High-Throughput Site-to-Site Full Tunnel VPN Routers

I need to set up a number of site-to-site VPNs between our HQ and various small offices across the country. I’d like to have bidirectional and full-tunnel capability, so all traffic from the remote office runs through HQ, even if it’s destined for public internet.

I’ve started with the TPLink Omada series, but:

  • The IPSec (IKEv2) site-to-site VPN apparently can’t do full tunnelling, even with custom static routes.
  • The L2TP and OpenVPN VPN options are very slow when encrypted, in the ~20 Mbps range (for the ER605).

I’m looking for a product that can do a high-speed (500+ Mbps) bi-directional LAN-LAN VPN with a full tunnelling option. IKEv2 is preferred as it appears to be the modern standard. We don’t need any other fancy features, and budget is limited so low-cost options are preferred.

Fortigate of some sort.

You need an enterprise grade solution for this. If you bring all of the traffic back to your HQ, including internet traffic, then you don’t need a firewall at those sites. However having one is a good idea to reduce the spread of anything malicious.

What you describe is what SDWAN is designed for. There are a lot of SDWAN solutions out there. They are pricey and add a lot of features designed for optimizing the use of multiple ISP connections at each location. If you have multiple connections, look into SDWAN from Fortinet, Palo Alto, VMware, Juniper, Meraki, or others.

Avoid Cisco Firepower or Checkpoint right now; both product lines are a sub-par option for their price/complexity.

If you want a firewall, I suggest:

Palo Alto Networks - The best choice. It handles IPSec really well and is easy to manage. It also scales really well. Has a very nice GUI.

Juniper SRX - This can be a router more than a firewall, but can have all of the firewall functionality you want. It excels at IPSec tunneling at scale. Its drawback is that it's configured on a CLI, so you need a routing engineer.

Fortinet - This is another top choice of firewall / IPSec router. Just stick with solid firmware. It has slightly cheaper options. You will absolutely want FortiManager too. It has a good GUI, but isn't as intuitive as PAN.

Meraki - Not a bad choice. It’s a decent firewall. It is web managed and easy to scale IPSec tunnels with their SDWAN license. It’s designed for small businesses. The drawback is if you stop paying for the subscription it stops working.

Avoid the following firewalls for this situation:

All of these have what I call the SMB problem: needs a reboot to magically fix it. That is fine if price is your #1 concern and you are OK sending someone to the remote sites.

Watchguard - It’s a decent firewall, but has severe limitations on how many IPSec tunnels it can do. Plus it only does policy based tunnels, which means a lot of manual configuration.

Sophos Firewalls - TBH, they have all of the same limitations as Watchguard plus are less stable. On top of that they make some hard assumptions about how your network WILL be configured that are not feasible to override. This can be a problem when you end up needing an edge case.

Sonicwall - SW has a history of being the cheap solution with too many compromises and compatibility problems. Also the security team that feeds SW its profiles is not well rated. Its IPSec has compatibility issues with 3rd parties too.

If you just want a router to fully tunnel all traffic back, I suggest looking at solutions that support WireGuard.

WireGuard simplifies IPsec VPNs.

Mikrotik - it has full WireGuard support and a GUI. Easy to configure. Cheap. Relatively bug free. No central management. You will need to set up security on it to prevent it from getting compromised.

OPNsense / pfSense - These are open-source options. Netgate or Lanner make decent hardware for them. They both have WireGuard support. They have reasonable open-source firewalls and basic IPS. They will scale and have a GUI.

VyOS - This is a full open-source router OS with native WireGuard support. It's a solid router that many other platforms are based off. It is used in some of the largest ISPs in the world and still has reasonable support. You will need a network admin for this.
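For the "fully tunnel all traffic back" setup described above, here is an added hub-and-spoke WireGuard example (not the poster's configuration); the keys, the hostname hq.example.com, the subnets 10.255.0.0/24, 192.168.20.0/24 and the HQ WAN interface eth0 are assumed placeholders. The spoke sends everything, internet included, to HQ via AllowedIPs 0.0.0.0/0, while the hub's AllowedIPs only admit the spoke's own tunnel address and LAN, so the cryptokey routing table doubles as a source filter.

```ini
# --- Spoke (small office router): /etc/wireguard/wg0.conf ---
# Assumed: office LAN is 192.168.20.0/24 and this box is its default gateway
# with net.ipv4.ip_forward=1, so LAN hosts' traffic follows the route below.
[Interface]
Address    = 10.255.0.2/24
PrivateKey = <SPOKE_PRIVATE_KEY>          # placeholder
# With AllowedIPs 0.0.0.0/0 wg-quick installs a default route through wg0
# in its own routing table plus an fwmark rule, so the encrypted UDP to the
# hub endpoint still leaves via the ISP instead of looping into the tunnel.

[Peer]
# HQ hub
PublicKey           = <HUB_PUBLIC_KEY>    # placeholder
Endpoint            = hq.example.com:51820
AllowedIPs          = 0.0.0.0/0, ::/0     # full tunnel: internet-bound traffic goes to HQ too
PersistentKeepalive = 25                  # keeps the NAT mapping alive for hub-initiated flows


# --- Hub (HQ): /etc/wireguard/wg0.conf ---
[Interface]
Address    = 10.255.0.1/24
ListenPort = 51820
PrivateKey = <HUB_PRIVATE_KEY>            # placeholder
# Forward spoke traffic and NAT it out the HQ WAN (assumed eth0) so the
# office's internet traffic egresses from HQ, as the OP wants.
PostUp   = sysctl -w net.ipv4.ip_forward=1
PostUp   = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp   = iptables -A FORWARD -o wg0 -j ACCEPT
PostUp   = iptables -t nat -A POSTROUTING -s 192.168.20.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -D FORWARD -o wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s 192.168.20.0/24 -o eth0 -j MASQUERADE

[Peer]
# Office 1. Only the spoke's tunnel IP and LAN are accepted from this key;
# a packet arriving with any other source address is dropped by WireGuard.
# Listing 192.168.20.0/24 here also gives the hub the return route, which is
# what makes the tunnel bidirectional (HQ LAN -> office LAN) without NAT.
PublicKey  = <SPOKE_PUBLIC_KEY>           # placeholder
AllowedIPs = 10.255.0.2/32, 192.168.20.0/24
```

Add one `[Peer]` section per office on the hub; HQ's own LAN still needs a route for 192.168.20.0/24 pointing at the hub box unless the hub is already its default gateway.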

“various small offices across the country”

"high-speed (500+ Mbps) bi-directional LAN-LAN VPN with a full tunnelling option"

sounds like a long fat network. TCP will stop the fights around here.

I would not be surprised if you get 30 Mbps tops PER FLOW.

In the Linux world we tune TCP between NY and South Carolina to get about 900 Mbps, but both sides have 10 gig pipes.

Any Enterprise grade SD-WAN solution will do this.
I’m biased to HPE Aruba, easy to manage, and can easily integrate with SSE for a full SASE solution.

pfSense (Netgate appliance)

TNSR would be my choice.

pfSense + WireGuard.

Netgate TNSR might be a candidate. They claim serious speeds. The pricing is sane. A bit higher than I'd like; pfSense can be run way cheaper, but nothing much else that can do the job is going to cost less. Probably way more.

Also… TP-Link? Urgh. Dodged a bullet imo.

Decent sized pfSense appliances from Netgate could also easily do the job.

Linux box and WireGuard. Great learning opportunity. Very performant for low cost.

Cisco’s stuff is pretty good.

Untangle can do this. Use a refurbished Dell server with whatever interfaces you need. It’ll have more CPU and better redundancy and replacement parts. The license is based off protected endpoints and not on the hardware itself.

They also have an SD-WAN satellite office option.

Any enterprise grade firewall should be able to do that. TP-Link is not enterprise grade. Just don't use Fortigates if you have a lot of VPNs, as FortiOS is just a collection of bugs when it comes to VPN.

Take a look at Watchguard. It’ll do what you ask.

If IPsec is all you need… nothing more? Grab a pfSense Netgate appliance.

I recommend that with hesitation because there are IPsec software issues in the platform that impact reliability. For example, imagine you have multiple tunnels and you make a single change on one of them. Click Apply. All your tunnels bounce. There's an open Redmine on this with a fix…maybe…next year. It's bad.
So if you are ok with that then grab a Netgate.

Can be done with IPSec or WireGuard and a http://pcengines.ch system; an RPi4 should be able to come close to saturating 1 Gb/sec using WireGuard as well. Some assembly required.

Hi u/ICanRememberUsername - That’s actually super simple! The cost of a capable CPE is $300 and can easily handle that throughput.
The trick is NOT to use IPsec, but instead use SD-WAN with proprietary tunnelling technology. It not only allows far greater speed with less hardware specs, but you can also use Compression, QoS + more.
The routing of all traffic to your HQ is super simple and you don’t need to add any rules to the branches, only one tiny rule to the HQ’s CPE.
Very very simple to do.

Checkpoint, especially if you are security conscious (probably one of the most security-centric firewall solutions out there), can do this natively. They have their own negotiation protocol if both sides are Checkpoint and you can do anything. VPN HA, hub and spoke VPNs, community VPNs, routing, you name it.

Check out Sophos RED.

Fortigate the company that had a massive RCE they tried to hide lol