VPN Client



  • Hey :)

    I want to build a router/firewall to replace the current commercial router I have because it does not support VPN very well.
    I currently have an Asus N16 router with DD-WRT. I can use OpenVPN and PPTP, but the speeds are VERY slow indeed.
    After looking around at various commercial router options I have discovered that the only real way to get what I need is a
    software router/firewall, which I'm hoping will offer a good alternative to a commercial router with full VPN client support.

    WHAT I WANT TO ACHIEVE:

    • Basic router/firewall set up just like any readily available router for the home user

    • Full VPN client support with OpenVPN, PPTP, L2TP options if possible or at least one of them that I can set up at the router end using a 3rd party VPN service like IPVanish and have ALL PCs and devices connected to the router go through the VPN.

    I have been told on another forum that software routers/firewalls don't cut the mustard when it comes to comparing them to commercial hardware routers like the Asus N16 for example.

    I would be using something like an Atom and a Mini ITX board that would have 2 x onboard 1GB LAN and I can optionally add on a further 4 1GB LAN ports to the motherboard as a daughter card.

    I know when it comes to bandwidth throughput that I need to consider the CPU. I would typically be passing 100mb of bandwidth across the whole network at any one time. But when taking into consideration the extra resource that a VPN connection will add, I guess extra overhead is the way to go.
    So I'm not even sure that an Atom processor will do it.

    I plan to link up my current Asus N16 router to the PC router for wireless capabilities for mobile devices etc.

    So, what I'd love to hear are people's recommendations.

    The main focus here is the VPN part.
    I'm not sure exactly when it comes to the router what the differences are between VPN server and VPN client.
    I know in DD-WRT it's referred to as Client. And for PPTP for example I just pop in the VPN server address, username and password and change a few other settings and that's pretty much it.

    The router connects to the VPN server and allows me to send all the traffic through it.
    But I was only seeing a maximum of 1mb running the VPN at the router. Whereas on a VPN client on my PC… it would be around 10mb (I have 100mb broadband)

    thanks



  • Hi Jimmybob:

    First off, to refute anything you heard about "software" firewalls: http://doc.pfsense.org/index.php/Comparison_to_Commercial_Alternatives

    I have a company with a couple of remote locations. I have the primary data-center here attached to my residence. (great commercial ISP here)

    I have the remote locations including a couple of my customers' VPN'd back here via OpenVPN. All using pfSense. Company locations can see here as well as each other. I can see customers' locations but they can not see me.

    So very doable! I'd suggest using OpenVPN myself as that and several solutions are natively supported.

    Start out by reading the forums including the VPN section below and ask away.



  • hi,

    thanks for your reply.

    I'd like to start with hardware specs. Is here a good place to ask?
    Like what kind of CPU power is advised to never hit bottlenecks of the set up caused by lack of CPU power
    on an average home PC setup.



  • @jimmybob:

    hi,

    thanks for your reply.

    I'd like to start with hardware specs. Is here a good place to ask?
    Like what kind of CPU power is advised to never hit bottlenecks of the set up caused by lack of CPU power
    on an average home PC setup.

    How much bandwidth do you have and what do you want to do other than VPN?



  • @Jason:

    @jimmybob:

    hi,

    thanks for your reply.

    I'd like to start with hardware specs. Is here a good place to ask?
    Like what kind of CPU power is advised to never hit bottlenecks of the set up caused by lack of CPU power
    on an average home PC setup.

    How much bandwidth do you have and what do you want to do other than VPN?

    Internet: 100mb (soon to be 120mb)
    Network: 100mb

    All I want to be able to do is set up static IPs using NIC MAC addresses.
    Use general port forwarding.

    I think that is about it other than the important VPN.
    I will be hooking up my existing router to the PC firewall/router.

    Am I correct in thinking that if I run one cable feed from the PC firewall/router to a switch, the DHCP will allocate IPs
    to all connected devices?


  • Netgate Administrator

    @jimmybob:

    Am I correct in thinking that if I run one cable feed from the PC firewall/router to a switch, the DHCP will allocate IPs
    to all connected devices?

    Yes.

    Do you need to get 100/120Mbps of VPN traffic?

    Steve



  • @stephenw10:

    @jimmybob:

    Am I correct in thinking that if I run one cable feed from the PC firewall/router to a switch, the DHCP will allocate IPs
    to all connected devices?

    Yes.

    Do you need to get 100/120Mbps of VPN traffic?

    Steve

    Hi,

    Yes, in fact the better buffer over head the better so that I never experience any throttling would be cool.


  • Netgate Administrator

    Ok, well that rules out any Atom based board at least without an encryption accelerator card. That would max out at ~60Mbps in OpenVPN.

    Steve
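    One way to sanity-check a candidate CPU before buying it, as an added example that is not from this thread or from pfSense: run `openssl speed -evp aes-128-cbc` on the box and compare the single-core cipher figure against the VPN bandwidth you need. The sample `openssl speed` output and the 3x headroom factor below are constructed assumptions, not measurements.

    ```shell
    #!/bin/sh
    # Added example (not from the thread). Estimates raw cipher throughput from
    # `openssl speed -evp <cipher>` output and checks it against a target VPN rate.
    # SAMPLE_SPEED_OUTPUT is a constructed stand-in for a real run on the candidate box.

    SAMPLE_SPEED_OUTPUT='type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-128-cbc      61023.45k   118234.12k   190122.33k   212345.67k   218765.43k'

    # Print the 1024-byte-block figure (kB/s) for the named cipher.
    # 1024 bytes is close to a typical tunnelled packet, so it is the column to use.
    cipher_kbps_1024() {
        cipher="$1"
        output="$2"
        printf '%s\n' "$output" | awk -v c="$cipher" '$1 == c { sub(/k$/, "", $5); print $5 }'
    }

    # Convert kB/s (as printed by openssl speed) to Mbit/s, rounded to a whole number.
    kbps_to_mbps() {
        awk -v k="$1" 'BEGIN { printf "%.0f\n", k * 8 / 1000 }'
    }

    # Returns 0 (true) when the raw cipher rate is at least HEADROOM times the
    # target. The factor is an assumption: OpenVPN also pays for HMAC, tunnel
    # framing and user/kernel context switches on a single core, so raw cipher
    # speed is an upper bound, not the tunnel rate you will actually see.
    HEADROOM=3
    has_vpn_headroom() {
        target_mbps="$1"
        cipher_mbps="$2"
        [ "$cipher_mbps" -ge $((target_mbps * HEADROOM)) ]
    }

    # Example run against the constructed sample: target is the 120Mb link from the thread.
    raw_kbps=$(cipher_kbps_1024 aes-128-cbc "$SAMPLE_SPEED_OUTPUT")
    raw_mbps=$(kbps_to_mbps "$raw_kbps")
    if has_vpn_headroom 120 "$raw_mbps"; then
        echo "aes-128-cbc at ${raw_mbps} Mbit/s: enough headroom for 120 Mbit/s of OpenVPN"
    else
        echo "aes-128-cbc at ${raw_mbps} Mbit/s: expect this CPU to bottleneck a 120 Mbit/s tunnel"
    fi
    ```

    On real hardware replace the sample with `openssl speed -evp aes-128-cbc 2>/dev/null | grep '^aes-128-cbc'`; a CPU with AES-NI typically reports far higher numbers than one without, which is the same gap the thread attributes to an encryption accelerator.
    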



  • @stephenw10:

    Ok, well that rules out any Atom based board at least without an encryption accelerator card. That would max out at ~60Mbps in OpenVPN.

    Steve

    I see.
    So this is not going to be as easy as I thought.

    How do they achieve it on this…?
    http://www.sabaitechnology.com/VPN-Accelerator-for-fast-VPN-routing-p/acc1st.htm


  • Netgate Administrator

    I can't see what bandwidth they are claiming for that box. The video shows 38Mbps, well within the capabilities of an Atom.
    There are a number of things that could be in their favour. They aren't doing any routing or firewalling with that, it's purely a VPN box. There are a number of cheap VPN encryption chips they could be using which are only supported via Linux binaries, no support in FreeBSD.

    Steve

    Edit: Typo



  • @stephenw10:

    I can't see what bandwidth they are claiming for that box. The video shows 38Mbps, well within the capabilities of an Atom.
    There are a number of things that could be in their favour. They aren't doing any routing or firewalling with that, it's purely a VPN box. There are a number of cheap VPN encryption chips they could be using which are only supported via Linux binaries, no support in FreeBSD.

    Steve

    So does anyone have any idea what kind of approach I should take to resolving this issue?

    What kind of hardware specs I'm looking at?



  • Truthfully I'm hoping as the week starts someone with more experience in this arena will see this and also respond.

    But- http://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported

    Looks like the Core i7 970 has been discontinued. I'm not sure about the others out there... spendy! :o



  • Don't know if this will help, but I built my pfSense box with:

    Motherboard - Intel BOXDQ77MK LGA 1155
    http://www.newegg.com/Product/Product.aspx?Item=N82E16813121623

    Processor - Intel Core i3-2100 Sandy Bridge 3.1GHz LGA 1155 65W
    http://www.newegg.com/Product/Product.aspx?Item=N82E16819115078

    I have a persistent IPSec tunnel up and occasionally have OpenVPN connections come up.  There are 4 NICs on the box with two WANs (60/8 each) and two LANs (both switched Gbit).  4GB of RAM.  CPU never goes over 20%.

    I went with the LGA 1155 motherboard in the event I need to scale. I can pop out the CPU and replace it with something more powerful (I have an Intel Core i7-2600K Sandy Bridge 3.4GHz on my shelf, new in the box "just in case"). The Q77 chipset has some nice features if you decided to go with an Ivy Bridge CPU.

    For what my pfSense installation does it's probably overkill, but it came in handy the other day when I launched a vulnerability test from behind it.  The state table size peaked out around 280K states.  It was fun to watch!


  • Netgate Administrator

    If you are looking at building a new box it's hard to recommend anything other than a low-end Sandybridge/Ivybridge based board. As Tim suggests above, using a socket 1155 board gives you lots of upgrade options. This board:
    http://www.newegg.com/Product/Product.aspx?Item=N82E16813121622
    Is slightly more but gives you a smaller footprint and DC power for greater efficiency.
    Even a low-end Celeron will firewall/NAT at Gigabit wire speed so should be good for 120Mb of OpenVPN (I have no test results to confirm this). http://www.newegg.com/Product/Product.aspx?Item=N82E16819116889
    If you want less building then maybe something like the Shuttle DS61: http://forum.pfsense.org/index.php/topic,56950.0.html

    To be honest you could probably get 120Mb VPN with a far less powerful system but it's probably easier and cheaper to go with something such as the systems above.

    Steve

