Which VPN to use?

[defaultuserfoo]

Hi,

I want to connect two remote sites over some kind of VPN connection with a layer 3 link --- at least I think it needs layer 3:

There is an access point controller on one of the sites that controls wireless access points.  It hands out IP addresses to the access points via DHCP and communicates over some tunnel it estblishes between them and itself.  So I think I need a connection that lets layer 3 broadcasts go through for the broadcasts to work.

The access point controller is in its own VLAN.  I want to extend that VLAN to the remote site.  So far, I have always used routed connections, i. e. IPsec and wireguard.  There is currently a routed IPsec connection between the sites which is going to be replaced with wireguard.

There will be OPNsense routers at each ends of the connections.  Should I use IPsec or OpenVPN for this?  Or should I use something else, like a tunnel over a wireguard connection?

[lilsense]

OpenVPN uses SSL as opposed to IPSec. I would recommend OpenVPN in you case.

[defaultuserfoo]

Why?

It doesn't seem to make a difference?

However, there will be a wireguard connection between the two sites anyway.  Could I use some kind of tunnel that goes over the existing wireguard connection?  How would I set this up, are there plugins for this?  I've never done anything like that.

[bartjsmit]

OpenVPN is simpler to configure than IPSec by a mile.

Wireguard is another VPN, so you will only need to sort the routing. The default gateway on each side needs to have a route across the tunnel. Consider how the packets go to the AP controller and how the return packets come back.

Bart...

[defaultuserfoo]

I wouldn't expect to be able to route broadcasts.  I need a 1:1 connection as if I had an enthernet cable between the two sites.  It's supposed to be the same VLAN on both ends.  Otherwise it would be difficult or impossible to make it so that the remote access points can find the controller.

And I don't want to extend any other networks than that particular VLAN.  From what I've seen with IPsec and wirguard, everything can (must) be routed if so desired.  But apparently with IPsec, you can choose 'tunnel' instead of 'routed', and I'm guessing that goes for OpenVPN as well? And you can't do that with wireguard because wg is always routed.  But how would I limit the connection to that particular VLAN when I choose tunnel instead of routed?  Or can I somehow route broadcast packets?

[Patrick M. Hausen]

Layer 3 site to site, OPNsense on both ends --> WireGuard. No contest. Simple, secure, fastest, supports IPv4 and IPv6 in a single tunnel.

[defaultuserfoo]

Wireguard?  That is routed, isn't it?

PS:

Yes, it is.  I made some packet captures and I can see the broadcasts on the site where the access points and the controller are, and there aren't any on the other endpoint of the wg connection.

That's what I expected; broadcasts aren't routed.  So that won't work.

[Demusman]

You can't use a layer 3 vpn for what you want.
Did anyone who replied even read the original post??
I don't use opnsense so I can't give exact steps but you're gonna need to use OpenVPN in tap mode.
I do this with pfSense. I'm actually trunking 3 separate vlans over a tap so you will be able to do just one vlan with no problem.
The only problem you may have is, from the times I've tried opnsense, I notice it's very "dumbed down" compared to pfSense so it may not even be able to do this but if you follow this article, you might get there.

https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-bridged.html

Some suggestions... Set a separate DHCP range for the remote site. The remote virtual interface is going to receive the first IP of whatever range you set so a separate range will make more sense. What I did was take the local subnet, say it's a /24, and make the remote subnet either a "virtual" (meaning don't actually change the mask, just split the /24) /25 out of the /24 or smaller depending on how many IP's you need on the remote end. So if you make it a /25, .0 through .127 will be local, .128 through .255 will be remote and the DHCP range set in your tap config will start with .128. The remote virtual interface will receive that address. To be honest I got rid of DHCP and set all static reserves on the remote site, if you can, I suggest doing the same.

You'll need a vlan capable switch on both ends since you'll need to trunk them for the vlan.

Since you have an existing vpn to the remote site already, you'll need a separate physical interface on the remote site to bridge to the virtual vpn interface, this is gonna cause trouble with routing tables so make sure you do not pull routes over the tap. I have a tun vpn to the remote site on my setup also, do yourself a favor, setup a remote access vpn to the site too. That way if the routes get screwy you can still use the RA vpn to get to the site and fix route tables.

That link is a guideline, you may need to change some things but it works very well when you get there.

[defaultuserfoo]

Hm, so I need a layer 2 link --- I wasn't sure which layer is needed.  I've been looking at the documentation of IPsec and OpenVPN, and it seems neither can do what I need because they are all like routed.

The article you're pointing to looks interesting.  OPNsense also has the tap mode, so I'll go through that and see if that might work, or even try it out.

Using a different network on the remote site with its own DHCP server probably won't work, at least not easily.  I'm pretty sure that the access point controller uses DHCP options to tell the access points where to find itself so that they can establish a tunnel to the controller.  Maybe that won't work anyway when MSS settings interfere ...

There will be about 20 access points on the remote site (and there are about 20 locally).  I don't want to configure any of them other than through the access point controller.  Not configuring all the access points manually is the point of having an access point controller   If you have more than 3--5 access points to configure, you can get away with doing it manually; any more than that and it doesn't make any sense.

