VPN Gateway Hardware requirements? (& recommendations?)

[JTnola]

I am toying with the idea of investing in some kind of VPN gateway hardware/appliance — the sole purpose of which would be running the client side of the commercial OVPN I use on my network. Currently, I run the client on my RT-AC86U. My main interest in making the change would be speed — I recently became a Verizon Wireless 5g Home Internet customer, and I’d like to better utilize as much of the tremendous boost in speed as possible.

So I guess… a device that can take advantage of NES acceleration & OVPN-DCO … and that has more/better optimized processing power for the task at hand than my current router/other consumer routers out there.

If anyone has suggestions/recommendations for a device type or model, I’m all ears. But even just some basic info about system requirements to meet my needs/wish list, as specified above, would be much appreciated. (Also if you think this is a foolish endeavor, I’d be glad to hear that feedback as well.)

THANK YOU!

 

[Tech9]

Also if you think this is a foolish endeavor, I’d be glad to hear that feedback as well

If network-wide VPN is the idea - see my answer to another forum member below.

NordVpn speed test 75% slower

Disclosure, new to VPN world as well as custom fw's. Did search the Google but nothing specific to my issue that I could find. Just installed 388.2b1 on a tester & m&m'd RT-AX86s router. Working fine for 2 days so went ahead and installed Diversion lite using the Adguard family DNS option in...

www.snbforums.com

 

[Tech Junky]

OVPN

This is the first issue when it comes to speed and resources.

OVPN in a home setting even with the best HW tops out at about 600mbps. So, depending on your ISP speed it makes a difference on whether or not you should switch gears to an appliance or DIY your own setup.

Wire Guard or other names for the same tech under different brands is going to be faster and less resource intensive. Most consumer routers limit you to a single provider unless you flash them to another firmware. Even then outers typically suck at handling VPN processing because the gear is not designed to do so. If you want something to just unbox and supply your credentials for connecting to a VPN services it's going to be a bit pricy. You would be looking at SMB level gear at a minimum and those start out at least around $1K. This is where a DIY setup competes for performance and multiple uses if you want to roll in a NAS or DVR or you name it because you have the space to do so.

I went DIY for a few reasons but mostly because of the junk firmware being pushed out with issues and breaking other things while fixing others. Taking things into my own hands seemed like a better idea than relying on vendors to fix their mistakes in a timely manner. You can make it as simple as you want or complicated as you'd like as well. I've played around with all of the options posted around the net when it comes to firewalling things and using KISS methodology yields the best performance.

All you really need to go DIY is a PC with a NIC that supports 2 ethernet confections and linux. Then google homebrew router for how to set it up. Bare min would be about $200 for a SFF PC / NIC. On the extreme side your imagination and wallet can support.

 

[JTnola]

If network-wide VPN is the idea - see my answer to another forum member below.

NordVpn speed test 75% slower

Disclosure, new to VPN world as well as custom fw's. Did search the Google but nothing specific to my issue that I could find. Just installed 388.2b1 on a tester & m&m'd RT-AX86s router. Working fine for 2 days so went ahead and installed Diversion lite using the Adguard family DNS option in...

www.snbforums.com

Thanks.

By “foolish endeavor” I was thinking more along the lines of the worthiness of proposed implementation as a means to achieve the goal stated … but I appreciate the perspective.

 

[Tech9]

Network-wide VPN is essentially replacing your ISP with some other company with better "privacy" and "security" promises. You deal with the inconveniences and pay both. Ask yourself what interest this other company has in routing all your traffic through their servers for few dollars a month.

 

[Spud]

Network-wide VPN is essentially replacing your ISP with some other company with better "privacy" and "security" promises. You deal with the inconveniences and pay both. Ask yourself what interest this other company has in routing all your traffic through their servers for few dollars a month.

Here in the UK, ISPs are obliged to record and store browsing data for a year and turn it over to various authorities on request.

In my experience, ISPs are none too competent with personal data (one I used was hacked and left me exposed a few years ago), let alone PC Plod.

Looking at NordVPN’s various audits - the latest being in December 2022 by Deloitte - the chances of data being retained or linked with me as a user sound really small.

Privacy seems more attainable with the VPN, so I prefer that. Besides, the performance has been solid - especially since I dialled Skynet down to Firehol Level 1 only (that was your suggestion elsewhere - thanks).

