massinia
Member Candidate
Topic Author
Posts: 159
Joined: Thu Jun 09, 2022 7:20 pm

What type of VPN should I use to connect 4 sites?

Tue Apr 18, 2023 12:20 pm

Hi everyone, I need your expert advice on which VPN to use.
We need to connect 4 sites to each other; there are no VLANs and we only use a Fritzbox 7530 as a VoIP PBX (it's a client of site A).

Site 1
192.168.1.1/24 -> MikroTik hEX
192.168.1.2/24 -> AVM Fritzbox 7530

Site 2
192.168.2.1/24 -> MikroTik hEX
192.168.2.2/24 -> VoIP Phone

Site 3
192.168.3.1/24 -> MikroTik hEX
192.168.3.2/24 -> VoIP Phone

Site 4
192.168.4.1/24 -> MikroTik hEX
192.168.4.2/24 -> VoIP Phone

It is important that when the internet connection of one office does not work, the others can still communicate (VoIP excluded).

What would you use?
For example, GRE Tunnel+IPSec, WireGuard, OpenVPN or what?
ZeroTier is not supported, but I couldn't use it anyway; VPNs managed by external services are not allowed.

Thanks
 
fragtion
Member Candidate
Posts: 257
Joined: Fri Nov 13, 2009 10:08 pm
Location: Johannesburg, South Africa

Re: What type of VPN should I use to connect 4 sites?

Tue Apr 18, 2023 1:49 pm

Personally I use WireGuard (+EoIP layered on top where a higher MTU is needed; this also allows bridged configurations) wherever I can.
But some enterprise environments won't approve such setups and prefer to use the likes of IPsec (well, that's to their disadvantage then, isn't it).
I guess one disadvantage with this approach is the sheer amount of configuration needed, especially if you want a mesh-like topology and have several nodes. This is where Tailscale containers may come in handy (MikroTik has ZeroTier built-in, but that didn't work as well for me personally when testing in my setups).
Last edited by fragtion on Tue Apr 18, 2023 1:52 pm, edited 1 time in total.
 
holvoetn
Forum Guru
Posts: 5325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: What type of VPN should I use to connect 4 sites?

Tue Apr 18, 2023 1:51 pm

+1 for WireGuard.
Much faster than any other VPN given the same HW.
 
spippan
Member
Posts: 333
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: What type of VPN should I use to connect 4 sites?

Tue Apr 18, 2023 2:13 pm

I would interconnect those 4 sites with WireGuard and set up an OSPF instance for dynamic routing,
so every router has 1 wg interface and 3 peers, and via those wg interfaces you could set up OSPF (optionally; otherwise static routing).
MT_VPN_195487_18-04-2023.png
 
holvoetn
Forum Guru
Posts: 5325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: What type of VPN should I use to connect 4 sites?

Tue Apr 18, 2023 2:41 pm

SWEET suggestion !!

...(MikroTik has ZeroTier built-in, but that didn't work as well for me personally when testing in my setups)
Just adding: I am glad I am not the only one struggling with ZT :lol:
 
BillyVan
newbie
Posts: 36
Joined: Tue Sep 04, 2018 10:29 pm
Location: Greece

Re: What type of VPN should I use to connect 4 sites?

Tue Apr 18, 2023 3:00 pm

would interconnect those 4 sites with WIREGUARD and setup a OSPF instance for dynamic routing
so every router has 1 wg-interface and 3 peers and via those wg-interface you could setup OSPF (optionally; otherwise static routing)

MT_VPN_195487_18-04-2023.png
I think your suggestion wants all 4 MikroTiks to have a public IP.
 
holvoetn
Forum Guru
Posts: 5325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: What type of VPN should I use to connect 4 sites?

Tue Apr 18, 2023 3:26 pm

Not static IP.
All 4 having a dynamic (but public accessible) IP is sufficient.

But the remark is valid, all 4 should be externally accessible (static or dynamic).
Otherwise you can not make this scheme.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: What type of VPN should I use to connect 4 sites?

Tue Apr 18, 2023 4:09 pm

Simple method to get you up and running.
Select the site that you control directly or that has the best internet connection!!

Yup, if only one site had an accessible WAN IP, it would still work.
All three units would WireGuard into the one router and all would be able to reach the others....... One WireGuard interface.

Main Router
/ip address
add address=192.168.50.1/24 interface=wireguard-main network=192.168.50.0

/interface wireguard peers ( one entry per peer on wireguard-main )
allowed-address=192.168.50.2/32,subnetA,subnetB ( assuming subnets A,B are on peer router 2 )
allowed-address=192.168.50.3/32,subnetC,subnetD ( assuming subnets C,D are on peer router 3 )
allowed-address=192.168.50.4/32,subnetE,subnetF ( assuming subnets E,F are on peer router 4 )
allowed-address=192.168.50.5/32 ( remote admin peer laptop )
allowed-address=192.168.50.6/32 ( remote admin peer iphone/ipad )

/ip route
add dst-address=subnetA gateway=wireguard-main routing-table=main
add dst-address=subnetB gateway=wireguard-main routing-table=main
add dst-address=subnetC gateway=wireguard-main routing-table=main
add dst-address=subnetD gateway=wireguard-main routing-table=main
add dst-address=subnetE gateway=wireguard-main routing-table=main
add dst-address=subnetF gateway=wireguard-main routing-table=main

/ip firewall filter ( input chain )
add action=accept chain=input dst-port=[listening port] protocol=udp
add action=accept chain=input in-interface=wireguard-main src-address-list=admins

/ip firewall address-list
add address=192.168.50.5 list=admins
add address=192.168.50.6 list=admins
add address=[LAN IP of admin on router2] list=admins
add address=[LAN IP of admin on router3] list=admins
add address=[LAN IP of admin on router4] list=admins

/ip firewall filter ( forward chain )
add chain=forward action=accept in-interface=wireguard-main out-interface=wireguard-main comment=relay
add chain=forward action=accept in-interface-list=LAN out-interface=wireguard-main ( allow internal subnets to access other subnets )
add chain=forward action=accept in-interface=wireguard-main out-interface-list=LAN ( limit by src remote address or by out interfaces allowed access, may have several rules here )

Router2
/ip address
add address=192.168.50.2/24 interface=wireguard-two network=192.168.50.0
/interface wireguard peers ( single peer: Main router )
allowed-address=192.168.50.0/24,subnetC,subnetD,subnetE,subnetF,subnetX,subnetY ( assuming subnets X,Y are on Main router )
persistent-keepalive=35s

/ip route
add dst-address=subnetX gateway=wireguard-two routing-table=main
add dst-address=subnetY gateway=wireguard-two routing-table=main
add dst-address=subnetC gateway=wireguard-two routing-table=main
add dst-address=subnetD gateway=wireguard-two routing-table=main
add dst-address=subnetE gateway=wireguard-two routing-table=main
add dst-address=subnetF gateway=wireguard-two routing-table=main

/ip firewall filter ( input chain )
add action=accept chain=input in-interface=wireguard-two src-address-list=admins

/ip firewall address-list
add address=192.168.50.5 list=admins
add address=192.168.50.6 list=admins
add address=[LAN IP of admin on router3] list=admins
add address=[LAN IP of admin on router4] list=admins

/ip firewall filter ( forward chain )
add chain=forward action=accept in-interface-list=LAN out-interface=wireguard-two ( allow internal subnets to access other subnets )
add chain=forward action=accept in-interface=wireguard-two out-interface-list=LAN ( limit by src remote address or by out interfaces allowed to access, may have several rules here )

Router3
/ip address
add address=192.168.50.3/24 interface=wireguard-three network=192.168.50.0
/interface wireguard peers ( single peer: Main router )
allowed-address=192.168.50.0/24,subnetA,subnetB,subnetE,subnetF,subnetX,subnetY
persistent-keepalive=40s

/ip route
add dst-address=subnetX gateway=wireguard-three routing-table=main
add dst-address=subnetY gateway=wireguard-three routing-table=main
add dst-address=subnetA gateway=wireguard-three routing-table=main
add dst-address=subnetB gateway=wireguard-three routing-table=main
add dst-address=subnetE gateway=wireguard-three routing-table=main
add dst-address=subnetF gateway=wireguard-three routing-table=main

Router4
/ip address
add address=192.168.50.4/24 interface=wireguard-four network=192.168.50.0
/interface wireguard peers ( single peer: Main router )
allowed-address=192.168.50.0/24,subnetA,subnetB,subnetC,subnetD,subnetX,subnetY
persistent-keepalive=45s

/ip route
add dst-address=subnetX gateway=wireguard-four routing-table=main
add dst-address=subnetY gateway=wireguard-four routing-table=main
add dst-address=subnetA gateway=wireguard-four routing-table=main
add dst-address=subnetB gateway=wireguard-four routing-table=main
add dst-address=subnetC gateway=wireguard-four routing-table=main
add dst-address=subnetD gateway=wireguard-four routing-table=main

/ip firewall filter ( input chain )
add action=accept chain=input in-interface=wireguard-four src-address-list=admins

/ip firewall address-list
add address=192.168.50.5 list=admins
add address=192.168.50.6 list=admins
add address=[LAN IP of admin on router2] list=admins
add address=[LAN IP of admin on router3] list=admins

/ip firewall filter ( forward chain )
add chain=forward action=accept in-interface-list=LAN out-interface=wireguard-four ( allow internal subnets to access other subnets )
add chain=forward action=accept in-interface=wireguard-four out-interface-list=LAN ( limit by src remote address or by out interfaces allowed to access, may have several rules here )


+++++++++++++++++++++++++++++

Example: a user on Router4 subnet F wants to access a server on Router 2 subnet A.

1. Router 4
a. A route exists for such traffic and tells the router the route is through the wireguard-four interface.
b. A firewall rule allows subnet G to enter the tunnel.
c. The router matches the dst-address to an existing allowed address and peer ( main router ).
d. Traffic is sent to Router MAIN.

2. MAIN
a. Traffic from subnet F is filtered from the corresponding peer; the incoming subnet F source address is matched and allowed to exit the tunnel.
b. Subnet F traffic is now, relatively speaking, on the LAN side of MAIN.
c. The router has an IP route for the destination traffic to subnet A through the wireguard-main interface.
d. The router has a firewall rule to allow traffic from the wireguard interface to re-enter the wireguard interface (relay).
e. The router searches for the destination address on the peer list, matches it to PEER (Router 2) and sends the traffic to the correct peer.

3. Router2
a. Traffic coming in on the tunnel from Router MAIN has a source address in subnet F, which is on the allowed list, and thus the traffic exits the tunnel.
b. Subnet F traffic is now, relatively speaking, on the LAN side of Router2.
c. Firewall rules determine if the traffic is allowed to any LAN subnets (forward chain) or the router (input chain).
d. Return traffic is automagic, as the IP routes ensure the return traffic for destination subnet F has a route back into the tunnel!
 
massinia
Member Candidate
Topic Author
Posts: 159
Joined: Thu Jun 09, 2022 7:20 pm

Re: What type of VPN should I use to connect 4 sites?

Wed Apr 19, 2023 10:09 am

Thank you all!
You are always a great help :)

I'll follow your advice and use WireGuard; it seems much simpler to me than IPsec.
hEX has hardware acceleration for IPsec, but that doesn't matter; WireGuard will be faster.
 
Rox169
Member
Posts: 432
Joined: Sat Sep 04, 2021 1:47 am

Re: What type of VPN should I use to connect 4 sites?

Wed Apr 19, 2023 10:26 am

Anav,

this is a great guide...you should create more of those....I have WireGuard and ZeroTier between 3 locations and I have some troubles in routing. I'm trying to start OSPF. Could you please implement OSPF into your guide above? I will use it to learn how to set up OSPF between MT locations. Thank you
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: What type of VPN should I use to connect 4 sites?

Wed Apr 19, 2023 1:27 pm

Hahaha, I will think about it, but do keep in mind I don't even know what OSPF stands for............ :-)
 
holvoetn
Forum Guru
Posts: 5325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: What type of VPN should I use to connect 4 sites?

Wed Apr 19, 2023 2:18 pm

Oklahoma State Poultry Federation

(serious: Open Shortest Path First)
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: What type of VPN should I use to connect 4 sites?

Thu Apr 20, 2023 8:33 pm

WHEN USING OSPF, some common WireGuard concerns are handled within OSPF.
a. One does not need to delineate all the separate IP routes via WG for subnet traffic. That is handled within the OSPF configuration.
b. One does not need to delineate forward chain rules so subnets can talk to each other. That is handled within the OSPF configuration.

Assumption: all four routers have publicly accessible WAN IPs......
Needed steps:

(1) Each router has 3 WireGuard interfaces ( one to each of the other routers ).
(2) Each router has settings of 0.0.0.0/0 for each peer.

Done!!

++++++++++++++++++++++
If you are asking for OSPF guidance/setup.......... --> https://www.youtube.com/watch?v=f9FDNCT ... 3_&index=2
 
holvoetn
Forum Guru
Posts: 5325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: What type of VPN should I use to connect 4 sites?

Thu Apr 20, 2023 8:48 pm

4 wireguard interfaces.
Your own and 3 others.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: What type of VPN should I use to connect 4 sites?

Fri Apr 21, 2023 12:52 am

Are you adding requirements behind my back???
The setup is to connect four routers for OSPF via wireguard.

If the OP wants to remotely connect to any of the existing routers
Sure he can create a fourth wg interface for remote access.
 
spippan
Member
Posts: 333
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: What type of VPN should I use to connect 4 sites?

Fri Apr 21, 2023 3:36 am

you know that only 1 wg IF is needed on each router and the rest is peer configuration, right?

after that OSPF or BGP if wanted/needed for route exchange
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: What type of VPN should I use to connect 4 sites?

Fri Apr 21, 2023 4:37 am

Nope not aware, as I said I have no experience with OSPF.
 
spippan
Member
Posts: 333
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: What type of VPN should I use to connect 4 sites?

Fri Apr 21, 2023 5:00 am

Nope not aware, as I said I have no experience with OSPF.
That has nothing to do with OSPF;
it is the VPN peering among the 4 routers:
every router has 1 WG IF and 3 wg-peers.

All interfaces in a common /29 address space, which is also included in "allowed addresses" for the WireGuard config, and you should be good to go.

OSPF comes after that if needed (could also be achieved with static routing).
The only thing to be aware of here is that OSPF needs to be NBMA or PtMP (preferably NBMA).
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: What type of VPN should I use to connect 4 sites?

Fri Apr 21, 2023 6:08 am

Really?
Don't see that working at all, but you are entitled to your opinion.
 
holvoetn
Forum Guru
Posts: 5325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: What type of VPN should I use to connect 4 sites?

Fri Apr 21, 2023 7:26 am

@spippan
Isn't that a possible single point of failure ?
Hence the need for 4 wg interfaces.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: What type of VPN should I use to connect 4 sites?

Fri Apr 21, 2023 1:10 pm

That's not the only problem I see attempting it that way..........but I know, holvoe, you will see it eventually.
By the way, didn't you mean 3 WG interfaces at every router ( a fourth perhaps if you want to access the router remotely outside OSPF )?
 
holvoetn
Forum Guru
Posts: 5325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: What type of VPN should I use to connect 4 sites?

Fri Apr 21, 2023 3:41 pm

No, 4 WG interfaces ?!
Each router acts as hub for the others.
Each router is also peer to 3 others.
Hence 4 WG interfaces on each device if I can count ?

There are 4 routers in the drawing above: A / B / C / D
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: What type of VPN should I use to connect 4 sites?

Fri Apr 21, 2023 5:22 pm

?????????
Don't they teach math in Belgium land? One chocolate, two chocolate,,,,,,,,,, Or one Belgian worker is worth 2 French workers, and one Belgian military is worth 3 French military, so I can see how you get confused. :-)

IF I am at Router A, I see three other routers, not four.
A mesh network requires each router to be paired with the other 3, FULL STOP.
You're inventing some spoke-and-hub BS here.

The only reason, as stated previously (but you love reading my prose, so I will repeat), to have a fourth WG interface at any of the routers is to provide an independent remote access capability.

Sending you some Canadian crow to eat. :-)
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: What type of VPN should I use to connect 4 sites?

Fri Apr 21, 2023 5:25 pm

The solution is simple...........
Each router has three WG interfaces.
Each WG interface has one peer.
Each peer has allowed IPs (addresses) = 0.0.0.0/0

DONE, WireGuard mesh network ready for OSPF overlay.

It's in OSPF that one details where all the other routers are located and what subnets are involved.
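As an added example (my own code, not anything posted in this thread), here is a small Python model of WireGuard's cryptokey routing that compares anav's hub-and-spoke peer tables from the earlier post with the three-peer mesh discussed here. It flags overlapping allowed-address entries (WireGuard does not tolerate those within one interface), checks which site pairs can still talk when one site's internet is down (the OP's requirement), and renders a router's peer table as RouterOS v7 `/interface wireguard peers` and `/ip route` commands. The site subnets and the 192.168.50.0/24 tunnel network are constructed to match the thread; the `<PUBKEY_…>`, `<WANIP_…>` and `<PORT_…>` values are placeholders, and the function names are mine, not RouterOS's.

```python
# Added example (not from this thread): a model of WireGuard cryptokey routing
# comparing anav's hub-and-spoke peer tables with a full mesh. Subnets and the
# 192.168.50.0/24 tunnel net are constructed; keys/endpoints are placeholders.
from ipaddress import ip_address, ip_network
from itertools import combinations

TUNNEL_NET = ip_network("192.168.50.0/24")

# Constructed topology: router -> (tunnel address, LAN subnets behind it).
SITES = {
    "main": ("192.168.50.1", ["192.168.1.0/24"]),
    "r2":   ("192.168.50.2", ["192.168.2.0/24"]),
    "r3":   ("192.168.50.3", ["192.168.3.0/24"]),
    "r4":   ("192.168.50.4", ["192.168.4.0/24"]),
}

def _nets(router):
    """Allowed-address entries identifying one router: its tunnel /32 plus its LANs."""
    tun, lans = SITES[router]
    return [ip_network(tun + "/32")] + [ip_network(l) for l in lans]

def hub_and_spoke(hub="main"):
    """Peer tables {router: {peer: [networks]}} for the hub layout: the hub lists each
    spoke's /32 and LANs under that spoke; each spoke has one peer (the hub) whose
    allowed-address covers the tunnel net and every other site's LANs."""
    peers = {r: {} for r in SITES}
    for spoke in SITES:
        if spoke == hub:
            continue
        peers[hub][spoke] = _nets(spoke)
        everything_else = [TUNNEL_NET]
        for other, (_, lans) in SITES.items():
            if other != spoke:
                everything_else += [ip_network(l) for l in lans]
        peers[spoke][hub] = everything_else
    return peers

def full_mesh():
    """Every router peers directly with the other three: one interface, three peers."""
    return {r: {o: _nets(o) for o in SITES if o != r} for r in SITES}

def overlapping_allowed(peers):
    """allowed-address must be disjoint across the peers of one interface; a prefix
    listed under two peers is claimed by whichever was added last, so its traffic
    silently goes to the wrong peer. Returns the conflicts found."""
    conflicts = []
    for router, table in peers.items():
        entries = [(p, n) for p, nets in table.items() for n in nets]
        for (p1, n1), (p2, n2) in combinations(entries, 2):
            if p1 != p2 and n1.overlaps(n2):
                conflicts.append((router, p1, str(n1), p2, str(n2)))
    return conflicts

def next_peer(peers, router, dst):
    """Cryptokey routing: the peer whose allowed-address matches dst longest."""
    best, best_len = None, -1
    for peer, nets in peers[router].items():
        for n in nets:
            if ip_address(dst) in n and n.prefixlen > best_len:
                best, best_len = peer, n.prefixlen
    return best

def reachable(peers, src, dst, down=frozenset(), max_hops=4):
    """Follow the peer tables from router src towards host dst, never passing
    through a router in `down` (a site whose internet connection is out)."""
    cur = src
    for _ in range(max_hops):
        if cur in down:
            return False
        if any(ip_address(dst) in ip_network(l) for l in SITES[cur][1]):
            return True
        cur = next_peer(peers, cur, dst)
        if cur is None:
            return False
    return False

def surviving_pairs(peers, down=frozenset()):
    """(site pairs that still talk both ways, site pairs that are up)."""
    up = [r for r in SITES if r not in down]
    ok = 0
    for a, b in combinations(up, 2):
        host_a = str(ip_network(SITES[a][1][0])[10])  # constructed host on each LAN
        host_b = str(ip_network(SITES[b][1][0])[10])
        if reachable(peers, a, host_b, down) and reachable(peers, b, host_a, down):
            ok += 1
    return ok, len(up) * (len(up) - 1) // 2

def routeros_lines(peers, router, iface="wireguard-main"):
    """Render one router's peer table as RouterOS v7 commands. <...> are placeholders;
    routes are only needed for LAN prefixes, the tunnel net is on-link via the
    interface address. endpoint-* is only required on the side that initiates."""
    lines = []
    for peer, nets in peers[router].items():
        allowed = ",".join(str(n) for n in nets)
        lines.append(f'/interface wireguard peers add interface={iface} comment={peer} '
                     f'public-key="<PUBKEY_{peer}>" endpoint-address=<WANIP_{peer}> '
                     f'endpoint-port=<PORT_{peer}> allowed-address={allowed}')
        lines += [f"/ip route add dst-address={n} gateway={iface}"
                  for n in nets if not n.subnet_of(TUNNEL_NET)]
    return lines

if __name__ == "__main__":
    for name, table in (("hub-and-spoke", hub_and_spoke()), ("full mesh", full_mesh())):
        print(name, "conflicts:", overlapping_allowed(table), "all up:",
              surviving_pairs(table), "main down:", surviving_pairs(table, {"main"}))
    print("\n".join(routeros_lines(hub_and_spoke(), "main")))
```

With the hub site down, `surviving_pairs(hub_and_spoke(), {"main"})` returns `(0, 3)` while `full_mesh()` returns `(3, 3)`: the hub is a single point of failure for inter-site traffic, which is exactly the property the OP asked to avoid, and the price of the mesh is three peer entries per router instead of one. `overlapping_allowed` is the check to run before pasting a peer table into a router; the RouterOS CLI will not refuse an overlap for you.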
 
holvoetn
Forum Guru
Posts: 5325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: What type of VPN should I use to connect 4 sites?

Fri Apr 21, 2023 6:02 pm

IF I am at Router A. I see three other routers not four.
A mesh network requires each router to be paired with the other 3, FULL STOP.
You're inventing some spoke-and-hub BS here.
A serves B, C and D (latter ones connecting to A, A just listens for it)
A is peer on B (A initiates connection towards B, B only listens there)
A is peer on C (A initiates connection towards C, C only listens there)
A is peer on D (A initiates connection towards D, D only listens there)
= 4 WG interface active on A
And similar on each device, so each will have 4 different WG interfaces active.

Once that's setup, OSPF magic can run.
 
Larsa
Forum Guru
Posts: 1025
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: What type of VPN should I use to connect 4 sites?

Fri Apr 21, 2023 6:24 pm

Don't they teach math in Belgium land? One chocolate, two chocolate,,,,,,,,,, Or one Belgian worker is worth 2 French workers, and one Belgian military is worth 3 French military, so I can see how you get confused. :-) Sending you some Canadian crow to eat. :-)

Yep, too much Belgian beer early Friday afternoon. 🤣🤣🤣
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: What type of VPN should I use to connect 4 sites?

Fri Apr 21, 2023 8:22 pm

DONE, Wireguard mesh network ready for OSPF overlay.
I just think OSPF is more useful if the topology is likely to grow (e.g. a 5th, 6th, etc). If it's always 4 sites... why make it complex with OSPF...

Also, EoIP should not be needed for VoIP.

WG would be better here, but hEX doesn't support ZeroTier, so nothing to consider there.
 
spippan
Member
Posts: 333
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: What type of VPN should I use to connect 4 sites?

Mon Apr 24, 2023 11:02 pm

Just if someone might want to take a look:
fewer interfaces and a sleeker configuration (on the WireGuard side at least).

I made an EVE-NG setup which works with EACH of those 4 routers having only ONE WireGuard interface and peering with each other.
NO routing (neither static nor dynamic)
NO firewalling

Just a basic setup with a PPPoE "WAN connection" (only so all 4 routers are interconnected "via a WAN", the internet so to speak).
This could be used as a foundation for OSPF or BGP dynamic routing between all 4 sites.

I put a 7zip archive as an attachment with the exported EVE-NG lab, backups of the VM RouterOS 7 routers and cleartext exports in it.
That's the topology (the "WAN" is just a bridge, so to speak, which connects the 4 routers to the PPPoE server, and the peering for WireGuard goes via the PPPoE IP addresses):
2023-04-24 21_46_10-EVE _ Topology.png
 
Rox169
Member
Posts: 432
Joined: Sat Sep 04, 2021 1:47 am

Re: What type of VPN should I use to connect 4 sites?

Tue Apr 25, 2023 7:22 am

Hi,

I have a similar setup. Could anyone help me with how to set up OSPF between those locations connected through WireGuard?

Thank you
 
spippan
Member
Posts: 333
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: What type of VPN should I use to connect 4 sites?

Wed Apr 26, 2023 9:25 am

Hi,

I have a similar setup. Could anyone help me with how to set up OSPF between those locations connected through WireGuard?

Thank you
Some basic questions:
1. Do you understand OSPF and how it works?
2. How are you planning to troubleshoot and maintain it?
3. Without any further information on your setup, how should someone be able to start off with any kind of help?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: What type of VPN should I use to connect 4 sites?

Fri Apr 28, 2023 7:53 pm

No capiches, sipan. Are you saying that all four routers are connected to the same PPPoE router and don't have their own publicly accessible IP? I do not understand your diagram in the least........
 
spippan
Member
Posts: 333
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: What type of VPN should I use to connect 4 sites?

Sat Apr 29, 2023 11:52 am

No capiches, sipan. Are you saying that all four routers are connected to the same PPPoE router and don't have their own publicly accessible IP? I do not understand your diagram in the least........
It's "spippan".

The "PPPoE router" simulates an ISP or "the www".

I attached everything of the config in my previous post... you can even rebuild it in EVE-NG if you can.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: What type of VPN should I use to connect 4 sites?

Sat Apr 29, 2023 7:04 pm

No thanks, it bears no resemblance to the OP's question, so not interested.
He has four separate MT routers each with public internet; no need to add a single point of failure with an extra PPPoE router............??/
 
spippan
Member
Posts: 333
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: What type of VPN should I use to connect 4 sites?

Sun Apr 30, 2023 4:58 am

No thanks, it bears no resemblance to the OP's question, so not interested.
He has four separate MT routers each with public internet; no need to add a single point of failure with an extra PPPoE router............??/
The PPPoE router is just a substitute for the ISP/www for the lab.

Every one of those 4 routers is connected to the internet, I reckon, and is able to reach each other via the www (or at least one of them is reachable directly, so all the others would be able to peer with that one for the tunnel).
