Router for VPN

[Shou Miko]

I am wondering if I should try a proper VPN router instead of using software VPN and my current router a Asus RT-AC66U can't even give me 10 Mbps both ways when I use Merlin firmware so I wonder if a SMB router from Cisco would be better?

I am currently been looking at Cisco's RV220W and RV320. For VPN i am using UDP Protocol and Cipher is BF-CBC with HMAC SHA128.

Cisco RV220W is rated to 90mbps for IPsec VPN throughput and costs around 322 USD / €305 / £265 but I seen second handed go for around 70-100 USD.

Cisco RV320 is rated to 100mbps for IPsec VPN throughput and is cheaper at around $182 / €172 / £150


I know that "rated" speed ain't always what u will get but what should I expect to get?

My connection is 100/25 mbps and I current with OpenVPN doing around 100-110/25-28 mbps according to speedtest.

 

[Kursah]

Hmm...I'd be more apt to build a PFSense router in that price-range TBH. Those Cisco's are decent...but I feel you could achieve better VPN speeds and have more processing power.

I run an IPSec AES256/SHA256/RSA2048 tunnel and an OpenVPN (same encryption levels) tunnel on my PFSense router as well. Granted mine cost me closer to $250 because I wanted extra RAM and SSD storage...but if you don't plan to run web caching or IDS/IPS services, you could get away with closer to $150 or less and have a solid PFSense build that'll do what you need IMHO.

I love OVPN, excellent stuff! The Asus router struggles for sure...single 600MHz core and no hardware accelleration kills it.

My PFSense build uses Intel's AES-NI acceleration and that really makes a difference. I wish I had your bandwidth though! Sadly can't afford to do that yet.

With encryption overhead you could lose a few mpbs or a handful, more-so because of the processing it takes to handle the encryption and decryption of the traffic. I use an Asus N3150-C with a quad core Celeron SoC for the platform for my PFSense router at home and it is a beast!

I've setup tons of OVPN tunnels on lower-end PFSense and Netgear SG-2440's with excellent results...though the fastest WAN was rated for 50/50, but it achieved that without issues.

Otherwise, I'd look at the RV320 if you are only sticking to your Cisco options. But really you'll get better performance from PFSense if you build your own option at near the same price as those devices in my experience.

 

[Shou Miko]

Ty Kursah, I dunno much about PFSense and I think it's too much for only myself (also mean learning it) and to be honest also too complicated since I know so little about Linux and I am not a fast learner and gave up on Linux long time ago.

My last servers I had was running Windows XP Pro (CS 1.6) and Windows 7 Pro (Aion server) and that I managed oki, I do a little linux at work but nothing to be proud of.

 

[Kursah]

Well it is free, there's TONS of documentation on it, and its GUI is more useful and user-friendly than Cisco's. Along with the fact that you really don't need to do much CLI, but you absolutely can if you prefer. It runs iptables as it's backend firewall, similar to what Cisco and other devices use a variant of. But if you want to do it all through the webGUI there's wizards to setup stuff, tons of videos, step-by-step guides. Really you should try it, it would be worth the challenge and you might be happier with your investment.

PFSense 2.3.x has a VERY friendly and easy-to-read GUI, and in my experience with Sophos, Cisco, Fortinet, SonicWall, Draytek, D-Link, Cradlepoint, I prefer PFSense and learned it far faster than the rest.

Do yourself a favor and at least watch a video or go find a couple of articles. There's so much help for PFSense that you'll likely find you can either easily locate the answer to your question or have it fairly quickly answered. If you buy a PFSense router form them, you get 1-year of Gold Support which is fantastic BTW.

I wouldn't make it stressful, and if you needed help I'd gladly assist!

I run 2 PFSense routers, my physical unit and a virtual unit for my test lab. Both run excellent! If you run any kind of virtualization, spool up a small VM, 1 core, .5-1GB RAM, 20-50GB HDD, and give it a go. I think you'll find it isn't that hard to deal with, and you'll be able to find your way around fairly easily after a little bit of screen time with it.

 

[Shou Miko]

I do have my old Lenovo ThinkPad E540 laying around with i5-4200M, 16gb ram, 250GB EVO 840 laying around doing nuth so I could give it a try, but problem just is not much time to do smth huge.

 

[Kursah]

Well with a single NIC you'd wanna either do a virtual PFSense, or if you want more performance, run it as the OS on the laptop, and possibly add a second USB (3.0) NIC so that way you have a WAN and LAN. Otherwise you'll have to do some VLANning to use a single NIC for multiple services.

