Author Topic: Recommended stand-alone VPN servers?  (Read 501 times)


Offline Bicurico

  • Frequent Contributor
  • **
  • Posts: 994
  • Country: pt
    • VMA's Satellite Blog
Recommended stand-alone VPN servers?
« on: September 16, 2019, 08:06:18 pm »
Hi,

As a follow-up to this thread: https://www.eevblog.com/forum/security/rdp-brute-force-attacks-on-my-pc-caused-monitors-to-flash-black/

I ended up with this odd situation:

- My ISP provides me with a router for fibre. It has an RF connector with CATV and DVB-T, analog phone connectors and of course 4x 1GBit LAN ports. There is no way I can replace this router and it does not offer VPN server functionality.
- My internet connection is 1GBit/s download and 200MBit/s upload.
- I need to use RDP with a big bandwidth. I acknowledge that I should not open the RDP port to the internet and use VPN instead.
- Currently I use a cheap TP-Link router with DD-Wrt as an access point (I have three actually) and one is acting as the VPN server.

This solution has an issue: the TP-Link acting as VPN server has too little performance and the RDP session run through VPN is several magnitudes slower compared with a direct RDP access without VPN.

Conclusion: I want a FAST VPN server!

I was recommended to NOT run a VPN server on the computer I want to RDP to, for the same reasons I should not open the RDP port. Makes sense, kind of...

So I went today and bought what seemed the best option router-wise, considering my budget: an Asus RT-AC1750U. The "U" meaning it is NOT compatible with DD-WRT, Merlin or OpenWRT.

I bought it because it is modern and has a dual core CPU. Plus, the stock firmware has a VPN server.

Turns out, that Asus decided that you can only get to use the VPN server if you run the device in Router mode. If you configure it to Access Point mode, it won't even show the VPN menu.

This sucks, because in Router mode, the device expects incoming VPN requests only on the WAN port, which has to be in a different subnet.

Having two routers in series is not that nice, because I would have to configure the ISP router to consider the second router in the DMZ. While that is not a real problem security wise (the router is supposed to be connected to the internet anyway), it will add lag (an additional router) plus I am not so sure about other oddities like UPnP issues.

No problem money-wise, as I can return the router for a full refund.

HOWEVER (and this is the question): I did not find any solution for my problem!!!

1) There seems to be no DD-WRT compatible router (DD-WRT being a FW I like and which for sure would do what I want)
2) I did not find any (professional, but on the lower end of prices) stand-alone VPN server. Is there any? Remember: I don't want a router - I already have one, which I need to use.
3) I don't want to set up a whole dedicated computer (too expensive energy-wise). Of course I could use one of my three IBM M3650M3 servers, one even has full network options with, I don't recall, some 10 or more LAN ports... But this beast is too loud and consumes too much power for 24/7 use. In case you are wondering, I use them for R&D (automated multi-session CAM programming).

*** SO HOW SHOULD I SET UP A FAST VPN? ***

Thank you gentlemen! I hope I get some expert suggestions, especially from those that pushed me towards the VPN solution in the first place...  >:D :)

Regards,
Vitor

Offline Bratster

  • Regular Contributor
  • *
  • Posts: 242
  • Country: us
Re: Recommended stand-alone VPN servers?
« Reply #1 on: September 16, 2019, 08:29:20 pm »
Can you set your ISP's router to something like bridge mode or modem mode?

Or disable the DHCP server so it just passes through your internet, that might require a static IP though.

Then you'll be free to use whatever router you want.



That's what we do at multiple locations that we get cable internet at. We use the cable company's modem/router but we set it up in either bridge mode or DHCP disable and then use our own router.

But we have static IP addresses at each of those locations, I'm not sure if you can do the same thing if you're only getting dynamic addresses from your ISP.


 

Offline Bicurico

  • Frequent Contributor
  • **
  • Posts: 994
  • Country: pt
    • VMA's Satellite Blog
Re: Recommended stand-alone VPN servers?
« Reply #2 on: September 16, 2019, 09:28:56 pm »
I just tried it:

Configured ISP Router to a different LAN IP, activated DMZ to point to router WAN IP, configured router LAN to the previous IP.

So now I have two routers in series.

Apparently (and against my fears) it actually seems to work.

Now I just need to test the resulting VPN speed.

I will keep updating this with my results.

Offline Bicurico

  • Frequent Contributor
  • **
  • Posts: 994
  • Country: pt
    • VMA's Satellite Blog
Re: Recommended stand-alone VPN servers?
« Reply #3 on: September 17, 2019, 08:58:44 pm »
Update:

I was going to return the router, but then I decided to give it another try.

I hooked it up after the ISP router and configured everything so that the ISP router forwards all traffic (DMZ) to the Asus router.

The IPTV box does work, because I had a spare RJ45 cable going to the living room, which is directly connected to the ISP router. It would not work when attached to the Asus router: I guess the IPTV stream is not forwarded.

After setting everything up and winning the fight of the common stupid errors like wrong IPs, etc., the result is actually quite good.

Trying to measure the VPN speed from my company to home, I actually reached the limit of the bandwidth of our office internet (just 20MBPS). Thursday I will try to VPN from the Uni and let's see how fast that will go. But yes, the new router is much quicker on VPN than the old TP-Link one.

The VPN connects in less than 5 seconds, too, whereas before it would take much longer.

Having to connect to VPN first is not that bad, actually, and I got VPN to work on my phone, too.

I tested all services and they all do work, including UPnP.

Guess I was being the guy resistant to change.

Another nice feature of this setup is that I now have two subnets: the one from the ASUS router, which is my "main" subnet and the subnet from the ISP router. Interestingly (to me, at least) I can access both subnets from my PC, without having to switch cables or changing IPs. That makes sense, because the ASUS router forwards the unknown subnet to the ISP router, which knows what to do!

Conclusion: I think that was money well spent, after all. I have a fast VPN server and by using RDP over it I have a new layer of security at decent speed.

Regards,
Vitor

