Point-to-point VPN Questions

dbender

I spend my winters in Mexico and summers in Colorado. In the past, I've used StrongVPN through my RT-N16 (with DD-WRT's OpenVPN) for access to Pandora, Hulu, etc. But some of these web services blocked my access at times last winter, as many StrongVPN customers found. (They now recommend their new StrongDNS service.)

I'm considering setting up my own VPN server in Colorado and connecting to that from Mexico, instead of using a commercial VPN service. In addition to being less likely to be blocked by Hulu et al., this would give me a Comcast IP address, which might help with access to certain TV networks. So my questions:

1. I have an RT-N56U in Colorado. Since it does not have a Broadcom chip, I'd be limited to PPTP. How much of a security concern should this be? Would I be smart to buy an RT-AC56U and run OpenVPN (Merlin FW)?

2. I plan to switch my RT-N16 to Merlin's firmware, but I think I read somewhere that this router has issues with OpenVPN, or at least that it is somehow less capable than the other Asus routers with Merlin fw. Do I need to switch out this router as well?

3. What about using an unattended router as my only stateside VPN server? Any recommendations for increasing reliability? Maybe a timer that temporarily cuts power to the cable modem and router early each morning? I've thought about using a WAN-accessible AC outlet; while I could use this to turn off power to the modem and/or router, how would I turn them back on? Maybe there is a device that would turn off power on command and then automatically restore it 30 seconds later or something?

Any other concerns or comments on this general plan are very welcome. I'm not sure I even know all the questions I should be asking yet. Thanks.

Duane Bender
 
Running a VPN on two consumer grade routers may make your connection so slow that streaming video won't work.

Instead I would recommend that you look at installing a SlingBox at your home in Colorado then you can watch your video sources anywhere in the world without the slow down penalty of a VPN. It always works for me if I have at least a 1.5 Mbps connection or better at the receiving end.

I'm surprised that you have had problems with StrongVPN because they have always worked well for me. One thing in their favor is they give you a static IP which makes it harder to blacklist a specific IP used by many.

Whatever you do, if a video provider wants to geo block you, they can, even if you are using a VPN.
 
If you're concerned about security, there's only one way to go--site to site ipsec vpn.

So you can get a smb router that does site-to-site. And then you can run pptp over that to get on your local network. I've done this very easily and successfully with the Cisco rv series of routers. You don't have to worry about the security of pptp since it's inside of an ipsec tunnel that's always up.

Plus, the added benefits are you can see your network in colorado, so you can see any network cams, computers, servers, printers, etc.

I like the slingbox idea too, but I know nothing about them.
 
@CaptainSTX:

StrongVPN worked perfectly our first winter in Mexico. But in April of this year, shortly before we returned to Colorado, Hulu started blocking me. There were a couple posts on http://blog.strongvpn.com about the issue, and when I left on May 1st, their only answer was to sign up for their StrongDNS service. I don't know when or if they ever resolved Hulu access through StrongVPN, but this made me think I need to consider setting up my own VPN service, which I assume Hulu and others would be unable to detect.

I am considering using a SlingBox hooked to my DirecTV box in Colorado, and leaving my DirecTV service running over the winter (I suspended it last winter). This would leave me without Hulu and possibly other geo-restricted services unless I also use StrongDNS or a VPN service, but it would probably work for us. (I'll check to see whether any of the SlingBox devices include internet apps like smart TVs and blu-ray players do.)

I was surprised to see your concern about VPN throughput speed of consumer routers. Do you, or anyone else, have any idea of the VPN throughput of the RT-AC56U? Wouldn't it at least match the 5 MBPS upload I get from Comcast?

And thanks for your response.

Duane
 
@Samir:

Thanks for the response.

So I would use something like the Cisco RV180, I assume using one on each end, and configure each end like this:

ISP modem <-> RV180 <-> ASUS router (configured as AP)

Is that correct? And would this require static IPs or any other change in service from my ISPs? I have a Comcast cable modem in Colorado and a Telmex ADSL modem in Mexico, both currently with dynamic IPs, though I do have dynamic DNS service from dyn.com in both locations.

And finally, would configuration of an IPSEC VPN on these routers be done via GUI or CLI? I was able to install DD-WRT and follow StrongVPN's instructions for setting up OpenVPN, but that's about the limit of my capability. I don't mind using telnet to set up a router, but I would need detailed instructions, hopefully available from Cisco.

Thanks again.

Duane
 
To get around geo blocking you really don't need to use a secure method of encryption on your VPN. PPTP is fine, though with StrongVPN I have found OpenVPN to be faster. If someone, i.e. a video service provider, wants to really verify where you are, they can use a more sophisticated method than just checking your public IP's location. Aereo, to verify your location, looked at your WiFi neighborhood and based on that determined where you really are, down to the neighborhood. Amazon Prime, when you purchase/rent a video, verifies that you have a credit card with a zip code in the area of your IP. Other suppliers check your system clock, and if it doesn't match the time in the area where your IP is, then you are SOL.

As for the speed reduction the rule of thumb is that even using a powerful new SOHO router and running a VPN you will be doing well, based on my experience, to get 66% of your bandwidth. If you have two routers running a VPN then the reduction might be even more drastic.

In your case you can probably get by without using a VPN at either end if all you are doing is streaming video from Colorado to Mexico. Just set it up so you can connect to your Colorado router remotely and it will in turn connect you to your desired US video source. Without the necessity of encryption/decryption your connection should be faster than using the VPN.
 
Just set it up so you can connect to your Colorado router remotely....

Okay, sounds good, but how do I do that? I need the RT-N16 in Mexico to have a WAN IP address from Comcast in Colorado, so that my Roku and smart TV appear to be in Colorado. Wouldn't I still at least have to use the built-in PPTP VPN server on the RT-N56U in Colorado, and the DD-WRT VPN client on the RT-N16 in Mexico? Even if I don't need to worry about security, I thought the VPN tunnel was necessary to get the Colorado IP address.

As far as security, I know I don't need (or, really, want) the video feeds to be encrypted. The only reason I asked about the security of using PPTP is the possibility of someone else getting access to the VPN server. Is that not an issue? Is it sufficient to use a really strong password for the PPTP credentials?

By the way, one of the things StrongVPN advised us to do back in April was to set our router's time to match the VPN server we were using (Pacific time for me). If I set up the point-to-point connection to Colorado, I will set my router in Mexico to Mountain time.

And thanks again for taking time to try to help me.

Duane
 
I was surprised to see your concern about VPN throughput speed of consumer routers. Do you, or anyone else, have any idea of the VPN throughput of the RT-AC56U? Wouldn't it at least match the 5 MBPS upload I get from Comcast?

And thanks for your response.

Duane
I don't have any experience on anything outside the Netgear fvs series and the Cisco rv series, but you can get up to full line speed depending on what the router is spec'd at. I would check the reviews here as they have great details like max site-to-site speeds.

I would think you wouldn't have a problem hitting the 5 up from Comcast.
@Samir:

Thanks for the response.

So I would use something like the Cisco RV180, I assume using one on each end, and configure each end like this:

ISP modem <-> RV180 <-> ASUS router (configured as AP)

Is that correct? And would this require static IPs or any other change in service from my ISPs? I have a Comcast cable modem in Colorado and a Telmex ADSL modem in Mexico, both currently with dynamic IPs, though I do have dynamic DNS service from dyn.com in both locations.

And finally, would configuration of an IPSEC VPN on these routers be done via GUI or CLI? I was able to install DD-WRT and follow StrongVPN's instructions for setting up OpenVPN, but that's about the limit of my capability. I don't mind using telnet to set up a router, but I would need detailed instructions, hopefully available from Cisco.

Thanks again.

Duane
Exactly. Because you already have dyndns, you should be good with that as most routers support that now as a fqdn. Even if they don't, if your IPs change as often as ours (next to never), you only need to get the new IP from dyndns and then log into the router and just change the vpn config.

As far as configuration, if you've installed dd-wrt and worked with openvpn, you're already qualified in my book. :) I haven't messed with dd-wrt as the possibility to brick something scares me pretty good. But almost any firmware update scares me like that.
To get around geo blocking you really don't need to use a secure method of encryption on your VPN. PPTP is fine, though with StrongVPN I have found OpenVPN to be faster. If someone, i.e. a video service provider, wants to really verify where you are, they can use a more sophisticated method than just checking your public IP's location. Aereo, to verify your location, looked at your WiFi neighborhood and based on that determined where you really are, down to the neighborhood. Amazon Prime, when you purchase/rent a video, verifies that you have a credit card with a zip code in the area of your IP. Other suppliers check your system clock, and if it doesn't match the time in the area where your IP is, then you are SOL.

In your case you can probably get by without using a VPN at either end if all you are doing is streaming video from Colorado to Mexico. Just set it up so you can connect to your Colorado router remotely and it will in turn connect you to your desired US video source. Without the necessity of encryption/decryption your connection should be faster than using the VPN.
You know, this made me think of another solution that I'm now using for a client--rdp. RDP takes care of a lot of the compression and getting rid of unneeded transfers. And it also supports video quite well with sufficient bandwidth. Then you don't have to worry about any geolocation because the computer is actually there.
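
Added example, not part of any post in this thread: a small Python check for the dynamic-IP situation discussed above, where a site-to-site tunnel has the remote peer typed in as an IP address and the ISP later changes it. It compares the pinned peer with the current dynamic DNS record and, going slightly beyond the thread, also flags a DDNS record that points at a NAT or carrier-grade NAT address the other gateway could never reach. The hostnames, addresses and the `fake_resolver` lookup table are constructed placeholders.

```python
import ipaddress
import socket

# Ranges a DDNS client behind NAT or carrier-grade NAT may publish by mistake;
# a remote IPsec gateway can never reach these.
UNREACHABLE = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def resolve_ipv4(name, resolver=socket.getaddrinfo):
    """Return the sorted IPv4 addresses for name, or [] if the lookup fails."""
    try:
        infos = resolver(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except OSError:
        return []
    return sorted({info[4][0] for info in infos})

def check_peer(configured_peer, ddns_name, resolver=socket.getaddrinfo):
    """Compare the peer typed into the tunnel config with the DDNS record."""
    try:
        pinned = ipaddress.ip_address(configured_peer)
    except ValueError:
        # Peer is configured as an FQDN, so the router re-resolves it itself.
        return ("fqdn", None)
    current = resolve_ipv4(ddns_name, resolver)
    if not current:
        return ("unresolved", None)
    if str(pinned) in current:
        return ("ok", str(pinned))
    candidate = ipaddress.ip_address(current[0])
    if any(candidate in net for net in UNREACHABLE):
        return ("ddns-not-public", str(candidate))
    return ("drift", str(candidate))

# Constructed resolver standing in for DNS so the example runs offline.
def fake_resolver(name, port, family, socktype):
    table = {"colorado.example.net": ["203.0.113.10"],
             "mexico.example.net": ["192.168.1.254"]}
    if name not in table:
        raise socket.gaierror("no such host")
    return [(family, socktype, 6, "", (ip, 0)) for ip in table[name]]

if __name__ == "__main__":
    for peer, name in [("203.0.113.10", "colorado.example.net"),
                       ("198.51.100.7", "colorado.example.net"),
                       ("198.51.100.7", "mexico.example.net")]:
        print(peer, name, check_peer(peer, name, fake_resolver))
```

A "drift" result is the case where the tunnel configuration has to be updated with the new address; "fqdn" means the gateway is already following the hostname and nothing needs changing by hand.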
 
