We have about 4500 Pepwaves (mostly MaxBR1 and Surf SOHOs) to manage, registered with Incontrol2. These are installed in various places across the 50 states in the US, sometimes in areas where we do not have any engineers to easily support these in person.
Especially in these situations we use PepVPN to set up and connect to the location's network so we can access our own devices behind the Pepwaves for support purposes (saving us sending an engineer over). Right now we create these ad-hoc PepVPNs by having local 'support' Pepwaves (Balance 20 / Surf SOHOs) and the remote Pepwaves establish a single tunnel. This is a little slow and cumbersome, not to mention it requires these physical support Pepwaves on site in our office (and our support engineers VPNed into our office). I was wondering, seeing that there are cloud applications (as we're also a heavy user of AWS), if there are any better/recommended/cost-effective ways of dealing with such a scenario?
I wasn't exactly sure how that would work. Would I need 4500 SpeedFusion licenses and connect myself to the SpeedFusion cloud? What data is sent to SpeedFusion vs. the regular non-VPN WAN?
The devices we have behind the Peplinks are a wide variety of non-Pepwave devices with shell (SSH) or local web (HTTPS) portals.
I would host a FusionHub - either a licensed one that can connect to, say, 10 remote peers, or free FusionHub Solo licenses - one per engineer.
On those FusionHubs set up remote user access using L2TP/IPsec so your support guys can use any device to securely connect to it.
Then set up a PepVPN profile in IC2 that uses dynamic tagging. Assign a tag to each engineer’s Fusionhub.
Then, when they need to access the devices behind a remote peer, you add the tag to it; it builds a PepVPN to that engineer's FusionHub automatically and they can remotely access the LAN-side devices. When they are finished they remove the tag from the remote peer and it tears down the VPN.
Otherwise you have InTouch, but that is going to take you ages to configure over 4500 devices unless you do it as you go.
What are the devices you are wanting to access remotely?
We have a variety of IoT solutions (some with local web portals), often installed alongside an edge controller (SSH).
Usually we're able to establish a reverse SSH tunnel directly from the edge controller into our cloud; however, when that fails or when we don't have an edge controller available, having access through something like PepVPN is a great solution.
InTouch does not overtly work via a tunnel; it's abstracted away in the background.
The devices would need to have some sort of SpeedFusion Cloud active, but that is part of PrimeCare and EssentialCare, so as long as the devices are in an active support plan it will work.
Another idea is to create all the ad-hoc PepVPNs on the remote units (Balance 20 / Surf SOHOs) that you would ever need and leave them active to connect back to you. Then either create the profile on your Peplink as needed, or pre-create the profile on your side and leave it disabled until needed. If you create it ad hoc on the "server" side as needed, then just use something like a spreadsheet to record it, or a script to build the server-side PepVPN as needed. When the "server" side is built, the remote side will tunnel back to you.
But that wouldn't allow multiple support engineers to connect simultaneously to multiple 'sites' through PepVPN (all sites have the same subnet etc., so we'd be creating collisions?).
I've set up a FusionHub in AWS, and am able to VPN into it. As a 1-1 solution it works great.
You mention that a license would allow 10+ remote peers simultaneously; however, since all remote peers have the same network configuration, how would that work?
Say we have the following:
laptop1>-------><AWS>------><FusionHub EC2>-------><Site A> 192.168.0.1/24
How would laptop1 connect to Site A while laptop2 connects to Site C? I assume we have 2 VPN profiles; what type of VPN would be needed, and would I need to configure a route somewhere while shielding conflicts?
I saw @Jonathan_Pitts below mention 1-1 VNAT. I'm not familiar with that; is that the solution for this too?
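The question above is really about how a hub can route to several remote LANs that all use 192.168.0.0/24. The model below is an added example written for this thread, not code from any poster and not Peplink's FusionHub or 1:1 NAT implementation. It assumes the hub presents each site as a distinct, same-sized prefix carved from a hypothetical mapped pool (10.200.0.0/16 here), translates addresses host-part-for-host-part, and keeps the engineers' L2TP/IPsec client range (assumed to be 10.200.0.0/24) reserved so a site can never be mapped on top of it. Site names, prefixes and addresses are constructed for the example.

```python
"""Worked model of 1:1 NAT for overlapping remote LANs.

Every remote site uses the same LAN (192.168.0.0/24), so a hub cannot route
to "192.168.0.1" unambiguously. With 1:1 NAT each site is presented to the
hub as a distinct prefix of the same size; an engineer reaches site C's
192.168.0.25 via the mapped address, and the host part is preserved.
Assumed pool and reserved ranges are constructed for this example.
"""
import ipaddress


class OverlappingLanNat:
    def __init__(self, mapped_pool, reserved=()):
        self.pool = ipaddress.ip_network(mapped_pool)
        # Prefixes that must never be handed out as mapped ranges, e.g. the
        # remote-user (L2TP/IPsec) client pool or the hub's own LAN.
        self.reserved = [ipaddress.ip_network(r) for r in reserved]
        self.sites = {}   # name -> (real_lan, mapped_lan)
        self._used = []   # mapped prefixes already allocated

    def add_site(self, name, real_lan):
        """Allocate the first free same-sized prefix from the pool for a site."""
        real = ipaddress.ip_network(real_lan)
        if name in self.sites:
            raise ValueError(f"site {name!r} already registered")
        if real.prefixlen < self.pool.prefixlen:
            raise ValueError(f"{real} is larger than the mapped pool {self.pool}")
        for cand in self.pool.subnets(new_prefix=real.prefixlen):
            # Collision check: never overlap another site or a reserved range.
            if any(cand.overlaps(u) for u in self._used + self.reserved):
                continue
            self.sites[name] = (real, cand)
            self._used.append(cand)
            return cand
        raise ValueError("mapped pool exhausted; no free prefix left")

    def to_mapped(self, name, real_ip):
        """Real address at a site -> address the engineer should connect to."""
        real, mapped = self.sites[name]
        ip = ipaddress.ip_address(real_ip)
        if ip not in real:
            raise ValueError(f"{ip} is not inside {name}'s LAN {real}")
        offset = int(ip) - int(real.network_address)
        return ipaddress.ip_address(int(mapped.network_address) + offset)

    def to_real(self, mapped_ip):
        """Mapped address seen at the hub -> (site, real address) behind the tunnel."""
        ip = ipaddress.ip_address(mapped_ip)
        for name, (real, mapped) in self.sites.items():
            if ip in mapped:
                offset = int(ip) - int(mapped.network_address)
                return name, ipaddress.ip_address(int(real.network_address) + offset)
        raise LookupError(f"{ip} is not in any mapped range")

    def hub_routes(self):
        """Static routes the hub needs: mapped prefix -> which site's tunnel."""
        return {str(mapped): name for name, (_, mapped) in self.sites.items()}


def demo():
    # Engineers' VPN client pool is reserved so site A is NOT mapped onto it.
    nat = OverlappingLanNat("10.200.0.0/16", reserved=["10.200.0.0/24"])
    nat.add_site("A", "192.168.0.0/24")
    nat.add_site("C", "192.168.0.0/24")   # identical LAN, distinct mapped prefix
    return {
        "routes": nat.hub_routes(),
        "A_gw": str(nat.to_mapped("A", "192.168.0.1")),
        "C_gw": str(nat.to_mapped("C", "192.168.0.1")),
        "who_is_10_200_2_25": tuple(map(str, nat.to_real("10.200.2.25"))),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two engineers can then work at once: laptop1 targets 10.200.1.x for site A and laptop2 targets 10.200.2.x for site C, and the hub's routing table decides which PepVPN tunnel each mapped prefix belongs to. A /16 pool only holds 255 /24 mappings, so with 4500 devices this pairs naturally with the dynamic-tagging approach described earlier: only sites with an active tunnel need a mapping, and the prefix can be released when the tag is removed.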