Skip to main content

Overview

This guide walks you through configuring AutoVPN to connect multiple Meter networks using a hub-and-spoke topology. You’ll learn how to set up both single and multiple spoke configurations with complete examples.

Prerequisites

Before configuring AutoVPN, ensure:
  1. You have Partner or Admin access with write permissions
  2. The hub network has a stable public IP address
  3. All networks are running a supported NOS version
  4. You have planned your IP addressing to avoid subnet conflicts

Prepare VLANs for AutoVPN

VLANs must be explicitly marked as shareable before they can participate in AutoVPN.

Enable VLAN sharing

  1. Navigate to Network-wide > VLANs
  2. Click on the VLAN you want to share
  3. Click Edit
  4. Toggle Can be shared via AutoVPN to ON
  5. Click Save
AutoVPN VLAN sharing configuration interface
Repeat this process for each VLAN that should be accessible over AutoVPN on each network.

Example 1: Single spoke configuration

This example demonstrates connecting one branch office (spoke) to a central office (hub).

Scenario

  • Hub: Main office in San Francisco
    • Public IP: 203.0.113.10
    • Shareable VLANs: 10.1.0.0/24 (Corporate), 10.1.10.0/24 (Servers)
  • Member: Branch office in Austin
    • Shareable VLANs: 10.2.0.0/24 (Corporate)

Configuration steps

  1. Navigate to AutoVPN in the Dashboard
  2. Click Add group
AutoVPN group configuration interface
AutoVPN configuration form
  1. Configure the group:
    • Name: SF-Austin VPN
    • Member locations: Select both the San Francisco and Austin networks
  2. Configure the Hub (San Francisco):
    • Hub: Select the San Francisco network
    • Subnet: Leave default (100.64.0.0/20) or customize if needed
    • Bound WAN port: Select the WAN port with the public IP
    • Failover Enabled: Toggle ON if you have redundant WAN connections
  3. Configure the Member (Austin):
    • Permitted VLANs: Select 10.2.0.0/24 (Corporate)
  4. Click Save

Verify the connection

  1. Navigate to AutoVPN in the Dashboard
  2. Click on the group name (SF-Austin VPN)
AutoVPN status and connection information
  1. Click on the member (Austin) to view handshake information
  2. Verify both RX and TX handshakes are shown with packet information
AutoVPN tunnel status showing handshake and packet information
If the tunnel shows handshakes and packet data on both sides, it is established successfully.

Configure firewall rules

AutoVPN does not automatically create firewall rules. You must configure rules to allow traffic: On Austin (Member):
  1. Navigate to Network-wide > VLANs
  2. Select 10.2.0.0/24 (Corporate)
  3. Go to Firewall Rules
  4. Add rules to allow traffic to hub subnets:
    • Allow 10.2.0.0/2410.1.0.0/24
    • Allow 10.2.0.0/2410.1.10.0/24
On San Francisco (Hub):
  1. Navigate to Network-wide > VLANs
  2. Select 10.1.0.0/24 (Corporate)
  3. Go to Firewall Rules
  4. Add rule to allow traffic from member:
    • Allow 10.1.0.0/2410.2.0.0/24
Repeat for the Servers VLAN if needed.

Test connectivity

From a device on the Austin Corporate VLAN (10.2.0.0/24), test connectivity: 
ping 10.1.0.1  # Hub gateway or resource
If the ping succeeds, AutoVPN is working correctly.

Example 2: Multiple spoke configuration

This example demonstrates connecting multiple branch offices to a central hub.

Scenario

  • Hub: Data center in Chicago
    • Public IP: 198.51.100.50
    • Shareable VLANs: 10.0.0.0/24 (Management), 10.0.10.0/24 (Databases), 10.0.20.0/24 (File Storage)
  • Member 1: Retail store in Boston
    • Shareable VLANs: 10.10.0.0/24 (Store Network), 10.10.5.0/24 (POS Systems)
  • Member 2: Retail store in Seattle
    • Shareable VLANs: 10.20.0.0/24 (Store Network), 10.20.5.0/24 (POS Systems)
  • Member 3: Retail store in Miami
    • Shareable VLANs: 10.30.0.0/24 (Store Network), 10.30.5.0/24 (POS Systems)
Note: Each site has unique, non-overlapping subnets.

