Is it possible to set up OpenVPN so that clients communicate with each other in p2p mode, so data does not flow through the server? The server would only act as a rendezvous point. I want to reduce server load.
Something like in this image:
This is usually called "full mesh routing". "Hole punching" is a technique for NAT traversal. Do you really need this? I mean, what is the load from the VPN that you need to reduce, and what is this VPN that your clients (spokes) need to talk to each other that much? In my case the main motivation for having direct spoke connections was not reducing the load on the server (hub), but reducing network delays (round trip time) between spokes, for IP telephony.
This is impossible in OpenVPN. The best you can do with OpenVPN is to set up more VPN servers and have several connection profiles in the client configurations; then you can e.g. shuffle the profile order on clients or use connection profile randomization, so the load will be spread across several servers (and additionally you'll gain redundancy).
The de-facto standard solution for something like this is Cisco DMVPN. In phase 2, spokes install direct tunnels and traffic does not flow through the hub, and NAT traversal is implemented with the help of IPsec NAT-T. It is possible to run a Cisco-compatible DMVPN router on Linux with the opennhrp software, but good luck setting it up, especially together with IPsec encryption and OSPF dynamic routing.
Much easier is to set up tinc, which implements everything: full mesh routing with direct spoke connections (where possible), which includes NAT traversal. To add nodes to the mesh, you generate keys for them and add their public keys to only your hub nodes (you should have more than one hub for redundancy).
WireGuard also seems to be thinking in that direction by introducing the wg-dynamic tool, but mesh routing isn't implemented yet. You can already move to WireGuard, which is much more efficient than OpenVPN in terms of CPU usage (something like 8 times more efficient), so you'll gain a server load reduction. When they implement full mesh routing, you'll also gain that for free.
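An added example (not part of the answer above, and not tinc's own tooling) of what the tinc hub-and-spoke layout it describes looks like on disk: a spoke only lists `ConnectTo` entries for the hubs and carries the hubs' host files, while the hubs hold every spoke's host file with its public key; spokes then learn each other's keys through the hubs and open direct tunnels where NAT allows. Node names, the `hub1.example.com` address and the 10.0.0.0/24 VPN range are assumptions for illustration; the key material itself is produced by tinc's `tincd -n <netname> -K` and pasted into the host files by the operator.

```shell
#!/bin/sh
# Generate the tinc config for one spoke in a hub-and-spoke mesh.
# Arguments: config dir, node name, VPN address, then one or more hub names.
write_tinc_spoke_config() {
    dir=$1; name=$2; vpn_ip=$3; shift 3   # remaining args: hub names
    mkdir -p "$dir/hosts"
    {
        echo "Name = $name"
        echo "Mode = router"             # route by Subnet, like an OpenVPN tun setup
        for hub in "$@"; do
            echo "ConnectTo = $hub"      # metaconnections go to hubs only
        done
    } > "$dir/tinc.conf"
    # This node's own host file: no Address line, since spokes usually sit
    # behind NAT; the public key block is appended by 'tincd -n <net> -K'.
    echo "Subnet = ${vpn_ip}/32" > "$dir/hosts/$name"
    # tinc-up is executed by tincd once the tun interface exists.
    cat > "$dir/tinc-up" <<EOF
#!/bin/sh
ip link set "\$INTERFACE" up
ip addr add ${vpn_ip}/24 dev "\$INTERFACE"
EOF
    chmod 755 "$dir/tinc-up"
}

# A hub's host file carries a reachable Address so spokes can dial in;
# the hub's public key is pasted below the Subnet line by the operator.
write_tinc_hub_hostfile() {
    dir=$1; hub=$2; address=$3; vpn_ip=$4
    mkdir -p "$dir/hosts"
    printf 'Address = %s\nSubnet = %s/32\n' "$address" "$vpn_ip" > "$dir/hosts/$hub"
}

# Sanity check: number of ConnectTo lines, which should equal the hub count.
count_connectto() {
    grep -c '^ConnectTo = ' "$1/tinc.conf"
}
```

Copy `hosts/spoke1` (with its key) to every hub, and `hosts/hub1`, `hosts/hub2` (with their keys) to the spoke; the spoke never needs the other spokes' host files.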