Site to Site VPN: Unlocking Secure Network Connections

April 26, 2024

Types of Site VPNs

First off, we've got what's often referred to as a site-to-site VPN. This setup is perfect when you're looking to connect entire networks to each other. For instance, you can connect your office network with an AWS VPC. This allows devices from your office network to communicate seamlessly with services running in AWS, and vice versa. To establish this connection, at least one machine in each network must have a public IP address to set up the WireGuard tunnel. Once this tunnel is established, the machine with the public IP can act as an egress gateway for the rest of the network. It's essentially like merging two private networks into one virtual network, which is incredibly useful for allowing different parts of a business to interact with each other securely.

Another variant you might consider is a point-to-site VPN, especially if you're dealing with scenarios where you need to connect individual devices to a network. Netmaker's flexibility means it can also cater to scenarios where, say, a remote employee needs secure access to the company's internal network. The device acts as a client connecting to the gateway that provides entry into the network, ensuring secure access to internal resources.

VPN Protocols for Site to Site Networking

There are a number of VPN protocols you could use to set up your site-to-site VPN.

Starting with IPsec, it's like the Swiss Army knife in your networking toolkit. Designed to secure Internet Protocol communication by authenticating and encrypting each IP packet of a communication session, IPsec comes in handy when I need to establish secure connections over the inherently insecure Internet. Imagine you're sending a letter that contains sensitive information. Using IPsec is akin to putting that letter in a lockbox, where only the sender and the recipient have the key.

Source: Netgate

Then there's MPLS, or Multi-Protocol Label Switching. This technology steers clear of the public Internet, offering instead a private network solution that's for companies with multiple locations that need to communicate with each other reliably and securely. MPLS shines in its ability to manage traffic efficiently, ensuring that high-priority applications like VoIP (Voice over Internet Protocol) get the fast lane, so to speak. For a client with a critical need for voice and video application performance across their network, MPLS is a good fit.

Source: Meraki

SSL VPNs, on the other hand, offer a flexible and accessible solution for secure remote access. Unlike IPsec VPNs, which require installing specialized client software, SSL VPNs work with any standard web browser. This approach is user-friendly and ideal for companies that have a lot of remote users or clients who need access to specific applications or services within their network. One time, I set up an SSL VPN portal for a client's remote workforce. It was a revelation for them. Their employees could now access the internal tools they needed from anywhere, using any device, without compromising security. It was all about making secure access as painless as possible.

Source: Fortinet

WireGuard adds an interesting dimension to the VPN landscape. It's a modern VPN protocol that aims to be simpler, faster, and more secure than its predecessors like IPsec and SSL VPNs. WireGuard uses state-of-the-art cryptography and is designed to be efficient and easy to configure. It operates by establishing secure tunnels using a concept called Cryptokey Routing, where each device on the network has its own set of keys for encrypted communication.

The simplicity of WireGuard is one of its standout features. It aims to streamline the process of setting up a VPN, reducing the complexity found in other systems like IPsec. This simplicity doesn't come at the expense of security; in fact, WireGuard is intended to provide stronger security with fewer lines of code, which helps in auditing and reviewing the software for security vulnerabilities.

WireGuard's performance is another significant benefit. It is known for its high-speed connection capabilities and lower overhead, making it ideal for everything from small mobile devices to large servers. The protocol is particularly effective in environments where the network might change frequently, such as switching between Wi-Fi and cellular data on smartphones. This makes it very suitable for mobile users who need reliable and secure connections without sacrificing speed.

Moreover, WireGuard's lean design means that it consumes less battery on mobile devices, which is a critical consideration in today's always-connected, mobile-first world. Its integration into Linux kernels and availability across multiple platforms, including Windows, macOS, iOS, and Android, also speaks to its versatility and broad applicability.

Site to Site VPN with Netmaker

Netmaker leverages WireGuard to create secure connections, and the security features are top-notch. This means that each node (or endpoint) in the network securely connects over these encrypted tunnels. Our key refresh feature integrates directly with WireGuard's use of public and private keys. Imagine you're managing a set of nodes across an enterprise network, and you have a sneaking suspicion that one of your keys might have been compromised, or maybe you're just proactive about security. With Netmaker, refreshing the public keys of all your machines is as simple as clicking a button. This is crucial because in the world of network security, being able to swiftly rotate keys without disrupting the network can be the difference between a secure operation and a compromised system.

Another powerful feature we've integrated is the ability to set expiration dates on nodes. Let's say you're running a temporary project, and you've set up a network specifically for this. With Netmaker, you can specify exactly when each node in this network should expire. This automatic expiration not only helps in cleaning up after the project is done but also significantly reduces the attack surface by ensuring that inactive or temporary nodes aren't left open to exploitation.

With site-to-site VPNs set up through Netmaker, we're not only talking about the benefits of seamless connectivity between, for example, your AWS VPC and your office network. We're also looking at a setup where your entire network's security posture is dynamically managed, hardened against unauthorized access, and can be adapted on the fly to meet your security needs. Whether it's accessing a private subnet on AWS from an office machine or vice versa, the underlying premise is that all of this is done over secure, encrypted connections.

Netmaker gives you complete flexibility in configuring your networks, and multiple options for integrating sites into your virtual network. For the Site-to-Site VPN, the best option is to use our Remote Access Gateway with routers. Assuming you have routers at each site, you can simply generate a WireGuard config file using the Remote Access Gateway for each of your sites, and add it to your router using any available WireGuard plugin. Any sites added this way will become available to each other.

Additionally, Netmaker gives you the option of the Egress Gateway, for environments such as AWS where you are not working with a router. Here, any Linux virtual machine can be set to route traffic into and out of your VPN network. Simply set the Linux machine as an egress gateway to your AWS VPC, and the site becomes available from your VPN. Making the VPN accessible FROM the VPC is a little more work, but by setting routing rules in your VPC to route traffic via the Egress Gateway, your site-to-site setup is complete.
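To make the two-network merge described at the top of the post and the per-site WireGuard config file described in this section concrete, here is an added example (not Netmaker's code) that generates a wg-quick style config for each site's gateway and checks the one rule Cryptokey Routing imposes: a destination prefix can belong to only one peer. Site names, subnets, endpoints (TEST-NET addresses) and key strings are constructed placeholders; the private key line is deliberately a placeholder to be filled from a secret store.

```python
import ipaddress
from collections import namedtuple

# One gateway per site: the LAN behind it, its /32 tunnel address, its WireGuard
# public key, and "host:port" if it is reachable from the Internet (else None).
Site = namedtuple("Site", "name lan tunnel_ip public_key endpoint")

def check_routes(sites):
    """Cryptokey routing maps each destination prefix to exactly one peer, so
    overlapping LAN or tunnel prefixes between sites are a configuration error."""
    seen = []
    for s in sites:
        for prefix in (s.lan, s.tunnel_ip):
            net = ipaddress.ip_network(prefix, strict=False)
            for name, other in seen:
                if name != s.name and net.overlaps(other):
                    raise ValueError(f"{s.name} {net} overlaps {name} {other}")
            seen.append((s.name, net))
    if not any(s.endpoint for s in sites):
        raise ValueError("at least one gateway needs a public endpoint")

def render(site, sites):
    """wg-quick style config for one gateway. Each peer's AllowedIPs is its tunnel
    address plus its LAN: that entry is what routes the local LAN to the remote one."""
    out = ["[Interface]", f"Address = {site.tunnel_ip}", "ListenPort = 51820",
           "PrivateKey = <load from secret store, never commit>",
           "PostUp = sysctl -w net.ipv4.ip_forward=1",  # gateway forwards LAN <-> tunnel
           ""]
    for peer in sites:
        if peer.name == site.name:
            continue
        out += ["[Peer]", f"# {peer.name}", f"PublicKey = {peer.public_key}",
                f"AllowedIPs = {peer.tunnel_ip}, {peer.lan}"]
        if peer.endpoint:
            out.append(f"Endpoint = {peer.endpoint}")
        if not site.endpoint:  # this gateway is behind NAT: keep the mapping open
            out.append("PersistentKeepalive = 25")
        out.append("")
    return "\n".join(out)

# Constructed sample: an office LAN and an AWS VPC, both gateways publicly reachable
# (TEST-NET addresses and placeholder keys, not real values).
SITES = [Site("office", "192.168.10.0/24", "10.255.0.1/32", "OFFICE_PUBKEY_PLACEHOLDER", "203.0.113.5:51820"),
         Site("aws-vpc", "10.20.0.0/16", "10.255.0.2/32", "AWS_PUBKEY_PLACEHOLDER", "198.51.100.9:51820")]

def build_all(sites=SITES):
    """Validate the site list, then return {site name: config text} for every gateway."""
    check_routes(sites)
    return {s.name: render(s, sites) for s in sites}
```

Hosts on each LAN still need a route for the remote subnet pointing at their local gateway (or the gateway must be their default router); the generated file only covers the tunnel itself.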
