Whole House VPN setup

NATE1372

New Around Here
Can anyone recommend a good tutorial that can walk you through creating a whole house VPN setup? Given that our Congress has just voted to allow ISPs to sell all your browsing habits, it's time to fight back.

Also any suggestions on wireless routers that work well with a VPN setup.
Thanks, Nathan
 

One problem with whole house VPN is that you can't always run everything on a VPN. Netflix and other video streaming services attempt to block people from using them.

While you can block your ISP from knowing what web sites you are browsing they will know what movies and TV shows you are streaming.

Also remember that while your local ISP can be prevented from knowing what you are doing, the VPN provider knows, so if they want to sell that information nothing is stopping them from doing so to make a few bucks.

Newer ASUS routers running Merlin do a good job handling VPN clients, but even with a very good SOHO router your bandwidth will be reduced considerably.
 
Also any suggestions on wireless routers that work well with a VPN setup.
Hi (Ian) Nathan:rolleyes:,

I would recommend looking into www.perfect-privacy.com (PP) for a multi-hop/cascading setup - the guys there are very helpful in case you need support - but the Android config should work out of the box with your OpenVPN capable router (I - of course - recommend Asus as you see from my footer)!

And PP is not logging anything - proven in several cases where the authorities asked for logs or even seized servers: As the VPN servers run fully in memory only, no data is saved to disk (beside the stored OS-image to start from and the usernames and passwords of the users). :D
 
Keep in mind that you are hiding from your ISP, yet handing out EVERYTHING to another third party company, who might very well do the same thing you are afraid your ISP might do. Those VPN providers aren't bound by any law either preventing them from reselling browsing habits.
 
I am starting to look at this as well for the same reason. I just started reading up more this past week so I haven't gotten too far.

Current Needs:
- despise the ISPs being allowed to freely track, report, and sell my info

Solution Concerns:
- want network level not client level (don't want to have to maintain clients on every device (30+ in the house))
- speed...I have 1Gbps Internet...and desire low latency and at least 100Mbps speeds
- if using 3rd party, determine if their contract has clear Privacy statement regarding the data they collect and use (not bullet proof by any means, but better than nothing)

I am considering looking to see what the costs are to host my own in AWS or Azure....or somewhere else. Just not so sure if the data transit charges will make that just not too cost effective.
 
There is no privacy - hasn't been for years...

VPN's don't provide privacy, neither does TOR - and this data has been collected for years - and monetized..

See a Social Network button on a page? (look down at "Share this page" right here) - yep, the application layer just said you viewed this page and that data is going somewhere..
 
VPN can provide privacy from the local ISP....but not from the others on the far end of the VPN. It all depends on who you are trying to hide your details from.

If you want full end-to-end privacy? That requires a lot more work and compromises to functionality to achieve. I mostly just want to stop the prying eyes of local ISP that has visibility of all of my traffic. Not just the handful of sites that have tracking. The fact that I use services from Google, Apple, Amazon, Netflix, and Facebook clearly means I am being tracked pretty much 24/7. I just don't need my local ISP easily knowing that I am shopping for a car, expecting a baby, what shows I watch on Netflix, or some other random search/browsing of the day.
 
- speed...I have 1Gbps Internet...and desire low latency and at least 100Mbps speeds
- if using 3rd party, determine if their contract has clear Privacy statement regarding the data they collect and use (not bullet proof by any means, but better than nothing)

Good luck on finding a router that will give you at least 100Mbps on a VPN connection. Up until Comcast increased my provisioned speed from 75/10 to 150/20 I was running my VPN client on a VPN accelerator which has a 1.8 GHz Atom processor and normally getting download speeds of 70-75 on the VPN connection.

After the speed increase the best the VPN accelerator can do is 65 Mbps. Running a VPN client app on my PC with a 2.8GHz i7 processor I can get 170 Mbps download speeds. I have changed all the VPN settings, tried various servers and even experimented with other VPN providers and my conclusion is that the increased bandwidth from Comcast just overloads what the processor in the VPN accelerator can do. As another point of reference, running the VPN on an AC1900P with a 1.4 GHz processor can only download using the VPN at 55 Mbps.

If you want throughput from your 1 gig connection to be 100Mbps you are going to need a box with a very powerful processor. Whether it needs to be a quad core I7 or not I can't tell you for sure but my older PC with a 1.6Ghz I5 processor running the VPN client can only get a download speed of 50 Mbps.
 
You will most likely not find any VPN provider that will give anything near to 1 Gbps. Even if you were to rent your own VPS to do the same thing (which, personally, is what I would do if my intent was just to hide from my ISP), a VPS providing 1 Gbps of throughput will cost you more than your ISP charges you.
 
I am running pfSense on an old HP desktop with a 2.4GHz Core2 E4600 and I can get around 100Mbps today via openVPN. This is a reverse of what I am wanting to look at since pfSense is currently the server and my iPhone is the client....but getting 100Mbps performance is attainable even with older x86 hardware. I have not tested IPSEC performance on this box. My previous m0n0wall boxes (Atom N230) could easily handle my Internet connection of the time which topped out at 24Mbps doing IPSEC.

You will most likely not find any VPN provider that will give anything near to 1 Gbps. Even if you were to rent your own VPS to do the same thing (which, personally, is what I would do if my intent was just to hide from my ISP), a VPS providing 1 Gbps of throughput will cost you more than your ISP charges you.
Yep...part of my issue/concern. Do I punish my performance or bank account for the sake of a bit of privacy....I am probably too cheap to make this really work out for me and will just have to live with it. :(
 

Yep...part of my issue/concern. Do I punish my performance or bank account for the sake of a bit of privacy....I am probably too cheap to make this really work out for me and will just have to live with it. :(
I think there will be more people wanting this so I feel in time there will be some solution eventually.

Sent from my SM-G930V using Tapatalk
 

Used to run L2TP/IPSec on a Core2Duo P8800 (2.66GHz) on OSX server, and 100Mbps was definitely achievable and reliable...

pfSense on C2358 (Atom, Netgate 2440) - OVPN is pretty much the same, 100Mbps, L2TP/IPSec is similar, but lower CPU load compared to OVPN.

I'm on a 150/10 cable connection, so 100Mbps is good enough... if I were on Gigabit fiber, I would look at something like a high clocked Intel Core i3 or similar with an Intel i350 gigabit card... Keeping in mind that clock speed is more important than number of cores with OVPN since it's single threaded - and fast memory helps here.

Anyways...

With OVPN and OpenSSL - one can tell what engines are really available with the following command

openssl engine -t -c

on my current pfSense box - Atom C2358
Code:
(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
    [ available ]
(rsax) RSAX engine support
 [RSA]
    [ available ]
(rdrand) Intel RDRAND engine
 [RAND]
    [ available ]
(dynamic) Dynamic engine loading support
    [ unavailable ]

Certain chips do OpenSSL very nicely... most ARM's in the consumer space don't.
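An added check, not from the thread or from pfSense, that parses the `openssl engine -t -c` output quoted above (embedded here as a constructed sample taken from that post) and reports which engines are actually usable and what each offloads, so you can confirm crypto offload before committing a box to a whole-house VPN. It assumes a POSIX sh with awk; the /proc/cpuinfo check is Linux-only.

```shell
#!/bin/sh
# Added example (not from the thread): parse `openssl engine -t -c` output and
# report which engines are usable. SAMPLE_ENGINE_OUTPUT is the Atom C2358 listing
# posted above, embedded so the parser runs offline.
SAMPLE_ENGINE_OUTPUT='(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
    [ available ]
(rsax) RSAX engine support
 [RSA]
    [ available ]
(rdrand) Intel RDRAND engine
 [RAND]
    [ available ]
(dynamic) Dynamic engine loading support
    [ unavailable ]'

# list_engines STATUS: read engine output on stdin, print the ids whose status
# line matches STATUS ("available" or "unavailable"), one per line.
list_engines() {
    awk -v want="$1" '
        /^\(/ { id = $1; sub(/^\(/, "", id); sub(/\)$/, "", id); next }
        /\[ (un)?available \]/ {
            status = $0; gsub(/[][ ]/, "", status)
            if (status == want) print id
        }'
}

# engine_supports ENGINE ALGO: succeed if ENGINE lists ALGO in its capability line
# (the line indented by exactly one space that follows the "(id)" header).
engine_supports() {
    awk -v eng="$1" -v algo="$2" '
        /^\(/ { id = $1; sub(/^\(/, "", id); sub(/\)$/, "", id); next }
        id == eng && /^ \[/ {
            line = $0; gsub(/[][]/, "", line); n = split(line, caps, /, */)
            for (i = 1; i <= n; i++) {
                gsub(/^ +| +$/, "", caps[i])
                if (caps[i] == algo) found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# live_engine_output: run the real command when openssl is installed, else the sample.
live_engine_output() {
    if command -v openssl >/dev/null 2>&1; then openssl engine -t -c
    else printf '%s\n' "$SAMPLE_ENGINE_OUTPUT"; fi
}

# cpu_has_aesni: succeed when /proc/cpuinfo advertises the aes flag (Linux only).
cpu_has_aesni() { grep -qw aes /proc/cpuinfo 2>/dev/null; }

# Stand-alone run: show the usable engines, then whether AES-256-CBC is offloaded.
live_engine_output | list_engines available
if live_engine_output | engine_supports cryptodev AES-256-CBC; then
    echo "AES-256-CBC is handled by the cryptodev engine"
fi
```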
 
As Captain said, VPN's aren't a magic bullet.
https://arstechnica.com/security/20...ymity-ars-assesses-the-state-of-vpns-in-2016/

The Streisand DIY VPN mentioned toward the end of the article is intriguing, though.

One of the concerns with using VPN is that while one might bypass the ISP's data keeping, there's no guarantee that the VPN provider - or the DNS provider, isn't doing the same - in some ways - commercial VPN providers are a much more valued target as they do tend to concentrate traffic from multiple ISP's into a single point of focus - this would also perhaps apply towards DNS providers.

Tor here isn't much help either - as there's always an exit node, and exit nodes with high bandwidth will carry obviously more traffic - not to mention the risk of Layer 7 opportunities (the applications themselves).

Another concern is the CDN's - as the Amazon, Google, Akamai, Level 3 and others - they use DNS and packet source/dest for route optimization - so that's another problem...

Hard nut to break...

So yes, one can try VPN/TOR - TOR over VPN and inverse - all it's likely going to do is compromise performance and reliability, along with usability...

This data has always been there - and it really comes down to the contractual terms of service, and buried down in the very fine print that nobody ever reads as items like this are couched in legalese terminology rather than plain language.
 

There definitely will be a need for higher speed processors in routers as people move toward higher speed internet connections. The demands on the router for WAN to LAN processing of 500 Mbps - 1 Gig download speed, plus handling the VPN processing even if the VPN is capped at 300 - 400 Mbps by the provider's backbone, are more than currently marketed SOHO routers are capable of.

As I mentioned in previous posts processing on my PC with a 2.8 Ghz processor loads it up to 73% to give me a 170 Mbps VPN download speed.

As for using other VPN protocols, I really didn't notice much difference between OpenVPN and L2TP when I tried it on my VPNA which has just a 1.8 GHz processor. They both were maxed out at around 65 Mbps down. When Comcast increased my speed to 180/22 (over provisioned 150/20 plan) my VPN processing actually got slower as the router and VPNA were busier handling the faster WAN - LAN speed.
 
Clock speed matters with OVPN - mostly due to the context shift between kernel and userland (OVPN is a userland app, but the tunnel driver is kernel space).

Probably a good reason why Intel J1900/J1800's are popular with many of the OpenVPN crowd - they're not the stoutest processors (compared to other x86), but they're clocked fairly fast at 2.4/2.53 GHz respectively on turbo clocks - which definitely helps with the userland/kernel jumps...

Going with Airmont - Braswell does offer AES-NI, which is always appreciated over Silvermont on Baytrail-D (which doesn't have AES-NI) - with OVPN, J1800 still wins over N3700 at high bandwidths - depends on the configs, but generally...

That's why I mentioned Core-i3 - there are a couple of chips there that are close to i7 on single core performance, and OVPN will definitely win - higher clocks, and Core-i3 also does AES-NI for Ivy and later...

Clocks are also the reason why many over in the AsusWRT community do try to overclock there - the broadcom SoC's are a bit compute bound on the OpenSSL side, but more of a problem with context switching and memory performance - and there, overclocking helps more on the mem and context switches..

My preference has always been l2tp/ipsec - mostly because we don't have to do the kernel/userland jump, so it's more efficient, but even there - it will leverage CPU features and clock/mem speeds...
 

It will be interesting to see when someone with a 1 Gig connection and a VPN provider that will handle 300Mbps+ comes up with or builds a box to handle a 950+ WAN - LAN and a very fast VPN connection using a secure protocol. Hope they post the specs here online so we can all be inspired.
 
Building the box isn't the biggest challenge...it is finding a cost effective VPN provider that can handle 300Mbps.
 
finding a cost effective VPN provider that can handle 300Mbps.

Up until recently, that wasn't anything I really needed to worry about... ;)

(having direct access to a carrier grade data center with a load balanced 100Gbe connectivity across telco grade connections with redundant failover across three locations - my little 100Mbps connect was a small drop in the barrel there - nice to be on the backbone however)

But this is a very valid point for many...
 

The search for a VPN provider that can handle, or will handle for a price, 300 Mbps will have to be done by someone with the 1 Gig connection and a box that can handle it. I'm sure that some of those fortunate enough to have a 1 Gig connection could run some experiments connecting to various VPN providers, running the VPN provider's app on their PC, and see what they can get. With Astrill I can get 170 Mbps to a server 1,000 miles distant but that is maxing out my 150/20 connection.

I'm sure most VPN providers have the same opinion that ISPs have: why does anyone need a 1 Gig connection with a superfast VPN connection? Once the demand is there probably some VPN provider will use their ability to provide very fast VPN connections as a selling point.
 