SD-WAN made easy
What is SD-WAN? Apparently, it means Software Defined WAN, and WAN stands for Wide Area Network.
We might also say that SD-WAN is a poor man’s MPLS, as it is a means of privately connecting distributed points (servers, clients, whole networks). Many SD-WAN solutions are technically overlay networks, which means that all the traffic inside that network is actually encapsulated on the physical network. In other words, you have a Virtual Private Network (sounds familiar?) with a twist.
I was wondering if there was a way I could have my own SD-WAN without deploying complex software, needing beefy servers or shelling enterprise-grade amounts of money. Of course there was :)
I’m using a software called SoftEther VPN both on the client and server side of things. SoftEther is an Open-Source Free Cross-platform Multi-protocol VPN Program developed by the SoftEther VPN Project led by Daiyuu Nobori from the University of Tsukuba, Japan.
The architecture is actually very simple. We just need a server reachable on port 443/TCP:
All the clients will connect to it, creating an overlay layer 2 (Ethernet) network between them. So the above diagram becomes this (if you can imagine that the grey line is actually a layer 2 network :)):
- Hole-punching through firewalls: The clients are only creating outgoing connections through port 443/TCP on your physical network, which is a port commonly open on many networks. If you can browse the Internet, you can use this.
- Layer 2 network: Freedom to build any IPv4 or IPv6 designs on top of the SD-WAN, even if your hosting provider doesn’t support it. Avoid complex networks managed by others and overly complex firewall configurations.
- Control which hosts join the network, one by one: Only hosts with the client software installed and the correct credentials can join the network.
- Distributed network: Every host could be on a different physical location, but you’ll see them all in the same network. Even if they move physical location, it will still look the same to you.
- Private and encrypted: An external observer will only see SSL traffic from the client to the central server, while in reality you are probably encapsulating multiple different protocols (HTTP, SQL, DNS, etc.).
- Managed Services Providers can deploy the client software on their customers’ servers, avoiding costly hardware and staff to configure and maintain IPsec tunnels. It will also increase their customers’ security, exposing zero extra services on the servers.
- Developers willing to have their workstation connected to their servers for testing, deployment and management. Avoid exposing services to be brute-forced or exploited by external attackers.
- DevOps willing to architect and run applications using different hosting and cloud providers, thus unlocking different cost saving possibilities by using the best resources from each provider.
- Distributed / Nomad companies could have an intranet with their own laptops and distributed servers, and privately share documents and other information in the encrypted network.
If you really understand the architecture, it’s really not that difficult to get this solution up and running. It requires some networking knowledge, especially on the server side, and a bit of common sense. There’s an excellent guide on Digital Ocean’s site called “How To Set Up a Multi-Protocol VPN Server Using SoftEther”. It takes a while, but if you’re careful you can get it up and running.
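As an added example (not part of the original post or of the SoftEther project), the shell snippet below generates and applies a `vpncmd` batch that configures a SoftEther server to exactly the layout described above: only the 443/TCP listener stays open, one hub is created, and each machine that may join gets its own user and password. The hub name, passwords and user names are assumed placeholders; the script assumes `vpncmd` is installed on the server and the admin password is in `SE_ADMIN_PW`.

```shell
#!/bin/sh
# Assumed placeholders: hub "office", admin password in $SE_ADMIN_PW,
# and per-machine user:password pairs passed as arguments.
set -eu

# Emit the vpncmd batch for one server: 443/TCP only, one hub, one
# password user per machine allowed to join. Review it before applying.
softether_batch() {
  hub="$1"; hub_pw="$2"; shift 2
  # 443/TCP is listening on a default install; remove the other default
  # listeners so the server exposes nothing but 443.
  for p in 992 1194 5555; do
    printf 'ListenerDelete %s\n' "$p"
  done
  printf 'HubCreate %s /PASSWORD:%s\n' "$hub" "$hub_pw"
  printf 'Hub %s\n' "$hub"
  # Remaining arguments are user:password pairs, one per joining machine,
  # so each host can be added or revoked individually.
  for pair in "$@"; do
    u="${pair%%:*}"; pw="${pair#*:}"
    printf 'UserCreate %s /GROUP:none /REALNAME:none /NOTE:none\n' "$u"
    printf 'UserPasswordSet %s /PASSWORD:%s\n' "$u" "$pw"
  done
}

# Apply the batch through the local management interface, then show which
# sockets vpnserver still listens on (expect only *:443).
apply_batch() {
  batch="$(mktemp)"
  softether_batch "$@" > "$batch"
  vpncmd localhost:443 /SERVER /PASSWORD:"$SE_ADMIN_PW" /IN:"$batch"
  rm -f "$batch"
  ss -ltnp | grep -i vpnserver || true
}

# Only applies when explicitly asked, e.g.:
#   sh setup.sh apply office hubpw web01:s3cret db01:s3cret2
if [ "${1:-}" = apply ]; then
  shift
  apply_batch "$@"
fi
```

Running it without `apply` only defines the functions, so you can source the file and inspect `softether_batch office hubpw web01:pw1` before touching the server.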
Some of you out there might stop reading here and jump to get your own SD-WAN running, but for the rest of you I thought I could help further, so I created a service to take away all the burden from setting up and maintaining one of these systems. I’ve also worked on making it super easy to get your first Linux and Windows machines in your network… Ladies and gentlemen, please welcome…
Wormhole Network simplifies the process on both the client and the server side. The servers are set up and maintained by me, while you’ve got control over the networks you create and the users/machines that can join your networks. I’ve made it super easy to go from nothing to having your first machine in the network.
If you have any privacy concerns, I’d like to let you know that I’ve got zero visibility over your traffic and you’re isolated from other customers.
That’s not all the good news. I’ve made sure you can try how easy and convenient this system is to use, so there is a free tier of the service where you can create one network (inside Wormhole these are called hubs). No credit card required, nor any other data apart from your email and a password (the name is optional).