But those specs would be pretty epic for a virtual or physical PFSense router and really overkill for anything a home user would accomplish.

 

[Shou Miko]

I might look into PFSense but again I think it will be too overkill just for a single person with only my desktop and smartphone going online.

But reason for considering a router or something other than software is because I have too many issues with Kaspersky using OpenVPN my connection speed with a client running various too much from 20-50 mbps and if I do a reinstall like once a month I get fill speed but I don't to reinstall my system every month to keep my speed.

I tested without vpn on the same servers I get full speed and using vpn without Kaspersky I also get full speed 99% of the time but I want to be secured and I got a subscription for Kaspersky I don't want to waste.

 

[Solaris17]

I run RV320s at work and am looking to replace them. they do nowhere NEAR 100mbps VPN tunneling and they are a cluster ruck to work with.

They also have serious issues with SNMP if your into monitoring at all.

 

[Shou Miko]

I run RV320s at work and am looking to replace them. they do nowhere NEAR 100mbps VPN tunneling and they are a cluster ruck to work with.

They also have serious issues with SNMP if your into monitoring at all.

U r using IPSec?

 

[Solaris17]

U r using IPSec?

Yes I run IPsec VPN connecting 5 different satellite connections.

 

[Easy Rhino]

would i be bragging if i said i setup a raspberry pi with ipsec client, routed all local traffic through it, and then purchased a VPS and setup StrongSwan as the vpn server?

 

[silkstone]

Load your current router with DD-WRT and perform a light overclock on your router. That may improve things.

The processor is a little weak and that might be your bottleneck, but an overclock will tell you if that's the case.
You could also expand the ram using a fast usb drive or Ext-HDD as a page file for it.

Easy Rhino's suggestion of a RPi is also an excellent one. They are powerful little computers for the price and they work well.

Edit - My apologies, I missed that you were already using Merlin. You might still try an overclock.
The RPi idea is a good one still. I've read that you can use external USB > Gigabit Lan ports to increase the speed past 100/100 if needed.

 

[Shou Miko]

@silkstone doesn't it have to be a fast usb stick to be able to handle the job?

 

[silkstone]

@silkstone doesn't it have to be a fast usb stick to be able to handle the job?

They don't get gigabit speeds, but I've read of them achieving over 200 mbps (The theoretical limit is 480 mbps). It's highly dependent on the brand.

http://www.jeffgeerling.com/blogs/jeff-geerling/getting-gigabit-networking
https://www.raspberrypi.org/forums/viewtopic.php?f=36&t=160270

For the cost of the RPi compared to a high powered router, it's worth researching to see if other people see decent VPN speeds with the setup.
The RPi 3 is pretty powerful for what it is.

I have mine running as a NAS, Book Server, Torrent Server, Plex Server and Minecraft server simultaneously and it doesn't even blink at the workload. The only thing it can't do is Transcode videos in Plex, but that's expected.

 

[Rhyseh]

You could always try a MicroTik or EdgeRouter.

Microtik I've not done much with, but works really well by all accounts:
https://routerboard.com/RB750Gr3

EdgeRouter has a hardware offload function for IPSec networking, however you may have to drop to the CLI to get the config up and running:
https://www.ubnt.com/edgemax/edgerouter-lite/

 

[Shou Miko]

@Rhyseh I was thinking about mby trying out the EdgeRouter Lite from Ubiquiti but I wasn't 110% sure it could handle it.

 

[brandonwh64]

PFsense again is the best/cheapest option. My first PFsense setup was on a core2duo E5200 with 1 stick of 2GB DDR2 and a extra gig nic threw in. Hooked up I got 998mbps down and 978mbps up

 

[remixedcat]

Edge router or USG...

Note on the USG VPN https://help.ubnt.com/hc/en-us/articles/204953054-UniFi-USG-Remote-User-VPN-with-Local-Users

But what is your total budget?

You could get a Meraki z1 if you can go as high as 350-450

It has an easy VPN server

 

[Shou Miko]

Just for myself nuth that costs a billion, that Cisco looks nice, but I can only find Licenses for it in my country but I will try to look locate it at work we have some distributors that sells Cisco.

Srsly who in their right mind on ebay sells stuff ex. vat?

Link: http://www.ebay.co.uk/itm/CISCO-MER...070381?hash=item25cca3b3ad:g:SVgAAOSwA3dYblCd

 

[TheGuruStud]

Pfsense b/c you're never going to get high throughput with a little ARM.

 

[Shou Miko]

Pfsense b/c you're never going to get high throughput with a little ARM.

