Possible hundreds of clients - Main Node recommendations

butterfry · 2022-05-28T17:34:43.247Z

I’m designing a system, hopefully based on gl.inet hardware. We have many remote customers (possibly 5-600+ in the future) and we need VPN access. I am looking at goodcloud as an easy solution that we can deploy.

My question is: I see on github we have a very old version of the generic x86 goodcloud implementation. Can I use that in a powerful computer for the main node, or is it too old of a version? It doesn’t look like it’s been updated in 3 years. I installed it, and it seems to work - But I need mac/serial/id combination to register on goodcloud - so that is useless to me at this time? Are you able to provide that here to me in PM?

Can that get updated so I can use it? for the production use, I’d probably get a very powerful mini-pc that can handle hundreds of clients. Data is VERY low - simply monitoring/ping and occasional troubleshooting via http/ssh remotely. Ideally I would like the full UI of a router - My empolyees will be using wireguard VPN to remote into this main node to gain access to client routers/networks. The x86 goodcloud appears to only be cli.

If that doesn’t work - What router do you recommend? What is the capacity that I can expect for the fastest gl router?

hubpub · 2022-05-29T06:06:04.399Z

“Main node” is a term related to site-to-site VPNs, typically deployed between a fixed number of stably-connected locations where the head office acts as the “main node.”

When lots of VPN clients connect/disconnect on-demand or roam, you can deploy a traditional hub-and-spoke VPN architecture, and run any Linux x86 distro on the WireGuard VPN server (hub).

assuming this VPN server is on-premise at the head office, configure and administer it directly (it is outside of the GoodCloud scope)
GoodCloud should be used only to configure/monitor/troubleshoot the fleet of GL-inet routers as VPN clients

Given the large number of GL-inet routers involved, I recommend to drive the provisioning process through scripting. Below is a previous forum thread with some technical considerations.

Bulk flashing process Technical Support for Routers

There are webAPIs for checking and triggering firmware updates. But this would require going through the upgrade process one router at a time (serially). In my case, I run an out-of-the-box-setup script to initialize the admin password (see below), and then enroll the routers into GoodCloud management. Business users can request a “business” level GoodCloud account, which can perform firmware upgrades and apply configuration templates in bulk/parallel. #!/bin/sh # router by IP (default) ROUTE…

alzhao · 2022-05-30T11:15:26.329Z

As we are working on firmware 4.x, we will update x86 version later. Maybe 2nd half of this year.

Now you cannot make a x86 station and add to your GoodCloud Account.

butterfry · 2022-05-31T15:36:35.063Z

Thanks for the info - I won’t waste more time on it. You should mark that repository as stale/not-working

butterfry · 2022-05-31T15:52:47.029Z

re: Main Node - Well, that is how GoodCloud displays it. I’m quite aware how s2s and p2p vpns work. I just needed some way to reference the single node that has maintains the connection - The only one requiring an open port. Part of my configuration issues is I’m dealing with end-user/homeowner networks. I need a solution that I can just drop a router in place and either AP to their WiFi or hardwire and not have to deal with whatever NAT hell is going on there. The only node that I have control over is the main, home office node.

The problem I’m solving for is: My company installs IoT based Solar Power systems in residential locations. Consumer wifi is all over the place - I spend too much time fixing issues with our devices. I’m trying to create a walled garden that the on-premises devices can connect to, instead of the in-home wifi/network. Ideally the gl.inet router would be hardwire WAN in so the homeowner can change wifi passwords without requiring a site visit. And with the VPN I can now get granular configuration on the devices themselves, instead of taking a trip out there to modify a single setting.

I don’t think we need things always connected - but that raises issues for our service techs who don’t understand networking/VPN - and deploying/maintaining a very complicated (500-1000+) set of P2P VPN configurations. My solution is that if you VPN just into the one “Main Node” at the office then I can own the DNS to get my employee/tech to the correct site to administer by simply connecting to “client-name” dns entry.

Thanks for the link with your scripting work - If I go this route I’ll be needing something like that, building on your work here.

alzhao · 2022-06-01T04:26:44.028Z

butterfry:

Ideally the gl.inet router would be hardwire WAN in so the homeowner can change wifi passwords without requiring a site visit. And with the VPN I can now get granular configuration on the devices themselves, instead of taking a trip out there to modify a single setting.

I am not sure if a vpn solution is needed.

You can change config on the router via Goodcloud directly.

You can remote (ssh) to the router via Goodcloud and then from there, ssh to your IOT devices (if this is the way). If you IOT devices provide a web panel, you can also do it via goodcloud directly.

Let me know your detailed requirement so that I can check what we can do.

butterfry · 2022-06-01T05:46:27.480Z

I’m quite familiar with openwrt and gl’s line. I have been using them for years in all kinds of edge cases where flexibility is needed. I’m certain a VPN is needed.

The system I’m designing is not for technical network administrators, it is for employees who’s job it is to install and configure solar systems. They just need it to work and wouldn’t know what a ssh was if it was taking a nap on their lap. I have already mapped it out and validated the configurations.

I’m curious does the ar300m ext model actually give more range with the external antennas? There will never be much load/connections on these. But in some cases stronger 2.4ghz will be necessary. I think we can use a mix of devices. Possibly the n300 for sites with good signal and the ar300m ext for more complicated sites.

Any plans for a new usb router stick? That would be ideal in some cases.

alzhao · 2022-06-01T07:18:45.003Z

OK. I understand your scenarios.

AR300M should be pretty good with external antenna.

But we have no USB router upgrade right now.