MikroTik RB750GR3 hEX Router & VPNs

Status
Not open for further replies.

barlo

New Around Here
I am wanting to get a VPN next month (been putting it off for a year now), and been researching which ones are compatible to install on my router:

https://wiki.mikrotik.com/wiki/OpenVPN

I'm running XP Pro and this weird little router that has proven to be fantastic....but the two disqualify most VPNs, so my choices are:
Anonine
AirVPN
Express VPN
FrootVPN
IVPN
SaferVPN
VPNArea
All of the above mention OpenVPN capability on their websites. Does this mean I can install one of these VPNs on my router? None of these VPNs have inhouse clients that work on MikroTik, so the OpenVPN route seems like the only choice. I'll have a tech guy come by to mess with the setup, but at $100 an hour, I need to make sure this is doable beforehand.

Lastly, at least one above (Anonine) does not have a killswitch, but I think something can be rigged in the router (https://forum.mikrotik.com/viewtopic.php?t=130397). Does this look possible?
 
The killswitch is relatively straightforward. However, Mikrotik has very poor OpenVPN support, especially as a client. The main issues being that it does not support UDP, nor the latest fixes and features such as those from the major OpenVPN 2.4 patch. Mikrotik in general has poor VPN client support, it can be ok as a VPN server though.

If the intent is simply to hide traffic from your ISP, then you may be better off or have no choice but to use L2TP/IPsec or even PPTP if you insist on using Mikrotik. However, this is very dependent on the VPN provider. Increasingly, VPN providers are eliminating their L2TP and PPTP support due to the tiny customer usage of these protocols and their much lower security.

In short, if I were you, I would use some other device internally, e.g. something that can support OpenWRT, if you do not need high VPN performance (less than 50 Mbps). Alternatively, for high performance an Asus RT-AC86U (up to 200 Mbps) or an x86 box or virtual machine on an x86 platform (up to the throughput limit of what almost any VPN provider gives to residential customers) would be ideal.
 
Well, I'd consider replacing the MikroTik, but only with another 'wired-only' router. If you know of such a rare critter, I'd look into buying it, but $300 is likely the most I would pay. I absolutely would never have any sort of wireless/wi-fi/bluetooth device here. Never trusted that junk....not when it used WEP, even less when WPA was broken, and WPA2 not at all. To each his own, but I have always viewed it as a security breach waiting to happen, and history has never proven me wrong. Sooner or later WPA2 will fall, and be replaced with a new version, and on it will go.

Anyway, OpenWRT and all similar that requires a wireless router is a no-go here. A quickie search for 'wired-only' routers turned up just as few as two years ago, when I bought the MikroTik:

Ubiquiti EdgeMax EdgeRouter Lite ERLite-3 512MB Memory

Ubiquiti Networks - ERPOE-5 - EdgeRouter POE 24VDr C 1.25A Power Adapter

Cisco Systems Gigabit Dual WAN VPN 14 Port Router (RV325K9NA)

According to online speed test, I get download @ 16.3 Mbps and upload @ 1.0 right now, so "high performance" is likely not important.
 
With such a slow connection, the Mikrotik may be all that you need, especially if your chosen VPN provider has L2TP/PPTP as a backup.

---

However, for a more reliable and better performing solution, I was not talking about replacing your Mikrotik. You can just get a second router and use it as a VPN Gateway. It does not matter whether the second router has wireless or not, since you should be able to just disable the wireless entirely if you wish. The only important factors are that the CPU is sufficiently fast enough for your throughput needs and that it supports VPN clients or can be flashed to support such.

The easiest to use and quite flexible options for a VPN router are anything that can run Asuswrt or better yet Asuswrt-Merlin. For your speeds, RT-AC66U B1 should be more than sufficient. There are even cheaper options that can run Asuswrt, DD-WRT, Tomato or OpenWRT. However, they are likely to be less flexible (cannot run latest Merlin for Asus devices) and more involved to set up, since you may have to flash them for third-party firmware.

Finally, if you absolutely insist that it is a wired-only router, there are SOHO/SMB routers like Ubiquiti Edgerouters, e.g. the cheap Edgerouter ER-X, that can be configured as a VPN router. However, they are more difficult to configure than consumer routers.

Here is an idea of what you'd be trying to set up in general:

Separately, given the low performance of your Internet connection, the modern Smart Queue Management (SQM) of the ER-X may be tempting enough to replace your Mikrotik as your primary router in order to minimize bufferbloat whenever you inevitably saturate your connection, especially your tiny upload. In that scenario, you could ditch the Mikrotik entirely (or use it as just a switch), and use policy routing on the Edgerouter to split VPN and non-VPN traffic instead. However, this is quite technical and may require more maintenance as you add and remove devices from your network.
 
Thanks for the info. I know very little about this topic. As said, I have a tech guy to come around to deal with the MikroTik. All I need to do is be able to call him, have all necessary equipment available for him to do the job, and have a list drawn up to tell him what I want done. Now so far as I know, "Asuswrt, DD-WRT, Tomato or OpenWRT" only work on wireless routers, and as said, I do not allow wi-fi past my door, so I'd guess this is not an option. My current setup consists of my PC, monitor, VDSL modem, & MikroTik hex RB750Gr3 router. Maybe my landline phone? So far as I know, my inkjet and laser printers are not connected to the internet, nor is the TrippLite LS606M. As this setup will not be changing, a switch is likely overkill, so sounds like I need to replace the MikroTik with an Edgerouter. I assume this leaves these choices:

https://www.amazon.com/dp/B0144R449W/?tag=snbforums-20

https://www.amazon.com/dp/B00YFJT29C/?tag=snbforums-20

https://www.amazon.com/dp/B00HXT8EKE/?tag=snbforums-20

https://www.amazon.com/dp/B00VK4L3SI/?tag=snbforums-20

Which would you say is the best choice for my situation? Currently my practice is to turn off the PC via software, then cut power to the PC when not in use. My MikroTik does not mind this, and gives no problems....can I assume the EdgeRouter will be the same?
https://www.amazon.com/Mikrotik-RB7...s&sprefix=mikrotik+hex,electronics,233&sr=1-1
 
You can turn off the radios and then they become 'wired-only' routers.

I could also cut off the antenna, superglue the switch to 'off', wrap it in aluminum foil, forge a lead box to house it in, and buy a wi-fi jammer to set on top....like one guy did....or I could just not buy any wi-fi crap at all. I have a couple remotes for my TV, VCR, and DVD recorder. I think that is quite enough wireless junk.
 
I don't know why you feel the need to be so offensive when people are trying to help you. You said yourself that wired-only routers were "rare" so I was merely pointing out a way for you to increase your options. I appreciate that you don't trust wireless devices but as I said, the radio part can be turned off and the antennas removed.
 
That was my branded hybrid form of surreal/satirical humor, but trust me, I can be offensive. For example, what does "I absolutely would never have any sort of wireless/wi-fi/bluetooth device here" tell you? Apparently not much, or at least, not enough....unfortunately I know of no way to make it clearer.
 
Inappropriate behavior. Be respectful to others or be gone.
That you're either exaggerating or you don't understand what an "off switch" does.

So in other words, instead of paying attention to what was written "I absolutely would never have any sort of wireless/wi-fi/bluetooth device here" you preferred to listen to what the voices in your head were claiming I actually meant to say? I wrote that for the express purpose to dissuade argumentarians and contrarians from turning into a debate, what was never open to debate, yet here we are. Silly you....'no' really did mean NO! I don't exaggerate and I understand what an off switch is, I simply don't give a ding-dang whether it has one or not, as the very fact of any device being in any way, shape or form wi-fi capable, automatically means it NEVER comes into my space.

Any switch that can be turned off can be turned on again. For all I know, some blackhatter might figure out how to do so remotely. Wi-Fi crap is a security breach waiting to happen. WEP was breached, WPA was breached. WPA2 will be breached sooner or later. Only fools make the same mistake again and again and again. I don't. Wireless junk is banned here. Permanently. You love it? You use it. You deal with the consequences!

Might I suggest you cease listening to the voices in your head, and pay more attention to what is actually written in posts, and not interpreting what was written to support your debate-club fantasies? As for your OCD-like fixation to debate what is not open for debate...perhaps electroshock therapy?
 
I don't think you fit in this forum here. We try to help everyone. Not everyone wants help though.

Your response to ColinTaylor is very unwelcome here. Not to mention very immature.
 
Mikrotik supports OpenVPN via TCP only currently, for any other VPN config it does quite well and as long as you pick a hardware supported encryption you can get decent speeds with the RB750Gr3.

You also have to remember that this is a forum, everyone has different experiences and expertise. I have set up various VPN configs with Mikrotik but most of them are personal (own VPN server/service, own VPN architecture) rather than using a public VPN service. Most VPN services also have multiple VPN types as well and any VPN type is fine for a tunnel, but if you are looking for security to encrypt your traffic between you and the server, your best choices are IPsec or OpenVPN.

With VPN routing you have to be very specific on what you are trying to achieve, to route all traffic or some, to also route DNS requests through the VPN rather than router too for clients on VPN. If you don't know terminologies that means you don't know much about networking and may be better off with a more user friendly router like pfSense, otherwise just ask what they mean or google it up.
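
An added example, not part of any post in this thread: a small Python check that reads a provider's `.ovpn` profile and flags what the replies above say a MikroTik OpenVPN client cannot use (UDP transport and features that arrived with OpenVPN 2.4). The function names, the directive list and the sample profile are assumptions constructed for illustration; whether a given RouterOS release has since added any of these is not asserted here.

```python
# Directives that first appeared in OpenVPN 2.4; treated as unsupported on the
# router because the thread says 2.4 features are missing (assumption).
OVPN_24_DIRECTIVES = {"tls-crypt", "ncp-ciphers", "compress"}

# Constructed sample, not a real provider profile.
SAMPLE_PROFILE = """\
# example provider profile
client
dev tun
proto udp
remote vpn.example.net 1194
remote vpn.example.net 443 tcp
cipher AES-256-GCM
tls-crypt ta.key
"""

def parse_profile(text):
    """Yield (line_no, directive, args); inline <tag>...</tag> bodies are skipped."""
    closing = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if closing:                      # inside an inline key/cert block
            if line == closing:
                closing = None
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("<") and line.endswith(">"):
            name = line[1:-1]
            closing = f"</{name}>"
            yield no, name, []           # e.g. <tls-crypt> counts as tls-crypt
            continue
        name, *args = line.split()
        yield no, name, args

def check_for_tcp_only_client(text):
    """Return [(line_no, message)]; line_no 0 means a profile-wide finding."""
    findings, remotes = [], []
    default_proto = "udp"                # OpenVPN's default when 'proto' is absent
    for no, name, args in parse_profile(text):
        if name == "proto" and args:
            default_proto = args[0]
        elif name == "remote":
            remotes.append(args)
        elif name in OVPN_24_DIRECTIVES:
            findings.append((no, f"'{name}' is an OpenVPN 2.4 feature"))
        elif name == "cipher" and args and args[0].upper().endswith("-GCM"):
            findings.append((no, f"AEAD cipher {args[0]} needs OpenVPN 2.4"))
    # 'remote host [port] [proto]': a per-remote proto overrides the default.
    protos = [(r[2] if len(r) > 2 else default_proto).lower() for r in remotes]
    if not any(p.startswith("tcp") for p in protos):
        findings.append((0, "no remote is offered over TCP"))
    return findings

if __name__ == "__main__":
    for line_no, msg in check_for_tcp_only_client(SAMPLE_PROFILE):
        print(f"line {line_no}: {msg}")
```

A profile that comes back with no findings still needs its certificates and credentials imported on the router; the check only answers whether the provider's settings fall inside the limits described in the thread.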
 
Good info. Just have an issue with pfSense being user-friendly! :eek:

I found it anything but. Very easy to install from bare metal. Impossible to do anything worthwhile with it that can easily be achieved in an RMerlin powered router. The dealbreaker for me was that performance actually declined with each day of uptime on the heavily overbuilt box (i5, 16GB RAM, SSD, 2x Intel NICs).

But... Maybe I'm not as network knowledgeable as I (sometimes) think I am either? :D:oops:o_O:p
 
There's always more to learn about networks every time.
 