Score:0

Best way of implementing a VPN for remote device management

sk flag
J D

Looking for thoughts on how to proceed with our remote management of hardware.

We deploy Milesight LoRaWAN UG65 gateways at our customers.

The tooling Milesight themselves provide for remote management is a bit wonky, so I'm looking to connect the devices through a VPN so we can reach and manage them.

We have now tried two things:

  1. We have an IoT SIM card in these devices. This works well and we can reach them through our SIM provider's VPN. However, this solution is not ideal because it only works if we make the cellular connection dominant. If we prefer Ethernet or Wi-Fi, then the cellular IP is not bound to the Nginx management interface. We are in contact with Milesight for possible solutions, but so far I'm not very confident this will lead anywhere.

  2. We tried to set up a reliable VPN server. This proves harder than we thought, as there are apparently barely any managed OpenVPN servers available at a good price.

We looked at OpenVPN CloudConnexa and Open Connect, but the pricing per connection per month is around $9, which is steep.

Does anybody know of any other VPN solutions we might be able to look at? We could host the free OpenVPN server ourselves, but this is not something we prefer (maintenance, security, etc.).

The following VPN protocols are available:

DMVPN     IPsec     GRE     L2TP     PPTP     OpenVPN Client

Many thanks in advance!

joeqwerty avatar
cv flag
Is an RMM not an option?
Score:2
ws flag

This is mostly comment but space is limited....

However this solution is not ideal because this only works if we make the cellular connection dominant

You have routers which can't implement alternate routes?

We could host the free openvpn server ourselves but this is not something we prefer

So you are happy to operate (N) openvpn endpoints, but (N+1) would be bad for maintenance/security?!

Does anybody know of any other VPN solutions we might be able to look at?

ssh

It provides encryption in transit, authentication, encapsulation and routing, is available out of the box on many devices/operating systems, and has a security track record that things which describe themselves as "VPNs" can only dream of.

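As an added example of the SSH approach suggested in the answer above (this is not code from the thread, the gateway vendor, or any product named on the page): a "phone-home" reverse tunnel. Each gateway opens an outbound SSH session to a jump host and asks for a reverse forward, so the gateway's local management UI (assumed here to listen on 127.0.0.1:443) becomes reachable on the jump host's loopback at a per-device port. Because only outbound TCP/22 is needed, it works the same over cellular, Ethernet or Wi-Fi, whichever WAN link the device currently prefers. The jump host name, the `tunnel` account, the port numbering and the assumption that the gateway can run an OpenSSH client with `-R` (plus `autossh`) are all assumptions of this example. The security-relevant part is the per-key `authorized_keys` entry and the `Match` block, which restrict each device key to exactly one loopback listen port and nothing else.

```sh
#!/bin/sh
# Added example: SSH reverse tunnel for remote management of gateways.
# Assumptions (not from the original thread): jump host name, "tunnel"
# account, port numbering, and that the gateway can run ssh/autossh with -R.

JUMP_HOST="jump.example.net"   # hypothetical jump host
TUNNEL_USER="tunnel"           # unprivileged account on the jump host
BASE_PORT=20000                # device N gets loopback port BASE_PORT+N on the jump host

# Map a device index to the jump-host loopback port that fronts its UI.
device_port() {
    echo $(( BASE_PORT + $1 ))
}

# authorized_keys line for one gateway's key (jump host side). "restrict"
# turns every privilege off; "port-forwarding" re-enables forwarding, and
# "permitlisten" limits the key to the single -R listen address it needs.
# command="/bin/false" means a client that opens a shell session (i.e. forgets
# -N) is dropped immediately. permitlisten needs OpenSSH 7.8 or later.
authorized_keys_entry() {  # $1 = device index, $2 = public key ("type base64")
    port=$(device_port "$1")
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s",command="/bin/false" %s gw-%s\n' \
        "$port" "$2" "$1"
}

# sshd_config fragment for the jump host: the tunnel account may only request
# remote forwards, which bind loopback only (GatewayPorts no), with no TTY,
# no agent/X11 forwarding and key-only authentication.
sshd_match_block() {
cat <<'EOF'
# /etc/ssh/sshd_config.d/tunnel.conf (hypothetical path on the jump host)
Match User tunnel
    AllowTcpForwarding remote
    GatewayPorts no
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PasswordAuthentication no
EOF
}

# Gateway side: the persistent outbound tunnel. -N requests no remote command;
# ExitOnForwardFailure makes the client die (and autossh restart it) if the
# reverse forward is refused; ServerAlive* detects a dead cellular link.
# The -R target 127.0.0.1:443 is the gateway's own management UI (assumed).
tunnel_command() {  # $1 = device index
    port=$(device_port "$1")
    printf 'autossh -M 0 -N -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -i /etc/tunnel/id_ed25519 -R 127.0.0.1:%s:127.0.0.1:443 %s@%s\n' \
        "$port" "$TUNNEL_USER" "$JUMP_HOST"
}

# Demo with a constructed (not real) public key for device 7.
authorized_keys_entry 7 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLECONSTRUCTEDKEY"
tunnel_command 7
```

Once a gateway's tunnel is up, an operator on the jump host reaches that device's UI at `https://127.0.0.1:20007/` (or forwards that port to their workstation with a normal `ssh -L`), so the management interface is never exposed to the internet and each device key can open exactly one listener. Revoking a device is deleting one line from `authorized_keys`.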
Score:0
cn flag

Examine the assumption that a remote access VPN is required. It might be if the IP side of this gateway does not run secure protocols. Or it might be fine over the internet, but you're having problems routing the applications.

That gateway advertises "WAN Failover" as a feature. You tried to make this into an out-of-band access thing, so the management interface over cell data and everything else over, presumably, the internet. Possibly they didn't test it to do this, and failover moves all features over to a different WAN link. Explore the possibilities with the vendor. Maybe in the short term you can tolerate workarounds like replacing the internet access with another device, a proper dual-WAN router, or having on-site hands manually switch the WAN over if necessary.

Should this gateway's management functions not be sufficient, consider adding a remote management and monitoring service. Some of these are managed services, and would be phoning home status over the internet. Although these likely require a general purpose computer to run an agent on. If the only customer equipment is this gateway and some simple devices, that might be tricky to get on site.

Server Fault does not make product recommendations. Note that some organizations will pay a decent amount to make the VPN or RMM platform someone else's problem. You correctly noted that self-hosting is an option, but it would be a thing to maintain and provide infrastructure for.
