Is it possible to use Raspberry pi for vpn encryption?

[blade12]

Problem:
I tried using my AC68u as vpn router, but network slows down too much if vpn runs directly on AC68u. I began thinking of an alternative solution and then I thought maybe a raspberry pi would be great for handling the encryption. Raspberry pi 4 has a quad-core processor and 4gb of ram. No router can match those specs except maybe the Vilfo (a $500 solution, unfortunately). Raspberry pi 4 would be a $65 solution.

In high-level overview..
I want the only job for the rPi to be the vpn encryption tunnel to either encrypt or not encrypt data depending on the device -- I don't need everything to run through the VPN tunnel so I would set vpn-bypass for certain devices like the Google Nest. My router can perhaps be the bridge between the raspberry pi and my cable modem.

I am thinking of two possibilities of setup (picture a network):

Scenario 1:
-internet
-cable modem
-router ----- raspberry pi (so raspberry pi running off the router's lan port with the only job being vpn encryption)
-my pc

Scenario 2:
-internet
-cable modem
-raspberry pi (so rPi as a bridge/gateway/whatever the term would be)
-router
-my pc

Regardless of the scenario, I want all wired/wireless devices to connect to the router, not the rPi.

I essentially want two networks. As depicted in scenario #1.. Network #1 I want the packets to run to the router, through the rPi, encrypt then run to the cable modem to the internet. Network #2 bypasses the VPN and packets runs straight through the router to the cable-modem to the internet (this network would probably use guest network).

Or must the rPi be physically located between the router and modem as depicted in scenario 2? In that case, the router would have to be setup as the access point for the devices. In this situation though, the rPi would be along main path. Is that a good safe idea? I fear it would slow down too much if the entire network runs through rPi. I don't think rPi is a great replacement for router.

Scenario #1 is what I was hopeful of doing. Or is this not realistic or too much trouble?

 

[Tech9]

Raspberry pi 4 has a quad-core processor and 4gb of ram. No router can match those specs

Some home routers have a better CPU for VPN, actually. RPi has more RAM, but the CPU is not licensed for AES. Upgrade your router to RT-AX68U and you have about 200Mbps on-router OpenVPN performance. OpenVPN is single-threaded, so the number of cores doesn't matter. If you want >200Mbps OpenVPN performance, you need to look at x86 CPU firewalls.

Routers with ARMv8 CPU and AES support, plus Asuswrt-Merlin support for Policy Based Routing options:

RT-AC86U
GT-AC2900
RT-AX68U *
RT-AX86U *
RT-AX88U
GT-AX11000

Upgrade your router, get better and faster Wi-Fi coverage + solve your VPN problem.
* - the routers most folks will recommend buying today.

 

[blade12]

Some home routers have a better CPU for VPN, actually. RPi has more RAM, but the CPU is not licensed for AES. Upgrade your router to RT-AX68U and you have about 200Mbps on-router OpenVPN performance. OpenVPN is single-threaded, so the number of cores doesn't matter. If you want >200Mbps OpenVPN performance, you need to look at x86 CPU firewalls.

Routers with ARMv8 CPU and AES support, plus Asuswrt-Merlin support for Policy Based Routing options:

RT-AC86U
GT-AC2900
RT-AX68U *
RT-AX86U *
RT-AX88U
GT-AX11000

Upgrade your router, get better and faster Wi-Fi coverage + solve your VPN problem.
* - the routers most folks will recommend buying today.

1) Would dual-core processor and 512mb ram on the AX-68u be a big enough upgrade to the AC68u to speed up wifi if it runs through VPN? I realize OpenVPN is single-thread from your post so one of the two cores will be used primarily for VPN encryption purposes.

2) I looked into each of those routers you listed. My best options would probably be AX68U or AC86U considering my budget. Any suggestions between the two? ..for VPN performance anyways. The other recommended router (AX86U) is too expensive for me, unfortunately.

3) Can any of those routers allow setup of two separate networks? As I noted, I want primary network to run through vpn, and secondary network to bypass vpn. Someone had suggested using the guest network for the purposes of the secondary network. I have not tried setting up guest network in that manner yet, and not sure if it will work.

Thanks btw!

 

[Tech9]

1) The CPU in AX68U has different cores. It's about 4x faster running OpenVPN.
2) AX68U is the newer router. AC86U is >4 years old and has reliability issues history.
3) Asuswrt-Merlin firmware + YazFi custom script. You can have separate SSID's for VPN and WAN Wi-Fi connections.

I would run VPN on clients, if possible and when needed only. Not on the router.

You're welcome!

 

[blade12]

1) The CPU in AX68U has different cores. It's about 4x faster running OpenVPN.
2) AX68U is the newer router. AC86U is >4 years old and has reliability issues history.
3) Asuswrt-Merlin firmware + YazFi custom script. You can have separate SSID's for VPN and WAN Wi-Fi connections.

I would run VPN on clients, if possible and when needed only. Not on the router.

You're welcome!

