For commercial, large scale installs of zabbix you will most certainly pay some bucks, for possible support, at least. Like for an insurance policy Price of UISP is somewhere hidden in the cost of UBTs hardware, I suspect. Or does it also work with non-UBT stuff ?
UISP only works with the Ubiquiti equipment, and specifically only certain parts of their overall product lineup (EdgeMax and UISP, possibly a few other bits of WISP related kit, but only from UI). The cost of the USIP environment (from a development standpoint) is built into the hardware that runs on the platform, but the hardware is relatively inexpensive compared to some other vendors because UI doesn't provide much support (almost all support is volunteer/community based). Typically the stuff from other vendors that is more expensive (hardware) and/or involves paid-licensed software includes some level of official support from company reps.
Just to be clear, yes, I know.
As would the VPN, you're simply adding another "Layer of Abstraction" in your mind for connecting to all the devices. Apologies if you were only seeking a software management solution to solve the problem.
(some of the VPNs could be scripted...BTW )
nebula package, which technically can be classified as "any other VPN", but which should work behind double NAT.
I've been struggling to make it netifd-compliant tho, so for now, you can't add a nebula interface to the dropbear settings.
But it is a reasonable, simple option, combined with 'fail2ban', for example.
That's just part of the problem as LuCI and uhttpd may not be tolerant against malicious HTTP requests.
Here's an example of the same class of vulnerability for httpd:
Since OpenWISP has been mentioned, I wanted to share a few screenshots of the upcoming version, which will be a major milestone of the project and satisfies many of the needs which are mentioned in this post.
A VPN is not strictly required for controlling configuration but it's required if you need to use the Firmware Upgrader and Monitoring modules, OpenWISP supports OpenVPN and can automate its provisioning (including the generation of certificates). Support for Wireguard/VXLAN has also just been recently added thanks to several sponsors which are using OpenWISP and contributing to its development and it will be included in the release (at the moment this feature is available in the 1.0.x branch of OpenWISP Controller on github.
The upcoming version of OpenWISP can be already installed following the instructions provided at the following link: https://github.com/openwisp/ansible-openwisp2/tree/dev#deploying-the-upcoming-release-of-openwisp (the URL to the instructions may change in the future, if in doubt ask in the OpenWISP support channels).
For any other question regarding OpenWISP there's a dedicated mailing list or chat.
That is one heck of a sales pitch!
I do want to manage firmware and keep things up to date on field installed OpenWRT routers. If I let OpenWISP manage OpenVPN and certs will it also export useable config files to drop in the OpenWRT routers to facilitate their connection to OpenWISP?
Yes, that's the point, OpenWISP automates the provisioning of tunnels because doing it manually is error prone and time consuming.
Instructions for OpenVPN: https://openwisp.io/docs/user/vpn.html#creating-vpn-server
Instructions for Wireguard (but need the 1.0.x branch of openwisp-controller mentioned above): https://github.com/openwisp/openwisp-controller/tree/1.0.x#how-to-setup-wireguard-tunnels
Instructions for VXLAN over Wireguard (but need the 1.0.x branch of openwisp-controller mentioned above): https://github.com/openwisp/openwisp-controller/tree/1.0.x#how-to-setup-vxlan-over-wireguard-tunnels
See also the concept of Configuration Template which is quite important to understand how a number of devices can be updated easily by changing one template.
Most of the work is involves preparing the initial configurations, but once it's done, it allows to provision new devices very easily, even someone with IT experience who does not have Linux/OpenWrt experience can provision new devices by following a set of instructions.
PS: for the reasons explained above, OpenWISP makes sense only when the number of devices involved is high and hence all the time which has to be spent in setting up the system pays off in time saved later. I think for anything below 15 devices may be overkill.
Best luck with the solution you will choose!
I don't have a commercial fleet or anything, but I'm running RPi4 devices as routers using the standard debian RPi OS and using cfengine to automate administration. Add a wireguard tunnel to a central server, and IPv6 ULAs to connect to netdata and you get a lot of flexibility, a lot of visibility, and a huge amount of CPU grunt.
Check out also
What is the current status of OpenWisp? Can somebody share latest screenshots? Is there now a list of clients that are currently connected to the Wifi like in Omada Controller?
The official videos https://www.youtube.com/channel/UCOeMZ4FGmmhwUjXUjdCgQQA/videos are about 4 years old and hopefully there is now a lot more information as @nemesis showed in the screenshots for the upcoming version.
Yes, OpenWISP Monitoring provides a list of clients.
The current status is that it's not stupid-easy to install and setup yet but hopefully with the next releases this should become easier.
Is there already some release date planned?
Currently OpenWISP seems to need a whole server as configuration, whereas Omada Controller can be installed into a single directory and has almost all required libraries and executables included. This makes it possible to run Omada Controller on Raspberry Pi out of a single directory together with other services, so no dedicated system needed for Omada Controller, see https://github.com/JsBergbau/Omada-SDN-Controller-mongodb-Raspberry-PI
I have the impression OpenWisp is intended for controlling OpenWRT on a lot of different sites and places which seems to introduce a lot of complexity which isn't needed for home systems with a few OpenWRT APs.
Is there also planed something regarding running in a single directory and targeting also OpenWRT installations with a few APs?
By the end of the first quarter 2022 I am aiming to complete the new release of OpenWISP.
The later releases will most likely bring improvements to make it easy to install and use.
And yes, OpenWISP is not designed for home users, nor it receives any kind of financial support from these kind of users, while it receives most of its support from business users which use it for thousands of devices scattered around multiple cities, so that's why the focus is that one. Hopefully with more people and organizations joining we'll be able to improve it for home users too.