Router that accepts VPN. Which Router

Hi all

I'm rewiring my house, major building works, and will be networking the house with as many CAT6s in sensible places as I can (TV, PC, game consoles, underfloor heating, PoE security cameras, etc.)
I'm with Sky fibre and the usual router currently and will be staying with Sky prob.

I was wondering which router I should buy and how many? Currently I get VERY poor signal, but the house is rather large and has been extended lots, so a few external walls are now inside for signals to go through. Ground floor is 130m² and it's a 3-storey house, so yes, a 9-bedroom home, but don't worry, it's going to be a 4-bed by the time I've finished, with cinema room and a study, playroom etc.

I'd like to put in a VPN so all the connections are covered with like a PIA account. Can I do that with Ubiquiti stuff? What should I think about for wireless for phones and tablets, just a single UniFi AP on each floor in the ceiling? Is that overkill or not enough?

Cheers
 
OK, let’s start with the basics: what’s the VPN usage for and what protocol are you intending to use? What exactly (other than VPN/Wi-Fi) are you looking to improve over the standard Sky router?

Wi-Fi wise, install APs on each floor; if you have external walls internally, then consider one in the extension etc. I’d start by grabbing a 3-pack and going from that.

VPN wise, do you understand the potential implications of what you are suggesting? You’ll be blocked from some sites altogether, have online transactions refused/referred, iPlayer etc. won’t work, online banking issues, Google and many other sites making you go through the ‘I’m not a robot’ check several times a day etc.

You really want policy-based routing rather than doing this at a router level generally. How fast is your connection currently? Most VPN providers still use OpenVPN and it’s not that efficient; certain routers can do the encryption required in hardware, others do it in software and it’s slow. Do you have anything suitable for running Docker/VM? Reason I ask is if you have, for example, a decent NAS or server that will support Docker, you could run a Docker-based VPN solution with Privoxy acting as a proxy and config the clients that actually *need* to use a VPN while leaving everything else alone. The other option is policy-based routing, something like pfSense and setting up VLANs so that you have a ‘private’ section of your network that connects via VPN and won’t failover/cross talk to the unencrypted WAN. Generally that’s going to be more complicated/expensive vs. configuring a proxy on a client.
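
Added example, not part of any post in this thread: a sketch of the "private section that won't fail over to the unencrypted WAN" idea on a Linux-based router using iproute2 policy routing. The subnet, the interface name `tun0` and table number 100 are assumptions; the first function only prints the commands, and the second checks `ip route show table N` output (the sample outputs are constructed).

```shell
#!/bin/sh
# Added example. Subnet, tun0 and table 100 are assumed values, not from the thread.

# Print the iproute2 commands that pin one subnet to the VPN tunnel.
# Usage: vpn_policy_rules <subnet> <vpn_if> <table>   (pipe to `sh` as root to apply)
vpn_policy_rules() {
    subnet=$1 vpn_if=$2 table=$3
    cat <<EOF
ip route replace default dev $vpn_if table $table
ip route replace unreachable default metric 65535 table $table
ip rule add from $subnet lookup $table priority 1000
EOF
}
# Why the second line matters: when the tunnel drops, the kernel deletes the
# route via $vpn_if. Without the high-metric "unreachable" route the table
# would be empty, lookup would continue to the main table, and the "private"
# subnet would silently go out over the plain WAN.

# Read `ip route show table N` output on stdin. Succeeds only if the table
# fails closed: an unreachable default is present and no route leaves via
# a device other than the VPN interface.
table_fails_closed() {
    awk -v vpn="$1" '
        $1 == "unreachable" && $2 == "default" { closed = 1; next }
        { for (i = 1; i < NF; i++) if ($i == "dev" && $(i + 1) != vpn) leak = 1 }
        END { if (closed && !leak) exit 0; exit 1 }
    '
}

# Constructed sample outputs of `ip route show table 100`.
GOOD_TABLE='default dev tun0 scope link
unreachable default metric 65535'
TUNNEL_DOWN_TABLE='unreachable default metric 65535'
LEAKY_TABLE='default via 192.168.0.1 dev eth0'
```

The tunnel's up-script has to re-add the `default dev tun0` route after a reconnect, and clients on that subnet need a DNS resolver that is itself reached through the tunnel, otherwise lookups still leak.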
 
Thank You.
Sounds like my VPN is a daft idea!
My Sky router is in corner room downstairs and does 90% of downstairs, but only the room above it upstairs. So 3 Ubiquiti APs (1 on each floor should prob be good enough)
 
The VPN part is not a daft idea. Realistically, without one, your entire browsing history is searchable with near zero oversight into who has access or how tenuous that ‘need’ has to be. It’s usually not ideal to just push *everything* via VPN though; as you mentioned four bedrooms, I guessed it may not be just you to consider.
 
Thank You for listening. Yes, maybe I just VPN my PC.
I also want to send images from my security cameras to my phone while at work so I can look if I want.
Also want to control my underfloor heating and send the temperature data to my phone from my unvented cylinder (Ri Pi Setup)
 
An OpenVPN-based VPN connection will easily achieve the typical 200Mb/s offered by the likes of Virgin etc.; it's not a daft idea at all.

Routes can be set up so that traffic to Netflix et al goes through a different virtual interface than the VPN so you don't get blocked by such services. Another alternative is to set up your own VPN server so that Netflix doesn't recognise it as a VPN.
 
OP has Sky, not Virgin (500Mbit everywhere, gigabit in one area and rolling out in full next year). OpenVPN is single threaded so either relies on high core speed and/or hardware acceleration; most consumer/prosumer routers don’t have hardware acceleration that will work with OVPN and can’t do as you state. IPsec is different.

Setting up your own VPN end point comes with a few considerations not often discussed. It’s relatively easy to do this with pre-made containers, but harder and potentially a lot more expensive to do it right. Obviously you would need a remote server; you can get preconfigured dockers to do the basics and stop logging, but in the event that you actually want to be secure, you have an obvious problem. You don’t own your end point, the hosting provider does, so any legal service is directed at the owner. If you rent a VPS or dedicated server then the host is under no obligation to act in your interest or even notify you; they’ll give you up in a heartbeat as they are a business who doesn’t want aggro. Compare that to PIA (OP mentions them), who have a 100% track record of not providing any logs to law enforcement, at all, ever. Also, Netflix tends to block based on IP ranges, not individual IPs; I know of at least one hosting provider who is an unsuitable end point in certain DCs due to this.
 
Sky's typical throughput is much worse than the actual 200Mbit you get with Virgin, and his question was can it be done with Ubiquiti stuff, not some crappy router supplied by the ISP. The answer is most definitely yes.

The biggest use cases for VPNs are avoiding mass surveillance at the ISP level, getting round ISP blocks, and securing traffic over public connections. If you are being actively targeted by an adversary it's pretty easy to snoop on someone.
 
To my recollection, Sky have always supplied routers capable of handling the connection being supplied at the time. Virgin were irrelevant to the conversation; you introduced them for some reason, not the OP. Also, Sky offer G.fast at 200+. For the benefit of the OP, feel free to provide details of a Ubiquiti router in budget that will do over 200Mbit of OpenVPN throughput. I’d be interested myself as I must have missed an announcement/discussion.

The only consumer products on the market that I’m aware of that will do this in budget are the AC87U (with 3rd party firmware and hardware acceleration enabled); other than that it’s IPsec or use WireGuard on an OpenWrt/DD-WRT build. The former is discouraged by PIA, the latter is supposed to be on the roadmap to be supported eventually, but not yet as it’s still beta.

Not sure why you’re trying to tell me why the world uses VPNs. Again, you introduced an idea of setting up your own VPN server, and obviously as the OP specified he was using PIA you weren’t talking about a local end point - that would be pointless as he clearly wants privacy, not for example access to iPlayer from a non-UK dwelling.
 
I mentioned Virgin because they represent the fastest connections typically available for consumers, i.e. he doesn't need to worry about the router handling the throughput of his connection.

He has not specified a budget.

The reason I am telling you why VPNs are used is because you brought up the fact that PIA aren't known to have given logs to law enforcement, which is irrelevant if you want privacy from mass surveillance at the ISP level. The OP has not specified what he uses the VPN for.

I would also suggest that putting trust in a VPN provider based on absence of evidence is not the best idea.
 
Why does this feel like another thread where you made statements that it was clear you didn’t understand and later backtracked on?

You have the PIA point backwards. PIA have filed legal responses in several different jurisdictions/cases stating they have no logs and as such can’t provide them; that’s very different to not being known to hand over logs to law enforcement. Assuming you haven’t got leaky DNS, use insecure encryption, or permit failover to unencrypted interfaces, then your ISP only knows you have x amount of data going to/from your chosen VPN end point for a given period. The ‘mass surveillance at the ISP level’ is irrelevant if you use a VPN; what exactly do you think they are going to log?
 
Because you have misunderstood what I have said which seems to be a common problem on these forums...

ISPs log all websites you visit and a VPN prevents that from happening, so preventing ISPs logging data is one use case for a VPN, whereas being anonymous to websites you visit is another use case with different requirements and relies on trust that the VPN provider doesn't provide logs to 3rd parties. You didn't state that PIA have provided legal notices that they can't provide logs. I profusely apologise for not being clairvoyant...
 
The OP mentions PIA, a company who have a well-known and proven track record of not logging and as such not providing those logs to 3rd parties; anyone with a passing interest in VPN providers would know.

Perhaps you’re right and the problem is with me. I expect someone willing to post about VPN providers (or QLC) to have a basic knowledge of what they are discussing; obviously in your case I got that wrong, though perhaps that says more about you than me?
 
I have used a variety of VPN services and have never heard of them, so that statement is just nonsense.

It seems in every thread you are trying to create arguments with me where you misrepresent what I say, I can't understand your motive but you're certainly not helping the OP by creating these digressions so I'm not going to involve myself in this any further as it's not helping anyone. Good luck OP.
 