The reason why I'm thinking of running VPN on router is because router probably has a better killswitch. Software killswitches are often not very reliable, and some devices like Nvidia Shield don't even support killswitch on the OS level. A hardware killswitch (say on the router itself) would probably be more reliable and effective.

 

[Tech9]

It still software, but running on the router. I have NordVPN account, the client software is excellent. Kill switch is working properly, it has per app VPN, changing servers in few clicks, supports Wireguard, etc. Much more convenient, fast and as reliable as on-router client. On-router VPN client is good only for devices with no VPN client capabilities.

 

[blade12]

It still software, but running on the router. I have NordVPN account, the client software is excellent. Kill switch is working properly, it has per app VPN, changing servers in few clicks, supports Wireguard, etc. Much more convenient, fast and as reliable as on-router client. On-router VPN client is good only for devices with no VPN client capabilities.

That may be a good point. I also have quite a few devices to individually stick vpn on them all - it might be worth trying to see what speeds I get with vpn router first. My vpn-less connection speed is 200meg. I want to see how close I can get from a single point (router).

I am leaning towards the AX68u. If it does not provide reasonable speeds, I can always switch over to individual apps on individual devices.


Question:
1) Does ax68u support aes-ni hardware acceleration? As you know, that handles vpn encryption on another chip to help speed things up. I'm unable to find it on ax68u specs page.

2) I read Asus integrated wireguard, which is faster than openvpn, for the newer ax-routers. It is still under beta firmware, and hard to say if merlin will integrate it once asuswrt finalizes it. He has said in previous posts that he doesn't have time to add new features. Anyways, do you know if the AX68u is one of the routers with wireguard support on asuswrt?

 

[XIII]

The CPU in AX68U has different cores. It's about 4x faster running OpenVPN.

4x Faster than what? The OP’s AC68u or the suggested AC86u alternative?

 

[Tech9]

Does ax68u support aes-ni hardware acceleration? As you know, that handles vpn encryption on another chip to help speed things up. I'm unable to find it on ax68u specs page.

No AES-NI on ARM. This is Intel instructions set. ARMv8 cores support AES instructions for encryption processing. It’s not a separate chip, part of the CPU logic. See above the routers with ARMv8 cores.

 

[Tech9]

4x Faster than what?

Read the question again - AC68U.

 

[blade12]

No AES-NI on ARM. This is Intel instructions set. ARMv8 cores support AES instructions for encryption processing. It’s not a separate chip, part of the CPU logic. See above the routers with ARMv8 cores.

I'm sorry, but I am bit confused by your post. I saw several posts talking about aes-ni hardware acceleration on AX-86u and I believe the AC-86u. Are you saying that aes-ni won't be available on ARM cores?? Or are you saying that only ARMv8 cores support aes-ni?

If you are saying the latter, which asus routers do support aes-ni hardware acceleration if not AX68u?

 

[ColinTaylor]

I'm sorry, but I am bit confused by your post. I saw several posts talking about aes-ni hardware acceleration on AX-86u and I believe the AC-86u. Are you saying that aes-ni won't be available on ARM cores?? Or are you saying that only ARMv8 cores support aes-ni?

If you are saying the latter, which asus routers do support aes-ni hardware acceleration if not AX68u?

He's saying that those people talking about AES-NI on their Asus routers are using the wrong term. They should have said AES, because AES-NI is an Intel thing.

 

[Tech9]

I'm sorry, but I am bit confused by your post.

@ColinTaylor explained why do you see AES-NI here and there. AES instruction set in ARM does similar thing, but is not 1:1 the same as Intel AES-NI in Intel x86 architecture. In regards to Wireguard - it's experimental in current Asuswrt beta testing. I can't predict what is going to be available, when it is coming, on what router models and if it will be supported/enhanced in Asuswrt-Merlin future releases.

My vpn-less connection speed is 200meg. I want to see how close I can get from a single point (router).

I was able to see ~170Mbps on OpenVPN using AC86U and AX88U routers running 386 code base, to NordVPN local servers. Some folks report speeds >200Mbps. On previous 384 code base it was going up to 260Mbps, but the speed also depends on the server you connect to. Don't count on constant high VPN speeds just because you have more capable hardware. It can process the traffic, but someone has to send this traffic to you first.

 

[Tech9]

which asus routers do support aes

Answered already in post #2, filtered by Asuswrt-Merlin support for enhanced OpenVPN with Policy Based Routing. Other Asus models with Broadcom ARMv8 CPU's are RT-AX92U, GT-AC5300, GT-AXE11000, the brand new GT-AX6000. You want Asuswrt-Merlin supported model from the list above.

 

[blade12]

@ColinTaylor explained why do you see AES-NI here and there. AES instruction set in ARM does similar thing, but is not 1:1 the same as Intel AES-NI in Intel x86 architecture. In regards to Wireguard - it's experimental in current Asuswrt beta testing. I can't predict what is going to be available, when it is coming, on what router models and if it will be supported/enhanced in Asuswrt-Merlin future releases.



