Hardware Router VPN

[jc101]

Ten years ago I would have recommended Ubiquiti as router and firewall, but they have gone to the cloud now.

How so?
All my Ubiquiti stuff runs entirely locally. There is one exception, which is their doorbell, that requires a (free) UI cloud login to enable push notifications to my phone. It is one of the reasons I like them.

You can enable a cloud login to act as an administrator, I do that for some charities I help out with. They have UniFi kit and I can get alerts to issues and make changes as needed for them via the cloud login. The cloud service acts as a proxy to their local on premise controller, confusingly called a cloud key or cloud gateway, despite not using the cloud for any of the configuration data. I could also VPN onto their LAN and do it "locally", either is fine.

I've recently moved back to using a UnFi router from a MikroTik, hard to ignore the performance of some of the new routers.

[JohanH]

How so?
All my Ubiquiti stuff runs entirely locally. There is one exception, which is their doorbell, that requires a (free) UI cloud login to enable push notifications to my phone. It is one of the reasons I like them.

You can enable a cloud login to act as an administrator, I do that for some charities I help out with. They have UniFi kit and I can get alerts to issues and make changes as needed for them via the cloud login. The cloud service acts as a proxy to their local on premise controller, confusingly called a cloud key or cloud gateway, despite not using the cloud for any of the configuration data. I could also VPN onto their LAN and do it "locally", either is fine.

I've recently moved back to using a UnFi router from a MikroTik, hard to ignore the performance of some of the new routers.

Maybe I have to take a look at their products again. There was a big debate when they started to ramp down the Edgemax devices, and the "cloud" devices received some criticism. And I realize it's quite some time ago. I see now that there are also cheaper models available. Such as maybe the Unifi Cloud gateway ultra. That was one example I found by a quick search.

Edit. I already found one downside. There is no way to add your own, or download existing dnsmasq blocklists on Unifi. That's too bad.

[MarkusAJ]

I want to set up a hardware (router) based VPN at the lab and at home (plus my Android phone).
What do I need?

I know I could just get any of the dozen software based VPN's that are advertised constantly, but I think that having hardware just do it at the router level is way cooler.
I presume my phone will need one of those software options though.

My home router supports OpenVPN and PPTP

My lab router is an old TP-Link C1200 and Google Gemini seems to think it's capable using OpenVPN via tplinkwifi.net ? 

I also have my dedicated server in the US, so can potentially set up a VPN via that server box I presume?

Dave, I would stay away from any of SOHO routers as front end to the Internet.
The AX6000 from TP-LINK may be a good AP choice at home, but I wouldn’t trust it as a router,
the AX6000 can be configured as AP only and link with decent router.

You should check pFsesnse and OPNsense. I didn’t try OPNsense, but I used pFsense since ~2011 as firewall for >10 mln users
(in peak hours > 3Gbs traffic), vpn p-2-p solution and as vpn server for warrior admin users.
Both solutions offer IP layer 2 routing and filtering.

As VPN protocol I suggest OpenVPN, or WireGuard.

Using pFsense, or OPNsense you could link all your locations over p-2-p of your choice
and access it from any place in the world using an vpn client.

pFsense (aka Netgates and formerly Electric Sheep Fencing, LLC) is offering appliances,
but the software is free and you could build your own using older, decommissioned hardware.

Link to pFsense: https://www.pfsense.org/
Link to OPNsense: https://opnsense.org/

Both are based on FreeBSD which in my opinion is best when come to IP protocol.

[EEVblog]

Dave, I would stay away from any of SOHO routers as front end to the Internet.
The AX6000 from TP-LINK may be a good AP choice at home, but I wouldn’t trust it as a router,
the AX6000 can be configured as AP only and link with decent router.

Why?

[MarkusAJ]

Dave, I would stay away from any of SOHO routers as front end to the Internet.
The AX6000 from TP-LINK may be a good AP choice at home, but I wouldn’t trust it as a router,
the AX6000 can be configured as AP only and link with decent router.

Why?

