Best hardware/software/VPN setup?



  • Hello everyone,

    You guys are clearly very knowledgeable, so if you are feeling charitable today, then please read on…

    I am not very tech savvy, so please excuse if I am posting this in the wrong place (suggestions welcome!).

    What would be the best combination of hardware, software, VPN provider for this purpose:

    The idea is for everyone in the house, particularly the kids, to have all of their traffic from their tablets, laptops, etc. automatically routed through a VPN router/device, where it is encrypted and sent through a tunnel to a VPN provider.

    Internet connection > wired VPN router/device > wireless router

    Ideally, the VPN provider and the software run on the local VPN router/device supports:

    • robust tunneling (data authentication >= SHA256, handshake >= rsa-4096 or equivalent, data encryption >= aes-256)
    • vpn killswitch (if the vpn disconnects for any reason, then internet traffic halts immediately until the vpn reconnects)
    • vpn automatically reestablishes connection on failures
    • IPv6 leak protection
    • DNS routed through VPN (no dns leakage) so that traffic enters the open internet under a shared IP address
    • fast throughput: 50-100+ Mbps

    As mentioned above, I am not particularly tech savvy. I've lurked a lot and picked up some lingo, but I know just enough to know I understand very little compared to you guys.

    Thank you for helping!



  • Any of the C2000 Atom systems should be able to do that with OpenVPN. IPSec should work fine too. Although I am not too sure on exactly how you would configure it. I think the real challenge is going to be finding a VPN server out there on the internet to connect to without paying a bunch of money. I think the C2558 would be ideally suited to the task. Even the C2358 could probably pull it off.


  • LAYER 8 Netgate

    • robust tunneling (data authentication >= SHA256, handshake >= rsa-4096 or equivalent, data encryption >= aes-256)

    SHA1, RSA-1024, and AES-128 are fine for the home.  In fact they're fine for most purposes.  Okay, maybe RSA-2048.



  • I use RSA-2048, AES-256, and SHA2-256 on my personal OpenVPN setup. It's not like there is much of a performance impact from using modern cryptography vs the slightly older stuff, and the security is demonstrably better, mostly with regards to the larger RSA key size and the better hashing. AES-128 vs AES-256 is probably a wash for home use, but it's not like AES-256 is all that much slower on an AES-NI CPU, so there really isn't any reason not to use it.

    To be honest 1024 bit RSA keys make me nervous.
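As an added example (not code from this thread, from pfSense or from the OpenVPN project), here is a small Python audit that checks an OpenVPN client config and its CA certificate against the original poster's baseline (data authentication >= SHA-256, handshake >= RSA-4096, data encryption >= AES-256) and the fail-closed options worth having next to it. The directive names are real OpenVPN options; the two sample configs, the `vpn.example.invalid` hostname and the certificate text fragments are constructed for the example. The RSA key size is read from `openssl x509 -noout -text` output because the handshake strength lives in the certificate, not in the .ovpn file.

```python
"""Audit an OpenVPN client config against the thread's crypto baseline.

Added example for this thread; not pfSense or OpenVPN code.
"""
import re

MIN_AUTH_BITS = 256      # "data authentication >= SHA256"
MIN_RSA_BITS = 4096      # "handshake >= rsa-4096 or equivalent"
MIN_CIPHER_BITS = 256    # "data encryption >= aes-256"

# Digest sizes in bits for the names OpenVPN's "auth" directive accepts.
HASH_BITS = {"MD5": 128, "SHA1": 160, "SHA224": 224, "SHA256": 256,
             "SHA384": 384, "SHA512": 512}

# Real OpenVPN client options a fail-closed, leak-resistant client should carry.
WANTED = {
    "remote-cert-tls": "require the server cert to carry the server role (anti-MITM)",
    "tls-version-min": "refuse TLS 1.0/1.1 handshakes",
    "persist-tun": "keep the tun device up across reconnects so traffic is not rerouted",
    "auth-nocache": "do not keep credentials in memory after use",
}


def parse_ovpn(text):
    """Map each directive to its argument list (first occurrence wins).
    As in real .ovpn files, '#' and ';' start comments."""
    conf = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            key, *args = line.split()
            conf.setdefault(key.lower(), args)
    return conf


def cipher_bits(name):
    """Key size implied by an OpenVPN cipher name; 0 if absent or unknown."""
    n = name.upper()
    m = re.search(r"(128|192|256)", n)
    if m:
        return int(m.group(1))
    if n.startswith("BF-"):   # Blowfish, the legacy OpenVPN default: 128-bit key
        return 128
    return 0


def auth_bits(name):
    """HMAC digest size for an 'auth' value such as SHA256 or SHA-512."""
    return HASH_BITS.get(name.upper().replace("-", ""), 0)


def rsa_bits_from_x509_text(text):
    """Key size from `openssl x509 -noout -text` output ("Public-Key: (4096 bit)")."""
    m = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    return int(m.group(1)) if m else 0


def audit(ovpn_text, ca_x509_text):
    """Return a dict of pass/fail findings for one client config plus its CA cert."""
    conf = parse_ovpn(ovpn_text)
    # OpenVPN 2.5+ negotiates from "data-ciphers"; older configs use "cipher".
    cipher = (conf.get("data-ciphers") or conf.get("cipher") or [""])[0].split(":")[0]
    auth = (conf.get("auth") or [""])[0]
    rsa = rsa_bits_from_x509_text(ca_x509_text)
    return {
        "cipher": cipher,
        "cipher_ok": cipher_bits(cipher) >= MIN_CIPHER_BITS,
        # With an AEAD cipher (AES-*-GCM) the data channel is authenticated by the
        # cipher itself and "auth" only covers tls-auth/tls-crypt; the HMAC
        # threshold is still checked so a weak digest is flagged either way.
        "auth": auth,
        "auth_ok": auth_bits(auth) >= MIN_AUTH_BITS,
        "rsa_bits": rsa,
        "rsa_ok": rsa >= MIN_RSA_BITS,
        "missing": [d for d in WANTED if d not in conf],
    }


# Constructed sample configs (placeholder hostname, not a real endpoint).
WEAK_OVPN = """\
client
dev tun
remote vpn.example.invalid 1194 udp
cipher AES-128-CBC
auth SHA1
"""
STRONG_OVPN = """\
client
dev tun
remote vpn.example.invalid 1194 udp   # placeholder hostname
data-ciphers AES-256-GCM:AES-256-CBC
auth SHA256
remote-cert-tls server
tls-version-min 1.2
persist-tun
persist-key
auth-nocache
"""
# Constructed fragments in the shape of `openssl x509 -noout -text` output.
CA_1024 = "        Subject Public Key Info:\n            Public-Key: (1024 bit)\n"
CA_4096 = "        Subject Public Key Info:\n            Public-Key: (4096 bit)\n"

if __name__ == "__main__":
    for label, conf, ca in (("weak", WEAK_OVPN, CA_1024), ("strong", STRONG_OVPN, CA_4096)):
        print(label, audit(conf, ca))
```

Run it as-is to see the weak config fail all three thresholds and lack the fail-closed options, while the strong one passes; point `audit` at your own .ovpn text and the output of `openssl x509 -in ca.crt -noout -text` to check a real profile.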



  • @antillie:

    To be honest 1024 bit RSA keys make me nervous.

    Totally agree



  • @antillie:

    Any of the C2000 Atom systems should be able to do that with OpenVPN. IPSec should work fine too. Although I am not too sure on exactly how you would configure it.

    Thanks for posting, antillie. Are you saying that you aren't too sure exactly how to configure IPSec to achieve the goals, but that you know how to configure OpenVPN to achieve them?



  • Both VPN methods can do what you are wanting. But my only experience with OpenVPN is with my personal remote access setup with pfSense acting as the server. I have extensive experience with IPSec VPNs, both client to site and site to site, but not on pfSense.

    So I'm afraid I don't really know how to configure either one on pfSense to do what you are wanting. Now if we were talking about IPSec on a Cisco ASA things would be different. But that is neither here nor there.



  • @antillie:

    I think the real challenge is going to be finding a VPN server out there on the internet to connect to without paying a bunch of money.

    I don't mind paying for peace of mind. What VPN services do you think would be good for this purpose?



  • With pfSense, you can set up rules in order to route specific IPs to use the VPN only. So, map as static IP any client you need to be routed through the VPN. Set outbound and firewall rules accordingly.
    If you want, like me, you can build a separate subnet dedicated to the VPN. You can also use a VLAN approach.
    As VPN provider I suggest AirVPN.



  • @Wolf666:

    With pfSense, you can set up rules in order to route specific IPs to use the VPN only. So, map as static IP any client you need to be routed through the VPN. Set outbound and firewall rules accordingly.
    If you want, like me, you can build a separate subnet dedicated to the VPN. You can also use a VLAN approach.
    As VPN provider I suggest AirVPN.

    Wolf666, thank you for the ideas and the VPN suggestion.

