What do you guys rock for your VPN Router Setup ?

If you want price and performance, build a pfSense box. You trade off on heat, noise, and power consumption over a typical router.

My basic pfSense firewall could easily do 100Mbps VPN. That is a 5+ year old Core2 Duo box.
 
Technically the heat, noise and power consumption are relative and not much different. The Intel Atom CPU uses only a couple more watts than ARM. Drives, devices, even the Ethernet and Wi-Fi do use more power than the ARM CPU itself. The whole reason many routers pick ARM is simply cost; it's just cheaper vs x86 in giving their targeted performance.

VPN routers are crap, don't buy one, not even the Cisco RV. They're outdated and very slow, and come with slow hardware too. An x86 box running pfSense or some Linux server OS will always be faster and cheaper for the VPN performance, with the exception of the rare TileGx found in MikroTik CCRs; those things will do VPNs at multi-gigabit speeds, but pfSense is easier to set up than that.

You can build your box totally fanless; I once ran a Bulldozer quad core with just the heatsink, so no noise.
 
Another approach would be to do VPN offload to a dedicated box inside the LAN, taking the load off the gateway Router/AP device...
 
I've used everything from an APU2C4 through a USFF box rocking a G4560. My latest router was only bought yesterday. It's a reconditioned (i.e. business pull) Dell Optiplex off eBay for £180. It sports an i7 3770 @3.4GHz, 8GB RAM and a 128GB SSD with an Intel Pro 1000 VT quad port server NIC. That certainly doesn't choke on VPNs. I get my max ISP throughput (380Mbps) using WireGuard without even breaking double digits CPU usage.

As for software I've used most over the years. IPFire, pfSense, OPNsense, VyOS, Sophos, Untangle, you name it. I'm currently running a base Arch install with dnscrypt-proxy for DNS, dhcpd for DHCP, Shorewall for NAT and firewall and WireGuard for the VPN (as I said). Wireless is handled by my Ubiquiti Unifi UAC AP Pro. I run three subnets to segregate my public facing servers/NAS/Hikvision 4k CCTV system from my trusted LAN, wifi and captive portal/guest wifi. Only my trusted LAN gets routed via my WireGuard VPN provider.

Once you do it 'properly' it's impossible to go back to a consumer grade box and be happy lol. Honestly decide on your use-case, decide how many interfaces you need (two Intel NICs, unless you need a separate DMZ/wifi/whatever subnet) and decide on your budget. Almost anything x86 will run VPN at the speeds you require. As for the easiest that's an 'it depends'. If you're not comfortable with BSD or Linux then likely something like OPNsense or pfSense is best. They have a nice GUI and lots of guides online.
 
If you want price and performance, build a pfSense box. You trade off on heat, noise, and power consumption over a typical router.

My basic pfSense firewall could easily do 100Mbps VPN. That is a 5+ year old Core2 Duo box.

NanoPI NEO2 - Allwinner H5 Quad Cortex-a53....

Code:
$ openvpn --genkey --secret /tmp/secret
$ time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-gcm
Sun Dec 16 15:48:33 2018 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode

real 0m17.919s
user 0m17.897s
sys 0m0.019s

3200/17.919 = 178Mbit/Sec....

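An added example, not part of the post above or of the thread: it turns the `real` value from that `openvpn --test-crypto` run into the same 3200/seconds estimate, compares it with a line rate, and checks cpuinfo text for the AES flag. The function names and the sample cpuinfo line are constructed for illustration; the 50 and 380 Mbit/s targets are line speeds mentioned elsewhere in the thread.

```shell
#!/bin/sh
# The 3200 constant is the one used in the post; treat the result as a
# single-core estimate, not a measured tunnel speed.

# Convert a `time` "real" value such as 0m17.919s or 1m02.5s to seconds.
real_to_seconds() {
    printf '%s\n' "$1" | awk -F'm' '{ sub(/s$/, "", $2); printf "%.3f", $1 * 60 + $2 }'
}

# Estimated OpenVPN throughput in Mbit/s for a given "real" value.
estimate_mbps() {
    secs=$(real_to_seconds "$1")
    awk -v s="$secs" 'BEGIN { if (s <= 0) exit 1; printf "%.1f", 3200 / s }'
}

# Read /proc/cpuinfo-style text on stdin; succeed if the CPU advertises AES
# instructions ("flags" line on x86, "Features" line on ARM).
cpu_has_aes() {
    awk -F: '/^(flags|Features)/ {
                 n = split($2, f, " ")
                 for (i = 1; i <= n; i++) if (f[i] == "aes") found = 1
             }
             END { exit found ? 0 : 1 }'
}

# Compare the estimate with the line rate the tunnel has to carry.
verdict() {  # usage: verdict <real> <line_rate_mbps>
    est=$(estimate_mbps "$1") || { echo "invalid timing"; return 1; }
    awk -v e="$est" -v l="$2" 'BEGIN {
        if (e >= l) printf "ok: ~%s Mbit/s estimated, line rate %s\n", e, l
        else        printf "cpu-bound: ~%s Mbit/s estimated, line rate %s\n", e, l
    }'
}

# Constructed sample input: the timing quoted in the post and a made-up
# ARM-style cpuinfo line (not captured from the board in the post).
SAMPLE_REAL="0m17.919s"
SAMPLE_CPUINFO="Features : fp asimd evtstrm aes pmull sha1 sha2 crc32"

verdict "$SAMPLE_REAL" 50     # 50 Mbit/s line
verdict "$SAMPLE_REAL" 380    # 380 Mbit/s line
if printf '%s\n' "$SAMPLE_CPUINFO" | cpu_has_aes; then
    echo "AES instructions: present"
fi
```

On a live Linux system, `cpu_has_aes < /proc/cpuinfo` performs the same flag check against the real CPU.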
 
Hi All,

I'm currently wondering what you guys rock for your VPN Router Setups? I myself currently have a DD-WRT router bought for around £150. I have 50mb fibre optic internet and without VPN I get full speed and 6.1/6.5mbps when I download any file. However, when I'm on the VPN I get between ~10mb and ~15mb and around 650kbps or 1.1mbps when downloading a file. This is quite bad and I don't get the full speed that I pay for. I know that in my case encryption and processor in the said router are limiting my speeds a lot.

I was thinking about getting a better setup for my VPN which I could set up easily and very quickly without spending many hours on it.

I converted an old Win 7 PC to a router running pfSense. Cost a few bucks for a second NIC. 6x faster OpenVPN performance than my AC88U. Details on my blog site.....
https://x3mtek.com/openvpn-performance/
 
Is that 50 Mbps for all users on the network at the same time or when only one user is using it?

That's the maximum throughput that OpenVPN clients will be able to achieve. LAN users are unaffected.
 
What I meant was that all users would be capable of achieving full speeds of downloads from the internet at the same time.

Let me rephrase my answer differently.

All OpenVPN users will only be able to achieve a maximum of 50 Mbps in total (so, two users downloading at the same time from two OpenVPN clients will get 25 Mbps each).
All your LAN clients who aren't going through the VPN tunnel are completely unaffected, and will always hit the max speed of your Internet connection (minus what is currently in use by the remote users, of course).

Also, has there ever been any router made that was able to handle VPNs properly?

Depends what you mean by "properly". These routers do support it "properly". It's a matter of CPU power versus throughput. VPNs involve encryption, which is CPU intensive. The throughput reached will depend on the power of your CPU. An OpenVPN client connected to an RT-AC86U for instance on a 100 Mbps Internet connection would be able to max out the connection (minus the encryption overhead of course - encrypted data is slightly bigger). But if you have an Internet connection in the 500-1000 Mbps range, you will need a desktop-class CPU to be able to get anywhere close to the max throughput allowed by your Internet connection.
 
All OpenVPN users will only be able to achieve a maximum of 50 Mbps in total (so, two users downloading at the same time from two OpenVPN clients will get 25 Mbps each).

Might want to retract that one... while the VPN pipe size is 50Mbps in your example, each client will not be cut by N clients...

Depends on what each client is doing...
 
Might want to retract that one... while the VPN pipe size is 50Mbps in your example, each client will not be cut by N clients...

Depends on what each client is doing...

I stand by what I wrote. If two clients are downloading at the same time, the throughput will be cut in half because the bottleneck is the CPU - regardless of the type of client activity, the encryption process will be the same.

The bottleneck isn't the bandwidth, it's the CPU doing the encryption.
 
I stand by what I wrote. If two clients are downloading at the same time, the throughput will be cut in half because the bottleneck is the CPU - regardless of the type of client activity, the encryption process will be the same.

The bottleneck isn't the bandwidth, it's the CPU doing the encryption.

Two different clients - two application flows - one might only be 3Mbit, and the other 20Mbit...

With OpenVPN, yes, it's one pipe, and the core is doing the hard work, that's granted, but at the same time - if one has a 50Mbit pipe, it's shared ad-hoc between the clients... and the clients don't know they are on a tunnel...
 
Two different clients - two application flows - one might only be 3Mbit, and the other 20Mbit...

With OpenVPN, yes, it's one pipe, and the core is doing the hard work, that's granted, but at the same time - if one has a 50Mbit pipe, it's shared ad-hoc between the clients... and the clients don't know they are on a tunnel...

His concerns were about the limitation, therefore in my example scenario I used two clients who were hitting that limitation. Obviously if clients aren't each trying to push as much as they can, the total usage will be split differently, and the 50 Mbps hard limit won't be reached.
 
I’m using pfSense running on a Qotom i3 box; works great. If you go with Sophos or Untangle, you can get away with one of their less expensive Celeron 3215 boxes. The 3215 has better single core performance compared to the popular J1900 which helps with OpenVPN performance. An i3 of course is better as it also has AES-NI onboard.


 
If VPN is the intended goal, then you must go for a CPU that has AES-NI, otherwise the performance will be lacking.
 
I’ve gotten the J1900 up around 100Mbps using OpenVPN; the 3215 does better. That might be enough for many, but I agree AES-NI makes a huge difference.


 