
Is it possible to use Raspberry pi for vpn encryption?

Can any of those routers allow setup of two separate networks? As I noted, I want primary network to run through vpn, and secondary network to bypass vpn. Someone had suggested using the guest network for the purposes of the secondary network. I have not tried setting up guest network in that manner yet, and not sure if it will work.
Asuswrt-Merlin VPN setup will allow you to specify devices by IP address to selectively route the traffic from those devices through your VPN, so depending on what you are trying to accomplish, "two separate networks" may not actually be necessary. For example, I route the traffic from one of my Raspberry Pis and one NAS through the VPN all the time. I selectively route my smart TV through the VPN. All my other devices use the normal internet routing (non-VPN). Internally, they are all on the same network and no special configuration is required. (Also, no YazFi or other scripting required for this.)
 
The benefit of 2 separate networks is that if a bank or something blocks the primary network (the one with VPN), you can connect to the secondary network (the one without VPN) within seconds.
 
FWIW, I have the same RT-AC68U, and rather than spending $200-300 on a new router (esp. when I find the RT-AC68U otherwise more than adequate for my needs), I decided a couple years ago to move my OpenVPN client to a small form-factor PC made from old spare parts. Cost me next to nothing to build, and only consumes 18w. Any desktop PC, even something circa 2011 (like mine) will make mincemeat out of even the best available consumer routers. I simply change the default gateway on those clients I want routed over the VPN to that of the PC (which happens to be running DD-WRT x86, but there are other options). As a bonus, because I'm using DD-WRT, I can use my own DD-WRT PBR (policy based routing) scripts to enable selective routing, which support more than just source/destination IP, but also source/destination ports, protocols (tcp, udp, icmp), etc.

But I understand the appeal of having the solution running on the router. It's definitely more convenient. But in my own case, I just wasn't willing to spend that kind of money to solve this one problem. Not when, as I said, the RT-AC68U otherwise meets all my current needs.

P.S. Frankly, I'm sometimes tempted to move my primary router to this same PC, running either DD-WRT or pfSense, and relegate these routers strictly to AP duties.
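The selective routing described in the posts above (chosen LAN clients through the tunnel, everything else on the normal route), sketched for a Linux gateway such as a Pi or small PC. This is an added example, not a script from any poster; the interface name `wg0`, table number 100 and the client addresses are assumptions, and it only prints the `ip` commands rather than running them.

```shell
#!/bin/sh
# Added example (not from the thread): dry-run generator for source-based
# policy routing on a Linux VPN gateway. It only prints commands.
# Assumptions: tunnel interface wg0 already up, routing table 100.
VPN_IF="${VPN_IF:-wg0}"
VPN_TABLE="${VPN_TABLE:-100}"

# Accept only dotted-quad IPv4 with octets 0-255, so nothing else can
# end up inside a generated command line.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the commands that send each listed client through the tunnel and
# leave every other LAN device on the main routing table.
gen_vpn_policy() {
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "invalid client address: $ip" >&2; return 1; }
    done
    # Default route of the VPN table points at the tunnel.
    echo "ip route add default dev $VPN_IF table $VPN_TABLE"
    # Higher-metric fallback: if the tunnel interface goes away and its
    # route is flushed, selected clients get "unreachable" instead of
    # falling through to the main table and leaving via the WAN.
    echo "ip route add unreachable default metric 1000 table $VPN_TABLE"
    prio=1000
    for ip in "$@"; do
        echo "ip rule add from $ip/32 lookup $VPN_TABLE priority $prio"
        prio=$((prio + 1))
    done
}

# Constructed sample: two clients that should always use the VPN.
gen_vpn_policy 192.168.1.20 192.168.1.30
```

Review the printed commands before running them as root; clients that are not listed keep using the main table and bypass the VPN.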
 
I believe @blade12 is looking for an easier solution. When you don't know software, you have to buy more hardware. *

* - from my own experience :)
 
That's understandable.

That was my exact thought when I began thinking of using a Raspberry Pi 4 for that purpose. I suspect the way to do it is by using the Pi as a gateway between the cable modem and router, then setting up WireGuard.

However, I don't know how well encryption would work on the Pi. I don't even know if performance would be equivalent to the AES hardware acceleration that certain new routers nowadays have for use with OpenVPN. That made me pause and re-think everything. I was getting too ahead of myself when I made this thread. I also reckon I might be coming to the end of the AC68U's life after 6 and a half years of heavy use on many different devices. It may be time for the little guy to rest and be relegated to backup router. Maybe it might be worth upgrading the router once and for all and solving the VPN issue in one swoop.

Sadly, I am not having much luck finding Wi-Fi 6 routers that support WireGuard out of the box. I only found the GL.iNet GL-AX1800 (Flint) and the Belkin AX3200. The Belkin one seems to be a fairly significant downgrade from the Asus AX68U in performance. I can't find reviews on the GL.iNet Flint. We shall see.
 

FYI. The reason the RT-AC68U has such bad performance w/ OpenVPN has less to do w/ the lack of hardware encryption (AES) support, and far more to do w/ the fact it runs in user-space. It can't handle the numerous ring changes between user-space and the kernel very efficiently. And you can see the difference when you install DD-WRT and configure for WG (WireGuard), which does run in the kernel. Suddenly your VPN performance triples (!), despite no AES support. I just did a retest a few minutes ago, and I'm currently seeing 30Mbps w/ OpenVPN vs. 111Mbps w/ WG (3.7x faster!). If anyone had the inclination to do the same for OpenVPN, I'm sure you'd see the same thing. Of course, AES would further boost performance as well. But it's a mistake to think the lack of AES support tells the whole story, at least w/ this particular router and others w/ similar specs.

So the answer may ultimately be WG support, NOT necessarily a new router. But I don't know what the support will eventually look like. Will it support multiple WG clients? Will it support selective routing? Will it be integrated into the VPN Director? Etc. Of course, I certainly don't expect all these things to happen immediately. It's still going to take some time to have full integration. But at least for the simple cases, WG may be the lifesaver for some users. Esp. for those loath to spend money on a new router solely to resolve this one problem.
 
Plus, WireGuard doesn't even use AES hardware acceleration. Hardware acceleration/AES only applies to OpenVPN*. WireGuard uses something else called ChaCha20. ChaCha is much more effective, efficient, and significantly faster. And ofc the code is much simpler/shorter. WireGuard, as a protocol, is just so much superior to OpenVPN. OpenVPN is still tried and tested so still has its use, but has its limitations.

*I looked into that when RMerlin said that hardware acceleration was turning off on the Asus router whenever WireGuard was turned on (in beta firmware). It's to be expected because WireGuard simply doesn't use AES.


Ultimately, I don't expect older routers to get WireGuard support, even if it was possible. The official version of WireGuard was released just last year. I don't expect companies to test and add a firmware update with WireGuard for routers released years ago. That might be why I only see the AX routers for Asus getting WireGuard and the newest routers for other companies out there.

Beta - ASUSWRT 386 RC3-3 public beta for IPv6 DDNS and IPv6 VPN server | SmallNetBuilder Forums (snbforums.com)

So just seeking WireGuard support by itself might require a new router. Unless I decide to set up a DIY project like a Raspberry Pi or a small-factor PC like yours or something as a gateway to handle VPN client duties.
 

You are confusing NAT acceleration (Runner, Flow Cache) with AES instructions in CPU. You can't turn off AES, used or not.
 

Does the AES hardware acceleration work with WireGuard? I was of the understanding from quite a few posts that the hardware acceleration wouldn't work with WireGuard and would only work with OpenVPN.
 

As far as I know, WireGuard doesn't use the AES cipher, it uses ChaCha20. Still, NAT acceleration is different from the AES acceleration you are talking about. What RMerlin mentioned in the RC-3 beta thread is that Asus is disabling part of NAT acceleration. This means your router may not be capable of more than 350Mbps WAN-LAN traffic, no matter how fast WireGuard may run in theory. Testing is needed when WireGuard becomes available. Again, still in beta.

 
