Supplementing my router with a desktop PC

[spider]

I've signed up at ExpressVPN and have set up my Asus AC66U (with Merlin 380.65_0) as a client to their service so now every client connected to that router is also routed via the VPN service.

There are a number of things I do not like about my setup and a number of things I'd like to have in addition.

Firstly, the speed I get when using OpenVPN is under 10MBs download and under 5Mbps upload - switching to L2TP I get practically full speed 60Mbps download (Also full speed using the ExpressVPN desktop client on OpenVPN). I understand Open VPN is the better protocol so I'd like to solve this. After much searching it seems that I may be limited on VPN performance due to the CPU of the router not being able to cope with the intensity of the encryption process - more on this in a bit...

Secondly, When I am not at home I'd like to be able to make use of my ExpressVPN service - perhaps set up a home VPN server I can connect to which will subsequently route all my traffic through ExpressVPN.

Thirdly, I have a numer of devices which I'd like to have a direct connection to the internet - which I could accomplish with policy based routing using OpenVPN.

I have an Asus VM60 Mini Desktop PC which I'm willing to sacrifice to the cause - an always on device which can supplement the router (AC66U). I also have an Asus AC51U cheapy which I'm currently using as an Access Point when in the garden.

So using the available hardware I'm just wondering how I can accomplish these goals - I'd prefer to use the hardware I have got, however I am open to other purchases I may need.

I'm most curious about the idea of using my Mini PC to accomplish all my VPN requirements and then using my AC66U simply as a router - perhaps sending all traffic through the mini PC as a gateway and then using my AC51U as an access point as I currently am.

(I do also own a HP N54L with 4GB RAM which could be repurposed)

However I am open to all sorts of ideas

Thanks

 

[spider]

In the past I have set up something called PiHole on a raspberry pi which enables you to block adverts network wide by configuring the router to force clients to use the Raspberry Pi with Pi-Hole installed as the DNS server.

Using my Asus VM60 (Intel® Core™ i3-3217U Processor, 4GB RAM, 10/100/1000 ethernet) could I acheive something similar, but for VPN.

i.e. Install Linux, install and configure an Open VPN client on the PC and set it up so all clients are forced through it - perhaps even setting up some specific routing so some clients bypass the VPN.

Then set up the AC66U with a basic VPN server so I can connect from the outside world, and once connected subsequent traffic is routed through the VM60

Or am I talking a load of trash

 

[John Ottestad]

I have some of the same thoughts and needs, but my hardware is slightly different:

I have a Minix Neo X8-h android streaming box which I want to connect via VPN tunnel using the services of SmartDNSproxy, which I have found to give consistent high speeds and uptime at a reasonable subscription fee.

I started out installing openvpn on the minix, connecting it to wan via my ASUS RT-N66U. Results were good, with speeds over VPN of 40 MBs (down), probably reflecting the CPU power of the minix of 2,0 GHz quad-core.

Next step: I wanted to run selective VPN routing on my Asus RT-N66U, running merlin 380.65. Experienced significant drop in speed down to 10 MBs (up and down), reflecting the lower CPU power of the router. Like you I am thinking of adding CPU power from a local miniPC running openvpn.

My minix is 2.5 years old, and a new minix u9 with 4K streaming capabilities has just been launched (cost USD 160). I will probably upgrade my minix to u9, which frees up the small and handy X8-h for other use, like taking on the VPN processing as a small dedicated local server connected directly to the router. The X8-H would be running as VPN client connected to wan via VPN tunnel to the smartDNSproxy server. I am not sure this will be possible on a unit running android, but have seen that the minix can be rooted and linux installed.

So this is how far I have got. But I have no experience whatsoever from setting up local server, not even windows, and no experience from setting up and programming android or linux devices. So I follow with interest your approach and what advise you might get from this forum. But I will most likely be a follower rather than a pioneer.

PS. I am very satisfied with my ASUS router running merlin, but have encountered one problem running selective VPN routing. Everything works perfectly, with one exeption. I have selected the option "start with wan" under the client tab. The router is then supposed to launch VPN when booted. The router attempts to establish a VPN tunnel when booting, but the VPN connection does not work (no wan access over the smartDNSproxy server). Could you be so kind to check whether "start with wan" works on your router. We are running the same firmware, and I suspect it can be a bug in the new firmware. Everything works perfectly when I start VPN manually from the GUI.

 

[spider]

Hi John,

I can confirm mine does work with the "start on wan" option enabled.

It sounds like we have similar requirements for sure! I've been thinking about this and I think I can condense my original question down to this:

Can I outsource the VPN processing onto an always on desktop and have certain traffic routed via the VPN gateway PC?