I was able to see ~170Mbps on OpenVPN using AC86U and AX88U routers running 386 code base, to NordVPN local servers. Some folks report speeds >200Mbps. On previous 384 code base it was going up to 260Mbps, but the speed also depends on the server you connect to. Don't count on constant high VPN speeds just because you have more capable hardware. It can process the traffic, but someone has to send this traffic to you first.

Yup, that makes sense now. I'm just looking for the AES hardware acceleration equivalent regardless of who makes it. That is pretty much a requirement if I wish to run vpn on it.



As for wireguard, I understand. However, I wasn't asking for a prediction. Just asking whether you know if the AX68u supports wireguard in beta firmware. The AX86u and AX88u beta-firmwares do, but that's beyond my budget. I can probably ask asus support which of their routers is currently in wireguard beta testing.

There is always the possibility of considering a non-asus router that supports wireguard out of the box. I'm used to asus routers going back a decade, but tbh it is not necessary router be asus or even supported by merlin. The only real requirement for me is AES hardware acceleration, under $200 and router stability. If you know of any, feel free to suggest. I will have to do some googling on the options out there. It's worth considering all options. If there is nothing like that with wireguard support, then I can always order the AX68u & stick to Openvpn.

Thanks!

 

[Tech9]

Just asking whether you know if the AX68u supports wireguard in beta firmware.

I don't know. I don't have an AX68U to test.

If you know of any, feel free to suggest.

Perhaps GL.iNet Brume, as per specs it supports Wireguard in GUI, runs OpenWRT. Not many home routers support Wireguard (or VPN at all) and not all commercial VPN providers offer Wireguard outside of their own VPN apps. NordVPN for example has so called NordLynx in-app only.

See this:

Wireguard - Session Manager - Discussion thread (CLOSED/EXPIRED Oct 2021 use http://www.snbforums.com/threads/session-manager-discussion-2nd-thread.75129/)

Thanks to @Odkrys, WireGuard as an alternative to established VPN tunnel protocols OpenVPN and IPSec has been available on some specific ASUS Routers for a while, although the instructions posted by the OP...

www.snbforums.com

Wireguard - Session Manager - Discussion (2nd) thread

This thread http://www.snbforums.com/threads/session-manager.70787/ has now expired. Thanks for the heads-up SNB Forum member @Ubimo

www.snbforums.com

 

[Tech9]

The only real requirement for me is AES hardware acceleration, under $200 and router stability

DIY firewall using SFF x86 3rd/4th Gen Intel i5 PC and running pfSense. It will fit in $200 requirement. Networking knowledge required.

 

[blade12]

I don't know. I don't have an AX68U to test.



Perhaps GL.iNet Brume, as per specs it supports Wireguard in GUI, runs OpenWRT. Not many home routers support Wireguard (or VPN at all) and not all commercial VPN providers offer Wireguard outside of their own VPN apps. NordVPN for example has so called NordLynx in-app only.

See this:

Wireguard - Session Manager - Discussion thread (CLOSED/EXPIRED Oct 2021 use http://www.snbforums.com/threads/session-manager-discussion-2nd-thread.75129/)

Thanks to @Odkrys, WireGuard as an alternative to established VPN tunnel protocols OpenVPN and IPSec has been available on some specific ASUS Routers for a while, although the instructions posted by the OP...

www.snbforums.com

Wireguard - Session Manager - Discussion (2nd) thread

This thread http://www.snbforums.com/threads/session-manager.70787/ has now expired. Thanks for the heads-up SNB Forum member @Ubimo

www.snbforums.com

I searched on the forum and yes the AX68u is part of the wireguard beta test. That sounds good!

Beta - ASUSWRT 386 RC3-3 public beta for IPv6 DDNS and IPv6 VPN server

Hi All, New 386 rc3-3 firmware added more IPv6 support. You can now use IPv6 to register DDNS and use it for OpenVPN, WireGuard server. firmware link https://drive.google.com/drive/folders/1zbP67c9LM-je_w3PEc36ybc_VFddJPPe?usp=sharing support model list GT-AX11000 RT-AX92U...

www.snbforums.com

I also checked my current vpn (mullvad), and it supports wireguard. I should be okay from that end.


I will look into the GL.Net mv1000, but it seems to be a gateway. That may actually work for what I was thinking. Ultimately, I may still need to upgrade my router. That is why I will also research to see what other routers with wireguard options are available so I can perhaps do a single router upgrade to solve the issue in one single swipe.

 

[blade12]

There is also this option:

GL.iNet GL-AX1800(Flint) WiFi 6 Router
https://www.amazon.com/dp/B09HBW45ZJ/?tag=snbforums-20

Best for me to research reviews to see how it compares to the asus routers in speed.

 

[Tech9]

The tools in Asuswrt-Merlin are for OpenVPN. If you need more VPN control, you have no options, but OpenVPN. RMerlin may or may not provide enhancements over standard Asuswrt Wireguard implementation.