGuard (some businesses demand 2FA access for employees).
For a multi-site scenario, one has to decide the setup…
- One site, and all the others connect to that single site. No redundancy if the main single site fails (loses ISP, or equipment failure). Single WireGuard interface (stupid easy).
- Mesh approach, where all devices have public IPs and you wish to have tunnels established from any site to any site (maximum redundancy). Needs multiple WireGuard interfaces; most complexity (mostly in volume, not trickery).
- Something in between, where there is a backup site in case the main site fails. Needs two WireGuard interfaces; medium complexity.
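As an added example (not from any post in this thread) of the "single WireGuard interface" setup described above, and of the question in the first post about several peers sharing one UDP port: a RouterOS v7 configuration for the hub and one branch. Interface names, the 10.255.0.0/24 transfer network, the 192.168.x.0/24 LANs, hub.example.net, the WAN interface list and the key placeholders are all assumptions.

```routeros
# Hub router (main site): one WireGuard interface, one UDP port, one peer per branch.
# Added example; addresses, names and <...KEY> strings are placeholders.
/interface/wireguard
add name=wg-hub listen-port=13231 comment="site-to-site hub"
# A private key is generated automatically; read the public key with
# /interface/wireguard/print and hand it to the branches out of band.

# Tunnel transfer network: hub is .1, branches are .2, .3, ...
/ip/address
add address=10.255.0.1/24 interface=wg-hub

# All peers sit on the same interface and port. allowed-address is the
# crypto-routing table: a packet decrypted from a peer is accepted only if its
# source is inside that peer's list, so list each branch's tunnel IP and LAN.
/interface/wireguard/peers
add interface=wg-hub comment="branch-1" public-key="<BRANCH1_PUBLIC_KEY>" \
    allowed-address=10.255.0.2/32,192.168.2.0/24
add interface=wg-hub comment="branch-2" public-key="<BRANCH2_PUBLIC_KEY>" \
    allowed-address=10.255.0.3/32,192.168.3.0/24

# Routes to branch LANs point at the interface; WireGuard selects the peer
# from allowed-address, so no per-tunnel gateway is needed.
/ip/route
add dst-address=192.168.2.0/24 gateway=wg-hub
add dst-address=192.168.3.0/24 gateway=wg-hub

# Only the WireGuard port needs to be reachable from the WAN. Place this rule
# above the default drop in the input chain (assumes the default WAN list).
/ip/firewall/filter
add chain=input in-interface-list=WAN protocol=udp dst-port=13231 \
    action=accept comment="WireGuard from branches"

# Branch router (branch-1). Only the hub needs a public IP: the branch initiates
# and persistent-keepalive keeps a NAT mapping alive on a private LTE uplink.
/interface/wireguard
add name=wg-to-hub listen-port=13231
/ip/address
add address=10.255.0.2/24 interface=wg-to-hub
/interface/wireguard/peers
add interface=wg-to-hub comment="hub" public-key="<HUB_PUBLIC_KEY>" \
    endpoint-address=hub.example.net endpoint-port=13231 \
    persistent-keepalive=25s allowed-address=10.255.0.0/24,192.168.1.0/24
/ip/route
add dst-address=192.168.1.0/24 gateway=wg-to-hub
```

Adding a third branch is one more peer line on the hub and one more route; the listen-port stays the same.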
Thanks for your suggestions.
Bandwidth Test was done from the device; not the best scenario, but it was just for reference. Throughput will be a few MB/s in production.
Will test again with a third device.
In case branches switch to a backup LTE connection with a private IP, which one is the less “sensible”?