Connecting Several Thousand Raspberry Pi Devices with a VPN

Hello everyone, I’m thinking about a project where I would set up thousands of Raspberry Pis in different remote locations to monitor humidity, temperature, and take pictures. I want to secure these devices with a VPN, but I’m wondering if that’s a good idea or not.

If I set up an EC2 instance and run an OpenVPN server, can it handle several thousand Raspberry Pis? My goal is to have them on the VPN so I can SSH into them from anywhere.

I like that setting up a VPN is straightforward, just a simple command on the Raspberry Pi.

What other problems might come up with having so many devices on a VPN?

Also, I should mention the plan involves:

  • Someone takes a Raspberry Pi to a random place (like a store)
  • They plug it in
  • The device collects data like temperature, and how many people go in and out, plus humidity
  • It sends that data probably over HTTPS
  • I want to be able to SSH in to update or monitor it

There are about 2500 devices planned.

From what I’ve heard, having one server support over 1000 VPN connections is pretty rare. Even with low traffic per device, managing the cryptography for that many connections is tough.

If I had to guess, I’d say a good connection to server ratio might be 100 devices per server. You could create a Docker image that picks up an IP automatically and use a cluster (like Kubernetes or EKS) to scale up as you set up the devices and balance the load with AWS.

Sorry if you already know this, just sharing my thoughts.

@Avi
I handle around 8000 VPN tunnels across mainly four routers. You can definitely make it work, but it can get expensive.

Tenzin said:
@Avi
I handle around 8000 VPN tunnels across mainly four routers. You can definitely make it work, but it can get expensive.

What routers are you using for that? I know high-end routers can do it, but they can cost over $40,000 each.

@Avi
I use different ASR 9000 models. With contracts and line cards, you might hit $100,000 with no problem.

Tenzin said:
@Avi
I use different ASR 9000 models. With contracts and line cards, you might hit $100,000 with no problem.

Wow, it sounds like VPN is way too industrial for my needs.

Maybe I should consider using something like AWS IoT Core and skip SSH entirely.

Tenzin said:
@Avi
I use different ASR 9000 models. With contracts and line cards, you might hit $100,000 with no problem.

I was thinking about this too. Could you create your own VPN box using open-source packages and Linux?

@Beck
You could, but with that many tunnels, you really want good support. If something goes wrong, handling open-source troubleshooting can be messy; you want reliable help.

High-end machines like the ASR series can get pretty costly.

@Tenzin
If something goes down, you definitely don’t want to be left to troubleshoot an open-source project; you need good support.

I think this is where home IT people differ from those in bigger companies.

@Akira
I agree with that. We do a similar thing, and OpenVPN has been solid for us while we’ve had issues with products like Check Point. Other vendors must be doing better than Check Point.

Tenzin said:
@Akira
I agree with that. We do a similar thing, and OpenVPN has been solid for us while we’ve had issues with products like Check Point. Other vendors must be doing better than Check Point.

I wasn’t saying that as a rule. I’ve seen home lab folks hired and wonder why we aren’t using Linux all over the place or some other self-supported approach. People tend to forget you can’t be the best at everything, and that’s where the need for vendor support comes in.

@Akira
Absolutely, I’ve seen that too. The human element often gets overlooked.

Tenzin said:
@Avi
I use different ASR 9000 models. With contracts and line cards, you might hit $100,000 with no problem.

$100,000 would be the base model (like ASR9001), but around $500,000 for a decent pair of ASRs is more realistic.

@Avi
I think the person who posted this is leaning more towards SSL client VPN than full site-to-site VPN. Plus, the traffic should be low.

We’ve had over a thousand SSL VPN clients running through an older Juniper MAG appliance and it handled it just fine.

@Avi
We’re currently using over 1000 IPSec tunnels to a firewall and it works well. For OpenVPN, we manage hundreds on low-cost EC2 instances. Our bandwidth needs are minimal per device.

@Avi
Appreciate your insights. Would this be similar to running OpenVPN on an AWS VPC and scaling out?

Would a VPC still handle all 3000 devices on the same network as a single point or do I need to find a way to divide them?

If I scaled out a Docker image, how could I direct a VPN client to a specific endpoint?

Sorry if I’m asking basic questions; I’m still learning about cloud scaling.

@Tenzin
That’s right! EKS will run within a VPC and operate like servers. If you use containers, you can maintain consistency and easily update them later.

A VPC can behave like a data center; it can host whatever you want, though sometimes separating tasks into different VPCs can be better.

Scaling out the endpoints is likely as easy as assigning DNS. You could have a CNAME like vpn.yoursite.com that points to different records, eventually leading to your OpenVPN servers. So you could point a host to a specific server if you want.

(Sorry if I overspoke, I don’t mean to come off as condescending.)
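Tenzin describes steering each client to a specific OpenVPN server through DNS names, and Avi asked earlier how a client in a scaled-out fleet would be directed to one endpoint. The script below is an added example, not code from the thread or from any project mentioned in it: it shards a fleet of device IDs across a pool of per-server hostnames with a stable hash, renders the `remote` lines of each device's OpenVPN client config (so each Pi dials its own shard and one fallback), and checks how evenly the shards are loaded. The hostnames `vpn-NN.example.com`, port 1194 and the 100-devices-per-server ratio are assumptions taken from the discussion, not a known deployment.

```python
"""Shard a fleet of devices across OpenVPN endpoints via DNS names (added example)."""
import hashlib

# Constructed pool of per-shard hostnames; in practice each would be a DNS
# record (A or CNAME) in front of one OpenVPN server. These names are
# assumptions for illustration, not from the thread.
VPN_ENDPOINTS = [f"vpn-{i:02d}.example.com" for i in range(25)]
DEVICES_PER_SERVER = 100  # the ratio suggested in the thread, an assumption


def assign_endpoint(device_id: str, endpoints=VPN_ENDPOINTS) -> str:
    """Pick a stable endpoint for a device by hashing its ID.

    SHA-256 is used rather than Python's built-in hash(), which is salted
    per process, so the same device always lands on the same shard as long
    as the endpoint list is unchanged.
    """
    digest = hashlib.sha256(device_id.encode()).digest()
    index = int.from_bytes(digest[:8], "big") % len(endpoints)
    return endpoints[index]


def client_config(device_id: str, endpoints=VPN_ENDPOINTS) -> str:
    """Render the remote section of an OpenVPN client config for one device.

    The first `remote` is the device's assigned shard; the next shard in the
    list is added as a fallback so a single server outage does not strand the
    device. `remote`, `resolv-retry` and `remote-cert-tls` are standard
    OpenVPN client directives.
    """
    primary = assign_endpoint(device_id, endpoints)
    fallback = endpoints[(endpoints.index(primary) + 1) % len(endpoints)]
    lines = [
        "client",
        "dev tun",
        "proto udp",
        f"remote {primary} 1194",
        f"remote {fallback} 1194",
        "resolv-retry infinite",  # keep retrying DNS if the store's uplink flaps
        "nobind",
        "persist-key",
        "persist-tun",
        "remote-cert-tls server",  # refuse to connect to a non-server certificate
        "verb 3",
    ]
    return "\n".join(lines) + "\n"


def shard_load(device_ids, endpoints=VPN_ENDPOINTS) -> dict:
    """Count how many devices land on each endpoint, to check the balance."""
    load = {e: 0 for e in endpoints}
    for device_id in device_ids:
        load[assign_endpoint(device_id, endpoints)] += 1
    return load


def needed_servers(device_count: int, per_server: int = DEVICES_PER_SERVER) -> int:
    """Servers needed at the suggested ratio, rounding up."""
    return -(-device_count // per_server)


if __name__ == "__main__":
    fleet = [f"pi-{n:04d}" for n in range(2500)]  # constructed device IDs
    load = shard_load(fleet)
    print("servers needed for 2500 devices at 100 per server:", needed_servers(2500))
    print("busiest shard holds", max(load.values()), "devices")
    print(client_config("pi-0001"))
```

Because the shard is chosen from the device ID alone, the config can be generated at provisioning time and baked into the image before the Pi leaves the office; the server side only needs one DNS record per shard and the usual per-device certificate. If the endpoint list later grows, a plain modulo hash moves many devices between shards, so a deployment that expects to add servers often would swap `assign_endpoint` for a consistent-hashing scheme.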

@Avi
Not condescending at all!

Checking through the AWS pricing it seems like a more affordable option.

I’m surprised such a setup isn’t more common. Don’t many businesses have lots of devices they SSH into? Or do they just set up a server and have devices check in with it over HTTP?

@Tenzin
I worry I’m helping to plan a DDoS attack, as many setups end up like that. But knowledge isn’t bad, right?

Avi said:
@Tenzin
I worry I’m helping to plan a DDoS attack, as many setups end up like that. But knowledge isn’t bad, right?

No, I swear this is for a bunch of retail stores!

But I realize my technical skills aren’t quite strong enough for this.