Dynamic SF Tunnels (Dynamic VPN)


Is there a plan to support something like “dynamic VPN” in the future?

The idea would be to permit generate direct SF tunnels on demand between remote sites to serve as a shortcut and avoid extra bandwidth consumption on the central hub. (SF Bonding is great but customer always want more efficiency)

I understand that we can use different route costs between peers, so we can use a shorter route in a fully meshed topology, but it also demands to use big balance models because of the amount limits in speedfusion peers.

Also, in a dynamic VPN environment we could use smaller devices (BPL-210) at remote branches with the main SF tunnel to central office and the option to create 1 or 4 more tunnels directly to other remote branches… This way we can have a star topology supported with direct tunnels with spokes when needed.



Would you able to further elaborate this ? You only need the backup tunnel start connect when the primary tunnels is down ?

1 Like

We aren’t looking this feature as redundancy but as bandwidth efficiency.

Redundancy is very well covered with “WAN Smoothing” and “Disaster Recovery” option in a star topology, by the way this last one feature is great and works perfectly.

Below a very basic architecture to explain it:


It would be nice to be able to set-up one SF tunnel from Peer B to Central Office and leave the second tunnel of the BPL-210 available to create the SF shortcut on demand to another peer.

With the “On demand” term I mean to an automatic process that allow Peers to know other peer´s networks and its public IPs addresses, so they can create the tunnel when a request arrives internally from their LAN. For example: An IP Phone from network B wants to call an IP Phone from network C, the B210 from Peer B receives this request and create a SF to B210 from Peer C. Both Balance (B and C) already had the current and necessary data spread by the central Balance/FusionHub to create the tunnel.

Perhaps in a 3-peer scenario it doesn’t make sense, but it would in a larger architecture.

Hello Peplink Team,
For especially Utility and Data acquiring market, We need this feature. We lost a lot of projects ( thousands unit) because of DMVPN. For example PLC unit in PeerB should communicate with PLC in Peer B directly. Private APN is generally using. I know CGNAT environment is not suitable for kind of this deployment.
Incontrol can provide WAN IP information and LAN subnets of peers to other Peers. So, a peer can easily initiate vpn to other peer when traffic triggered.
But speed of vpn establishment should also be optimized. Peplink’s vpn establisment speed is not fast enough. For example, Silver-Peak SD-WAN units are authorized by Orchectrator (SD-WAN controller), It means, an unapproved unit cannot be part of the sd-wan fabric, So phase1 of ipsec UDP is eliminated. VPN establishment speed is incredibly fast.

1 Like

So you want to have on these devices a list of preconfigured SF profiles based on ip-to-ip that can boost start whenever needed ? It would encapsulate on the fly the new session in a pepvpn tunnel. Now that we have some buffering in pepvpn, might be possible no?

1 Like