I don’t trust these manufactures, below is link to one of many examples
https://www.tomsguide.com/computing/malware-adware/thousands-of-tp-link-routers-have-been-infected-by-a-botnet-to-spread-malware

I’m working 30+ years in IT and maybe I’m a little bit paranoid, however not without a reason.

Helpful links:
https://www.securityweek.com/
https://thehackernews.com/

[David Hess]

I am not entirely clear what you want to accomplish.

You can link your home and office networks using a pair of almost any VPN routers, so machines on one side can see machines on the other side.  This will also allow your phone to call into your VPN router from anywhere and see everything.  This might be done with OpenVPN, or some other protocol.

I pay Cryptostorm to provide a VPN service over OpenVPN and Wireguard so that machines (or VMs) on my single network can access the internet as if they were somewhere else.  Cryptostorm also provides port forwarding from a routable IPv4 and IPv6 address for higher user ports even though I am behind several layers of NAT.  In case it is not clear, this also gives me full IPv6 access.

Now I have never gotten it to work, but the PFSense/OPNSense router that I use (1) should be able to connect to my VPN service and handle all of the routing to various VPN endpoints, so that my router decides which machines, or even applications, connect to which endpoints.  The problem here is just a matter of getting the configuration right.

I would not trust someone's dedicated router hardware to do this, or pretty much anything these days;  their firmware and support tends to be awful.  Whatever you do, I would recommend x86 hardware running PFSense or OPNSense.  Network appliance type of x86 hardware is available for this, but you could start out with a decommissioned PC that has a couple of extra network ports installed.  Netgate has small routers preinstalled with PFSense which will definitely do anything you need.  Micro

There are VPN providers which will sell/rent a fixed IP to you if you want a fully routable endpoint that will accept any incoming connections, but I am not sure if that is what you are looking for, and it is more expensive.  I remember when getting a static IP over a VPN did not have an additional cost.

(1) PCEngines apu4 - Unfortunately discontinued, but Netgate has similar x86 hardware at higher cost but probably with better support.

[madires]

My only goal is to have an IP address on all machines at home and the lab (plus phone) that is not Australia.

That would be a NAT service, usually miscalled as VPN service. That's basically a VPN connection to a NAT server somewhere around globe supplying you with a different outbound IP address. The original (real) VPN service is something completely different. It's meant to establish a private (encrypted) virtual link between two or more sites over public internet, or between a mobile device and a central site. There are also different forms via leased lines and ISP services. The goal is to connect the sites or mobile devices to access or share internal network services safely.

Regarding TP-Link routers, I'd recommend too to stay away from them or to run OpenWrt if supported. TP-Link has a bad security track record (as bad as D-Link).

[bingo600]

Too much Off topic ...
removed

[gnif]

Finally got some time to respond here properly

@EEVBlog, there is no such thing as a "hardware VPN" device, in years gone by there was when it was important to offload the VPN workload to a hardware device to accelerate the encryption, but these days there is no advantage to using a "hardware" device. They are all embedded Linux devices running VPN client software.

If anything there is a very very good reason to avoid them, which is outdated software and vulnerabilities. Unless your spending big for a enterprise grade device with a support contract, they are not worth touching. You're better served recycling an old PC and installing pfSense or similar which will not only be practically free, but cutting edge and maintainable. Your recycled PC becomes your "hardware VPN" device with more power then any cheapo TP-Link like device.

In the past I have used Wyse Thin Clients for this purpose (They are just embedded PCs in a small form factor), pfSense sings along on them very well and can easily cope with the traffic for most small to medium sized businesses (think, 25+ users).  The only downside here is they usually only have one Ethernet port, which can be limiting and confuse new users on how it could still be viable (ie, VLANs).

If you're willing to spend a bit of cash on something decent, there are fully integrated industrial PCs on AliExpress that are absolutely perfect for this, for example:
https://www.aliexpress.com/item/1005008165245304.html

[Halcyon]

Ten years ago I would have recommended Ubiquiti as router and firewall, but they have gone to the cloud now.

