Introduction
As a solution architect focused on cloud connectivity, I help many customers integrate their business with Oracle Cloud. Increasingly, customers want to connect their edge locations directly to Oracle Cloud over the public internet. In this blog series we look at how to connect these edge use cases with VyOS. VyOS is a particularly interesting option: it can offset high licensing costs, keep connectivity private and secure, and enterprise support is available for it. Let’s take a closer look at how this solution pairs with Oracle Cloud and connect our edge!
A quick note: VyOS is the focus of this blog series, but you can also use this deployment method for many other software routers and SD-WAN appliances (VeloCloud, SilverPeak, Viptela, Prisma, etc.) by replacing the VyOS router with your software image of choice throughout this guide. If you choose another appliance in lieu of VyOS, confirm that it is supported both by the third-party vendor and by Oracle Cloud.
Getting Started with VyOS in Oracle Cloud
Make sure to read this first blog post in its entirety before getting started with the deployment.
Connect VyOS to OCI — Start Here!
Configure VyOS for Remote Connectivity with IPsec Tunnels
Connect SD-WAN, Cloud Service Providers and Data Centers to Oracle Cloud
Configure VyOS for Remote Access VPNs for Client Access
Configure OpenVPN using VyOS
Configure WireGuard using VyOS
Configure OpenConnect using VyOS
Architectural Considerations
While reading this series, keep in mind that there are many opinionated configuration options, some of which may not be suitable for a production environment or for your environment in general. This is a strategic guide to possible connectivity options into OCI. Some features and integrations are out of scope for this article but should be considered for larger implementations: user-based authentication (LDAP, SAML 2.0, etc.), high availability and clustering, performance tuning (OCPU count, NIC count, SR-IOV and memory optimization), FQDN resolution for public IPs, certificates signed by a trusted CA, certificates generated off-box, SSL decryption offloading, and so on. These topics may be covered in future posts in this blog series.
Also, this blog series does not cover high availability for Remote Access VPNs. Since VyOS is a software router, there are a few ways to run a cold standby instance. In the event of a fault domain failure, the instance is automatically moved to another fault domain and continues to function. For protection against an Availability Domain outage, the VyOS boot volume can be backed up and restored in another Availability Domain. Warm standby and active/active implementations will most likely work, but those configurations are not yet certified by VyOS. The Site-to-Site VPNs (IPsec) deployed in this scenario rely on BGP failure detection and can be made highly available by deploying two or more VyOS routers; that configuration example is shown later in the blog series.
Protocol Considerations
The goal of this blog series is to get VyOS connected to OCI and then give you, the cloud architect, several options for connecting your remote offices and remote workers into OCI. You may be bound by existing organizational requirements that rule out some of the VPN implementations discussed in these articles, so multiple options are presented. Regardless of the implementation you choose, expect high performance for end users and secure end-to-end connectivity over the public internet. Nothing is without its limitations, however: every internet VPN adds protocol overhead that reduces throughput and performance, and a tunnel is only as good as the underlying connection it rides on.
IPsec VPN
Advantages
– Runs in kernel space (fast)
– Can tunnel routing protocol traffic for dynamic route learning
– High availability can be achieved by deploying a second router and using BGP as a failover mechanism
Disadvantages
– The implementation is point-to-point; there is no multipoint support. The initial configuration can be cumbersome, since each site must be configured separately on VyOS.
OpenVPN
Advantages
– Widespread adoption
– Excellent community support
– LDAP and Active Directory support for user authentication
Disadvantages
– Data processing happens in user space (slower than kernel space, and it consumes CPU cycles); kernel-space processing is on VyOS’s roadmap
OpenConnect
Advantages
– Existing AnyConnect clients can connect without installing additional software
– Cost-effective alternative to an AnyConnect server
– Supports RADIUS for user authentication
Disadvantages
– Community support is limited, so the feature set is sparse compared to its closed-source competitor
– Split tunneling does not work (VyOS 1.3.2), even though VyOS has the command set to push specific routes to the client
WireGuard
Advantages
– Alternative to OpenVPN that is easier to configure; processing happens in the kernel (faster packet processing and much lower CPU impact)
– Simplest Remote Access VPN to deploy
– The WireGuard client is available on every major operating system
Disadvantages
– The VyOS implementation of WireGuard does not support user-based authentication
– Not as well known as OpenVPN
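The overhead caveat in the Protocol Considerations section (every internet VPN adds per-packet framing) plays out differently for each of the four options above, and its practical consequence is the inner MTU and the TCP MSS you clamp on the tunnel. The script below is an added example, not code from the original post or from VyOS: it models the per-packet encapsulation of ESP tunnel mode with AES-GCM (RFC 4303/4106) and of WireGuard (including the padding-capped-at-MTU rule that makes the default 1420-byte MTU fit a 1500-byte IPv6 link), plus an OpenVPN configuration that is an assumption (UDP transport, AES-GCM data channel, no compression), and computes the largest inner packet and MSS that fit an IPv4 underlay of a given link MTU. The function names, the OpenVPN figures and the 1500-byte sample link MTU are assumptions; OpenConnect is not modelled because its DTLS/TLS framing varies with the negotiated cipher suite.

```python
# Added example (not from the original post or from VyOS): per-packet
# encapsulation overhead for the VPN types compared above, and the inner MTU
# and TCP MSS that fit a given link MTU. ESP framing follows RFC 4303/4106,
# WireGuard framing follows the protocol paper and the Linux padding rule.
# The OpenVPN numbers are an ASSUMPTION for one common configuration
# (UDP, AES-GCM data channel, no compression). OpenConnect is not modelled.

IPV4_HDR = 20
IPV6_HDR = 40
UDP_HDR = 8
TCP_HDR = 40   # IPv4 header (20) + TCP header (20), no options


def esp_gcm_overhead(inner_len: int, outer_ip: int = IPV4_HDR, nat_t: bool = False) -> int:
    """Bytes that ESP tunnel mode with AES-GCM adds around an inner packet.

    Framing: SPI + sequence number (8), explicit IV (8), the encrypted inner
    packet, padding so that (inner + pad + 2) is a multiple of 4, pad length
    and next header (2), and a 16-byte ICV. NAT traversal adds a UDP header.
    """
    pad = (-(inner_len + 2)) % 4
    esp_framing = 8 + 8 + pad + 2 + 16
    return outer_ip + (UDP_HDR if nat_t else 0) + esp_framing


def wireguard_overhead(inner_len: int, tunnel_mtu: int, outer_ip: int = IPV4_HDR) -> int:
    """Bytes that a WireGuard transport data message adds around an inner packet.

    Framing over UDP: type (4), receiver index (4), counter (8), the encrypted
    inner packet, Poly1305 tag (16). The plaintext is padded to a multiple of
    16 bytes but never beyond the tunnel MTU, which is why the default MTU of
    1420 fits exactly into a 1500-byte link over IPv6 (1420 + 32 + 8 + 40).
    """
    if inner_len > tunnel_mtu:
        raise ValueError("inner packet larger than the tunnel MTU")
    padded = min(((inner_len + 15) // 16) * 16, tunnel_mtu)
    return outer_ip + UDP_HDR + 4 + 4 + 8 + (padded - inner_len) + 16


def openvpn_gcm_overhead(inner_len: int, outer_ip: int = IPV4_HDR) -> int:
    """ASSUMED OpenVPN data-channel framing: UDP transport, P_DATA_V2 header
    (opcode/key-id + peer-id, 4), packet-id used as the explicit IV (4), the
    encrypted inner packet (no padding with GCM), 16-byte tag. Other ciphers,
    tls-crypt-v2 or compression change this figure; verify against a capture.
    """
    return outer_ip + UDP_HDR + 4 + 4 + 16


def max_inner_mtu(overhead_fn, link_mtu: int) -> int:
    """Largest inner packet that, once encapsulated, still fits the link MTU.

    Walks downward from the link MTU because padding makes the overhead depend
    on the inner length, so a closed-form link_mtu - overhead is not exact.
    """
    for inner in range(link_mtu, 0, -1):
        if inner + overhead_fn(inner) <= link_mtu:
            return inner
    raise ValueError("link MTU too small for this encapsulation")


def mss_clamp(inner_mtu: int) -> int:
    """TCP MSS to clamp on the tunnel so full-size segments are not fragmented."""
    return inner_mtu - TCP_HDR


def mtu_table(link_mtu: int = 1500) -> dict:
    """Usable inner MTU and MSS clamp per protocol over an IPv4 underlay."""
    variants = {
        "ipsec-esp-gcm": lambda n: esp_gcm_overhead(n),
        "ipsec-esp-gcm-nat-t": lambda n: esp_gcm_overhead(n, nat_t=True),
        # Solving for the tunnel MTU itself, so a full-size packet gets no padding.
        "wireguard": lambda n: wireguard_overhead(n, tunnel_mtu=n),
        "openvpn-udp-gcm (assumed)": lambda n: openvpn_gcm_overhead(n),
    }
    table = {}
    for name, fn in variants.items():
        inner = max_inner_mtu(fn, link_mtu)
        table[name] = {"inner_mtu": inner, "mss": mss_clamp(inner)}
    return table


if __name__ == "__main__":
    for name, row in mtu_table().items():
        print(f"{name:28} inner MTU {row['inner_mtu']}  MSS clamp {row['mss']}")
```

Running it prints one row per encapsulation for a 1500-byte link. Treat the numbers as a starting point: a shorter ICV, a different data-channel cipher, or an extra layer of encapsulation on the path changes them, so confirm with a packet capture on the outer interface before committing an MSS value to the tunnel configuration.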