 

[Tech Junky]

UK, ISPs are obliged to record and store browsing data for a year and turn it over to various authorities on request.

That's very insightful. Costly as well for both parties but the ISP housing that much data gets expensive too. Obfuscation via VPN should be something for everyone in the UK to be aware of. For $2/mo it's a cheap privacy measure to keep prying eyes out of your data.

 

[Tech9]

Here in the UK, ISPs are obliged to record and store browsing data for a year and turn it over to various authorities on request.

Like in all 5-6-9-14 Eyes alliance member countries. Six months in Canada as far as I know. Do you have anything to hide? How do you know there is no link from the exit node to another server doing the logging in compliance to local regulations? All popular VPN services lease local (to me) servers in downtown Toronto and serve Canadian citizens. What do you think local authorities say - oh, this company is registered somewhere far, let them break the local law, it's okay...? What about PIA registered in the USA? It's quite popular VPN too. Do you know for sure who runs the show? What about Tor exit nodes? You think some of them are not there in purpose? Don't you think if you run VPN all the time or use Tor you only draw more attention?

For few bucks a month? I own few IT related businesses and it doesn't make sense to me at all. If it's possible now the more people come with the same idea the price will go up or the VPN provider will implement restrictions. Those companies lease servers and Internet links. Someone has to pay.

 

[Spud]

Like in all 5-6-9-14 Eyes alliance member countries. Six months in Canada as far as I know. Do you have anything to hide? How do you know there is no link from the exit node to another server doing the logging in compliance to local regulations? All popular VPN services lease local (to me) servers in downtown Toronto and serve Canadian citizens. What do you think local authorities say - oh, this company is registered somewhere far, let them break the local law, it's okay...? What about PIA registered in the USA? It's quite popular VPN too. Do you know for sure who runs the show? What about Tor exit nodes? You think some of them are not there in purpose? Don't you think if you run VPN all the time or use Tor you only draw more attention?

For few bucks a month? I own few IT related businesses and it doesn't make sense to me at all. If it's possible now the more people come with the same idea the price will go up or the VPN provider will implement restrictions. Those companies lease servers and Internet links. Someone has to pay.

A few bucks a month is also the cost to rent several hundred GB of cloud storage with a provider like Apple - not so far off my monthly internet traffic. NordVPN ought(!) to have none of the storage or backup costs. In many ways, why not a few bucks?

As to the other questions, this has to live or die by its auditors’ hand and the data laws where it’s based. The controls appear stronger than my previous ISP used, who guarded all their customer data with the password “Steve”. Guess what happened.

@Tech Junky, turns out the default position in the UK used to require activity logging for 12 months (not all data), but it was later challenged legally and now requires a specific request from the Secretary of State.

 

[Tech Junky]

How do you know there is no link from the exit node to another server doing the logging in compliance to local regulations?

Since it's basically a paid proxy service they wouldn't be able to tie it to a single user as the exit node handles multiple users. If you're searching for personally identifiable information it could show up as a result but that doesn't mean it was your search. Chances are it was yuh but they would need your machine to confirm.

Security and privacy are a layered approach. Keeping your ISP form seeing anything other than encrypted traffic is step one. Encrypting it end to end is the second hurdle which is harder to do unless the other end is secure as well.

 

[Tech9]

In many ways, why not a few bucks?

Because the more users use the service (server load, VPN is encrypted) and route the traffic through (Internet connection capacity) the cost goes up. All popular VPN providers lease the equipment from big data centers. The more you need the more you pay. The cost is not even close to storage cost.

Keeping your ISP form seeing anything other than encrypted traffic is step one.

It's just moving the "visibility" from one company to another (with better promises) with associated inconveniences and added cost in the process. More and more Internet services detect VPN exit nodes and refuse service from lottery tickets through media streaming to banks and government services. All traffic processing (encryption) creates higher hardware demands, usually reduces throughput and increases latency. Gaming is in question, access to own network is an issue (port forwarding). Depending on what country you live in the inconveniences may outweigh the expected benefits. What happens most often is users come here with network-wide VPN ideas, purchase the equipment and subscriptions and then realize it's not exactly what they expected it to be. Few hundred dollars investment in an experiment. Good thing mini PCs are re-usable for something else.