OpenNHRP is now available via RPM

After a LONG hiatus, I’m finally starting to work on my Open Source implementation of DMVPN again. So far, I’ve started off by taking the OpenNHRP source code and building RPM files. I made no changes to the source code itself. Heck, I don’t even consider myself a developer. I just built the RPM binaries so that a person could build a DMVPN device without needing to have developer tools installed on the device itself. It should be a little more secure that way. :)

Currently, the RPM files are being built in a CentOS 6 x86_64 environment. However, if this is something that people like, I will entertain building the RPMs for 32-bit environments or possibly deb packages for Ubuntu/Debian-based environments.

The binary and source RPMs are available right now! I’m still testing them to make sure everything is working properly. You can get the package by installing the repository:

Have fun! I look forward to getting an open source DMVPN implementation up and running soon! Leave a comment if you have any comments or questions.

October 2, 2012

Posted In: DMVPN, Linux, Open Source Alternatives, OpenNHRP, RPM, System Administration, VPN

An Open Source Implementation of Cisco’s Dynamic Multipoint VPN (DMVPN)


For a few years, Cisco has had a pretty innovative VPN solution called “Dynamic Multipoint VPN”. In essence, it’s a traditional hub-and-spoke VPN design, except that when two or more spokes need to talk to each other, they bring up a dynamic GRE-over-IPsec tunnel directly between themselves instead of sending the traffic to the hub and having the hub route it on to the destination spoke. In these terms, the “hub” is the main office that every spoke builds its VPN session to, and the “spokes” are the branch offices.

Why does this matter? There are two HUGE reasons: bandwidth and ease of operation. If two spokes need to send data back and forth over the VPN, it doesn’t make sense for the data to go from spoke 1 to the hub and then from the hub to spoke 2. Every byte crosses the Internet twice and the hub’s link carries it in both directions, so the hub needs twice the bandwidth for that traffic. That’s a lot of wasted money. For the people configuring the VPN devices, the alternative is a static full mesh: a tunnel configured on every branch for every other branch, with the tunnel count growing roughly with the square of the number of sites. Could you imagine doing that with hundreds or thousands of branch offices? It would be an administration nightmare. So either way you look at it, DMVPN could save your organization a ton of money in total cost of ownership and on bandwidth. Your network admins will love you for it.

How is DMVPN achieved? It builds on the same building blocks as a traditional hub-and-spoke VPN (IPsec for encryption, GRE for encapsulation, and a dynamic routing protocol to exchange routes) plus the Next Hop Resolution Protocol (NHRP, RFC 2332). “NHRP is an Address Resolution Protocol (ARP)-like protocol that dynamically maps a nonbroadcast multiaccess (NBMA) network. With NHRP, systems attached to an NBMA network can dynamically learn the NBMA (physical) address of the other systems that are part of that network, allowing these systems to directly communicate.” (Cisco.com) In DMVPN terms, the hub is the next-hop server: each spoke registers the mapping from its tunnel address to its public (NBMA) address with the hub, and when a spoke has traffic for another spoke’s tunnel address it asks the hub to resolve that address to the other spoke’s public address and then builds the direct tunnel. Like ARP, NHRP trusts what it is told, which is why the NHRP exchanges themselves ride inside the IPsec-protected GRE tunnel. Pretty cool, right?

It now looks like the Open Source community is putting together the last piece of the DMVPN puzzle. For years there have been open source implementations of IPsec, GRE, and dynamic routing protocols such as OSPF. (It’s a shame that EIGRP is proprietary to Cisco.) Now there is an NHRP implementation in the works that looks promising. I’m sure that I’ll be keeping up with the progress.
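Putting those pieces together on a Linux box, as an added example that is not the blog author’s or OpenNHRP’s own code: a shell script that renders the iproute2 commands for the multipoint GRE interface, an opennhrp.conf for either the hub or a spoke, a strongSwan/Openswan transport-mode conn that protects GRE, and the netfilter rules that only accept GRE arriving inside IPsec. The interface name gre1, the GRE key 1234, the tunnel addresses in 10.255.255.0/24, the hub’s public address 203.0.113.1, the certificate path and the NHRP secret are all assumptions; the per-peer IPsec triggering that OpenNHRP does through opennhrp-script is left out.

```shell
#!/bin/sh
# Added example, not the blog author's or OpenNHRP's own code.
# Renders the pieces that turn a Linux box into a DMVPN member:
#   1. iproute2 commands for a multipoint GRE (mGRE) interface,
#   2. an opennhrp.conf for the hub or a spoke,
#   3. a strongSwan/Openswan transport-mode conn protecting GRE,
#   4. netfilter rules that only accept GRE arriving inside IPsec.
# Every address, interface name, key, path and secret below is an
# assumption chosen for illustration; replace them for a real deployment.

ROLE="${ROLE:-spoke}"                        # "hub" or "spoke"
TUN_IF="${TUN_IF:-gre1}"                     # mGRE interface name
GRE_KEY="${GRE_KEY:-1234}"                   # GRE key shared by all members
TUN_ADDR="${TUN_ADDR:-10.255.255.2/24}"      # this node's tunnel (protocol) address
HUB_PROTO="${HUB_PROTO:-10.255.255.1}"       # hub's tunnel address
HUB_NBMA="${HUB_NBMA:-203.0.113.1}"          # hub's public (NBMA) address
NHRP_SECRET="${NHRP_SECRET:-changeme}"       # NHRP cisco-authentication secret
CERT="${CERT:-/etc/ipsec.d/certs/dmvpn.pem}" # this node's X.509 certificate

# 1. A GRE tunnel with no "remote" is multipoint: the destination of each
#    encapsulated packet comes from the neighbour table that OpenNHRP fills.
gre_commands() {
  cat <<EOF
ip tunnel add $TUN_IF mode gre key $GRE_KEY ttl 64
ip addr add $TUN_ADDR dev $TUN_IF
ip link set $TUN_IF up mtu 1400
EOF
}

# 2. Hub: answers resolution requests and sends "redirect"s for traffic it
#    forwards between spokes. Spoke: "map ... register" names the hub as its
#    next-hop server; "shortcut" lets it act on a redirect by resolving the
#    other spoke's NBMA address and sending directly.
opennhrp_conf() {
  if [ "$ROLE" = hub ]; then
    cat <<EOF
interface $TUN_IF
  cisco-authentication $NHRP_SECRET
  shortcut
  redirect
  non-caching
  multicast dynamic
EOF
  else
    cat <<EOF
interface $TUN_IF
  map $HUB_PROTO/24 $HUB_NBMA register
  cisco-authentication $NHRP_SECRET
  shortcut
  redirect
  non-caching
  holding-time 3600
  multicast nhs
EOF
  fi
}

# 3. One transport-mode conn that matches any peer, but only for GRE.
#    The hub loads it (auto=add) and waits; spokes bring it up toward the
#    hub, and toward other spokes when OpenNHRP reports a peer-up event.
ipsec_conn() {
  cat <<EOF
conn dmvpn
  left=%defaultroute
  leftcert=$CERT
  leftprotoport=gre
  right=%any
  rightprotoport=gre
  type=transport
  authby=rsasig
  keyingtries=%forever
  auto=add
EOF
}

# 4. NHRP's own authentication is a shared secret sent in the clear, so IPsec
#    is the only real protection against a rogue host registering as a spoke
#    or answering a resolution request with its own address. Drop GRE that
#    did not arrive inside an ESP security association.
gre_firewall() {
  cat <<EOF
iptables -A INPUT -p gre -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -A INPUT -p gre -j DROP
EOF
}

render_all() {
  printf '# --- iproute2 ---\n'; gre_commands
  printf '# --- /etc/opennhrp/opennhrp.conf (%s) ---\n' "$ROLE"; opennhrp_conf
  printf '# --- /etc/ipsec.conf ---\n'; ipsec_conn
  printf '# --- netfilter ---\n'; gre_firewall
}

render_all
```

Run it as is for a spoke, or with ROLE=hub for the hub, and review the output before applying any of it. The two netfilter rules are the check that matters: because NHRP is ARP-like and its cisco-authentication secret travels in cleartext, a host that can send unprotected GRE to the hub could register itself as a spoke or poison another spoke’s NBMA mapping, so GRE must only be accepted once it has been decrypted.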

Maybe Vyatta will implement this? hmmm…

RFC 2332 – NBMA Next Hop Resolution Protocol

Open Source Related Links:
OpenNHRP
Quagga Routing Software
iproute2 – userspace tooling for the Linux kernel’s GRE implementation
strongSwan – IPsec for Linux
Openswan – another IPsec implementation for Linux

Cisco Related Links:
Cisco’s implementation of NHRP
Configuring DMVPN using GRE over IPSEC between multiple routers
DMVPN Overview

May 31, 2009

Posted In: Open Source Alternatives, VPN