Current Setup
Currently my network is setup as follows. Router 1 (AC66U - 192.168.1.1) connected to modem, Router 2 (AC51U - 192.168.1.254) connected to Router 1. Router 1 running VPN client on OpenVPN with policy based routing (192.168.1.254 - WAN, 192.168.1.0/24 - VPN)

Anything connected to router 1 goes through VPN
Anything connected to router 2 goes by passes VPN

This setup is perfect albiet the slow VPN speeds <10Mbps

Idea 1
Since the only issue with the above is the VPN speed, and after realizing it has to do with the 'less-than-optimal' CPU in the AC66U my thoughts are if I can outsource all of the VPN activities onto an 'always-on' Mini PC (Intel i3, 4GB RAM, 1 Gigabit Ethernet)

Theoretically I am 'hoping' to set it up so in this instance router 2 will become the VPN router, except it does none of the VPN activities itself but simply Router 1 will send all traffic from router 2 through the VPN PC which will handle the encryption, etc then pass it back to Router 1 which will then send it out in to the world wide web...

However I have a feeling that this would probably be an awkward setup so after some thinking I have an alternative idea

Idea 2
The idea I now have is to purchase a managed switch and connect this to the modem and to the 1 gigabit ethernet port of my Mini PC, setup my Mini PC as a simple router with VPN Client. then plug router 1 and router 2 into the managed switch and have two separate VLANS. All traffic coming from router 1 will be sent on to the world wide web as is and all traffic from router 2 would be sent via the VPN client.


Thoughts, criticisms, suggestions, prods in the right direction.... lashings?

Thanks

 

[spider]

Ahah, Perhaps this is how I should be doing it.


Modem to Router 1, standard wifi no VPN
Router 1 Port to Managed Switch to act as WAN port for Mini PC
Mini PC Running VPN Client and acting as a gateway for Router 2
All traffic from Router 2 will be passed through the Mini PC which is running the VPN client and performing all the necessary encryption and so on.

One of my original requirements was to be able to use my VPN Client over the internet. I have access for 3 simultaneous clients however I am trying to have one client and then being able to have as many clients as I wish communicating via this one client at my house wherever I am, whether at work, in a cafe, on holiday.

So I'd need to run a VPN server somewhere to make use of the VPN client but I'm not sure where, if I ran it on router 1 it wouldn't be behind the VPN Client, if I ran it on router 2 I'd need to be connected to the VPN to see it or I could run it on router 1 and then have an ssh tunnel to the VPN Client PC but I'd like a setup where all I have to think about is connecting to my VPN Server anywhere and then everything gets routed via my VPN client.

 

[John Ottestad]

First of all, thank you for testing "start with wan" on your router. Confirms I should be able to make it on mine too. I will have to og over my setup once more, and maybe attempt some tweaks.

Secondly, I am by no means a routing/switch/VPNserver/VPNclient expert, but even so I belive it will be possible to meet your needs in a simpler and less hardware intensive manner. Consider the following:

1) I am much impressed by the capabilities, the GUI and user-friendlyness of the ASUS router, like:
a) Selective routing - assigning MACs for connection through VPN tunnel.
b) Option to automatically shut-off wan access for LAN clients routed over VPN tunnel, if tunnel
goes down (fool-proof security). Plus Automatic VPN restart attempts at defined time intervals.
c) VPN "start with wan" when booting (fool-proof security)
d) VPN server for remote access to LAN clients
e) Routing and WIFI capabilities are excellent, at least for my needs
f) very stable and reliable operation

2) The only limitation is the CPU when running VPN, which is what we both want to remedy by adding
mini PC, which I believe in your case can be solved as follows:
a) Use only the ASUS router, no additional router or switch. Thereby you reduce complexity, you
avoid DDNS, WIFI interference and other conflicts, and you reduce power consumption
b) Connect the devices you want to run through the VPN tunnel to your server mini-PC,
either by ethernet or WIFI over your ASUS router (maybe you will have to use port forwarding).
(REMEMBER: I AM NOT AN EXPERT !)
c) Run your mini-PC as VPN client through VPN tunnel to remote VPN server
over WAN through the ASUS router .

However, I believe the solution under 2) may suffer from the following:
I doubt whether you on your PC-server will be able to replicate the versatility and user-friendliness
of the ASUS router as listed under 1).

In my case I will do the following:

1. Follow your efforts with interest
2. Resolve my "start with wan " issue
3. 10 MBs just meets my present VPN speed requirement, so no immediate concern. I will continue enjoying the ease of installation and user friendliness of the ASUS router for selective routing and as VPN server for Remote access
4. When speed becomes an issue, I may follow in your footsteps........

PS ! There is an easy best-of-both-worlds solution to your problem, maintaining merlin functionality while significantly increasing VPN speed. But it will cost you USD 370:
https://www.sabaitechnology.com/vpn-accelerator/