… updated on Sunday, September 26, 2021 14:48 UTC
Open-Source DMVPN Alternatives
When I started collecting topics for the September 2021 ipSpace.net Design Clinic one of the subscribers sent me an interesting challenge: are there any open-source alternatives to Cisco’s DMVPN?
I had no idea and posted the question on Twitter, resulting in numerous responses pointing to a half-dozen alternatives. Thanks a million to @MarcelWiget, @FlorianHeigl1, @PacketGeekNet, @DubbelDelta, @Tomm3h, @Joy, @RoganDawes, @Yassers_za, @MeNotYouSharp, @Arko95, @DavidThurm, Brian Faulkner, and several others who chimed in with additional information.
Here’s what I learned:
As Close As You Can Get to DMVPN
- VyOS implemented DMVPN, and you can run a DMVPN network without Cisco routers.
- OpenNHRP is a compliant open-source implementation available for (at least) Alpine Linux, VyOS, OpenWrt, and Ubuntu.
- Alpine Linux has had DMVPN support for ages.
- FRR has NHRP and can create shortcut tunnels over mGRE.
Alternatives
- I was told Zerotier could do routing or bridging, so it could be a DMVPN replacement. Have to dig deeper into the docs.
Almost There
- Tailscale is a WireGuard-based VPN with centralized (closed-source) control plane, so technically it doesn’t count.
- Headscale is an open-source implementation of the Tailscale coordination server (control plane).
- Nebula – seems to be a host-based implementation of an overlay subnet. However, you should be able to add a routing protocol on top of it and route between Linux interfaces.
- Tinc-VPN is another host-based overlay VPN solution with the ability to bridge Ethernet segments over VPN. What could possibly go wrong with that? Being a bit more creative, one could use it the same way as Nebula to route between LAN segments and the overlay network.
- Innernet is a configuration system on top of WireGuard. It looks like I’ll have to figure out what WireGuard does as well ;)
- Netmaker is another WireGuard management system.
- OpenOverlayRouter is a LISP+VXLAN implementation. In theory you should be able to run IP routing on Linux nodes to implement something like DMVPN.
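To make the difference between DMVPN and the WireGuard-based entries above concrete, here is an added example (my own code, not from this post or from any project listed): it builds wg-quick style peer configurations for a constructed hub plus two spokes and checks the one rule that sets WireGuard apart from NHRP: AllowedIPs is a cryptokey routing table, so a prefix can belong to exactly one peer per node, and spoke-to-spoke shortcuts have to be configured statically on every spoke (the job Innernet, Netmaker and Headscale automate). All keys, endpoints and addresses are placeholders.

```python
from ipaddress import ip_network

# Constructed sample topology; keys, endpoints and addresses are placeholders.
HUB = {"name": "hub", "pubkey": "<hub-pubkey>", "endpoint": "hub.example.net:51820",
       "tunnel": "10.255.0.1/32", "lans": ["192.168.0.0/24"]}
SPOKES = [
    {"name": "spoke1", "pubkey": "<spoke1-pubkey>", "endpoint": "spoke1.example.net:51820",
     "tunnel": "10.255.0.11/32", "lans": ["192.168.11.0/24"]},
    {"name": "spoke2", "pubkey": "<spoke2-pubkey>", "endpoint": "spoke2.example.net:51820",
     "tunnel": "10.255.0.12/32", "lans": ["192.168.12.0/24"]},
]

def peer_section(node, allowed):
    """One [Peer] block; AllowedIPs doubles as WireGuard's cryptokey routing table."""
    return {"name": node["name"], "PublicKey": node["pubkey"],
            "Endpoint": node["endpoint"], "AllowedIPs": sorted(allowed)}

def hub_peers(spokes):
    """Hub side: each spoke owns its tunnel address plus the LANs behind it."""
    return [peer_section(s, [s["tunnel"], *s["lans"]]) for s in spokes]

def spoke_peers(spoke, hub, spokes, shortcut=False):
    """Default (DMVPN phase-1 style): every remote prefix is reached via the hub.
    shortcut=True adds every other spoke as a static peer, so each spoke must carry
    all keys and endpoints; NHRP resolves that dynamically, WireGuard does not."""
    others = [s for s in spokes if s["name"] != spoke["name"]]
    hub_only = [hub["tunnel"], *hub["lans"]]
    if not shortcut:
        via_hub = hub_only + [p for s in others for p in (s["tunnel"], *s["lans"])]
        return [peer_section(hub, via_hub)]
    return [peer_section(hub, hub_only)] + [peer_section(s, [s["tunnel"], *s["lans"]]) for s in others]

def cryptokey_conflicts(peers):
    """A prefix may belong to one peer only: `wg` moves an AllowedIP that another peer
    already claims, so overlaps are a silent routing bug. Returns (prefix, old, new)."""
    owner, conflicts = {}, []
    for p in peers:
        for prefix in p["AllowedIPs"]:
            net = ip_network(prefix)
            for seen, who in owner.items():
                if who != p["name"] and (net.subnet_of(seen) or seen.subnet_of(net)):
                    conflicts.append((prefix, who, p["name"]))
            owner[net] = p["name"]
    return conflicts

def render(privkey, address, port, peers):
    """Emit wg-quick style config text for one node."""
    out = ["[Interface]", f"PrivateKey = {privkey}", f"Address = {address}", f"ListenPort = {port}"]
    for p in peers:
        out += ["", f"# {p['name']}", "[Peer]", f"PublicKey = {p['PublicKey']}",
                f"Endpoint = {p['Endpoint']}", f"AllowedIPs = {', '.join(p['AllowedIPs'])}"]
    return "\n".join(out) + "\n"
```

Run `cryptokey_conflicts()` over a node's peer list before applying it; a prefix claimed by two peers will not error out in `wg`, it will just quietly end up on the wrong tunnel.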
Have we missed something? Would you like to add more details? Please write a comment (and yes, it’s perfectly fine to post links to product documentation ;).
Revision History
- 2021-09-26
- Added links to Headscale and Netmaker (thanks to Brian Faulkner)
If you're serious when you say "It looks like I’ll have to figure out what WireGuard does as well" then you should absolutely pause everything else and dig into WireGuard. It is a simple, efficient, and flexible VPN protocol.
From a network engineer perspective, it reminds me of a GRE tunnel, but with easy and efficient encryption, and it's UDP instead of IP 47.
From a security perspective, it uses modern crypto without risk of cipher downgrade or protocol misconfiguration.
From a developer perspective, it's not much different than configuring SSH sessions.
Also, I had not heard of Innernet and holy smokes does it have potential to be a DMVPN replacement.
There is also vpncloud (https://vpncloud.ddswd.de/docs/) which is peer-to-peer VPN. I was able to get it running using TAP mode with babel routing protocol (https://www.irif.fr/~jch/software/babel/).
Unfortunately, unlike WireGuard, currently vpncloud is not Linux namespace aware, so we couldn't do something like encryption/decryption in the root network namespace while routing in a private namespace.
Is DMVPN compatibility a strict requirement? What about ADVPN/RFC7018?
"An open source, self-hosted implementation of the Tailscale coordination server."
https://github.com/juanfont/headscale