
Dedicated wired VPN router


RDziuba

I am a newbie to this forum & routers in general.
At the moment I am using ASUS RT-AC68U (wireless off) WAN connected to LAN Port 2 on Netgear C6300BD modem (in bridge mode & wireless off) to access OpenVPN in USA from Australia for media streaming on my Roku3 - LAN wired.
Also connected to the modem LAN Port 1 is ASUS RT-AC87U WAN to take care of wireless & other network peripherals such as desktop PC, Tablets, laptops etc.
I am looking for a wired router with a faster throughput WAN-LAN / LAN-WAN to replace the RT-AC68U as a dedicated VPN router. Someone suggested a Cisco - NHC-RV042G-K9.
I do understand that I am still limited by the speed of the internet connection - but I want to eliminate as many choke points as I can.
Does anyone have a better solution?
Richie
 
pfSense on a small desktop. Way faster, cheaper, and easy. I have been running for the past 2 years on a $50 retired HP Enterprise Desktop with an additional NIC. My OpenVPN speeds are pretty much only limited by the speed of the connection I can get to my laptop or phone. Running locally, I can get several hundred Mbps. The best I have gotten remote is about 150Mbps.
 
With pfSense - does that mean I have to be running a PC all the time to watch Netflix?
Why is this better than a wired router? If I go down this path - what model?
Richie
 
Not sure if I am following your Netflix statement....this PC is dedicated as a router. It does nothing else...it has no monitor, no keyboard, and no mouse.

Why is this better than a standard router? Depends on your needs and requirements. From a power perspective...it isn't better since more than likely a PC will use more power. However from a price, performance, and feature perspective, the PC will usually win.

In my specific scenario, my requirements are:
- able to route 1Gbps symmetric Internet connection
- terminate OpenVPN clients
- terminate IPSEC VPN
- granular Firewall controls
- filtering HTTP proxy
- host a DMZ

I ran m0n0wall for many years and was quite happy. Then I wanted to add some more features and moved over to pfSense a couple years back. This allowed me to consolidate some other systems into a single FW/router. Getting the VPN performance I wanted out of a standard consumer device was also proving to be a challenge as is one that provides granular firewall controls.

As for what model? Depends on what you can find. I happen to be running a retired HP Business desktop picked up as a "refurb" from MicroCenter. I think it may be a dc5800, but don't quote me on that. It was a basic lower wattage Core2 based system with 4GB of RAM, on-board Gigabit, and then I added a dual-port Intel Pro Gigabit card to it. It can route close to 950Mbps, provides me an AV scanning HTTP proxy, and provides OpenVPN services to my mobile devices in the 100Mbps+ range.

Biggest drawback of using pfSense? It is a desktop...with hardware that will fail eventually. There is a hard drive and a couple of fans I have to worry about. An appliance would be better from that perspective....but finding one at the sub-$100 range that has flexibility and features is quite the challenge. The beauty of pfSense...it is stupid simple to setup, backup, and restore quickly. I got to pfSense because my m0n0wall system puked due to a failed power supply. I'm sure in another year or two, something will fail on this desktop and I will go pick up another $50 used PC and be back up and running within 30 minutes.
 
Basically the purpose of the router is to access USA channels, e.g. Netflix, Hulu etc., via USA VPN location from Australia.
Is Cisco - NHC-RV042G-K9 a better option than ASUS RT-AC68U (wireless not required)?
 
The RV042G is a horrible option. Never ever get a VPN router, even for VPN, as every VPN router from every brand is absolutely horrible. I know @Samir here would disagree with his experience, but I have seen way too many complaints, and Ubiquiti's early EdgeRouter days are proof that this platform is terrible. It took Ubiquiti years just to get stable firmware, and with Ubiquiti EdgeRouters, both price, performance and function wise, they are much better to consider than any VPN router, as it's the same hardware but with a flexible firmware, faster CPU clocks and more cores, and in some cases more RAM and even SFP in the higher end model. Still not the ideal solution though.

x86 is the best option for VPN, especially if it has hardware AES. I know MikroTik CCRs can easily route 1Gb/s symmetrical (NAT not route) and also do 1Gb/s VPN, but MikroTik doesn't support UDP based OpenVPN, and setting up VPN on MikroTik other than PPTP is extremely difficult. The CCRs don't support 1Gb/s VPN through a single tunnel; this is the flaw in their design, as each tunnel will use at most 1 core, and each CCR core is capable of 300-500Mb/s of AES accelerated VPN, 100Mb/s or less of software based VPN (such as SSTP or OpenVPN).

So what you need is x86 with Intel NICs and a CPU that has hardware AES, so not only can you do 1Gb/s symmetric NAT but you can also do QoS, filtering, run firewall software and do VPN, all at your WAN speeds. Even a dual core i3 will easily handle the job. A fun suggestion for you, however, is to get the 1st gen iseries Xeons (32nm), stuff them into consumer X58 boards, overclock them over 50% with a decent cooler and have the whole thing stuffed into a 1U or 2U chassis. For 1U you will need PCIe right angle brackets, though, for your Intel server quad port NIC. Triple channel RAM is also needed, though I would suggest 1600MHz performance RAM. I use Scythe in mine as they have good 1U and 2U coolers cheaper than Noctua for the same or better performance. I have mine running above 4GHz using a 6 core Xeon (32nm ones have hardware AES) and it only uses less than 100W normally and 150W during load. You can reuse parts to make things cheaper, but even getting a more recent iseries platform is something you can consider. Even AMD Ryzen can be used as long as you use an Intel NIC, but memory performance is also a limiting factor, and the 1st gen iseries overclocked by more than 50% via bus is a huge boost not only to frequency but to memory performance, CPU cache and bus bandwidth too, which will let you handle 10Gb/s WAN as well, but they lag behind in power consumption compared to the most recent iseries.

There are many 2U chassis that let you use standard ATX PSUs as well, but you may need holes for the PSU fan, or you can use one with a rear fan (Seasonic has one).

If you wish to get MikroTik, the RB1100AHx2 is the cheapest they have that will do what you ask without any sort of hardware acceleration or tricks for NAT but still has hardware acceleration for AES. The CCR1009 though would be better.
 
I sort of follow that VPN routers are not much chop.

Can you spell out in simple words what hardware I need to find - I was about to look at pfSense SG2220.
 
It very much depends on throughput, but pfSense already is a good choice. It would be better and cheaper for you to buy/build the PC instead, as there are many options with faster CPUs, and install pfSense on it. The first thing is to make sure the CPU has hardware AES, which if you look at the CPU on Intel ARK is right below. Going with a full CPU like the iseries rather than Intel Atom architectures is also much faster. For the NIC, Intel server NICs are the best for pfSense because of drivers and CPU load.
 
We have already laid out what hardware to find......a Desktop....with multiple NICs in it. Or, you can buy a pfsense appliance for a bit more. Your choice on how much you want to spend vs piece together.

For what you are doing....and taking Gigabit speeds out of the picture...just about any desktop with a CoreDuo or higher CPU will be fine. I am running a Core2 E4600 and it can handle my 1Gbps Internet + VPN just fine.

By your posts, it sounds like you want the least amount of hassle and questions. I would stick to the appliances then...they will cost more, but they will have less question/guessing on getting it right. I'm sure the SG-2220 is just fine for this...although I have zero experience using that hardware.
 
It's certainly up to you what hardware you get. There are many mini PCs that you can consider as long as they use the full iseries architecture. If it's an Intel Atom based one, you might as well get it from pfSense as they already know the performance for it.

The naming can sometimes be confusing, so always look up the CPU on Intel ARK. What you need is a dual core CPU that isn't a cut down core and that has the AES instruction set. This should be the minimum that you look for. At 1Gb/s, only CPU and NICs are what you need to worry about. For 10Gb/s you also have to consider CPU cache, bus bandwidth and also memory bandwidth as well (such as choosing 3 or 4 memory channels, DDR4 and even overclocking).

Hyperthreading is a big performance boost for routing too.
 
Building a router with x86 hardware is probably your best option (using something like pfSense), as others have stated. You will have to decide between power, size and cost. To get power in a small size it will cost more. If you have a little room to spare, this HP mini server is a good deal. It comes with dual Broadcom NICs. I think they would be fine, but if you find they can't keep up you could always add Intel NICs. It is a nice machine for the price but you have to have a little room.
 
I re-read the original post a bit as well as some of the other comments and I think we need to take a step back. Realizing the OP is a true network newbie and is still asking for clarification, I think we are all still answering in too complex/vague of a manner.

So....let's start over.

Here is what we know:
- User is currently in Australia
- User primary use case is OpenVPN to US for access to streaming services from a Roku
- WiFi is not required in this solution

I think there is a bit more detail missing before we can give any better responses.

1.) What is terminating the VPN on both ends?
- It isn't clear to me what equipment is in the US vs what is in Australia (other than the Roku)
- Trying to understand what is the OpenVPN server and what is the actual OpenVPN client
- Are you using an OpenVPN service in the US and your Asus router is the OpenVPN client in AU?

2.) What are the speeds you are trying to obtain?
- What are you currently getting?
- What is the speed of the Internet connections?
- Please be aware that the latency from AU to the US will severely limit your max speed on a single stream

3.) What is your expected budget?
- $100?
- $500?

4.) Does the size of the device/solution matter?
- Are you expecting a small 8"x5"x1" device?
- Is a small desktop PC ok?

5.) Do you care about the noise level of the device/solution?
- a server will be loud, a desktop will have a slight fan hum, an appliance may be fanless

6.) Do you care about the power consumption of the device/solution?
- thinking more about heat output here
- a 100W server will heat up a room, a 40W desktop won't be as bad, but a 10W device won't be noticeable

7.) Who/How are you remotely supported the device/solution?
- Is there someone "technical" in the US that will help setup and maintain it?
- Or are you using a "service" that is hosted in the US and this question is pointless?
 
Made one today from an old HummingBoard using a WiFi USB, not that great, 150mbit/sec, and ethernet has 450mbit/sec. Using Debian and hostap, bind, openvpn and some basic iptables, works just fine for my needs :)
 
I bought a pfSense appliance from a pfSense partner in Bangkok last June. Specs are:
- CPU: Intel Atom D2550 Dual Core 1.86GHz
- D2550 4-Ports Gigabit Routing Industrial Machine
- DC+USB*2+Lan*4+VGA
- size 21*31*4.4CM/5KGS
- Memory 4 GB (maximum)
- MSATA 8 GB

While I was waiting for it to arrive, I purchased an AC88U and flashed it with Merlin FW. I found the AC88U worked great for my streaming needs. I got similar speed tests on both devices. I found distance from VPN provider plays a huge role in download speeds. I ended up using no encryption to get the best performance.

With the pfSense appliance, I get fan noise. But not with the AC88U. It sits on a USB cooling pad.

Not a lot of VPN providers can get around VPN blocks put in place by Netfluckus and Hula Hoops. Torguard is able to if you pay extra for private IP. Combined with Roku 4 player, I am greatly pleased with my streaming performance. I think the processor in the Roku 4 helps.

I just started working on my pfSense and plan to devote more time to it the next month. I want to add additional packages to enable UTM features. I can run some updated speed tests for you next week.
 
[QUOTE]I re-read the original post a bit as well as some of the other comments and I think we need to take a step back. Realizing the OP is a true network newbie and is still asking for clarification, I think we are all still answering in too complex/vague of a manner.

So....let's start over.

Here is what we know:
- User is currently in Australia
- User primary use case is OpenVPN to US for access to streaming services from a Roku
- WiFi is not required in this solution[/QUOTE]

Yes this is the case - the Roku3 cannot be configured.

[QUOTE]I think there is a bit more detail missing before we can give any better responses.[/QUOTE]

[QUOTE]1.) What is terminating the VPN on both ends?
- It isn't clear to me what equipment is in the US vs what is in Australia (other than the Roku)
- Trying to understand what is the OpenVPN server and what is the actual OpenVPN client
- Are you using an OpenVPN service in the US and your Asus router is the OpenVPN client in AU?[/QUOTE]

Connecting to Express OpenVPN server in Hollywood USA. My end in Australia is ASUS RT-AC68U router configured for Client OpenVPN.

[QUOTE]2.) What are the speeds you are trying to obtain?
- What are you currently getting?
- What is the speed of the Internet connections?
- Please be aware that the latency from AU to the US will severely limit your max speed on a single stream[/QUOTE]

Current download speed through Hollywood approx 6.5 Mbps.
If I disable VPN & connect via local ISP - 115Mbps
I understand there is latency - but that much?

[QUOTE]3.) What is your expected budget?
- $100?
- $500?[/QUOTE]

Up to $500

[QUOTE]4.) Does the size of the device/solution matter?
- Are you expecting a small 8"x5"x1" device?
- Is a small desktop PC ok?[/QUOTE]

The smaller the footprint the better. Small desktop probably OK depending on where I hide it.

[QUOTE]5.) Do you care about the noise level of the device/solution?
- a server will be loud, a desktop will have a slight fan hum, an appliance may be fanless[/QUOTE]

Desktop with small hum OK as I already have a PC running in the room. can can quieter fans.

[QUOTE]6.) Do you care about the power consumption of the device/solution?
- thinking more about heat output here
- a 100W server will heat up a room, a 40W desktop won't be as bad, but a 10W device won't be noticeable[/QUOTE]

Least would be better.

[QUOTE]7.) Who/How are you remotely supported the device/solution?
- Is there someone "technical" in the US that will help setup and maintain it?
- Or are you using a "service" that is hosted in the US and this question is pointless?[/QUOTE]

Service is ExpressVPN who have been helpful.

I have attached a txt file with configuration settings.

I suppose that a small desktop would be most cost effective.

Rich.
 

Can you give me the name and location of the pfSense shop in BKK?
Thanks.
 
To check latency, find the hostname or IP that your OpenVPN is connecting to. From outside the VPN, ping it and report back the average response time. You would be amazed at how high the latency is from AUS to the US and how much it will really hurt your max single stream throughput. You also may want to check to see if ExpressVPN has termination points in Washington or Oregon. Sometimes the overseas links your traffic is traversing may actually be coming in up North....just depends on what direction your ISP happens to route.

I am not sure what speeds an RT-AC68U can attain before maxing out CPU, but I am assuming it is more than 6.5Mbps. If I were making a recommendation to one of my less technical friends/family members, I would probably push them to one of the pfSense appliances. It will probably be less hassle than trying to explain what PC and NIC to go buy, as well as trying to walk them through making a bootable USB stick to load it up.

Will the pfSense appliance help your use case? We won't know that until you report back your ping times to your VPN provider. But if we can prove it is the AC68U that is bottlenecking you, then yes the pfSense box will help out for sure. But if the latency is just high in general (150ms+) and packet loss is above .5%, there won't be any improvement.

Check these sites to do some calculations to see how much packet loss and latency will impact your speeds.
http://wintelguy.com/wanperf.pl
https://www.silver-peak.com/calculator/throughput-calculator
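
The kind of calculation those calculators perform, as an added example that is not part of the original post: it bounds one TCP stream by link speed, by window size over round-trip time, and by the Mathis loss model, using the 150 ms and 0.5% thresholds from the post and the 115 Mbps and 6.5 Mbps figures reported earlier in the thread. The MSS of 1460 bytes, the window sizes and the use of the Mathis approximation are assumptions of this example.

```python
"""Added example: upper bounds on one TCP stream from RTT, loss and window."""
import math

MSS_BYTES = 1460            # assumption: typical Ethernet MSS; a VPN tunnel lowers it
MATHIS_C = math.sqrt(1.5)   # constant of the Mathis et al. model for Reno-style TCP


def window_limit_mbps(rtt_ms, window_bytes):
    """Cap when at most one window can be in flight per round trip."""
    return window_bytes * 8 / (rtt_ms / 1000) / 1e6


def mathis_limit_mbps(rtt_ms, loss, mss=MSS_BYTES):
    """Loss-bound cap: (MSS / RTT) * C / sqrt(p). Unbounded when loss is zero."""
    if loss <= 0:
        return math.inf
    return mss * 8 / (rtt_ms / 1000) * MATHIS_C / math.sqrt(loss) / 1e6


def single_stream_ceiling(link_mbps, rtt_ms, loss, window_bytes):
    """Return (ceiling in Mbps, name of the limit that binds)."""
    bounds = {
        "link": link_mbps,
        "window": window_limit_mbps(rtt_ms, window_bytes),
        "loss": mathis_limit_mbps(rtt_ms, loss),
    }
    name = min(bounds, key=bounds.get)
    return bounds[name], name


def loss_explaining(rate_mbps, rtt_ms, mss=MSS_BYTES):
    """Invert the Mathis bound: loss rate at which rate_mbps is the ceiling."""
    return (mss * 8 * MATHIS_C / ((rtt_ms / 1000) * rate_mbps * 1e6)) ** 2


def bdp_bytes(rate_mbps, rtt_ms):
    """Bandwidth-delay product: window needed to keep the path full."""
    return rate_mbps * 1e6 * (rtt_ms / 1000) / 8


if __name__ == "__main__":
    # Thresholds from the post (150 ms, 0.5% loss) on the 115 Mbps line.
    # The 256 KiB window is a constructed value, not taken from the thread.
    print(single_stream_ceiling(115, 150, 0.005, 256 * 1024))
    # Same RTT, no loss, unscaled 64 KB window: the window becomes the limit.
    print(single_stream_ceiling(115, 150, 0.0, 65535))
    # Window a single stream needs to fill 115 Mbps at 150 ms.
    print(round(bdp_bytes(115, 150)), "bytes")
    # Loss rate that alone would hold a stream to the reported 6.5 Mbps,
    # assuming a 150 ms RTT (the thread does not report the measured value).
    print(f"{loss_explaining(6.5, 150):.4%}")
```

If the measured ping time and loss give a ceiling well above what the VPN delivers, the path is not the bottleneck and the router CPU or the provider is the next thing to test.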
 
Some speed test results: Using Australian Servers - I am based in Perth, Australia:

Laptop connected direct to cable modem C6300BD - No router.
Telstra Perth (Local) server: 12ms / down 115Mbps / Up 2.35Mbps.
Telstra Melbourne (3000km away) : 48ms / down 107Mbps/ Up 2.35Mbps.

Laptop connected to cable modem C6300BD & RT-AC68U - No VPN.
Telstra Perth (Local) server: 12ms / down 115.25Mbps / Up 2.28Mbps.
Telstra Melbourne (3000km away) : 48ms / down 106.52Mbps / Up 2.36Mbps.

Laptop connected direct to modem / No router / using ExpressVPN app on laptop.
ExpressVPN Melbourne Server (no Perth server) : 51ms / down 9.23Mbps / Up 1.88Mbps.

Laptop connected to RT-AC68U using OpenVPN client ExpressVPN Melbourne server profile.
ExpressVPN Melbourne Server (no Perth server) : 48ms / down 10.08Mbps / Up 1.8Mbps.

I suppose all the above means that the VPN provider is the issue and not the hardware.

Any connection to USA is even slower.

When connecting via VPN, I would have thought there may be a 20 - 30% drop in speed - not 90%, & this is at a local level.

Maybe VPN provider needs changing.

Rich.
 
I agree it sounds like your VPN provider has some speed challenges. Just for reference, using my iPhone on AT&T LTE, via OpenVPN back to my pfSense firewall, I got 85Mbps down and 3.36Mbps up with 73ms of latency. If I can do this over cellular data, there isn't any reason you shouldn't be able to do better than your 10Mbps via your home Internet connection....at least in-country.
 