Configuration steps

  1. Navigate to AutoVPN in the Dashboard
  2. Click Add group
  3. Configure the group:
    • Name: Retail Stores - Hub and Spoke
    • Member locations: Select Chicago (hub) and all three retail locations (Boston, Seattle, Miami)
  4. Configure the Hub (Chicago):
    • Hub: Select the Chicago network
    • Subnet: Leave default (100.64.0.0/20)
    • Bound WAN port: Select the WAN port with the public IP
    • Failover Enabled: Toggle ON for redundancy
  5. Configure Member 1 (Boston):
    • Permitted VLANs: Select both:
      • 10.10.0.0/24 (Store Network)
      • 10.10.5.0/24 (POS Systems)
  6. Configure Member 2 (Seattle):
    • Permitted VLANs: Select both:
      • 10.20.0.0/24 (Store Network)
      • 10.20.5.0/24 (POS Systems)
  7. Configure Member 3 (Miami):
    • Permitted VLANs: Select both:
      • 10.30.0.0/24 (Store Network)
      • 10.30.5.0/24 (POS Systems)
  8. Click Save

Verify all connections

  1. Navigate to AutoVPN in the Dashboard
  2. Click on the group name
  3. Verify each member shows as connected with active handshakes
You should see three established tunnels (one for each retail store to the hub).

Configure firewall rules

On each retail store (Members): Allow store networks to access hub resources:
  1. Navigate to Network-wide > VLANs
  2. For each permitted VLAN, add firewall rules to allow access to hub VLANs:
    • Allow local subnet → 10.0.10.0/24 (Databases)
    • Allow local subnet → 10.0.20.0/24 (File Storage)
On Chicago (Hub): Allow hub resources to reach stores if needed:
  1. Navigate to Network-wide > VLANs
  2. For the Databases VLAN (10.0.10.0/24), add rules to allow POS traffic:
    • Allow 10.0.10.0/2410.10.5.0/24
    • Allow 10.0.10.0/2410.20.5.0/24
    • Allow 10.0.10.0/2410.30.5.0/24

Store-to-store communication

If Boston needs to communicate with Seattle, traffic will flow: Boston → Hub (Chicago) → Seattle This requires:
  1. Boston has a firewall rule allowing traffic to Seattle’s subnet
  2. Hub has routing configured (automatically handled by AutoVPN)
  3. Seattle has a firewall rule allowing traffic from Boston’s subnet
The hub facilitates all inter-member communication.

Test connectivity

From a device on Boston’s Store Network (10.10.0.0/24): 
# Test hub access
ping 10.0.10.1  # Database server in Chicago

# Test store-to-store (via hub)
ping 10.20.0.1  # Device in Seattle

Monitoring and troubleshooting

Check tunnel status

Navigate to AutoVPN and select your group. For each member:
  • Established tunnel: Shows both RX and TX handshakes with packet counts
  • Tunnel down: Shows only one-way handshake or no packets

Common issues

Tunnel not establishing:
  • Verify hub has a stable public IP
  • Check that at least one VLAN is selected in “Permitted VLANs” for the member
  • Ensure WAN firewall allows VPN traffic
No connectivity despite tunnel being up:
  • Verify firewall rules are configured on both source and destination VLANs
  • Check for overlapping IP addresses across sites
  • Confirm VLANs are marked as shareable on both networks
Performance issues:
  • Verify hub has sufficient bandwidth for aggregate traffic
  • Check for network congestion on WAN links
  • Consider hub hardware capacity for large deployments

Best practices

  1. Plan IP addressing carefully: Use non-overlapping subnets across all sites
  2. Start small: Test with one or two members before adding many sites
  3. Document your configuration: Keep records of which VLANs are shared and firewall rules
  4. Monitor tunnel health: Regularly check AutoVPN status in the Dashboard
  5. Use descriptive names: Name groups and networks clearly for easy identification
  6. Test failover: If using redundant WAN connections, test failover behavior

Need help?

If you run into any issues or have questions, please reach out to our Support Engineering team by opening a ticket via the Dashboard: https://dashboard.meter.com/support Last updated by Meter Support Engineering on 09/30/2025
I