With these access points, I probably can't give them static addresses because that would involve to configure them manually.  I think there's some option to tell them where the access point controller is.  That would also require to pre-configure them all manually first, and I don't know if that would work.

Suitable switches are available.

Is it not possible to just extend the VLAN as if there was a network between the two sites?  What's the problem with DHCP?  If I need to, I can set a long lease time, and the APs tend to keep their IPs even when they can't reach the controller and continue to work once they are configured.

[Patrick M. Hausen]

Layer 2 links across the Internet via VPN are a really bad idea. All broadcast traffic, speccifically ARP and neighbor discovery will have to be sent across the link. Better rethink your architecture so you can route. Really.

[defaultuserfoo]

Layer 2 links across the Internet via VPN are a really bad idea. All broadcast traffic, speccifically ARP and neighbor discovery will have to be sent across the link. Better rethink your architecture so you can route. Really.

I don't see an alternative other than having an access point controller at each site, which doubles cost and maintenance.

How much traffic do you expect on a VLAN with about 40 devices in total?  If it's too much, I can probably cut the connection once the remote access points are configured and/or bring it up limited to some hours during the night when nothing else is using much internet.

[Patrick M. Hausen]

What sort of access points and controller? Unifi need not be in the same broadcast domain. Unifi access points can be told their controller's IP address via DHCP.

Neither IPsec nor WireGuard will do layer 2. OpenVPN supposedly can via tap, but I have managed to avoid these scenarios so far.

An Ethernet bridge across VPN is a bad bad bad idea. Go ahead, do it, you will find out. You have no idea how much broadcast and multicast traffic is happening in an Ethernet all the time. And all of this must be transferred over the wire introducing delays for which the protocols on top were not designed, because it's a local Ethernet, right?

If you are indeed using Unifi, it works like this - see screenshot. The first two bytes are a special vendor code, the next four are the IP address of the controller in hexadecimal.

HTH,
Patrick

[defaultuserfoo]

It's all HP, MSM760 and MSM422.

Ubiquity has taken themselves out of business since they want to force you to register your devices with them mandatorily --- which is, of course, unacceptable --- and by apparently having given up the EdgeMax product line.  The stuff has basically disappeared from their web site, there have been no firmware updates for EdgeRouters in a year and they are unable to deliver even when ordered for many weeks.

I sent them an email a while ago, asking about their EdgeMax products, and their answer was that I can take at look at their web site which lists discontinued products if I want to find out if they are going to continue to support them.

So stay away from Ubiquity.

On a side note: It will be a while before I know more, but it seems that you can't use their EdgeRouters for routed IPsec site-to-site connections because such connections go down frequently and don't come back up.

There is reasons why we switched to OPNsense and are ditching Ubiquity.  And that doesn't even mention their lack of documentation.  They have improved on that over the years, but they still don't understand what documentation is.

[Demusman]

Using a different network on the remote site with its own DHCP server probably won't work, at least not easily.  I'm pretty sure that the access point controller uses DHCP options to tell the access points where to find itself so that they can establish a tunnel to the controller.  Maybe that won't work anyway when MSS settings interfere ...

Never said use a different network. What I said was split the network between the two sites just to keep things clear. You'll still use the same /24 (or whatever the local is) but set the remote to specific IP's. This suggestion is basically just for "record keeping" and not a necessity at all.

There will be about 20 access points on the remote site (and there are about 20 locally).  I don't want to configure any of them other than through the access point controller.  Not configuring all the access points manually is the point of having an access point controller   If you have more than 3--5 access points to configure, you can get away with doing it manually; any more than that and it doesn't make any sense.

With these access points, I probably can't give them static addresses because that would involve to configure them manually.  I think there's some option to tell them where the access point controller is.  That would also require to pre-configure them all manually first, and I don't know if that would work.

20 AP's means a lot of clients I would think. Both of my sites have a symmetrical gig for internet. I have no problems whatsoever with bandwidth so don't believe the warnings you hear. That said I only have 2 servers and 10 cameras at the remote site. Cameras are nothing when it comes to bandwidth but the servers do use a bit, as I said, no problems though.

Is it not possible to just extend the VLAN as if there was a network between the two sites?  What's the problem with DHCP?  If I need to, I can set a long lease time, and the APs tend to keep their IPs even when they can't reach the controller and continue to work once they are configured.

Vlans are layer 2. Can't route them so I'm not sure what you mean by "a network in between".
DHCP, not really a problem but I found you can't assign a DHCP range to just the remote site and addresses were being handed out to the local site as well. If you don't care what address goes where, then just leave one DHCP pool and let it go.

If opnsense can do this correctly, you'll find that it's exactly what you wanted.

[meyergru]

What do you mean by having to register the Unifi devices mandatorily? I used those devices for years and never had to do anything like that.

Since you chose to use a professional solution by HP, what makes you think you need to try to extend a broadcast domain in order to have the APs configured? I would assume even HP has seen some kind of routed enterprise network over the years.

If you look at the HP manuals (https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-c02704528), they describe discovery procedures over routed networks, like a means for DHCP- or DNS-based discovery (see page 6-6 onwards).