Properly not but I am not a big Linux Guru and I don't want to be depended on others when there is a mistake, wrong input or an update.

 

[remixedcat]

Untangle?

 

[Kursah]

@Rhyseh I was thinking about mby trying out the EdgeRouter Lite from Ubiquiti but I wasn't 110% sure it could handle it.

You're likely going to need to do some CLI work to get OpenVPN setup right. While the newest firmware does (that I've tested, which was 1.9.0, 1.9.1 was released 12/22/16 and I have not upgraded yet) add more stuff to GUI on the ERL, the best way to manage that router is via CLI IMHO. I still have one, I use it as my physical drop-in failover should my PFSense unit fail...or until I setup CARP with another PFSense unit (more for testing than anything).

http://www.forshee.me/2016/03/16/ubiquiti-edgerouter-lite-setup-part-5-openvpn-setup.html

But with that said, command line interface can be kinda fun IMHO and it really isn't all that scary when you have guides and a basic understanding of networking.

PFSense would be easier to setup as it is all done in the GUI. There was a project a couple years ago for getting PFSense onto the ERL, but it kinda fizzled out...which is a shame...but in the same breath the ERL has its own limitations for processing power but would would still perform better for VPN server services than the Asus unit.

Also you keep mentioning Linux with PFSense...sure it is built on Linux, mostly for iptables, which many other devices use that you've likely already used. The ONLY time you'll see Linux is during the installation process which is pretty much all CLI, kind of like an older version of Windows being installed by CMD/DOS. It is very painless...after that point you've set your IP, your WAN and LAN.

You access the WebGUI from there forward, just like you access your current router, via web browser. I run my PFSense box headless and have only hooked a screen up to follow the boot procedure which has never failed or had issues.

I really think you need to research and look into PFSense...the Linux excuse really isn't one here IMHO. I have several techs that have 0 admitted Linux experience working on PFSense routers all day long...and they love it. Honestly the Linux CLI installation is fast, smooth and painless...probably more-so than a Windows 7, 8 or 10 installation. It's all in English...and as I said before....there's LOTS of guides, articles, forums, threads, etc. all that you can find help in or an issue that someone else has already ran into and likely gotten resolved.

Untangle is another free Linux-based router OS derivative. It is more limited than PFSense but I know a few people that prefer it and its GUI to PFSense's. Though I really do like PFSense's 2.3.x GUI. It is another good option that can be used on hardware or in a virtual machine much like I suggested you try with PFSense.

Here take a look at this video series on PFSense, just click through some of the 2.3 ones, get an idea of what is going on. Give it a chance. My AC66R has been an AP for a long time now...and won't ever be a router again in my house. It was a decent router, but decent wasn't good enough.



Edit: The update process is also performed via the GUI and it is done only by official updates that are for the correct PFSense version. Really this is very hard to screw up. I have had one instance where my custom PFSense box didn't reboot and the wife lost Internet. I performed the big 2.2.6 to 2.3.0 upgrade remotely from the office...my device didn't reboot or clear my Squid web filter cache. Easy enough, I manually rebooted and cleared the cache with the click of a mouse button in the webGUI...and off I was in mere minutes.

If you can take the time to learn AsusWRT, you can learn PFSense's GUI. It really is pretty easy. Sure there's A LOT more you CAN do in PFSense, you don't HAVE to do it. Hesitation is find, and I get it, but you have some good help here, there's a lot of good resources and really you'd be trying something that millions of others have used, and something that is deployed at home, SoHo and professional/enterprise levels. No different than Cisco except for the free part...

Edit Part Deux:

Here's a video where the dude is running PFSense as a VM, which is shown what the VGA connection to PFSense would look like at the top right of the screen. The left is the Web GUI and upgrading from 2.2.6 to the newer 2.3 with the new GUI.

AND he even fits in setting up OpenVPN. All in a video under 12 minutes in length! Sure some of it is fast forwarded...what you see him do in the webGUI is what you'd be doing with the OpenVPN server.

 

[Shou Miko]

Edge router or USG...

Note on the USG VPN https://help.ubnt.com/hc/en-us/articles/204953054-UniFi-USG-Remote-User-VPN-with-Local-Users

But what is your total budget?

You could get a Meraki z1 if you can go as high as 350-450

It has an easy VPN server

U forget I am not building a VPN need this for a secured VPN line that runs IPSec instead of needing to install clients on my computers at home I currently have two and software can be a bit buggy from time to time and take long to connect even on my iphone.

 

[remixedcat]

this does not need software, use the native OS controls.