VPN router *Server* vs Cloud *service*

I’m puzzled. Overclockers to the rescue!

My router LinkSys WRT3200ACM has a VPN Client option as stock; however, it can be flashed with DD-WRT and with a bit of manual effort and configuration, OpenVPN *server* installed.

Now, I want to prevent my ISP from snooping, blocking content, hide my IP and so on; what I do not understand is if I’m running a VPN *Server* on the Router, why do I need a VPN *service* in the cloud? Isn't the VPN Server on the router doing this? If not then what’s the difference between Server on the Router and service in the cloud. Why bother with a Server on the router.

If I do need a VPN Service, in the cloud, would it not be better for me to have a small hosted server in the cloud, something like Digital Ocean’s “droplets” and install OpenVPN server in that. This way I’d have a VPN of *my own* AND be able to have static IP and so on. The cheapest way would be 1GB RAM, 1xCPU, 25GB SSD, 1TB transfer droplet at $0.007 per hour. I only use it maybe 8 hrs a day.

**Please Note:**

I understand VPN *client* on the router, but this question is about a *server* on the router.
 
You'd expect a vpn server to be there so you can securely dial-in to your home network from outside.

Blindly routing everything through a vpn can cause problems.

I can't see the point of recreating something you can get so cheaply from the multitude of vpn providers.
 
When you pay for a VPN service you are paying for access to a VPN server. A VPN client on your router will encrypt all your traffic and route it via this server protecting your privacy and stopping your ISP from knowing what you are doing.

Having a VPN server on your router allows you to connect securely to your home network when you are not home. For example, you could connect to your home VPN server when in a hotel to stop the hotel from knowing what you are doing, or you could simply want access to files or servers on your home network when away from home. Any traffic to the internet from your home network will still be visible to your ISP in this case unless you are also coupling this setup with a separate VPN service as above.

I use a VPN Service from Nord which I have set up on my router to selectively route certain IPs to a VPN server for privacy reasons. I also run a VPN Server on my router which lets me connect when I'm away from home as if I'm still at home, allowing me access to all my network shares and files.

Similar names, but 2 completely different use cases for a VPN Client & VPN Server.

Your suggestion of just having a Hosted Server would work, but the main advantage of a dedicated service is that they are generally hosted in countries where privacy laws are different and will happily delete all logs and refuse requests by ISPs and Authorities for your information.
 
Mate, that is a brilliant reply. Most insightful and I now understand the difference and also understand why dedicated VPN services pan-globe are better than 1 host cloud instance.

Could you just please clarify one small element,
If my VPN *server* on the router was running, how come my ISP can still "see" traffic? And I suspect this means blocked content would still be blocked by them?

 
VPN server on the router is so you can dial back into your home network. Nothing more than that.

If you want to prevent your ISP from snooping on your data etc etc then you need a VPN client on your router and applicable (usually paid for) VPN service from a company with a VPN server in the cloud.

A lot of these VPN services should come with free foil hats to be fair, what is it you're scared of them snooping on that the VPN provider is fine to have access to?
 

Most VPN providers claim not to log, the down side is you don’t own the hardware, so any legal notice is served to its owner, a little awkward if your VPN provider rents servers. Perhaps you haven’t noticed the Snoopers' Charter coming into law last year? In very simple terms your online activity must be logged and can be accessed by pretty much any government agency without any judicial oversight. Same with court ordered blocking of sites and various issues regarding regional content access, take Netflix for example, the US version is a lot bigger/better.

Those are just a few examples of why someone may want to use a VPN, other much more serious reasons exist.
 
> Could you just please clarify one small element,
> If my VPN *server* on the router was running, how come my ISP can still "see" traffic? And I suspect this means blocked content would still be blocked by them?

Your internet traffic in this example goes DEVICE >> ROUTER AT HOME >> WHATEVER YOU ASKED FOR ON THE INTERNET

The traffic will be encrypted between your device and your router at home, but not between the router at home and whatever you asked for. Thus your ISP sees the traffic going to your home on one leg of the journey.

If you wanted that hidden as well you'd need both the VPN server and VPN client on your router. In that instance you'd have:

DEVICE >> ROUTER AT HOME >> CLOUD VPN PROVIDER EXIT POINT >> WHATEVER YOU ASKED FOR ON THE INTERNET

then the leg of the journey into your router at home and out of your router at home are both encrypted and thus the ISP can't see you in the equation.

Be very careful before doing that though. Putting your entire home behind a VPN can have complications and I doubt any consumer router can de/encrypt traffic as both a server and client at any reasonable speed. Hence for most people in that situation having the client on your device connected straight to the Cloud VPN provider is an awful lot faster and more convenient.
 
Perfect, understood now.

So the VPN cloud service becomes my WAN gateway instead of the ISP?

Yes, I would only tunnel IPTV through VPN and the IPTV client is on a VLAN circuit in the home.

 
> Perfect, understood now.
>
> So the VPN cloud service becomes my WAN gateway instead of the ISP?

I can’t talk for all routers but basically yes that’s how it would appear. So on my pfSense box I set up an OpenVPN client interface that talks to my VPN provider’s server. This defines an interface and gateway that I route traffic through instead of my WAN even though the VPN tunnel is itself using my WAN.

I don’t know the capabilities of DD-WRT but what you’re looking for is policy based routing if it supports it. So you set a policy like ‘route my IPTV box through the VPN gateway and everything else via WAN’ or ‘route all traffic asking for my IPTV provider’s server via VPN and everything else via regular WAN’ if you access IPTV on multiple devices.
 

Yep, my setup for example gives me 3 WAN interfaces on my router. My standard ISP WAN where most of my traffic goes, a NordVPN UK WAN which my IPTV box is routed through, and a NordVPN NL WAN which "other" services are routed through.

You could redirect to these WANs based on local IP address ranges. i.e...

172.16.20.1 - 172.16.20.150 --> ISP WAN
172.16.20.151 - 172.16.20.200 --> NL VPN
172.16.20.201 - 172.16.20.255 --> UK VPN

Personally, I use Aliases in PfSense but I don't think other routers support this.
 

That would aggravate the life out of me!
My entire home network sits on 10.10.10.0/24
I have address lists set up such as "Work from home devices", "Work locations", "VPN needed links", "VPN users"

I then mark packets which are going from, to or both with the relevant markings before putting them out of 1 of the main internet connection, work VPN or my TigerVPN.

It gives immense flexibility as it means my phone can go out the normal internet connection for normal stuff, the work VPN when I need to manage infrastructure and the Tiger VPN if I want to view something geo-locked without any messing around changing IP addresses and gateways.

I use a MikroTik to do this.
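The two policy-routing styles in this thread, the per-source-range WAN split above (172.16.20.x ranges to ISP/NL/UK) and the address-list plus packet-mark approach from the MikroTik post, can both be expressed on a Linux router (which is what DD-WRT runs) with iproute2 and iptables. The following is an added example, not configuration from any poster or from DD-WRT, pfSense or RouterOS: interface names, routing table numbers, mark values, the LAN bridge `br0`, the ISP gateway and the `iptv_servers` list are all assumptions. It shows why the posted ranges cannot be a single `ip rule from <prefix>` entry (they decompose into several CIDR blocks), and how marking in mangle/PREROUTING lets one rule match a source list and a destination list together, with first-match-wins semantics.

```python
"""Policy-based routing from address lists, rendered as Linux iproute2/iptables commands.

Added illustration, not the thread's own configuration.  Interface names, table numbers,
fwmark values, gateway and the IPTV server list are assumptions; the 172.16.20.x ranges
are the ones posted in the thread.
"""
import ipaddress

# Assumed WAN definitions: one routing table and one fwmark per exit (not from the page).
WANS = {
    "ISP":    {"table": 100, "nexthop": "via 203.0.113.1 dev eth0", "mark": 0x64},
    "NL_VPN": {"table": 101, "nexthop": "dev tun_nl", "mark": 0x65},
    "UK_VPN": {"table": 102, "nexthop": "dev tun_uk", "mark": 0x66},
}

# Named address lists (pfSense Aliases / RouterOS address-lists). Each entry is an inclusive range.
ADDRESS_LISTS = {
    "isp_hosts":    [("172.16.20.1", "172.16.20.150")],
    "nl_hosts":     [("172.16.20.151", "172.16.20.200")],
    "uk_hosts":     [("172.16.20.201", "172.16.20.255")],
    "iptv_servers": [("198.51.100.10", "198.51.100.20")],  # constructed, TEST-NET-2 addresses
}

# Policy rules, first match wins. src/dst of None means "any".
RULES = [
    {"src": None,        "dst": "iptv_servers", "wan": "UK_VPN"},  # by destination, whatever device
    {"src": "nl_hosts",  "dst": None,           "wan": "NL_VPN"},  # by source range
    {"src": "uk_hosts",  "dst": None,           "wan": "UK_VPN"},
    {"src": "isp_hosts", "dst": None,           "wan": "ISP"},
]


def range_to_cidrs(first, last):
    """Smallest set of CIDR prefixes covering first..last inclusive.

    `ip rule from` takes prefixes, so a range such as .151-.200 needs several rules."""
    return [str(net) for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def in_list(name, addr):
    """True if addr falls inside any range of the named list; None matches anything."""
    if name is None:
        return True
    a = ipaddress.ip_address(addr)
    return any(ipaddress.ip_address(lo) <= a <= ipaddress.ip_address(hi)
               for lo, hi in ADDRESS_LISTS[name])


def select_wan(src, dst, rules=RULES, default="ISP"):
    """Evaluate the policy the way the router would: first matching rule decides the exit."""
    for rule in rules:
        if in_list(rule["src"], src) and in_list(rule["dst"], dst):
            return rule["wan"]
    return default


def source_only_rules(list_name, wan):
    """Source-range policy with plain `ip rule`: one rule per CIDR block of each range."""
    table = WANS[wan]["table"]
    return [f"ip rule add from {cidr} lookup {table} priority 1000"
            for lo, hi in ADDRESS_LISTS[list_name] for cidr in range_to_cidrs(lo, hi)]


def mark_based_rules(rules=RULES):
    """Mark packets in mangle/PREROUTING by source and/or destination range, route on the mark.

    `-m mark --mark 0` makes each rule apply only to still-unmarked packets, which gives the
    same first-match-wins semantics as the RULES list (MARK itself is non-terminating)."""
    cmds = []
    for spec in WANS.values():
        cmds.append(f"ip route add default {spec['nexthop']} table {spec['table']}")
        cmds.append(f"ip rule add fwmark {spec['mark']:#x} lookup {spec['table']} priority 900")
    for rule in rules:
        mark = WANS[rule["wan"]]["mark"]
        src_ranges = ADDRESS_LISTS[rule["src"]] if rule["src"] else [None]
        dst_ranges = ADDRESS_LISTS[rule["dst"]] if rule["dst"] else [None]
        for s in src_ranges:
            for d in dst_ranges:
                parts = ["iptables -t mangle -A PREROUTING -i br0 -m mark --mark 0"]
                if s or d:
                    parts.append("-m iprange")
                    if s:
                        parts.append(f"--src-range {s[0]}-{s[1]}")
                    if d:
                        parts.append(f"--dst-range {d[0]}-{d[1]}")
                parts.append(f"-j MARK --set-mark {mark:#x}")
                cmds.append(" ".join(parts))
    return cmds


if __name__ == "__main__":
    print("# source-only rules for the NL range (note the CIDR decomposition):")
    print("\n".join(source_only_rules("nl_hosts", "NL_VPN")))
    print("# mark-based rules covering source and destination lists:")
    print("\n".join(mark_based_rules()))
```

Run it to print the commands rather than applying them; on a real router they go into the firewall start-up script, and each VPN table also needs the tunnel's own routes before the default route so the tunnel endpoint itself is still reached over the ISP WAN. The mark-based form is the one that scales to mixed-purpose devices, since a destination list (the IPTV servers) is matched before any source range is consulted.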
 
Interesting. I end up mixing and matching both approaches.

So my address list (in pfSense land it's Aliases) to your equivalent "VPN links needed" @Steveocee has my Usenet servers listed and then firewall rules that say it goes out via VPN if I'm downloading Linux distros no matter what network device is doing the downloading.

But conversely lots of my media devices like my Smart TVs and Freesat box I don't want to ever be behind a VPN because I just want iPlayer etc. to work as normal. Those I reserve LAN IP addresses for, create an address list (Alias) for them and set the firewall rule to send those devices out to the normal WAN all the time.

I guess the latter approach is a pain if your network devices are used for multiple purposes. Other than my server, for which I adopt your approach @Steveocee, it is actually less hassle for me to define policy based routes based on the LAN device IP rather than the traffic type or destination IP/FQDN like @neodude.
 
@BigT
It's one of the biggest reasons I can't/won't move away to a USG or pfSense and believe me I've tried! I just keep coming back to this set up as it works so well for me. I inspect every packet anyway due to how I QoS my LAN so adding policy based routing is barely any more work.
'Tik is brilliant for allowing you to have a src-address-list and dst-address-list in the same matching rule and then any combination thereof. It may be possible to do what I do in pfSense though, I'm fortunate enough to be very MT capable so use it to my advantage.
 
I don't know about USG but certainly in pfSense it is the same. A firewall rule has a source and a destination, both of which can be a single IP, an FQDN or an Alias which is basically a list. You can mix and match usage of both or ignore them. Plus obviously you can throw into the mix all manner of other variables like the obvious port and protocol as well as more unusual things like schedules. I don't need it but the schedules thing is really useful for people with Satellite connections who can use a time based policy to route download traffic out overnight when there's no data caps. So you have a Pass rule say for newsgroup traffic over the Satellite WAN at night and a Block rule for newsgroup traffic at all other times. Then your SAB/Sonarr automated stuff can just do its thing without intervention but it will only download when it doesn't cost you.

I don't know MT at all but everything I hear or see about it says it is equally as capable if not more so. It's just the OS and using the thing has a steep learning curve so if you're already a master I would see no reason to change. Heck of a lot cheaper too once you factor in the hardware costs of pfSense!
 
> Heck of a lot cheaper too once you factor in the hardware costs of pfSense!

You'd think that. I use an upgraded Dell R210II rackmount with SSD for ESXi & VMs, 4c/8t CPU, additional dual port NIC, I was restrained on RAM at 8GB but still that's 4GB for RouterOS and 4GB for ESXi.
For RouterOS I use a CHR image which is licensed however I thankfully got the licence from one of my courses otherwise it would have cost extra.

LOTS more power than any residential router would ever need but sometimes you just NEED to get your geek on.
 