What do you guys rock for your VPN Router Setup ?

[Green_Goblin]

bbbbbbbbbbbbbb

 

[degrub]

https://www.smallnetbuilder.com/google-search-results?q=vpn router

RTF.

 

[MichaelCG]

If you want price and performance, build a pfSense box. You trade off on heat, noise, and power consumption over a typical router.

My basic pfSense firewall could easily do 100Mbps VPN. That is a 5+ year old Core2 DUI box.

 

[System Error Message]

technically the heat, noise and power consumption are relative and not much different. The intel atom CPU uses only a couple more watts than ARM. Drives, devices, even the ethernet and wifi do use more power than the ARM CPU itself. The whole reason many routers pick ARM is simply cost, its just cheaper vs x86 in giving their targeted performance.

VPN routers are crap, dont buy one, not even the cisco RV. They're outdated and very slow, come with slow hardware too. a x86 box running pfsense or some linux server OS will always be faster and cheaper for the VPN performance with the exception of the rare TileGx found in mikrotik CCRs, those things will do VPNs in the multi gigabit speeds but pfsense is easier to set up than that.

you can build your box totally fanless, i once ran a bulldozer quad core with just the heatsink, so no noise.

 

[RMerlin]

Depends on the cipher used. An Asus RT-AC66U_B1 should be able to get close to 50 Mbps with OpenVPN and AES-128-CBC. For higher speed, see this thread:

https://www.snbforums.com/threads/openvpn-performance-of-the-rt-ac86u.41217/

 

[sfx2000]

Another approach would be to do VPN offload to a dedicated box inside the LAN, taking the load off the gateway Router/AP device...

 

[mikeekimmike]

What sfx2000 said.

If you have an extra box laying around: https://openvpn.net/software-packages/
You get 2 free users.
Comes with 2FA out of the box.

 

[Rainmaker]

I've used everything from an APU2C4 through a USFF box rocking a G4560. My latest router was only bought yesterday. It's a reconditioned (i.e. business pull) Dell Optiplex off eBay for £180. It sports an i7 3770 @3.4GHz, 8GB RAM and a 128GB SSD with an Intel Pro 1000 VT quad port server NIC. That certainly doesn't choke on VPNs. I get my max ISP throughput (380Mbps) using WireGuard without even breaking double digits CPU usage.

As for software I've used most over the years. IPFire, pfSense, OPNsense, VyOS, Sophos, Untangle, you name it. I'm currently running a base Arch install with dnscrypt-proxy for DNS, dhcpd for DHCP, Shorewall for NAT and firewall and WireGuard for the VPN (as I said). Wireless is handled by my Ubiquiti Unifi UAC AP Pro. I run three subnets to segregate my public facing servers/NAS/Hikvision 4k CCTV system from my trusted LAN, wifi and captive portal/guest wifi. Only my trusted LAN gets routed via my WireGuard VPN provider.

Once you do it 'properly' it's impossible to go back to a consumer grade box and be happy lol. Honestly decide on your use-case, decide how many interfaces you need (two Intel NICs, unless you need a separate DMZ/wifi/whatever subnet) and decide on your budget. Almost anything x86 will run VPN at the speeds you require. As for the easiest that's an 'it depends'. If you're not comfortable with BSD or Linux then likely something like OPNsense or pfSense is best. They have a nice GUI and lots of guides online.

 

[sfx2000]

If you want price and performance, build a pfSense box. You trade off on heat, noise, and power consumption over a typical router.

My basic pfSense firewall could easily do 100Mbps VPN. That is a 5+ year old Core2 DUI box.

NanoPI NEO2 - Allwinner H5 Quad Cortex-a53....

$ openvpn --genkey --secret /tmp/secret
$ time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-gcm
Sun Dec 16 15:48:33 2018 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode

real 0m17.919s
user 0m17.897s
sys 0m0.019s

3200/17.919 = 178Mbit/Sec....

 

[Xentrk]

Hi All,

I'm currently wondering what you guys rock for your VPN Router Setups ? I myself currently have a DD-WRT router bought for around £150. I have 50mb fibre optic internet and without VPN I get full speed and 6.1/6.5mbps when I download any file. However, when I'm on the VPN I get between ~10mb and ~15mb and around 650kbps or 1.1mbps when downloading a file, this is quite bad and I don't get the full speed that I pay for. I know that in my case encryption and processor in the said router are limiting my speeds a lot.

