VPNs: Recommend something to handle VPNing all my network traffic

Skripka ([H]F Junkie, joined Feb 5, 2012, 10,791 messages)
Like the title says, I want something to handle the VPN tunneling for all my network traffic on my LAN....I'm only tunneling to my payware VPN service, which then connects me to the internet. Currently I do not have plans for other tunneling....

My VPN SP allows IPSEC, L2TP, PPTP, or OpenVPN connections.

Some facts about my setup:
-LAN has a few desktops on it, plus phones, and a pair of laptops at times....currently those devices connect via WPA2 to a DD-WRT wifi router--->Motorola cable modem--->Wide world
-I have a 20Mbit down/2Mbit up cable modem service. I almost always get said rated speeds.
-Even on my VPN provider, I can get those speeds with minimal impact on ping, using dedicated clients on each device.
-I've tried doing the VPNing on my DD-WRT wifi router...and it is severely computationally challenged...instead of 20/2, I get 4/2 max when having my wifi router tunnel. It is simply not up to the job. I consulted my VPN SP, and they too agreed it is simply the slow-ass wifi router being inadequate to the task.


I'd like to do this on the cheap, and maintaining throughput speeds and ping....I know, I know, I get what I pay for.

What would y'all recommend...the cheapest option I may have...is turning an old HP Pentium III 750MHz tower (that isn't good for anything else) into a VPN box and having it be a network DMZ. My worry is simply that said tower isn't up to the job of doing the VPN encryption fast enough either....OTOH this option only requires some time, as the tower is on hand and not doing anything else right now.


Someone locally is selling one of these cheap ($70USD), alternatively:
http://www.amazon.com/NETGEAR-FVS318-ProSafe-Firewall-8-Port/dp/B00006B9HC

But from what I've read, that device won't be able to handle the VPN throughput without bottlenecking either...due to being only moderately less computationally limited than the wifi router I have now. And I sure as hell don't want to spend money on something that does VPN worse than anything I already have....hell, even my cellphone can VPN and get me my ISP's advertised speeds.

What would y'all do, if you were me?
 
I would start by using the old PIII 750 system to test out pfSense or a similar distro. If it works then you either keep that running or upgrade to a low power solution such as an AMD Fusion or Intel Atom solution. I do not use the VPN capabilities of pfSense but have loved its ease of use and functionality in place of my own custom solution (Fedora and iptables) that I used to run.

Additionally others may suggest using a UTM distro such as Untangle that allows for greater capabilities.

Here is a list of the Linux distros (not all are PC based):
http://en.wikipedia.org/wiki/List_of_router_or_firewall_distributions
 
Zyxel USG units are the best inexpensive hardware VPN devices I know of.

A USG 50 should allow you to use IPSEC, L2TP, or PPTP

You can even use LDAP integration if you want.
 
I would start by using the old PIII 750 system to test out pfSense or a similar distro. If it works then you either keep that running or upgrade to a low power solution such as an AMD Fusion or Intel Atom solution. I do not use the VPN capabilities of pfSense but have loved its ease of use and functionality in place of my own custom solution (Fedora and iptables) that I used to run.

Additionally others may suggest using a UTM distro such as Untangle that allows for greater capabilities.

Here is a list of the Linux distros (not all are PC based):
http://en.wikipedia.org/wiki/List_of_router_or_firewall_distributions

Linux isn't a problem, I used to run my desktop on Arch. Before I root-canal that box and spend a few hours trying to make it work, I was wondering how badly it might do at the VPN task.

Thx tho.

Zyxel USG units are the best inexpensive hardware VPN devices I know of.

A USG 50 should allow you to use IPSEC, L2TP, or PPTP

You can even use LDAP integration if you want.

Heck...it looks like even the USG20 would work. Question though regarding the max everything specs, and their relation to what I'm doing...I presume the "Max Throughput" spec is the total VPN traffic going across the device and not each connection? I also presume their "recommended user #" spec is just a recommendation?

Also the "max concurrent VPN sessions", in my scenario even with my relative plethora of devices would still only be one VPN session (presuming the VPN was running on this device), correct?...reading reviews makes me cautious, since according to reviews lots of the featureset you have to pay a subscription fee to turn on.

In terms of setup, something like a Zyxel unit would be placed like: wifi devices-->Wifi router-->Zyxel unit-->cable modem-->wide world?
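On the placement question, whichever box ends up between the wifi router and the cable modem is also the box that should enforce that LAN traffic can only leave through the tunnel; otherwise a dropped VPN session quietly falls back to the plain cable connection and nobody on the LAN notices. If that box turns out to be a Linux router (the PIII running a Linux distro, or an OpenWRT device) rather than a Zyxel, the policy below is what I would put on it. This is an added example, not from the thread or from any product mentioned in it; the interface names eth0 (LAN side), eth1 (cable modem side) and tun0 (OpenVPN client) are assumptions, and the script only prints the iptables commands unless run with --apply.

```shell
#!/bin/sh
# Added example (not from the thread): fail-closed forwarding policy for a Linux
# gateway sitting between the wifi router and the cable modem and running an
# OpenVPN client. LAN hosts may only be forwarded into the tunnel; if tun0
# disappears they get an ICMP error instead of silently going out the plain WAN.
#
# Assumed interface names (adjust for your box): eth0 = LAN side (wifi router),
# eth1 = WAN side (cable modem), tun0 = the OpenVPN client interface.
LAN=${LAN:-eth0}
WAN=${WAN:-eth1}
VPN=${VPN:-tun0}

# Print the iptables commands rather than running them, so the policy can be
# reviewed (or tested) before it is applied to a live gateway.
# Note there is deliberately no MASQUERADE on $WAN: even if a forward rule were
# added by mistake later, un-NATed private addresses would be dropped upstream.
killswitch_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -i $LAN -o $VPN -j ACCEPT
iptables -A FORWARD -i $VPN -o $LAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -j REJECT --reject-with icmp-net-unreachable
iptables -t nat -A POSTROUTING -o $VPN -j MASQUERADE
EOF
}

# Number of commands the policy consists of (handy for a quick sanity check).
rule_count() {
    killswitch_rules | wc -l | tr -d ' '
}

# The gateway's own traffic (the OpenVPN process talking to the provider, DHCP
# to the modem) still leaves via $WAN; these rules only govern forwarded LAN
# traffic, which is what the thread wants tunnelled. Run with --apply (as root)
# on the gateway to load the policy; without it the commands are just printed.
case "$1" in
    --apply) killswitch_rules | sh -e ;;
    *)       killswitch_rules ;;
esac
```

Because only LAN-to-tun0 forwarding is allowed, LAN clients' DNS lookups also go through the tunnel; if the gateway itself runs a resolver for the LAN, its own OUTPUT chain needs the same treatment, which this example does not cover.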
 
Anything running OpenWRT would do what you want, most likely a lot cheaper than getting a USG20 or similar.
//Danne
 
Anything running OpenWRT would do what you want, most likely a lot cheaper than getting a USG20 or similar.
//Danne

It might do it, but would it do it well?

Looking at the OpenWRT website, they support many devices no more powerful computationally than the wifi router I have now...which, due to computing power constraints, can only manage 4Mbit down/2Mbit up in VPN on a 20/2 connection....I presume as such that in terms of throughput performance OpenWRT would at best provide marginal gains over the 200MHz DD-WRT router I have now, which doesn't provide acceptable performance in VPN.

If I'm wrong on the above assertions, please correct me.
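Before root-canaling the PIII, or writing off an OpenWRT device by its clock speed alone, the quick way to answer "is this box up to the VPN encryption?" is to benchmark its cipher throughput against the link rate. The script below is an added example, not something from the thread or from any of the products mentioned in it. It wraps `openssl speed -evp`, which is a real OpenSSL subcommand (on OpenWRT it comes from the openssl-util package), and embeds a constructed sample of that command's output so the script runs offline. The interpretation, using the 1024-byte column, summing down and up rates, and wanting several times the link rate as headroom, is my rule of thumb, not a figure from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): estimate whether a candidate box (the
# PIII 750, a consumer router) has the crypto headroom for a 20/2 Mbit link
# before spending an evening installing a firewall distro on it.
#
# `openssl speed -evp <cipher>` reports raw cipher throughput in 1000s of bytes
# per second per block size. The 1024-byte column is closest to typical VPN
# packet sizes. The number is an upper bound: OpenVPN adds HMAC, kernel/userspace
# copies and per-packet overhead, so look for several times the link rate, not 1x.

# Throughput (kbytes/s) in the 1024-byte column for the named cipher, read from
# `openssl speed` output on stdin. The column is located from the header line,
# so it works whether the build prints five or six block-size columns.
speed_kbytes() {
    awk -v c="$1" '
        /^type/ { n = 0; col = 0
                  for (i = 2; i <= NF; i++)
                      if ($i ~ /^[0-9]+$/) { n++; if ($i == "1024") col = n + 1 }
                  next }
        $1 == c && col { v = $col; sub(/k$/, "", v); print v; exit }
    '
}

# Ratio of cipher throughput to what the link needs. The gateway processes each
# byte once (encrypt upstream, decrypt downstream), so the need is down + up
# Mbit/s converted to kbytes/s (x125).
headroom() {
    awk -v k="$1" -v d="$2" -v u="$3" 'BEGIN { printf "%.1f\n", k / ((d + u) * 125) }'
}

# One-line verdict for a cipher against a down/up link rate (Mbit/s).
report() {
    k=$(speed_kbytes "$1") || return 1
    [ -n "$k" ] || { echo "no $1 row in input" >&2; return 1; }
    printf '%s: %s kB/s measured, %s kB/s needed for %s/%s Mbit, %sx headroom\n' \
        "$1" "$k" "$(( ($2 + $3) * 125 ))" "$2" "$3" "$(headroom "$k" "$2" "$3")"
}

# Constructed sample in the `openssl speed` layout (not real measurements from
# any of the boxes in the thread); used so the script runs offline.
SAMPLE='type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      18032.11k    20441.30k    22190.77k    22750.00k    22901.54k
aes-256-cbc      13110.42k    14620.09k    15930.58k    16384.00k    16501.22k'

# Run with --live on the candidate box to benchmark it for real (takes ~15 s).
if [ "$1" = "--live" ]; then
    openssl speed -evp aes-128-cbc 2>/dev/null | report aes-128-cbc 20 2
else
    printf '%s\n' "$SAMPLE" | report aes-128-cbc 20 2
    printf '%s\n' "$SAMPLE" | report aes-256-cbc 20 2
fi
```

Run it with `--live` on each candidate (the PIII, the DD-WRT router, anything else on hand) and compare the headroom figures; a box whose cipher throughput lands near 1x the link need is the one that produces the 4/2 result described earlier, and the test takes seconds rather than an evening of installing a distro. Pick the cipher your VPN provider's OpenVPN profile actually uses, since AES-256 costs noticeably more than AES-128 on a CPU without hardware AES.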
 
I'm not sure the USG 20 can do all three formats I listed.

The USG series is listed as a security gateway device. Not quite a UTM.

The rated user load is specified when all subscriptions are active.

Example of this is the USG 100 is listed for 20ish users. It can also support 200 ipsec tunnels, if my memory serves me correctly. The point is, if you are not using the UTM functions this same box can act as a VPN WAN router for 200-300 users with no problems.

Comparing a USG 100 to ANY consumer grade router running OpenWRT is laughable.

I replaced a Cisco ASA5505 with a Zyxel USG 100. There's no way in hell I'd drop a consumer grade box in that kind of deployment.
 
I wasn't trying to imply that the problem was with Linux (pfSense is BSD based), as I had a rather robust iptables setup with a custom kickstart script to automatically install it if necessary. The bigger problem was keeping up with the patches and such, along with no web interface to do anything. Combine that with it being a home setup that just needed to work, and the move to pfSense was just easy.

Your situation seems like you would benefit from either a UTM *nix distro or possibly one of the USG setups.

I personally have an OpenWRT and a Tomato based router acting as access points, and they are wired to my LAN, which has a pfSense box as the gateway. I have a few of the modules that pfSense has available installed for web filtering for the kiddos, but for the most part I am not using it for anything but the basic firewall and routing capabilities. It is an old VIA 800MHz ITX system with an extra NIC installed and I run it from a CF card. I have never seen my CPU load go above a few %, and usually that is only when I am using the web interface for management.
 
@ Skripka
TP-Link TL-WDR3600/4300 or 4900 are a lot faster, Netgear WNDR4300 also comes to mind.
//Danne
 