OpenVPN Home Appliance
#31
FlyerTalk Evangelist
Join Date: Nov 2002
Location: ORD
Posts: 14,231
Can anyone recommend a solid VPN appliance to set up on a home network but to use simply for EXTERNAL VPN access and security?
I've got a Netgear Nighthawk AC1900 router/AP, and the VPN solution on it is pretty poor. It doesn't enable the WAN IP as the access point for any external clients (known issue), and that is what I'd really like: to be able to connect to it and have all my traffic routed through my home network and connectivity (I have a 100/25 connection).
I know I could flash the AC1900 with DD-WRT and probably get what I am looking for, but I'm loath to go down the irreversible path YET since everything else is working so well.
I'd like to just stick a VPN appliance on the network, use it to enable REMOTE WAN VPN security and have the solution isolated to the device.
I bet you could also do it cheaply with a Raspberry Pi.
Else, a lot of home routers now come with VPN capability...I know Asus puts a PPTP server in at least some of its firmwares.
#32
FlyerTalk Evangelist
Join Date: Jul 2000
Location: in the vicinity of SFO
Programs: AA 2MM (LT-PLT, PPro for this year)
Posts: 19,781
The "real" VPN appliances start pretty cheaply by business standards (about $300 on Amazon for a 2-user bundle and $350 on NewEgg for a ten user bundle for the cheapest Cisco ASA if I'm reading it right) but setting them up is not going to be a task for a non-technical person.
If you have a spare cheap PC sitting around you can just use that as a VPN server. Put Ubuntu on it and install OpenVPN if you're looking for something more secure or PopTop if you just want a PPTP VPN.
Of course, depending on the electric price where you live (PG&E in my part of CA is particularly high at over-baseline rates like 35c/kwhr!) it may not matter.
As you note,
I bet you could also do it cheaply with a Raspberry Pi.
There are quite a number of similar small embedded-linux boxes, some of them intended for networking use, and some of them faster than the Raspberry Pi, all with a price range between $50-$200, and all probably a better choice than a dedicated PC.
There are also quite a number of small PC designs with low power consumption, starting around $130, which may be easier for some people to use and a bit more versatile. Prices go up quickly for more powerful ones, and I don't know of a cheap one with two ethernet ports (there probably is one, though.)
Else, a lot of home routers now come with VPN capability...I know Asus puts a PPTP server in at least some of its firmwares.
#33
Join Date: Feb 2000
Location: Menlo Park, CA, USA
Programs: UA 1MM 0P, AA, DL, *wood, Lifetime FPC Plat., IHG, HHD
Posts: 6,912
great!
There's a huge class of small business routers that work for VPN, and which start no more expensive than the better wireless routers, for one example this (no endorsement of the present model intended, although I set up an ancestor of that years ago for friends and it's worked well.) I don't know how well it would work behind an ISP-provided router.
The "real" VPN appliances start pretty cheaply by business standards (about $300 on Amazon for a 2-user bundle and $350 on NewEgg for a ten user bundle for the cheapest Cisco ASA if I'm reading it right) but setting them up is not going to be a task for a non-technical person.
For a regular PC, you're going to be wasting a LOT of electricity leaving it running just as a VPN appliance (or even as the firewall/router/web server/vpn/nas) unless you take some time to build one for lower power consumption.
Of course, depending on the electric price where you live (PG&E in my part of CA is particularly high at over-baseline rates like 35c/kwhr!) it may not matter.
As you note,
Almost certainly, if the performance doesn't matter a lot (and it will likely still be better than what's in most cheap routers.) The lack of a 2nd ethernet port makes it harder to use this as a firewall at the same time, although USB Ethernet might work.
There are quite a number of similar small embedded-linux boxes, some of them intended for networking use, and some of them faster than the Raspberry Pi, all with a price range between $50-$200, and all probably a better choice than a dedicated PC.
There are also quite a number of small PC designs with low power consumption, starting around $130, which may be easier for some people to use and a bit more versatile. Prices go up quickly for more powerful ones, and I don't know of a cheap one with two ethernet ports (there probably is one, though.)
Indeed. For that matter, any one which can take OpenWRT or DD-WRT can be used.
Yes, I don't really want to leave a dedicated PC just for the VPN solution. It would be a bunch of wasted energy and hardware to maintain.
I might just move to a different router that has a better VPN implementation. I just wish Netgear could get theirs working right; it WAS a reason I picked up that model in the first place. I could always put DD-WRT on an older 54G and use it as the VPN gateway, but it's not GigE and would slow everything else down unless it was just a dedicated VPN server. Not sure how to do that.
#34
Join Date: Jun 2011
Location: NYC
Programs: SPG Gold, Hyatt Plat, PC Plat, Hilton Gold
Posts: 612
Revisiting an old thread, as I recently bought a Raspberry Pi 3 to play with at home. I set up Pi-Hole to block ads on my network for all devices; it works really well and is super simple to get going. I then came across PiVPN and that was easy to add on as well - this was just out of curiosity, as I run an OpenVPN server on my Asus RT-N66U router with Merlin software.
As mentioned upthread, one can also create an AWS t2.micro instance on the free tier with an Ubuntu 16.04 image and install PiVPN on it, works just fine.
The Raspberry Pi 3 with PiVPN is a great and relatively inexpensive solution to adding an OpenVPN server on your network. Use TCP 443 and you should be able to bypass most VPN port blocks, unless the network is using Deep Packet Inspection.