I was thinking about getting a better setup for my VPN which I could easily and very fast set it up without spending many hours on it.

I converted an old Win 7 PC to a router running pfSense. Cost a few bucks for a second NIC. 6x faster OpenVPN performance than my AC88U. Details on my blog site.....
https://x3mtek.com/openvpn-performance/

 

[RMerlin]

Is that 50 Mbps for all users on the network at the same time or when only one user is using it ?

That's the maximum throughput that OpenVPN clients will be able to achieve. LAN users are unaffected.

 

[RMerlin]

What I meant was that all users would be capable of achieving full speeds of downloads from the internet at the same time.

Let me rephrase my answer differently.

All OpenVPN users will only be able to achieve a maximum of 50 Mbps in total (so, two users downloading at the same from two OpenVPN clients will get 25 Mbps each).
All your LAN clients who aren't going through the VPN tunnel are completely unaffected, and will always hit the max speed of your Internet connection (minus what is currently in use by the remote users, of course).

Also, have there been any router made ever that was able to handle VPN's properly ?

Depends what you mean by "properly". These routers do support it "properly". It's a matter of CPU power versus throughput. VPNs involve encryption, which is CPU intensive. The throughput reached will depend on the power of your CPU. An OpenVPN client connected to an RT-AC86U for instance on a 100 Mbps Internet connection would be able to max out the connection (minus the encryption overhead of course - encrypted data is slightly bigger). But if you have an Internet connection in the 500-1000 Mbps range, you will need a desktop-class CPU to be able to get anywhere close to the max throughput allowed by your Internet connection.

 

[sfx2000]

I converted an old Win 7 PC to a router running pfSense. Cost a few bucks for a second NIC. 6x faster OpenVPN performance than my AC88U. Details on my blog site.....
https://x3mtek.com/openvpn-performance/

I think one of the key take aways is that for some users - offloading OpenVPN to an external box is going to offer a lot of performance gain...

 

[sfx2000]

All OpenVPN users will only be able to achieve a maximum of 50 Mbps in total (so, two users downloading at the same from two OpenVPN clients will get 25 Mbps each).

Might want to retract that one... while the VPN pipe size is 50Mbps in your example, each client will not be cut by N clients...

Depends on what each client is doing...

 

[RMerlin]

Might want to retract that one... while the VPN pipe size is 50Mbps in your example, each client will not be cut by N clients...

Depends on what each client is doing...

I stand by what I wrote. If two clients are downloading at the same time, the throughput will be cut in half because the bottleneck is the CPU - regardless of the type of client activity, the encryption process will be the same.

The bottleneck isn't the bandwidth, it's the CPU doing the encryption.

 

[sfx2000]

I stand by what I wrote. If two clients are downloading at the same time, the throughput will be cut in half because the bottleneck is the CPU - regardless of the type of client activity, the encryption process will be the same.

The bottleneck isn't the bandwidth, it's the CPU doing the encryption.

Two different clients - two application flows - one might only be 3Mbit, and the other 20Mbit...

With OpenVPN, yes, it's one pipe, and the core is doing the hard work, that's granted, but at the same time - if one has a 50Mbit pipe, it's shared ad-hoc between the clients... and the clients don't know they are on a tunnel...

 

[RMerlin]

Two different clients - two application flows - one might only be 3Mbit, and the other 20Mbit...

With OpenVPN, yes, it's one pipe, and the core is doing the hard work, that's granted, but at the same time - if one has a 50Mbit pipe, it's shared ad-hoc between the clients... and the clients don't know they are on a tunnel...

His concerns were about the limitation, therefore in my example scenario I used two clients who were hitting that limitation. Obviously if clients aren't each trying to push as much as they can, the total usage will be split differently, and the 50 Mbps hard limit won't be reached.

 

[rnatalli]

I’m using pfSense running on a Qotom i3 box; works great. If you go with Sophos or Untangle, you can get away with one of their less expensive Celeron 3215 boxes. The 3215 has better single core performance compared to the popular J1900 which helps with OpenVPN performance. An i3 of course is better as it also has AES-NI onboard.


Sent from my iPhone using Tapatalk

 

[RMerlin]

If VPN is the intended goal,, then you must go for a CPU that has AES-NI, otherwise the performance will be lacking.

 

[rnatalli]

I’ve gotten the J1900 up around 100Mbps using OpenVPN; the 3215 does better. That might be enough for many, but I agree AES-NI makes a huge difference.


Sent from my iPhone using Tapatalk