Geekzone: technology news, blogs, forums

dbuckley

29 posts

Geek
+1 received by user: 5


#319250 6-Apr-2025 11:58

I've got a few remote locations that want to connect to a central location over a site-to-site VPN, but the problem is, the central location is being shut down.  Is there a cloud provider that provides site-to-site VPNs as a service?  Google has provided little help.  I know I could knock something up in the cloud myself, but I'd like a commercial offering so it stops being my problem.


lxsw20
3689 posts

Uber Geek
+1 received by user: 2174

Subscriber

  #3361273 6-Apr-2025 12:06

Most business ISPs will provide a WAN service like this but you will pay for it. What are you trying to achieve? What traffic is going over the VPN? Do the sites actually need VPN? Assuming there is some sort of server at the hub (central location) where is that moving to?




Dynamic
4015 posts

Uber Geek
+1 received by user: 1851

ID Verified
Trusted
Lifetime subscriber

  #3361278 6-Apr-2025 12:12

I'm also curious about what you are looking to achieve here.  Give us more detail, please.  What do the regions need to access or what does each site need to access on another?  Are there servers at each location?  Traditionally linking sites is done by the ISP (expensive) or with firewalls on each site and basic internet connections (more expensive up front but less expensive long term).





“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams


acsylaa
85 posts

Master Geek
+1 received by user: 66

Just Internet

  #3361291 6-Apr-2025 12:45

dbuckley:

I've got a few remote locations that want to connect to a central location over a site-to-site VPN, but the problem is, the central location is being shut down. Is there a cloud provider that provides site-to-site VPNs as a service? Google has provided little help. I know I could knock something up in the cloud myself, but I'd like a commercial offering so it stops being my problem.

What is the current cloud-managed VPN that you are using? (If it's Meraki or Forti, some MSPs could take this over and carry on managing it.)

Would you want the cloud provider to manage all the endpoint routers and the VPN service?

Are you wanting something that will work with your existing routers, or are you looking at replacing your routers?

Would you prefer to set it up and manage it yourself with some guidance?

What does the current setup consist of, such as router make and model and so on?

Where are the locations, are they in fiber-fed areas, and how many remote sites are we talking about here?

There are many ways to skin this cat. I have a few ideas that I could point you towards, but more information would be good to point you in the right direction.

I have a few sites set up with various VPNs and configurations, as we offer this as a service to our customers via our MSP.



djtOtago
1181 posts

Uber Geek
+1 received by user: 605


  #3361299 6-Apr-2025 13:17

If you are looking for a way for internet-connected servers to easily and reasonably securely talk to each other, then maybe Tailscale or a ZeroTier network may suit.


dbuckley

29 posts

Geek
+1 received by user: 5


  #3361301 6-Apr-2025 13:28

OK, so this is for a small organisation that is closing its main physical presence, where the rack with the current servers, PABX, firewalls etc. is, and going all virtual, work from anywhere. The current server-provided services in the rack are either migrated to commercial cloud offerings, with a few oddballs being moved to Linodes. So far so good.

There are, however, a number of (tiny) remote sites that just have things in them, no people, but have devices that need to be connected to from the office-less people and monitoring systems. This is all currently planned to be done using a VPN, and the office end of the VPN was a router intended to be in the office rack. But then it was decided the office rack would be no more, so where to put the VPN router? There are lots of possibilities, but a better answer is to not have this VPN router at all, and have a cloud VPN router, which I could knock up on a Linode easily. But... I'm trying to minimise the collection of custom stuff that needs expertise to manage. Hence looking for a VPN provider that does site-to-site VPNs as a ready-to-go product.

So far, the only hopeful I've found is Catalyst Cloud, who can do SDN using OpenStack, but that still requires construction and maintenance; VPNs are not their core business.


acsylaa
85 posts

Master Geek
+1 received by user: 66

Just Internet

  #3361308 6-Apr-2025 14:05

dbuckley:

OK, so this is for a small organisation that is closing its main physical presence, where the rack with the current servers, PABX, firewalls etc. is, and going all virtual, work from anywhere. The current server-provided services in the rack are either migrated to commercial cloud offerings, with a few oddballs being moved to Linodes. So far so good.

There are, however, a number of (tiny) remote sites that just have things in them, no people, but have devices that need to be connected to from the office-less people and monitoring systems. This is all currently planned to be done using a VPN, and the office end of the VPN was a router intended to be in the office rack. But then it was decided the office rack would be no more, so where to put the VPN router? There are lots of possibilities, but a better answer is to not have this VPN router at all, and have a cloud VPN router, which I could knock up on a Linode easily. But... I'm trying to minimise the collection of custom stuff that needs expertise to manage. Hence looking for a VPN provider that does site-to-site VPNs as a ready-to-go product.

Going by that picture, I'm picking that the remote sites that need access are PLCs?

And client machines and the office need access to those PLCs?

I have a bunch of remote Gallagher access sites that are using ZeroTier back to a central server in Hamilton, and a few that go to an AWS host in Sydney.

ZeroTier would be your best bet, as it's pretty easy to get going, but also really easy to manage.

If it's a PLC and there isn't going to be much data, you could use an IoT SIM, or if it's got fibre to the location you can use a smart location connection to get it online.

If you want to discuss privately, send me a private message and we can get into more detail there.

freitasm
BDFL - Memuneh
80652 posts

Uber Geek
+1 received by user: 41035

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #3361322 6-Apr-2025 14:54

Tailscale or ZeroTier. No central node required. 






lxsw20
3689 posts

Uber Geek
+1 received by user: 2174

Subscriber

  #3361375 6-Apr-2025 18:56

Are multiple people accessing them at once, or are the nodes pushing data back to the clients? If not, you could put in the likes of a NUC as a jump box onsite with TeamViewer or something, and ditch the whole VPN setup.


taneb1
544 posts

Ultimate Geek
+1 received by user: 213

ID Verified
Trusted
Mercury

  #3361466 6-Apr-2025 21:05

Will also add a vouch for Tailscale and ZeroTier. Currently run Tailscale connecting half a dozen cloud servers plus my home subnet. Haven't done anything too crazy, but haven't had any issues (touch wood) in the 2+ years it's been running. They have some good documentation on site-to-site as well: https://tailscale.com/kb/1214/site-to-site





Any comments made are my personal views and do not represent those of my employer.


deadlyllama
1283 posts

Uber Geek
+1 received by user: 476

Trusted

  #3361486 7-Apr-2025 06:52

ZeroTier is fake Ethernet. Tailscale is routed. Personally I find Tailscale gets in my way more. ZeroTier lets you use whatever IP ranges you want; Tailscale wants to assign out of 100/8.


Ragnor
8279 posts

Uber Geek
+1 received by user: 585

Trusted

  #3361558 7-Apr-2025 10:31

I see Tailscale and ZeroTier have already been mentioned, but you could probably solve this with Cloudflare WARP/Cloudflared/Zero Trust also.

freitasm
BDFL - Memuneh
80652 posts

Uber Geek
+1 received by user: 41035

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #3361572 7-Apr-2025 11:06

The problem with using Cloudflare WARP is that it can give access to the LAN routes (as you want), but it will also be the exit point (all your client's traffic goes through the Cloudflare network), which might impact speed or not be desirable at all.

Tailscale will give you access to your LAN routes, and optionally use one of your clients as an exit node.

Optionally is the keyword here.

Also, Cloudflare Zero Tier is a lot more complex to configure.






dbuckley

29 posts

Geek
+1 received by user: 5


  #3361580 7-Apr-2025 11:13

deadlyllama:

Zerotier is fake Ethernet. Tailscale is routed.

That's really helpful, thanks.

I'm going to give ZeroTier a go.



deadlyllama
1283 posts

Uber Geek
+1 received by user: 476

Trusted

  #3361730 7-Apr-2025 14:43

Also, on Linux Tailscale likes to futz with your iptables rules, add extra routing tables, ... which has broken things for me in the past.

If you're crazy enough to have a full IPv6 routing table on the same router as Tailscale, it likes to enumerate all your routes (all 212,324 of them) every so often, maxing your CPU in the process.

ZeroTier will add a few static routes if you ask it to, and configure the interface if you ask it to, but you can also ask it to get out of your way. It's fundamentally a virtual ethernet switch.
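A planning check for the points raised in this thread (ZeroTier managed routes to each unattended site's router, Tailscale assigning node addresses from the CGNAT range, and several tiny remote LANs that must not overlap). This is an added example, not code from any poster or from ZeroTier or Tailscale; the site subnets, gateway addresses and the 10.147.17.0/24 overlay pool are constructed, and the target/via field names are assumed to match ZeroTier Central's network config.

```python
import ipaddress

# Tailscale assigns node addresses from the CGNAT range (the "100/8" the posts refer to).
TAILSCALE_NODE_RANGE = ipaddress.ip_network("100.64.0.0/10")


def find_overlaps(site_subnets):
    """Return sorted pairs of site names whose LAN subnets overlap.

    Two remote sites both using 192.168.1.0/24 cannot be reached through one
    overlay without NAT, whichever product carries the traffic."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in site_subnets.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def tailscale_conflicts(site_subnets):
    """Sites whose LAN overlaps the range Tailscale assigns to nodes; advertising
    such a LAN as a subnet route would collide with node addresses."""
    return sorted(name for name, cidr in site_subnets.items()
                  if ipaddress.ip_network(cidr).overlaps(TAILSCALE_NODE_RANGE))


def zerotier_managed_routes(site_subnets, gateways, overlay_pool):
    """Build ZeroTier-style managed routes, one {"target", "via"} per site.

    Field names are assumed to match ZeroTier Central's network config. The
    "via" address must be that site router's address inside the overlay pool,
    and no site LAN may overlap the pool, or the overlay eats its own routes."""
    pool = ipaddress.ip_network(overlay_pool)
    routes = []
    for name, cidr in site_subnets.items():
        lan = ipaddress.ip_network(cidr)
        via = ipaddress.ip_address(gateways[name])
        if lan.overlaps(pool):
            raise ValueError(f"{name}: LAN {lan} overlaps the overlay pool {pool}")
        if via not in pool:
            raise ValueError(f"{name}: gateway {via} is not inside {pool}")
        routes.append({"target": str(lan), "via": str(via)})
    return routes


if __name__ == "__main__":
    # Constructed sample plan: three unattended sites, one with a LAN in CGNAT space.
    sites = {"siteA": "192.168.10.0/24", "siteB": "192.168.20.0/24",
             "siteC": "100.64.5.0/24"}
    gws = {"siteA": "10.147.17.10", "siteB": "10.147.17.20", "siteC": "10.147.17.30"}
    print("overlapping LANs:", find_overlaps(sites))
    print("clash with Tailscale node range:", tailscale_conflicts(sites))
    print("ZeroTier managed routes:", zerotier_managed_routes(sites, gws, "10.147.17.0/24"))
```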

