On 2026-03-17 08:42, Bryan Holloway via NANOG wrote:
> Thank you to everyone who offered up suggestions.
> To summarize, I agree that a UNIX VM is the most flexible solution, but we have concerns about supporting it. Router-jocks won't know how to troubleshoot if the guy who put it together gets hit by a bus.
Automating the deployment and keeping configs in version control is one way to surface all the configuration aspects of a Linux server. Commits with comments add colour as changes progress. After having stuff like this in use for a while, the Director actually made a public statement that the org was so much more efficient and effective in service delivery. He turned it into a selling point.
> Yes, WireGuard is hands-down easier to implement than IPsec!! I love it. I use it on my home networks, and it was trivial to set up. If only there were more appliances that used it out of the box. This would be my ideal solution.
> And yes -- MikroTik supports WireGuard, but in our experience, MikroTik's VRF implementation isn't ready for prime-time.
Linux VRF is. Plus EBGP and VXLAN and MP-BGP and EVPN.
> Thanks again to everyone that chimed in. Very much appreciated!
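For anyone following the WireGuard-on-a-Linux-VM-with-VRF idea above, here is an added example (not from the thread, not anyone's production config) of what "Linux VRF" looks like in practice: a wg-quick config with routing handed off to a VRF table, and the iproute2 commands that enslave the tunnel interface. The VRF name vrf-cust, table 100, interface wg0, the 10.99.0.0/30 tunnel addresses, the 192.168.50.0/24 remote prefix, the endpoint 198.51.100.10 and the key placeholders are all constructed. DRY_RUN=1 (the default) prints the commands instead of executing them, so it can be read and checked without root.

```shell
#!/bin/sh
# Added example: WireGuard overlay interface inside a Linux VRF.
# All names/addresses below are constructed placeholders, not a real deployment.
# DRY_RUN=1 prints each command; DRY_RUN=0 executes it (needs root + wg-quick).

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# wg-quick config. "Table = off" stops wg-quick from installing the
# AllowedIPs routes into the main table; vrf_setup adds them to the VRF
# table instead, so the overlay routing stays isolated from the underlay.
wg_config() {
    cat <<'EOF'
[Interface]
Address = 10.99.0.1/30
ListenPort = 51820
PrivateKey = <server-private-key-placeholder>
Table = off

[Peer]
PublicKey = <peer-public-key-placeholder>
AllowedIPs = 10.99.0.2/32, 192.168.50.0/24
Endpoint = 198.51.100.10:51820
PersistentKeepalive = 25
EOF
}

# vrf_setup VRF TABLE DEV REMOTE_PREFIX
# Creates the VRF device, enslaves the WireGuard interface (its connected
# route moves into the VRF table automatically), and adds the remote
# prefix to the VRF table. Run "wg-quick up DEV" before this.
vrf_setup() {
    vrf="$1"; table="$2"; dev="$3"; prefix="$4"
    run ip link add "$vrf" type vrf table "$table"
    run ip link set "$vrf" up
    run ip link set "$dev" master "$vrf"
    run ip route add "$prefix" dev "$dev" vrf "$vrf"
}

# Quick sanity check on the generated config: the one setting that
# must be present for the VRF split to work.
config_routes_disabled() {
    wg_config | grep -q '^Table = off$'
}

# Stand-alone run: write the config (to stdout in dry-run) and show the commands.
if [ "$DRY_RUN" = 1 ]; then
    wg_config
    vrf_setup vrf-cust 100 wg0 192.168.50.0/24
fi
```

Two caveats worth knowing before copying this pattern: the kernel's WireGuard UDP socket is not bound to the VRF device, so the peer Endpoint is reached through the default VRF (keep the WAN/underlay there, and put only wg0 and the customer-facing routes in the VRF); and anything that needs to talk over the tunnel from the box itself (BGP daemon, ping for troubleshooting) has to be started with `ip vrf exec vrf-cust ...`, which is exactly the kind of thing that belongs in the version-controlled deployment so the next person can see it.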