Hardware VPN for Home

NSimone621

n00b
Joined
May 20, 2014
Messages
15
Hello Everyone,

I'm off to college in a week and want to set up a VPN from my laptop at college to my home. I have a FreeNAS setup at home and multiple servers. To simplify things and still let me manage all my servers and access my NAS, I think a VPN is the best option, and I can keep the college from monitoring my internet traffic. Hardware-based would be best for the home end, possibly a router with this built in. And my only college internet access is wireless, so my college end of the network would have to be software-based. Any help or ideas are greatly appreciated!

-Nico
 

timta2

[H]ard|Gawd
Joined
Feb 3, 2010
Messages
1,393
I would first make sure that they won't slow your encrypted traffic (since they can't spy on it); otherwise you might just end up wasting time and/or money. Some universities are notoriously bad about this; they want to protect those Federal dollars they receive. You can probably do some research online or contact the IT department and ask if they slow encrypted traffic.
 

diizzy

2[H]4U
Joined
Nov 6, 2008
Messages
2,602
Just go with the TP-Link TL-WDR3600; it'll do about 10-15 Mbit/s of encrypted traffic using OpenVPN. You can accomplish this by using OpenWrt instead of the vendor-provided firmware.
//Danne
 

/usr/sbin

Successfully Trolled by Megalith
Joined
Jul 18, 2010
Messages
3,927
Do you have a PC on all the time at home? You can run OpenVPN AS in a VM such as VMware Player. Cost would be free.
 

NSimone621

n00b
Joined
May 20, 2014
Messages
15
I have a 50/15 connection at home; I doubt the school cares about encrypted traffic as it's an outdated state school. I have computers that run, but I'd prefer a hardware setup. I have a cheap Netgear wireless router, but I also have a rack setup, and a rack-mount or standalone piece of hardware would be best for me. I have no problem buying used Cisco or SonicWall or other enterprise hardware.
 

dmolter

Limp Gawd
Joined
Sep 30, 2009
Messages
290
I would first make sure that they won't slow your encrypted traffic (since they can't spy on it); otherwise you might just end up wasting time and/or money. Some universities are notoriously bad about this; they want to protect those Federal dollars they receive. You can probably do some research online or contact the IT department and ask if they slow encrypted traffic.
^This. You may get there and have them rate limit not only encrypted traffic, but all traffic coming from your device. Chances are you might be able to connect, but file shares will be slow especially during peak usage time.
 

diizzy

2[H]4U
Joined
Nov 6, 2008
Messages
2,602
...although using a computer/pfSense as a VPN gateway is just way overkill/a waste of money.
//Danne
 

marsboer

n00b
Joined
Dec 3, 2010
Messages
58
I do not know any embedded solution that costs less than a computer that allows me to run OpenVPN at 100/100 Mbit/s.

OpenVPN at full throughput is very important if you are not only using it for connecting to your home, but also as a common VPN gateway for hosts in your network, for sharing a single anonymizing VPN service (often used for torrenting etc.). This is much more flexible than establishing a VPN connection from each host in your network, as the hosts do not have to be configured for VPN in any way. I use policy routing and iptables for this at home.
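The policy-routing setup marsboer describes, written out as an added example (this is not code from the thread or from any poster): on a Linux gateway, packets from a chosen set of LAN hosts are marked in iptables before the routing decision, a separate routing table sends marked traffic into the tunnel, and a blackhole route behind the tunnel route stops those hosts from leaking out via the ISP if the tunnel drops. The interface names (eth1, tun0), table number 100 and the host addresses are assumptions; without APPLY=1 the script only prints the commands so they can be reviewed first.

```sh
#!/bin/sh
# Added example (not from the thread): send selected LAN hosts out through a
# VPN tunnel on a Linux gateway with iptables marks and policy routing.
# Assumed names, change to match your box:
#   LAN_IF    - LAN-facing interface of the gateway
#   VPN_IF    - tunnel interface created by the VPN client (OpenVPN default: tun0)
#   VPN_TABLE - spare routing table number
#   VPN_HOSTS - LAN addresses that must only reach the Internet via the tunnel
# Without APPLY=1 every command is echoed instead of executed, so the script can
# be reviewed before it touches anything.

LAN_IF=${LAN_IF:-eth1}
VPN_IF=${VPN_IF:-tun0}
VPN_TABLE=${VPN_TABLE:-100}
FWMARK=${FWMARK:-0x1}
VPN_HOSTS=${VPN_HOSTS:-"192.168.1.50 192.168.1.51"}

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# Routing side: a dedicated table whose default route is the tunnel, consulted
# only for packets carrying FWMARK.  The blackhole route sits behind the tunnel
# route with a worse metric: if the tunnel goes down and its route vanishes,
# marked hosts are dropped rather than silently falling back to the ISP.
vpn_routing_table() {
    run ip route replace default dev "$VPN_IF" table "$VPN_TABLE"
    run ip route replace blackhole default metric 1000 table "$VPN_TABLE"
    run ip rule add fwmark "$FWMARK" lookup "$VPN_TABLE" priority 1000
    # Replies arrive on the tunnel although the main table would route the
    # remote address via the WAN; strict reverse-path filtering would drop them.
    run sysctl -w net.ipv4.conf."$VPN_IF".rp_filter=2
}

# Firewall side: mark packets from the chosen hosts before the routing
# decision (mangle/PREROUTING), masquerade them behind the tunnel address, and
# refuse to forward them anywhere except into the tunnel.
vpn_firewall_rules() {
    for h in $VPN_HOSTS; do
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$h" \
            -j MARK --set-mark "$FWMARK"
        run iptables -A FORWARD -i "$LAN_IF" -s "$h" ! -o "$VPN_IF" -j REJECT
    done
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
    run iptables -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
    run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Usage:  sh vpn-policy.sh show      (print the commands)
#         sudo APPLY=1 sh vpn-policy.sh apply
case "${1:-}" in
    show)  vpn_routing_table; vpn_firewall_rules ;;
    apply) APPLY=1; vpn_routing_table; vpn_firewall_rules ;;
esac
```

The rules are appended rather than inserted, so they take effect after whatever FORWARD policy the box already has; on a gateway with a default-DROP FORWARD chain the two ACCEPT lines are what actually lets the marked hosts through.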
 

diizzy

2[H]4U
Joined
Nov 6, 2008
Messages
2,602
Last time I checked 15 Mbit wasn't 100 Mbit, but I might be behind the times these days....
//Danne
 

marsboer

n00b
Joined
Dec 3, 2010
Messages
58
He has a 50 Mbit/s downlink. Why limit yourself to anything but the full line potential in any direction? With that said, there are some new routers that can actually manage 50 Mbit/s in one direction that I have seen.
 

jadams

2[H]4U
Joined
Mar 14, 2010
Messages
4,086
...although using a computer/pfSense as a VPN gateway is just way overkill/a waste of money.
//Danne

Please don't spread misinformation. The router you mentioned is $70 new. pfSense-capable hardware can be found for much less than this, especially if we consider an existing, unused PC.

Overkill/reliability/value is subjective. I presented a solution. You can leave that up to him.
 

FlangeMonkey

Limp Gawd
Joined
Sep 11, 2010
Messages
161
If you're using FreeNAS, why don't you just install OpenVPN within a jail, or use the new VirtualBox jail to deploy pfSense or something similar?

If you also have other boxes, are they virtualized? This can be done on anything virtual.

OpenVPN is probably the way to go, be it hardware or software...
 

NSimone621

n00b
Joined
May 20, 2014
Messages
15
Hey Everyone, thanks for all the help so far. All my stuff is physical boxes, no virtualization. For this OpenVPN setup, could I just reuse a business-class desktop and throw in an extra NIC? I am not sure if OpenVPN is a pass-through appliance or just one-sided. I have some old Fireboxes and a BlueCat appliance I planned to put pfSense on, but I've been working 7 days a week so never got around to deploying it. I'll most likely run OpenVPN; it's just a matter of what I need to do so.
 

FlangeMonkey

Limp Gawd
Joined
Sep 11, 2010
Messages
161
You don't need a second NIC, but it depends on whether you intend to use the desktop as a router/firewall. If it's just OpenVPN you can PAT the ports to the box on the inside and route accordingly, depending on how you configure OpenVPN. It also doesn't need to be something powerful, but memory will help. Check out the pfSense site for hardware requirements.

On the FreeNAS front you can still deploy a jail or VirtualBox. I have done a jail on my freenas with OpenVPN installed. It works... I didn't have hardware at the time and I needed something quick. I won't get hardware specifically for this because I'm happy, but if I had a router that supported OpenVPN, I'd do it from there.
 

diizzy

2[H]4U
Joined
Nov 6, 2008
Messages
2,602
@ jadams
Please do tell how, in this case, using a 15 Mbit connection, it would be justified to run pfSense. A full-blown computer (x86/x64) would be inefficient in power usage, much larger, and, not to forget, would dissipate a lot more heat (with the needed performance in mind). The only positive would be if it were free, but in 2 years you would've paid that money in electricity costs (at least here in Sweden).

The router is btw about $15 cheaper than what you quoted...
56.99 at B&H Photo, 49.99 excl. shipping over at ncixus.com, etc. :)

//Danne
 

NSimone621

n00b
Joined
May 20, 2014
Messages
15
Hey Everyone, I think due to time constraints (gone next Wednesday) and to simplify switching out equipment, I'll just add in an old desktop to run OpenVPN. Can I just hook it up to one of my existing switches? Since you say it only needs one NIC, it shouldn't be hard for me to grab one. I am new to most of this; networking and computing is just a hobby of mine. I go to school for Marine Transportation, fancy lingo for how to drive a cargo/cruise ship. If someone could point me to a tutorial for setting up OpenVPN on a Windows machine I would be grateful, as well as recommended hardware specs; I just need to know if 2GB of RAM will be enough, or whether I should up it to 4, 8, etc. Not sure how to deploy this, so all help is greatly appreciated. I would run the jail setup, but I am unfamiliar with that and need the LAN access to my servers so I can power them on when I need. I planned on setting up full remote access and have an ideal pfSense setup, but I never got around to it.

Thanks!
Nico
 

diizzy

2[H]4U
Joined
Nov 6, 2008
Messages
2,602
Exactly what do you want to do? Replace your current router with one that also does OpenVPN?
//Danne
 

Nicklebon

Gawd
Joined
May 22, 2006
Messages
819
Find a cheap used small FortiGate on eBay and use the free FortiClient for IPsec or SSL VPN. Most of them include two free FortiTokens, so you install the app on your smartphone and have the added security of token authentication for two users.
 

NSimone621

n00b
Joined
May 20, 2014
Messages
15
Don't really have the time to replace; I'm looking more to add in something at this point. The FortiGate sounds good down the line, but I need this implemented within a week so I'll likely go the desktop OpenVPN route.
 

marsboer

n00b
Joined
Dec 3, 2010
Messages
58
Hey Everyone, I think due to time constraints (gone next Wednesday) and to simplify switching out equipment, I'll just add in an old desktop to run OpenVPN. Can I just hook it up to one of my existing switches? Since you say it only needs one NIC, it shouldn't be hard for me to grab one. I am new to most of this; networking and computing is just a hobby of mine. I go to school for Marine Transportation, fancy lingo for how to drive a cargo/cruise ship. If someone could point me to a tutorial for setting up OpenVPN on a Windows machine I would be grateful, as well as recommended hardware specs; I just need to know if 2GB of RAM will be enough, or whether I should up it to 4, 8, etc. Not sure how to deploy this, so all help is greatly appreciated. I would run the jail setup, but I am unfamiliar with that and need the LAN access to my servers so I can power them on when I need. I planned on setting up full remote access and have an ideal pfSense setup, but I never got around to it.

I normally would not do it this way if you want to deploy this as a VPN into your network. The smoothest networking experience will come from using VPN at the actual gateway in a small home setup.

Unless you do some magic on the VPN server you will get the following scenario:

1. To reach the VPN-connected hosts (or reply to packet requests) your hosts would send the packets to their configured default gateway, as the VPN-clients are on a different subnet.
2. Since the VPN-server is not running on the gateway, the traffic has to be routed to the VPN host. This is done by using static routes that you manually add on the gateway.
3. If you place the VPN server on anything but a dedicated subnet, hosts on the same subnet as the VPN server will not be routed through the gateway to the VPN server, but will actually just get an ICMP redirect message from the gateway, as the VPN server is on the same LAN and hence it is faster to connect directly to it, and it is normally not allowed in any router to route traffic out the same logical interface it came in on.
4. In other words you first send a packet to the gateway, then get a redirect response, then resend the packet to the VPN-server, for each and every network connection. This is very suboptimal.

There are three ways to solve this without redirecting:
1. Ideal solution: Place the VPN-server on a dedicated subnet with only the gateway and the VPN-server, just like you would with a router to router connection.
2. Worst solution: Ensure each and every host on the same subnet as the VPN-server has a static route to the VPN-server for the VPN-subnet, alternatively use OSPF or other dynamic routing on all hosts on the VPN-server's subnet.
3. Compromise solution: NAT all traffic on the VPN server to use the single internal address when talking to the LAN. This will cause issues if you want to reach services from the LAN to the VPN clients, but you seem to only want to use the VPN as a client, not server to network or network to network, i.e. a road-warrior setup.
 
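marsboer's post above, and FlangeMonkey's earlier point that a single-NIC box only needs the ports PATed to it, as an added example (not code from the thread or from any poster): an OpenVPN road-warrior server on an ordinary LAN host, the "compromise solution" NAT rules on that host, and the static-route alternative that would instead go on the gateway. The addresses (192.168.1.0/24 LAN, 10.8.0.0/24 tunnel, VPN host 192.168.1.10), the interface names and the certificate file names are assumptions; the consumer router still has to forward UDP/1194 to the VPN host, which this script cannot do for you. Without APPLY=1 the ip/iptables/sysctl commands are printed rather than run.

```sh
#!/bin/sh
# Added example (not from the thread): an OpenVPN road-warrior server running on
# an ordinary LAN host (not on the gateway), with the two ways to make LAN hosts
# reachable from VPN clients: NAT on the VPN host, or a static route on the gateway.
# Assumed addresses, not from the thread:
#   LAN_NET   192.168.1.0/24     home LAN
#   VPN_NET   10.8.0.0/24        tunnel subnet handed out by OpenVPN
#   LAN_IF    eth0               the VPN host's single NIC
#   VPN_HOST  192.168.1.10       the VPN host's LAN address
# The consumer router still has to forward UDP/1194 (PAT) to VPN_HOST.
# Without APPLY=1 the ip/iptables/sysctl commands are echoed, not executed.

LAN_NET=${LAN_NET:-192.168.1.0/24}
LAN_MASK=${LAN_MASK:-255.255.255.0}
VPN_NET=${VPN_NET:-10.8.0.0/24}
LAN_IF=${LAN_IF:-eth0}
VPN_HOST=${VPN_HOST:-192.168.1.10}

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# server.conf: routed (dev tun) rather than bridged (dev tap).  The pushed route
# is what tells each laptop that the home LAN lives behind the tunnel; the
# certificate/key files are whatever your PKI (e.g. easy-rsa) produced.
# 'group nogroup' is the Debian name; use 'nobody' on Red Hat style systems.
write_server_conf() {
    net=${VPN_NET%/*}    # 10.8.0.0
    lan=${LAN_NET%/*}    # 192.168.1.0
    cat > "$1" <<EOF
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
tls-version-min 1.2
remote-cert-tls client
cipher AES-256-CBC
auth SHA256
server $net 255.255.255.0
push "route $lan $LAN_MASK"
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
EOF
}

# Needed on the VPN host in both variants: forward between tun0 and the LAN,
# but only for the tunnel subnet, and only LAN->tunnel for established flows.
forwarding_on_vpn_host() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -A FORWARD -i tun0 -o "$LAN_IF" -s "$VPN_NET" -d "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o tun0 -d "$VPN_NET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Compromise solution: hide the tunnel subnet behind VPN_HOST's LAN address.
# LAN hosts then see ordinary LAN-sourced traffic and need no routes; the cost
# is that LAN hosts cannot initiate connections to VPN clients.
nat_on_vpn_host() {
    forwarding_on_vpn_host
    run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$LAN_IF" -j MASQUERADE
}

# Static-route alternative: run on the gateway, not the VPN host.  Without it,
# LAN hosts' replies to 10.8.0.x go to the default gateway and on to the ISP,
# where they are lost; with it, the gateway forwards them back out the LAN
# interface and sends the sender an ICMP redirect for every new flow, as
# described above.  pfSense/Linux gateways accept this; most consumer routers
# have no way to add it.
static_route_on_gateway() {
    run ip route add "$VPN_NET" via "$VPN_HOST" dev "$LAN_IF"
}

# Usage:  sh vpn-host.sh conf server.conf
#         sudo APPLY=1 sh vpn-host.sh nat        (on the VPN host)
#         sudo APPLY=1 sh vpn-host.sh route      (on a Linux gateway instead of nat)
case "${1:-}" in
    conf)  write_server_conf "${2:-server.conf}" ;;
    nat)   nat_on_vpn_host ;;
    route) forwarding_on_vpn_host; static_route_on_gateway ;;
esac
```

Pick one of the two: with the static route in place you do not want the MASQUERADE rule as well, since then LAN hosts would never see the 10.8.0.x addresses the route exists for.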

jadams

2[H]4U
Joined
Mar 14, 2010
Messages
4,086
@ jadams
Please do tell how, in this case, using a 15 Mbit connection, it would be justified to run pfSense. A full-blown computer (x86/x64) would be inefficient in power usage, much larger, and, not to forget, would dissipate a lot more heat (with the needed performance in mind). The only positive would be if it were free, but in 2 years you would've paid that money in electricity costs (at least here in Sweden).

The router is btw about $15 cheaper than what you quoted...
56.99 at B&H Photo, 49.99 excl. shipping over at ncixus.com, etc. :)

//Danne

You sir don't seem to be up to date on either hardware or pfSense.

But I'll humor you. Any machine that runs this in this setup will remain mostly idle, meaning the CPU will be using virtually no power. As for peripherals? The hard drive will spin up on startup, and after the pfSense OS is loaded it doesn't get used again. Additionally, pfSense can adjust the clock speed dynamically depending on load. It's very difficult to give exact numbers, but I've had Kill A Watts hooked up to various pfSense boxes and you're incorrect. A pfSense box used like this would sit mostly idle and, even while in use, would use very little CPU processing power to encrypt/decrypt 15 Mbit of traffic. You won't come close to 50 kWh/year, which in my area is $6/year.

Additionally, OP already said he has an old PC to donate to this. Problem solved. In this instance those fancy dancy Intel NICs aren't required. A simple Realtek NIC will do. That brings this project to a total of $10 investment.

Lastly, you're left with a very expandable and flexible system. Once OP sees what else it can do he'll probably be hooked. Even if he doesn't.... so what? What else can you do with this router you suggested? Paperweight? Gun range target? Toy for the dog?

Lastly, lastly.... you forget what forum you're on? We don't suggest no stinkin' crappy SOHOs round these parts!
 

FlangeMonkey

Limp Gawd
Joined
Sep 11, 2010
Messages
161
I normally would not do it this way if you want to deploy this as a VPN into your network. The smoothest networking experience will come from using VPN at the actual gateway in a small home setup.

Unless you do some magic on the VPN server you will get the following scenario:

1. To reach the VPN-connected hosts (or reply to packet requests) your hosts would send the packets to their configured default gateway, as the VPN-clients are on a different subnet.
2. Since the VPN-server is not running on the gateway, the traffic has to be routed to the VPN host. This is done by using static routes that you manually add on the gateway.
3. If you place the VPN server on anything but a dedicated subnet, hosts on the same subnet as the VPN server will not be routed through the gateway to the VPN server, but will actually just get an ICMP redirect message from the gateway, as the VPN server is on the same LAN and hence it is faster to connect directly to it, and it is normally not allowed in any router to route traffic out the same logical interface it came in on.
4. In other words you first send a packet to the gateway, then get a redirect response, then resend the packet to the VPN-server, for each and every network connection. This is very suboptimal.

There are three ways to solve this without redirecting:
1. Ideal solution: Place the VPN-server on a dedicated subnet with only the gateway and the VPN-server, just like you would with a router to router connection.
2. Worst solution: Ensure each and every host on the same subnet as the VPN-server has a static route to the VPN-server for the VPN-subnet, alternatively use OSPF or other dynamic routing on all hosts on the VPN-server's subnet.
3. Compromise solution: NAT all traffic on the VPN server to use the single internal address when talking to the LAN. This will cause issues if you want to reach services from the LAN to the VPN clients, but you seem to only want to use the VPN as a client, not server to network or network to network, i.e. a road-warrior setup.

I'm sorry, but I don't fully agree with you, and this isn't the place to get into it; if you like we can discuss it on another thread. But please feel free to comment on the below.

OpenVPN can be configured using TUN or TAP, which are Layer 3 and Layer 2. TAP would be the way to go, therefore no routes needed and the VPN would effectively become an extension of your local network.

There is a guide on the forum somewhere, I think someone recommended it in an earlier post. However without looking at that config, I could assume it would need some additional config.

It's a hard one. I would be uncomfortable replacing your router so close to leaving, but this would be the most straightforward and 'reliable to work' solution for you, considering your statements on your technical ability. It's ultimately up to you.

However, I can tell you what I did, as I was also under a small time-frame! I configured a 'poor man's VPN' using SSH tunneling to hit my equipment on the inside. I then used it as a SOCKS proxy to browse from my home ISP and configured OpenVPN remotely. You could do something similar, like RDP on a different port, or even SSH like I did. SSH might even be a good solution instead of OpenVPN.

Whatever you decide, a backdoor into your network can be a security concern, but with your time constraints, it might not be a bad idea.
 

marsboer

n00b
Joined
Dec 3, 2010
Messages
58
Layer 2 is never the way to go when using VPN, unless as a point to point between routers to be able to use interior gateway routing protocols. GRE over IPsec is a commonly used alternative for this.

Bridging whole networks into the same broadcast domain over WAN is just bad network design and should only be used if you have absolutely no choice.

You can look this up in every design guide at Cisco etc.
 

FlangeMonkey

Limp Gawd
Joined
Sep 11, 2010
Messages
161
You're talking about concepts and use cases here. By design there are requirements and solutions. You appear to be bundling what is acceptable for Enterprise (with their requirements) with what he is asking for. It's scale, requirements, and definitely isn't bad design.

OpenVPN with TAP (Layer 2) will have its advantages and disadvantages under any configuration.
 

marsboer

n00b
Joined
Dec 3, 2010
Messages
58
If you can do things according to professional best practice for free and without a significantly bigger time investment or configuration overhead, I do not see your argument for "home usage" vs "enterprise requirements".
 

TCM2

Gawd
Joined
Oct 17, 2013
Messages
572
Any machine that runs this in this setup [...] wont come close to 50kwh/year which in my area is $6/year.

That's a usage of 5.71 W. NO common PC hardware has such a low power draw. You need to go embedded for this (ALIX et al.)

Additionally OP already said he has an old PC to donate to this.

"Old" = certainly not 6 W, most probably not 30 W, more like 50 W+.

I'm all for self-building, but you need to stick to reality.
 

Nicklebon

Gawd
Joined
May 22, 2006
Messages
819
^^^^^ THIS ^^^^^^

When solutioning a project without clear requirements to the contrary, one should always follow best practices.

If there are requirements that are contrary to best practices, the solution provider should understand why those requirements exist and what the ultimate goal is. Not understanding the client's end goal is a sign of the worst kind of amateur. Oftentimes requirements are set by those who have a little understanding of the technology but lack true expertise and are simply unaware of other options. Remember, if the client actually knew how to accomplish what they wanted you likely would not be there. If possible, explain other ways to accomplish the stated goal that fall within best-practice scope. If that is not possible, then the risks should be well documented and explained so the client understands them, along with any mitigation strategies that may be available.
 

FlangeMonkey

Limp Gawd
Joined
Sep 11, 2010
Messages
161
My argument is never under any circumstances "home usage" vs "enterprise"; it's designing something to suit requirements. These titles normally generalize requirements.

Do you see what he is asking for? Please correct me: he appears to not have the time or resources to deploy a new firewall/router (but he has this option). He requires something quick, VPN-like, for communication, and has specific resources available. Do you see any other solutions for him?

My opinion is that I have no problem with using a Layer 2 tunnel technology. It doesn't suit all requirements, and there are advantages and disadvantages between L2 and L3. It doesn't mean they are bad.
 

diizzy

2[H]4U
Joined
Nov 6, 2008
Messages
2,602
@ jadams

Since I do use FreeBSD I do know how its power management works, and you haven't looked at its power management. It's simply not as good as you describe it, and certainly not out of the box running pfSense (feel free to look this up on the FreeBSD mailing lists and the wiki). Not to mention that old hardware has higher power usage in general and less efficient PSUs, and, as with all kinds of electronics, age is a factor that will affect reliability. I'll give you the opportunity to at least try to convince anyone excluding yourself that "idle" equals close to no power usage at all for a regular PC, or something that equals 12V 1A. The Atheros/QCA SoCs are probably also shit, as Mikrotik uses them in pretty much their complete product range, UBNT uses them in their APs, etc.

As for Realtek NICs, it's never been an issue regarding speed since the days of P2s (yes, you read that right). It's all about reliability, driver and hardware quirks, which are a lot fewer on Intel NICs for instance, but since you seem to doubt me I'll quote the rl driver in FreeBSD...

"* It's impossible given this rotten design to really achieve decent
* performance at 100Mbps, unless you happen to have a 400Mhz PII or
* some equally overmuscled CPU to drive it."

@ TCM2
Thanks for clearing it up =)

@ NSimone621
As others have mentioned, you're better off running this on your gateway; you can use bridge mode but it requires you to use the same C-net.
//Danne
 

zerodamage

Limp Gawd
Joined
May 18, 2007
Messages
171
What I did before setting up my pfSense router was purchase a Raspberry Pi and SSH to it via port forwarding. I wanted to be able to "VPN" into my home network and browse the web if I wanted to without hitting my work web filters. I also wanted to do all of this and still be able to access my work resources, which would not be possible with your standard OpenVPN client. A Raspberry Pi is $35 for the better B model. Once you throw in a case, SD card, and power adapter, you are talking less than $60 US.
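The SSH "poor man's VPN" that FlangeMonkey and zerodamage both describe, as an added example (not code from the thread or from either poster): the client side builds one ssh command that opens a SOCKS proxy (so only the browser, pointed at it, appears to come from the home ISP, while the rest of the laptop still reaches campus or work resources directly, which is the point zerodamage makes about a full OpenVPN client) plus per-service local forwards, and the server side appends the sshd settings that make exposing that port to the Internet less risky: key-only login, one permitted user, no reverse forwards bound to the public side. The hostname, port 2222, user, LAN addresses and key path are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): SSH as a "poor man's VPN" for a laptop
# away from home: a SOCKS proxy plus local port forwards on the client, and
# hardening lines for the sshd that is exposed through the router.
# Assumed names, not from the thread:
#   HOME_HOST  home.example.org   home address or dynamic-DNS name
#   SSH_PORT   2222               external port the router forwards to the SSH box
#   SSH_USER   nico
#   FORWARDS   local_port:lan_host:lan_port triples, e.g. the FreeNAS web UI
#              (192.168.1.20:443) and an RDP box (192.168.1.30:3389)

HOME_HOST=${HOME_HOST:-home.example.org}
SSH_PORT=${SSH_PORT:-2222}
SSH_USER=${SSH_USER:-nico}
SOCKS_PORT=${SOCKS_PORT:-1080}
KEY_FILE=${KEY_FILE:-"$HOME/.ssh/home_key"}
FORWARDS=${FORWARDS:-"8443:192.168.1.20:443 3389:192.168.1.30:3389"}

# Build the ssh command line.  -D opens a SOCKS proxy on the laptop: point the
# browser at 127.0.0.1:SOCKS_PORT and its traffic appears to come from the home
# ISP, while everything else on the laptop (campus/work resources) is untouched.
# -L publishes individual LAN services on local ports with no routing at all.
ssh_tunnel_cmd() {
    cmd="ssh -N -p $SSH_PORT -D 127.0.0.1:$SOCKS_PORT"
    for f in $FORWARDS; do
        lport=${f%%:*}      # local port on the laptop
        rest=${f#*:}        # lan_host:lan_port
        cmd="$cmd -L 127.0.0.1:$lport:$rest"
    done
    # ExitOnForwardFailure: fail loudly if a local port is taken instead of
    # silently running without the forward.  ServerAlive*: notice a dead link
    # through campus NAT within ~90 s so a reconnect loop can restart it.
    # StrictHostKeyChecking=yes: the home host key must already be in
    # known_hosts; never accept a "new" key while on a campus network.
    cmd="$cmd -o ExitOnForwardFailure=yes -o ServerAliveInterval=30"
    cmd="$cmd -o ServerAliveCountMax=3 -o StrictHostKeyChecking=yes"
    cmd="$cmd -o IdentitiesOnly=yes -i $KEY_FILE"
    echo "$cmd $SSH_USER@$HOME_HOST"
}

# sshd_config lines for the home box.  Append, then 'sshd -t' before restarting:
#   write_sshd_hardening /etc/ssh/sshd_config && sshd -t && service ssh restart
# Keys only, a single permitted user, forwards allowed but never bound to the
# public side (GatewayPorts no), and no layer-3 tun (PermitTunnel no) so the
# exposed service stays a shell-plus-forwards service and nothing more.
write_sshd_hardening() {
    cat >> "$1" <<EOF

# --- remote-access hardening (added) ---
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers $SSH_USER
MaxAuthTries 3
LoginGraceTime 30
AllowTcpForwarding yes
GatewayPorts no
X11Forwarding no
PermitTunnel no
EOF
}

# Usage:  sh poor-mans-vpn.sh cmd          (print the ssh command to run)
#         sh poor-mans-vpn.sh sshd /etc/ssh/sshd_config   (on the home box, as root)
case "${1:-}" in
    cmd)  ssh_tunnel_cmd ;;
    sshd) write_sshd_hardening "${2:?sshd_config path}" ;;
esac
```

Generate the key pair on the laptop before leaving and copy only the public half into the home account's authorized_keys; with PasswordAuthentication off, the private key on the laptop is the one credential that matters, so give it a passphrase.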
 

diizzy

2[H]4U
Joined
Nov 6, 2008
Messages
2,602
Huh, what?
What you describe is perfectly doable, given that port X is open or that it's not forced through a layer 7 proxy/firewall.
//Danne
 

ciggwin

Supreme [H]ardness
Joined
May 30, 2006
Messages
4,861
Find a cheap used small FortiGate on eBay and use the free FortiClient for IPsec or SSL VPN. Most of them include two free FortiTokens, so you install the app on your smartphone and have the added security of token authentication for two users.

I use this method with a little WatchGuard XTM 25W at my house. Since it comes with I think one license for SSL VPN and I am the only one connecting, it works great.

 

zerodamage

Limp Gawd
Joined
May 18, 2007
Messages
171
I use this method with a little WatchGuard XTM 25W at my house. Since it comes with I think one license for SSL VPN and I am the only one connecting, it works great.


I have one that I am not using at the moment. Brand new (taken out of box but never implemented). It's a few years old. It powers on but I haven't tried very hard to log into it.. yet....
 

Nate7311

2[H]4U
Joined
Jan 11, 2001
Messages
3,320
Find a cheap used small FortiGate on eBay and use the free FortiClient for IPsec or SSL VPN. Most of them include two free FortiTokens, so you install the app on your smartphone and have the added security of token authentication for two users.

Beautiful solution. That or a cheap Zyxel USG20 or 50 unit. Cheap bulletproof SSL VPN.
 

nodle

[H]ard|Gawd
Joined
Apr 9, 2001
Messages
1,557
I really like Asus routers with built in VPN. Was so easy to setup.
 

zerodamage

Limp Gawd
Joined
May 18, 2007
Messages
171
I really like Asus routers with built in VPN. Was so easy to setup.

PPTP is not the best solution though. It's actually pretty bad. It may be better than nothing, but I wouldn't depend on it if my life depended on it.
 