How so?
All my Ubiquiti stuff runs entirely locally. There is one exception, which is their doorbell, that requires a (free) UI cloud login to enable push notifications to my phone. It is one of the reasons I like them.

You can enable a cloud login to act as an administrator, I do that for some charities I help out with. They have UniFi kit and I can get alerts to issues and make changes as needed for them via the cloud login. The cloud service acts as a proxy to their local on premise controller, confusingly called a cloud key or cloud gateway, despite not using the cloud for any of the configuration data. I could also VPN onto their LAN and do it "locally", either is fine.

I've recently moved back to using a UnFi router from a MikroTik, hard to ignore the performance of some of the new routers.

Seconded. I just use a self-hosted controller. There are cloud options too.

[5U4GB]

If you're looking to build a new router, pfSense is my recommendation. Runs on normal Intel-based hardware. Supports Wireguard as well.

pfSense used to be the go-to solution but it's slowly becoming... not enshittified as such but just stagnating somewhat as it focuses on commercial use, while OpnSense has improved markedly in the last few years and has overtaken pfSense in terms of functionality and user community.  I'd also go with WireGuard, overall a better protocol and widely supported.

If you just want an out-of-the-box solution rather than wet-nursing yet another bit of IT gear I can recommend Firewallas, a lot of overlap with the *Sense feature set but you get complete control of things via a phone app, really useful when you can just pull out your phone to deal with any network issue.  This also makes it a lot easier to manage than having to hand-configure rulesets and similar in *Sense.

[5U4GB]

Dave, I would stay away from any of SOHO routers as front end to the Internet.
The AX6000 from TP-LINK may be a good AP choice at home, but I wouldn’t trust it as a router,
the AX6000 can be configured as AP only and link with decent router.

Why?

They're a perpetual vulnerability engine.  Google $router-brand + "vulnerability" to see all the horror stories.  And they're typically never patched or fixed via press release, "oh, that's gone out of support in the two weeks since it was released, you'll have to buy a new model and see if that fixes it".

[Bicurico]

I gave up on VPN
Many networks filter VPN connections: I can't access via Starling or 4G/5G. At the Uni VPN stopped working , too.
OpenVPN didn't work on all devices and was a pain to setup.
Nowadays I just access the remote computer via RustDesk and do everything in the respective network from this computer. Using a Tapo internet outlet I can switch the computer on/off remotely. Files are shared via WeTransfer.
Works well for me and I just stopped using VPN.

[EEVblog]

Dave, I would stay away from any of SOHO routers as front end to the Internet.
The AX6000 from TP-LINK may be a good AP choice at home, but I wouldn’t trust it as a router,
the AX6000 can be configured as AP only and link with decent router.

Why?

They're a perpetual vulnerability engine.  Google $router-brand + "vulnerability" to see all the horror stories.  And they're typically never patched or fixed via press release, "oh, that's gone out of support in the two weeks since it was released, you'll have to buy a new model and see if that fixes it".

Wouldn't that be the same for every router, ever? At some point it's going to get discontinued for support.

[gnif]

Dave, I would stay away from any of SOHO routers as front end to the Internet.
The AX6000 from TP-LINK may be a good AP choice at home, but I wouldn’t trust it as a router,
the AX6000 can be configured as AP only and link with decent router.

Why?

They're a perpetual vulnerability engine.  Google $router-brand + "vulnerability" to see all the horror stories.  And they're typically never patched or fixed via press release, "oh, that's gone out of support in the two weeks since it was released, you'll have to buy a new model and see if that fixes it".

Wouldn't that be the same for every router, ever? At some point it's going to get discontinued for support.

Often though even ones with support when vulnerabilities are discovered are not updated/patched to fix them.

This is why in any situation where you actually care about the security of your network, you avoid these. Use a little industrial computer instead that you can update without relying on the vendor to do the right thing.

Edit: I literally built this out of recycled crap over the last few days to provide VPN access to my corporate workstations. Fully custom setup though (arch, iproute2, openconnect, etc) as I have some very specific routing requirements that no out of the box solution would solve for me.

