
Overview

AutoVPN is a native Meter solution for automatically connecting multiple networks via secure tunnels using a hub-and-spoke topology. This architecture enables organizations to securely connect a central office (hub) with multiple branch offices (spokes/members) to provide access to shared company resources.

Architecture

Hub-and-spoke topology

AutoVPN uses a hub-and-spoke model where:
  • Hub: A central network that acts as the focal point for all VPN connections. All member networks connect to the hub, and the hub facilitates communication between members.
  • Members (Spokes): Branch networks that connect to the hub. Members can access resources on the hub and, through the hub, can reach other members in the same AutoVPN group.
This topology simplifies network management by centralizing connections at the hub, rather than requiring mesh connectivity between all sites.

Addressing and subnets

Each AutoVPN group uses a dedicated subnet for tunnel addressing. By default, Meter uses the carrier-grade NAT (CG-NAT) space 100.64.0.0/10 for tunnel interfaces. This subnet:
  • Is used exclusively for communication between tunnel interfaces
  • Does not conflict with typical private network addressing
  • Can be customized if needed for specific deployments

Routing model

How routing works

When you configure AutoVPN:
  1. VLAN participation: VLANs on each network must be explicitly marked as “Can be shared via AutoVPN” to participate in routing.
  2. Member to hub: Members advertise their permitted VLANs to the hub. Traffic destined for these VLANs is routed through the tunnel to the appropriate member.
  3. Hub to members: The hub automatically advertises all of its shareable VLANs to all members. This allows members to access hub resources by default.
  4. Member to member: Communication between members flows through the hub. For example, if Member A needs to reach a resource on Member B:
    • Traffic leaves Member A and travels through the tunnel to the hub
    • The hub routes the traffic through another tunnel to Member B
    • Return traffic follows the same path in reverse
  5. Allowed IPs: Each member’s configuration includes “allowed IPs” that specify which prefixes are reachable through each tunnel. These include:
    • The hub’s shared VLANs
    • Other members’ shared VLANs (routed via the hub)
    • The tunnel addressing subnet

Permitted VLANs

When configuring a member, you select which of its shareable VLANs should participate in the AutoVPN group. This provides granular control over which subnets are accessible remotely. At least one VLAN must be selected for the tunnel to establish.

Routing requirements and limitations

Current capabilities:
  • Direct-connected routes are automatically advertised from both hubs and members
  • Hub advertises all shareable VLANs to members automatically
  • Members advertise only selected permitted VLANs
Current limitations:
  • Spokes cannot advertise non-directly connected routes (only hubs can do this)
  • Client VPN routing over AutoVPN is not currently supported (use IPsec for this use case)
  • Tunnels are formed from WAN interfaces only, not LAN interfaces
  • Only one WAN interface can be actively used per tunnel (failover supported, but not active-active)
  • Overlapping or duplicate IP spaces across different AutoVPN groups can cause conflicts
  • Networks behind NAT may experience tunnel formation issues in some configurations

Network requirements

Hub requirements

  • Must have a stable public IP address on the WAN interface
  • Should have sufficient bandwidth to handle aggregate traffic from all members
  • Must be running a supported NOS version

Member requirements

  • Must be able to initiate outbound connections to the hub’s public IP
  • Firewall rules must allow traffic to/from AutoVPN VLANs
  • Must have at least one VLAN configured for AutoVPN participation

Subnet planning

To avoid routing conflicts:
  • Each site should have non-overlapping subnets for VLANs that participate in AutoVPN
  • If multiple sites use the same IP space (e.g., 10.0.0.0/24), they cannot be members of the same AutoVPN group
  • Plan your IP addressing scheme before deploying AutoVPN across many sites
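
A pre-deployment check for the subnet planning rules above, which also derives the "allowed IPs" set described under the routing model. This is an added example, not Meter's code: the plan format, site names, prefixes, and function names are assumptions made for illustration, and only the default tunnel subnet comes from this page.

```python
import ipaddress
from itertools import combinations

# Default tunnel addressing subnet stated on this page.
TUNNEL_SUBNET = ipaddress.ip_network("100.64.0.0/10")

# Constructed sample plan (hypothetical sites and prefixes). "shared" holds the
# hub's shareable VLAN subnets or a member's permitted VLAN subnets.
PLAN = {
    "hub": {"role": "hub", "shared": ["10.0.10.0/24", "10.0.20.0/24"]},
    "branch-a": {"role": "member", "shared": ["10.1.10.0/24"]},
    "branch-b": {"role": "member", "shared": ["10.2.10.0/24"]},
}


def parse(plan):
    """Return {site: [ip_network, ...]}; raises ValueError on a malformed prefix."""
    return {site: [ipaddress.ip_network(p) for p in cfg["shared"]]
            for site, cfg in plan.items()}


def find_conflicts(plan, tunnel_subnet=TUNNEL_SUBNET):
    """List overlaps between sites, and between any site and the tunnel subnet."""
    nets = parse(plan)
    conflicts = []
    for site, prefixes in nets.items():
        for p in prefixes:
            if p.overlaps(tunnel_subnet):
                conflicts.append((site, str(p), "tunnel", str(tunnel_subnet)))
    for (a, a_nets), (b, b_nets) in combinations(nets.items(), 2):
        for x in a_nets:
            for y in b_nets:
                if x.overlaps(y):  # catches partial overlap, not only duplicates
                    conflicts.append((a, str(x), b, str(y)))
    return conflicts


def allowed_ips(plan, member, tunnel_subnet=TUNNEL_SUBNET):
    """Hub VLANs + other members' VLANs + tunnel subnet, as seen from one member."""
    if plan[member]["role"] != "member":
        raise ValueError(f"{member} is not a member")
    if not plan[member]["shared"]:
        raise ValueError(f"{member} has no permitted VLAN; the tunnel will not establish")
    nets = parse(plan)
    remote = {n for site, ns in nets.items() if site != member for n in ns}
    return [str(n) for n in sorted(remote | {tunnel_subnet})]
```

Reachability in the allowed-IPs set is routing only; traffic between those prefixes still needs the explicit firewall rules described under Firewall behavior.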

Tunnel formation and maintenance

Tunnel establishment

  1. Member devices initiate connections to the hub using the configured WAN interface
  2. Secure handshakes establish the encrypted tunnel
  3. Once established, both sides exchange routing information
  4. Traffic can flow bidirectionally through the tunnel

Keepalives

Members send keepalive packets to the hub to maintain tunnel state, especially through stateful firewalls and NAT devices.

Failover behavior

If “Failover Enabled” is toggled on for the hub:
  • The tunnel will automatically shift to whichever WAN port is currently active
  • This provides resiliency if the primary WAN connection fails

Scale considerations

  • Current maximum: 2,000 tunnels per AutoVPN deployment
  • Scale testing is ongoing for current and new hardware generations
  • Consider hub hardware capacity when planning large deployments

Firewall behavior

When AutoVPN is configured, Meter does not automatically create permissive firewall rules between VLANs. You must explicitly configure firewall rules to allow traffic between:
  • Member VLANs and hub VLANs
  • Member VLANs and other member VLANs (via the hub)
This ensures security by default and gives you control over which traffic is permitted.

Security

AutoVPN provides:
  • Encrypted tunnels using cryptographic protocols
  • Authentication using cryptographic keys
  • Isolation of tunnel traffic from other network traffic
  • Fine-grained control over which VLANs participate in routing

Need help?

If you run into any issues or have questions, please reach out to our Support Engineering team by opening a ticket via the Dashboard: https://dashboard.meter.com/support

Last updated by Meter Support Engineering on 09/30/2025