Globalways is a German internet service provider with 20 years in the industry. They have laid over 230 miles (360 km) of dark fiber in Stuttgart, Germany and maintain 19 points of presence (PoP) distributed all across Germany. A few years ago Globalways began to optimize their internet services by reworking their out-of-band (OOB) infrastructure, which consisted of hardware (Cisco and Juniper routers and switches and a PCEngines APU) and a VPN.
Alongside the hardware, Globalways ran OpenVPN on Debian as a virtual concentrator. This infrastructure served Globalways for a time, but issues kept popping up: no 3rd-party carrier support for most PoPs, heavy power draw from the hardware, which put stress on each PoP location, links to other PoPs that required working EDFAs (optical amplifiers used to increase network performance), and VPN configuration and maintenance issues.
In search of a VPN failover
The core issue Globalways wanted to focus on was VPN failover. If the central VPN concentrator failed, the entire OOB network failed with it. Globalways needed a solution to ensure resilience in case of a catastrophic failure, and they found that building a redundant OpenVPN failover was unpredictable, difficult to maintain, and a hassle to implement correctly.
The Globalways team no longer wanted to spend time digging into a VPN solution that demanded extra engineering effort. According to Globalways CEO Moritz Frenzel, “…we are an ISP, we are not here to spend our money and our resources on running a VPN. We are here to serve our customers.”
After upgrading their aging Cisco and Juniper hardware with Opengear hardware and adding cellular connectivity with WhereverSIM, Globalways went out to find a solution to address their VPN concerns. While on the search for an OpenVPN alternative, Globalways came across WireGuard and was intrigued by the potential to create a full mesh VPN architecture.
The point-to-point connections that WireGuard provides would remove the need for a central VPN concentrator while also improving the speed at which data flows through their network. However, there were lingering questions regarding key management, commercial support, firewalls for ACLs, and configuration for a full mesh network.
This led Globalways to Tailscale, a modern VPN built using WireGuard. With Tailscale, Globalways was able to:
- build a full mesh network with zero configuration
- automate key rotation for key management
- use a JSON-based ACL configuration file to manage access control at scale
- install Tailscale on Opengear hardware through the CLI
A catastrophic routing failure
While evaluating Tailscale, the feared catastrophic routing failure became reality due to a misconfiguration. Fortunately, there was an Opengear with Tailscale already installed that was brought to the data center and plugged into the core router. “It just worked! It really saved our butts and reduced the down time,” said Frenzel.
For Globalways, Tailscale was easy to integrate into their new hardware and network infrastructure. It also proved incredibly valuable in resolving a major network outage. The ease of use and the powerful configuration tools allowed Globalways to move their business forward without interruption. “For us, it was one of those few IT projects that actually just went as planned - on time and on budget,” said Frenzel.
Even in the midst of rolling out Tailscale across their PoPs, Globalways is already documenting and looking to open source a guide to configuring Tailscale with Opengear hardware.
To learn more about how Globalways uses Tailscale, listen to Globalways CEO Moritz Frenzel’s talk that was delivered on Wednesday, May 31, 2023, at the Tailscale Up conference in San Francisco.