[EEVblog]

Finally got some time to respond here properly

@EEVBlog, there is no such thing as a "hardware VPN" device, in years gone by there was when it was important to offload the VPN workload to a hardware device to accelerate the encryption, but these days there is no advantage to using a "hardware" device. They are all embedded Linux devices running VPN client software.

If anything there is a very very good reason to avoid them, which is outdated software and vulnerabilities. Unless your spending big for a enterprise grade device with a support contract, they are not worth touching. You're better served recycling an old PC and installing pfSense or similar which will not only be practically free, but cutting edge and maintainable. Your recycled PC becomes your "hardware VPN" device with more power then any cheapo TP-Link like device.

In the past I have used Wyse Thin Clients for this purpose (They are just embedded PCs in a small form factor), pfSense sings along on them very well and can easily cope with the traffic for most small to medium sized businesses (think, 25+ users).  The only downside here is they usually only have one Ethernet port, which can be limiting and confuse new users on how it could still be viable (ie, VLANs).

If you're willing to spend a bit of cash on something decent, there are fully integrated industrial PCs on AliExpress that are absolutely perfect for this, for example:
https://www.aliexpress.com/item/1005008165245304.html
(Attachment Link)

Thanks. I've got several of those new Beelink mini PC's sitting doing nothing, and they have dual ethernet ports.
So I just install pfSense and insert inline between my NBN modem and my router and that's it?
So I have to subscribe to pfSense and pay per US$0.08/hr? That's almost US$60/month, or US$120/month for home and work. Seems pricey?

[gnif]

Finally got some time to respond here properly

@EEVBlog, there is no such thing as a "hardware VPN" device, in years gone by there was when it was important to offload the VPN workload to a hardware device to accelerate the encryption, but these days there is no advantage to using a "hardware" device. They are all embedded Linux devices running VPN client software.

If anything there is a very very good reason to avoid them, which is outdated software and vulnerabilities. Unless your spending big for a enterprise grade device with a support contract, they are not worth touching. You're better served recycling an old PC and installing pfSense or similar which will not only be practically free, but cutting edge and maintainable. Your recycled PC becomes your "hardware VPN" device with more power then any cheapo TP-Link like device.

In the past I have used Wyse Thin Clients for this purpose (They are just embedded PCs in a small form factor), pfSense sings along on them very well and can easily cope with the traffic for most small to medium sized businesses (think, 25+ users).  The only downside here is they usually only have one Ethernet port, which can be limiting and confuse new users on how it could still be viable (ie, VLANs).

If you're willing to spend a bit of cash on something decent, there are fully integrated industrial PCs on AliExpress that are absolutely perfect for this, for example:
https://www.aliexpress.com/item/1005008165245304.html
(Attachment Link)

Thanks. I've got several of those new Beelink mini PC's sitting doing nothing, and they have dual ethernet ports.
So I just install pfSense and insert inline between my NBN modem and my router and that's it?
So I have to subscribe to pfSense and pay per US$0.08/hr? That's almost US$60/month, or US$120/month for home and work. Seems pricey?

You don't have to pay a dime for pfSense, only if you want support.

And yes, just put in in-between, there will be some configuration required. Ideally you would put the router into "Bridge Mode" too if you can, this way the pfSense box becomes the router, and the NBN modem/router just becomes a dumb modem. You will need the authentication details from your ISP for this though as you will need to put them into pfSense.

I recommend you don't change your network at all initially, put pfSense on it, treat your LAN as if it's the WAN, and put a PC/Laptop on the new "LAN" interface for testing/configuring/verification, etc.

If I were closer i'd come and give you a hand, doing this for the first time can be quite a chore as it's a pretty steep learning curve. If I were you, i'd take up @Halcyon on his offer for help.

[EEVblog]

Finally got some time to respond here properly

@EEVBlog, there is no such thing as a "hardware VPN" device, in years gone by there was when it was important to offload the VPN workload to a hardware device to accelerate the encryption, but these days there is no advantage to using a "hardware" device. They are all embedded Linux devices running VPN client software.

