VPN options

I currently have fibre with Zen and I'm using a TP-Link AC1900 router. At the time I purchased this I didn't realise it didn't support DD-WRT. What are my options for having all my devices go through a VPN? I've seen some people talk about using a Raspberry Pi although I'm unsure whether it is powerful enough. I was hoping I would sign up to one of the VPN providers, buy a dedicated device and pop the VPN details into the device. Anything available?
 
Your best bet, while not the easiest, is to build or buy a simple pfSense or IPFire box or similar. You can then use a decent CPU with AES-NI (e.g. Pentium G4560) which won't bottleneck your speeds when you set up an IPSEC (IKEv2 / L2TP) or OpenVPN connection to the remote server with it. A normal consumer box router will be pants, as they tend to have very low powered MIPS CPUs which rely on hardware acceleration for packet filtering and forwarding. Even a £300 one will likely only get you about 50Mbps throughput for OpenVPN. That said, IIRC some of the Ubiquiti stuff has IPSEC hardware acceleration on some of their MIPS boxes (Edgerouter series?) so that could be worth a look if you don't want to build to spec, but again won't help for proper OpenVPN.
 
Mikrotik RB750Gr3

Small, cheap and can do 450Mb throughput of encrypted traffic.

Steep curve to get started but a Mikrotik can do anything (if you research hard enough).
 
If you want cheap/easy why not look at a pre-built docker? VPN, proxy and application(s) of your choosing (news/torrent etc) all in a self-contained package that can serve your whole LAN. Config is minimal and speeds are decent, and iptables takes care of failover issues so data that should be encrypted never passes the WAN. Set clients up to use Privoxy and you get the same for any other box without the overhead on the device.
 
What's a prebuilt docker?

A virtual machine that's usually been built with minimal applications to perform a specific function. For example I use a torrent docker: it comes with Deluge, the web interface activated, a preconfigured VPN with iptables set up to only allow traffic via the VPN connection, and the ability to activate Privoxy which (amongst other things) allows me to set any device that supports a proxy (pretty much anything) to use the correct IP/port to benefit from a fully encrypted VPN connection without the overheads of having to deal with the encryption itself. In my case I run multiple dockers with different VPN end point locations and purposes, so if I want to change where my VPN end point is, e.g. from NL to USA to perhaps benefit from a geographically restricted offer or service, all I have to do is change the port the client uses. It literally takes seconds and allows devices that couldn't manage to run strong encryption themselves to benefit from it (Pis or low end TV boxes for example).

The beauty of this is it's simple, free, runs on hardware I have running anyway and it's able to handle near line speed. I have a 52mbit line profile and achieve near that; the last two speed tests I've just done came in at 51.13 and 51.06. If I was on a significantly faster connection I'd probably look at a custom pfSense build or a hardware pass through pfSense VM (generally a bad idea, but with hardware pass through on the NICs it'll work at near bare metal speeds though not best practice).
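A check for the iptables behaviour described in the post above, as an added example that is not part of the thread or of any particular container image: it audits the filter table of an `iptables-save` dump and reports any rule that would let traffic leave in the clear if the tunnel drops. The interface names, addresses, ports and the function name are assumptions, the sample rulesets are constructed, and only IPv4 rules in the built-in OUTPUT chain are examined (jumps to user-defined chains are not followed).

```python
import ipaddress
import shlex

# Constructed sample: filter table of a hypothetical VPN container.
SAMPLE_GOOD = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -d 198.51.100.10/32 -o eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -p tcp -m tcp --sport 8118 -j ACCEPT
COMMIT
"""
# Constructed leaky variant: permissive default policy plus cleartext DNS.
SAMPLE_LEAKY = SAMPLE_GOOD.replace(":OUTPUT DROP", ":OUTPUT ACCEPT").replace(
    "COMMIT", "-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT\nCOMMIT")

def audit_output_chain(ruleset, vpn_server, lan, tunnel_prefix="tun"):
    """Return a list of findings; an empty list means no leak path was found."""
    server = ipaddress.ip_network(vpn_server)
    lan_net = ipaddress.ip_network(lan)
    findings, table, policy = [], None, None
    for line in ruleset.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        if table != "filter":
            continue
        if line.startswith(":OUTPUT "):
            policy = line.split()[1]
        if not line.startswith("-A OUTPUT "):
            continue
        tok = shlex.split(line)
        opts = {tok[i]: tok[i + 1] for i in range(len(tok) - 1)
                if tok[i].startswith("-")}
        if opts.get("-j") != "ACCEPT":
            continue
        if "!" in tok:  # negation changes the meaning of the next match
            findings.append(f"negated match, review by hand: {line}")
            continue
        out_if = opts.get("-o", "")
        if out_if == "lo" or out_if.startswith(tunnel_prefix):
            continue  # loopback, or traffic already inside the tunnel
        dst = opts.get("-d")
        if dst:
            net = ipaddress.ip_network(dst, strict=False)
            if net.subnet_of(server) or net.subnet_of(lan_net):
                continue  # the VPN handshake itself, or replies to LAN clients
        findings.append(f"cleartext egress allowed: {line}")
    if policy != "DROP":
        findings.append(f"OUTPUT policy is {policy}, not DROP")
    return findings
```

Run it against the output of `iptables-save` taken inside the container while the tunnel is up, then again after stopping the VPN process, since some images only load their rules once the tunnel has connected.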
 
I'd go the Mikrotik route. And yes you can use it just as a VPN client if you wish. There are lots of different models so pick one that does hardware crypto offloading if you need more than 50mbps throughput.
 
Any way to use that without the routing functions? I.e. alongside my main router?
Yes of course. It would require some static routes or static IP with the 'Tik as the gateway to work but in essence the answer is Yes of course you can. My reply would be Why? Why bother using it as an addon when you could allow it to do the routing and then set up static routes within it to allow for a really seamless and easy to administer network?


Had a look at these although some people are reporting poor throughput. What are your experiences?

Make sure the reviews and reports you are reading are definitely about the r3 version, not the r2. The r2 was pretty urine poor and was only a very basic SOHO router, however the r3 is a monster. Quoted figures for VPN throughput are 450Mb, and it can quite happily NAT gigabit. It's a quad core CPU in those things. Price for performance is phenomenal!

I've had one on my bench at work and whilst I didn't push VPN throughput to the full, they are extremely brilliant. Consider this as a challenge: find me a bad online review of one!
 
Okay you've sold it. Any guides you have handy? I'm open to learning but I'm no networking guru.
 
I can't think of a guide to hand as such, as I'm quite familiar with RouterOS, but YouTube was a great help for me (and still is) when I need to learn a new feature. Also the Mikrotik user forum is absolutely packed with multiple ways of doing things.
 
Can anyone post a link or model number of the Mikrotik I need? There seem to be quite a few to choose from. Basically looking at setting this up if it can get 200mb throughput from my Virgin Media connection.
I'm currently running a Raspberry Pi VPN router but due to the speed of the Pi I get 27mb at most over the VPN.
If the Mikrotik is capable of close to the 200mb then I may have to look into getting one of these.
 
Not many people I know have touched Mikrotik so I never went near their stuff. Since you guys have great things to say about them, I will order some kit tonight.
 
A lot of high end consumer kit is overpriced rubbish; the lower end business kit can throw up some decent options. Ubiquiti are a decent example and have got a lot of love in here for the AP side, less so the routing side as they've not pushed the hardware encryption capabilities that the Mikrotik has (yet), but are arguably a lot easier to live with as a consumer. A few years back they weren't, but things have improved a lot.
 