#35
Join Date: Feb 2000
Location: Menlo Park, CA, USA
Programs: UA 1MM 0P, AA, DL, *wood, Lifetime FPC Plat., IHG, HHD
Posts: 6,912
Revisiting an old thread, as I recently bought a Raspberry Pi 3 to play with at home. I set up Pi-Hole to block ads on my network for all devices; it works really well and is super simple to get going. I then came across PiVPN and that was easy to add on as well - this was just out of curiosity, as I run an OpenVPN server on my Asus RT-N66U router with Merlin software.
As mentioned upthread, one can also create an AWS t2.micro instance on the free tier with an Ubuntu 16.04 image and install PiVPN on it, works just fine.
The Raspberry Pi 3 with PiVPN is a great and relatively inexpensive solution to adding an OpenVPN server on your network. Use TCP 443 and you should be able to bypass most VPN port blocks, unless the network is using Deep Packet Inspection.
#36
Join Date: Mar 2016
Location: CPT,AMS
Posts: 4,412
Revisiting an old thread, as I recently bought a Raspberry Pi 3 to play with at home. I set up Pi-Hole to block ads on my network for all devices; it works really well and is super simple to get going. I then came across PiVPN and that was easy to add on as well - this was just out of curiosity, as I run an OpenVPN server on my Asus RT-N66U router with Merlin software.
As mentioned upthread, one can also create an AWS t2.micro instance on the free tier with an Ubuntu 16.04 image and install PiVPN on it, works just fine.
The Raspberry Pi 3 with PiVPN is a great and relatively inexpensive solution to adding an OpenVPN server on your network. Use TCP 443 and you should be able to bypass most VPN port blocks, unless the network is using Deep Packet Inspection.
BTW, I prefer UDP port 53.
#37
Join Date: Jun 2011
Location: NYC
Programs: SPG Gold, Hyatt Plat, PC Plat, Hilton Gold
Posts: 612
I haven't noticed much overhead speed loss, if any, in my brief tests. In any case, it's meant mainly as security while on public networks and no major video streaming etc will be done so it's plenty good for now. More of an experiment to see what's possible; in fact, I'll probably use a more robust instance of the EC2 Ubuntu setup and just use that for ~$5/month.
Hmm, will have to try UDP 53, good idea - what has your experience been on being blocked on that vs TCP 443?
#38
Join Date: Mar 2016
Location: CPT,AMS
Posts: 4,412
The Raspberry Pi 3 has been excellent for Pi-hole and PiVPN use so far, more than enough hardware for these things in a home/SMB environment I think.
I haven't noticed much overhead speed loss, if any, in my brief tests. In any case, it's meant mainly as security while on public networks and no major video streaming etc will be done so it's plenty good for now. More of an experiment to see what's possible; in fact, I'll probably use a more robust instance of the EC2 Ubuntu setup and just use that for ~$5/month.
Hmm, will have to try UDP 53, good idea - what has your experience been on being blocked on that vs TCP 443?
I don't have any experience of 443 being blocked, but I also have a web server running, so I just cannot use it for OpenVPN. To be fair, I also never had an issue with the default OpenVPN port (1194).
For $5 a month you only get a t2.nano in AWS. I have a t2.micro as part of the free tier usage; maybe if I get enough spare time I would put OpenVPN on it just to test the speed.
#39
Join Date: Jun 2011
Location: NYC
Programs: SPG Gold, Hyatt Plat, PC Plat, Hilton Gold
Posts: 612
They do have a t2.micro AMI with OpenVPN server installed already, but it was even easier to use an Ubuntu 16.04 server and run the PiVPN install script - piece of cake really, give it a try.
#40
FlyerTalk Evangelist
Join Date: Nov 2002
Location: ORD
Posts: 14,231
My router (EdgeRouter X SFP) provides IPSec and OpenVPN servers. Works well for untrusted public networks but throughput is limited to ~10Mbit/s. My home connection is only 30/5, though, so it's fine.
I also have SSH publicly exposed using port 443 on the router, since port 22 is sometimes blocked.
#41
Join Date: Mar 2016
Location: CPT,AMS
Posts: 4,412
Hmmm, so using the PiVPN script on an AWS server is indeed very easy; the throughput test is a bit weird though.
I first uploaded a file from my home to AWS with no VPN; it uploaded 3GB with an average speed of 12.9MB/s and took a total of 3:48.
Then I connected via VPN and did the same test. While the max speed was over 11MB/sec at some points, it also dropped and seemed to be stalling at some point, so the total time to transfer the file was 4:56 with an average speed of 9.9MB/sec.
Good enough, I guess.
#42
Join Date: Jun 2011
Location: NYC
Programs: SPG Gold, Hyatt Plat, PC Plat, Hilton Gold
Posts: 612
I think the t2.micro instances can have some bandwidth issues at times right? I don't know if a certain throughput is guaranteed, much like how the shared-CPU works, but not sure?
In any case, a free-tier AWS instance and PiVPN make for a very quick and easy setup for anyone to have access to a free OpenVPN endpoint.
#43
Join Date: Mar 2016
Location: CPT,AMS
Posts: 4,412
I'm not sure how throughput works in AWS. I know that for t2 instances you get a 'shared' CPU with a certain amount of CPU credits per hour, but I was far from using my CPU credits; it went down from 144 to 142 during my tests (OpenVPN was using ~30-35% CPU).
I also tried speedtest now, from AMS to a test server in Ireland (where my t2 instance is), without VPN I could get 114Mb/sec down and 117 up, and with the vpn 75 down and 72 up.