Router with VPN Support or go DIY?

IC3

Soldato
Joined
3 Dec 2011
Posts
9,830
I basically want a separate WiFi SSID to mask my connection and pinpoint it to a different country.

What's the best way around it? I need it to be able to handle video streaming.

1. Asus or Linksys Router with aftermarket firmware like DD-WRT, Tomato or OpenWrt?
2. Build a PFSense Router using Raspberry Pi? (My only concern is performance, would have to research more. lol )
3. Get one of those mini desktop PCs, add antennas and put PFSense on?

The network will have to handle two connected devices which will mainly be using known streaming sites such as YT, Netflix etc. so just looking for the most cost effective option without going completely overkill. Open to any other suggestions :)
 
Soldato
Joined
13 Jul 2005
Posts
19,205
Location
Norfolk, South Scotland
Supermicro Superserver with AMD EPYC processor and 16Gb RAM and a 128Gb SSD running Untangle Home Plus with Wireguard VPN included in the annual fee. Sure, it’ll be £1000 but it will do what you want easily.
 
Soldato
Joined
5 Oct 2009
Posts
13,823
Location
Spalding, Lincs
1. I wouldn't recommend a raspberry pi for pfsense, it's not officially supported and could be way more hassle.

2. A cheap/low end pc is ideal for pfsense. But you want to be using a proper WiFi access point rather than built in WiFi like a pcie card.
 
Soldato
Joined
29 Dec 2002
Posts
7,175
How the devices connect to the LAN is largely irrelevant, what is relevant is the way the traffic leaves the LAN and that only certain clients use the VPN.

To deal with your points:

1. Generally not great, routers generally don’t have hardware acceleration and therefore suck at doing encryption/decryption in software, this is further complicated by the likes of OpenVPN being single threaded.

2. This is the thing of nightmares. Stop and back away, slowly.

3. Could work, but when even the pfsense devs say ‘our WiFi implementation sucks’, you know they are serious. You would need a PC, AP and to set-up PBR.

The much simpler, cheaper and faster option is to set-up a VPN on a Pi4, OpenVPN performance will be more than adequate for your needs (100Mbit ish) and it’s simple to set-up (bonus: use pi-hole). Wireguard performance will be near gigabit and the cost of a Pi4 4GB is under £40, add another £20 for a suitable PSU/MicroSD card and a cheap case and you’re done in about 10 minutes with bugger all ongoing power costs. Just point the ‘clients’ to the Pi and it’ll do the rest, wired or wireless.
 
Associate
Joined
24 Jul 2009
Posts
2,070
Location
-
When you say VPN connection, do you mean to mask your IP or to access your network from outside network? I have a Linksys WRT1900ACS using DD-WRT that has a separate SSID that runs through a VPN so my location is Germany when using it.
 

IC3

Soldato
OP
Joined
3 Dec 2011
Posts
9,830
When you say VPN connection, do you mean to mask your IP or to access your network from outside network? I have a Linksys WRT1900ACS using DD-WRT that has a separate SSID that runs through a VPN so my location is Germany when using it.
Good point, I'm only looking to mask my IP. Only two devices will be connected to this network. Sorry, should have been more clear.
 
Associate
Joined
24 Jul 2009
Posts
2,070
Location
-
Good point, I'm only looking to mask my IP. Only two devices will be connected to this network. Sorry, should have been more clear.

The Linksys WRT1900ACS using DD-WRT I have does this for me. Two WiFi networks, one main and one with VPN, I use the policy based routing to ensure that VPN only goes through one network. I'm not the best at networking, managed to find guides on all of it to set it up.
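
One way to express the policy-based routing described above on a generic Linux gateway, as an added example that is not part of the original post and is not DD-WRT's own configuration. The subnet 192.168.50.0/24, the interface wg0 and table 100 are assumed values; the script prints the commands by default, and the blackhole route makes the VPN subnet fail closed if the tunnel drops.

```shell
#!/bin/sh
# Added example: route only the "VPN SSID" subnet through the tunnel.
# Assumed values (not from the thread): subnet, tunnel interface, table id.
VPN_SUBNET="${VPN_SUBNET:-192.168.50.0/24}"
VPN_IF="${VPN_IF:-wg0}"
TABLE="${TABLE:-100}"

# Accept only a plain IPv4 CIDR, an interface name and a numeric table id,
# so the generated lines can never carry extra shell syntax.
valid_args() {
    case "$1$2$3" in *[!A-Za-z0-9_./-]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    printf '%s\n' "$2" | grep -Eq '^[A-Za-z0-9_.-]{1,15}$' || return 1
    printf '%s\n' "$3" | grep -Eq '^[0-9]{1,5}$' || return 1
}

# Print the commands, one per line. Order matters: the blackhole route,
# the rule and the REJECT go in first, so if the tunnel route cannot be
# installed (or later disappears) the subnet is dropped, not sent in clear.
pbr_commands() {
    valid_args "$1" "$2" "$3" || { echo "invalid argument" >&2; return 1; }
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
ip route replace blackhole default metric 1000 table $3
ip rule add from $1 lookup $3 priority 1000
iptables -A FORWARD -s $1 ! -o $2 -j REJECT
iptables -t nat -A POSTROUTING -s $1 -o $2 -j MASQUERADE
ip route replace default dev $2 table $3
EOF
}

# Dry run by default; APPLY=1 (as root) executes the commands.
if [ "${APPLY:-0}" = "1" ]; then
    pbr_commands "$VPN_SUBNET" "$VPN_IF" "$TABLE" | sh -e
else
    pbr_commands "$VPN_SUBNET" "$VPN_IF" "$TABLE"
fi
```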
 
Associate
Joined
27 Dec 2003
Posts
1,212
Location
Preston, Lancs
Custom pfsense box with at least a dual port Intel NIC. Will easily do what you need reliably, with plenty of horsepower for faster connections in future. You can even run snort or suricata for even more protection.
 
Soldato
Joined
18 Oct 2002
Posts
10,042
I've just made a Raspberry pi vpn, it took some learning of doing the wrong thing before I found a very simple way to do it..

Cost breakdown.
RPI 3 @ 35quid.
Mullvad vpn @ 60quid for the year.

That's it.
Installed Noobs Raspbian onto a micro SD. Let that install newest desktop version. Went on Mullvad's help pages to get their install guide for Wireguard, installed that and then installed RaspAP, which set up a hotspot automatically...

I now have a cheap vpn hotspot server and I'm getting very quick speeds. Installation time, about 2hrs.
 

IC3

Soldato
OP
Joined
3 Dec 2011
Posts
9,830
I've just made a Raspberry pi vpn, it took some learning of doing the wrong thing before I found a very simple way to do it..

Cost breakdown.
RPI 3 @ 35quid.
Mullvad vpn @ 60quid for the year.

That's it.
Installed Noobs Raspbian onto a micro SD. Let that install newest desktop version. Went on Mullvad's help pages to get their install guide for Wireguard, installed that and then installed RaspAP, which set up a hotspot automatically...

I now have a cheap vpn hotspot server and I'm getting very quick speeds. Installation time, about 2hrs.
What are you using for wireless, how's the range and speeds?
 
Soldato
Joined
18 Oct 2002
Posts
10,042
What are you using for wireless, how's the range and speeds?
The RPI 3b I have has built-in wireless, otherwise you'll have to buy a small wireless adapter for like a few quid.
I would guess the more you splash out on a wireless receiver for it the better (obviously). I however am using it for my TV which is a metre away (I'm using TP links to get a cat5 from the router to the RPI).
I tried it from the bedroom next door and there was a drop from about 30mbit to about 15mbit. I could still use the internet as normal but I'd imagine 4k or FHD would suffer.
 
Soldato
Joined
29 Dec 2002
Posts
7,175
PFsense and VPNs really needs AES-NI capable CPU or VPN throughput will be dire (appreciate the threads a little old now).

Neither of those are really true anymore. Pfsense ditched the AES-NI plan (though it's still slated for a future release, not convinced it'll be a thing any time soon) and Wireguard does near gigabit on a Pi4 or 100Mbit on OpenVPN without AES-NI or any other crypto acceleration.
 

IC3

Soldato
OP
Joined
3 Dec 2011
Posts
9,830
I missed an auction of Linksys WRT1900ACS which annoyingly sold for a bargain price, being frustrated I rushed into buying Asus RT-AC87U which popped up locally the same day. I should have done my research first before going for it, but thankfully Merlin was available! Looking at DD-WRT's firmware, it would have been much easier to do what I did on Merlin; writing/editing scripts to make it work. Modifying stuff via GUI would be nice, but I guess doing everything via terminal using SSH connection is easier on the resources. :o

At the moment I'm running 2 separate SSIDs which both run different VPN connections, eth ports and non-guest networks are not routed via VPN. Next thing on my list will be trying out Diversion to see how it handles ad blocking. I might look into adding a Pi-Hole at some point, even if it's just to see what the hype is about. In the end it does what I need it to do and it's night & day compared to my ISP's router, so I can't complain...
 
Associate
Joined
25 Jun 2004
Posts
1,276
Location
.sk.dkwop.
Neither of those are really true anymore. Pfsense ditched the AES-NI plan (though it's still slated for a future release, not convinced it'll be a thing any time soon) and Wireguard does near gigabit on a Pi4 or 100Mbit on OpenVPN without AES-NI or any other crypto acceleration.

100Mbit is dire, though I totally appreciate this is subjective.
 
Soldato
Joined
18 Aug 2007
Posts
9,688
Location
Liverpool
100Mbit is dire, though I totally appreciate this is subjective.

:D

I'm in your camp. I ditched one otherwise excellent provider because I could 'only' get 550Mbps on average. No thanks, I want as close to my gigabit as possible lol. Of course in reality, 100Mbps is ample for everything from browsing to streaming 4K. It's just that 'knowing' that there's so much left in the tank that you can't access...
 
Soldato
Joined
29 Dec 2002
Posts
7,175
100Mbit is dire, though I totally appreciate this is subjective.

Dire is a tad harsh, op didn’t ask for gigabit line speed using OpenVPN, if they had the replies would be very different.

:D

I'm in your camp. I ditched one otherwise excellent provider because I could 'only' get 550Mbps on average. No thanks, I want as close to my gigabit as possible lol. Of course in reality, 100Mbps is ample for everything from browsing to streaming 4K. It's just that 'knowing' that there's so much left in the tank that you can't access...

Preaching to the choir and you know it ;)

I literally ordered the replacement for my existing i3 7100u Zotac USFF router set-up at lunch time. It’s been faultless, but the onboard Realteks don’t fill me with happy thoughts when Gig1 eventually arrives here - those extra Mbits are important :D
 
Soldato
Joined
18 Aug 2007
Posts
9,688
Location
Liverpool
Preaching to the choir and you know it ;)

I literally ordered the replacement for my existing i3 7100u Zotac USFF router set-up at lunch time. It’s been faultless, but the onboard Realteks don’t fill me with happy thoughts when Gig1 eventually arrives here - those extra Mbits are important :D

Haha! Yeah decent Intel NICs are always a plus, they're all I use. I keep meaning to grab a LP quad port i350T4(v2) for its extra queues. However, the ultra SFF box I now have running OpenBSD just won't die; and it's so freakishly simple to administrate I feel guilty killing it and going back to something Linux just because I'm bored... It 'only' has an i210 and i219V but they're doing the job nicely so far. With the upcoming FreeBSD 13 including a WireGuard kernel module I'm tempted to see what *Sense offers in their new versions at that time (Q2 2021 iirc). It'd be very weird going back to using a GUI though.

What did you order to replace the Zotac? Feel free to PM me rather than derail the thread if you prefer. Have a good Christmas either way.

Everyone else: As you were... :)
 