If anything there is a very very good reason to avoid them, which is outdated software and vulnerabilities. Unless your spending big for a enterprise grade device with a support contract, they are not worth touching. You're better served recycling an old PC and installing pfSense or similar which will not only be practically free, but cutting edge and maintainable. Your recycled PC becomes your "hardware VPN" device with more power then any cheapo TP-Link like device.

In the past I have used Wyse Thin Clients for this purpose (They are just embedded PCs in a small form factor), pfSense sings along on them very well and can easily cope with the traffic for most small to medium sized businesses (think, 25+ users).  The only downside here is they usually only have one Ethernet port, which can be limiting and confuse new users on how it could still be viable (ie, VLANs).

If you're willing to spend a bit of cash on something decent, there are fully integrated industrial PCs on AliExpress that are absolutely perfect for this, for example:
https://www.aliexpress.com/item/1005008165245304.html
(Attachment Link)

Thanks. I've got several of those new Beelink mini PC's sitting doing nothing, and they have dual ethernet ports.
So I just install pfSense and insert inline between my NBN modem and my router and that's it?
So I have to subscribe to pfSense and pay per US$0.08/hr? That's almost US$60/month, or US$120/month for home and work. Seems pricey?

You don't have to pay a dime for pfSense, only if you want support.

And yes, just put in in-between, there will be some configuration required. Ideally you would put the router into "Bridge Mode" too if you can, this way the pfSense box becomes the router, and the NBN modem/router just becomes a dumb modem. You will need the authentication details from your ISP for this though as you will need to put them into pfSense.

I recommend you don't change your network at all initially, put pfSense on it, treat your LAN as if it's the WAN, and put a PC/Laptop on the new "LAN" interface for testing/configuring/verification, etc.

If I were closer i'd come and give you a hand, doing this for the first time can be quite a chore as it's a pretty steep learning curve. If I were you, i'd take up @Halcyon on his offer for help.

Ah, got it, thanks.
I only have the one connection from the 4 port NBN modem to my WiFi router, the single output of which goes into a 24way switch which then connects everything.
Grok said pfSense has basic VPN capability built in? But can also be used with third party services like Nord, ExpressVPN etc? Which one should I go with?

[gnif]

Grok said if I want VPN capability I need to use one of the third part services like Nord, ExpressVPN etc?

pfSense has multiple VPN clients available to it and can connect to most of the offerings out there. It really depends on your usage requirements.

1) If you want to link your home to your lab, you need a corporate VPN service, or run your own, which is what I would do. In your office you'd setup pfSense to be a VPN server, not client.
2) If you are intending to route your traffic through another country for your entire network to bypass network/geo restrictions, you would need to use one of these services, or rent a VPS in one of these countries and setup a VPN server for your own usage.

If you setup your gateway to route your traffic via a VPN, this will affect every device on your LAN, not just your PC. Generally when you want to bypass a network/geo restriction you'd just use a VPN client on your own PC for that temporary session. Routing your entire network through a VPN service will slow things down considerably, no matter how fast they claim to be (remember, 200+ms from AU to US minimum).

For work I route through the AMD VPN, which is a top shelf service, no expenses spared (GlobalProtect Palo Alto Network), this routes via a VPN gateway in Sydney. On my gigabit FTTP connection without the VPN I achieve 980Mbit/s... via the VPN nearly 400Mbit/s, and this isn't being routed overseas. The impact can be very substantial even when there is no financial limit.

[EEVblog]

pfSense has multiple VPN clients available to it and can connect to most of the offerings out there. It really depends on your usage requirements.
1) If you want to link your home to your lab, you need a corporate VPN service, or run your own, which is what I would do. In your office you'd setup pfSense to be a VPN server, not client.
2) If you are intending to route your traffic through another country for your entire network to bypass network/geo restrictions, you would need to use one of these services, or rent a VPS in one of these countries and setup a VPN server for your own usage.

If you setup your gateway to route your traffic via a VPN, this will affect every device on your LAN, not just your PC. Generally when you want to bypass a network/geo restriction you'd just use a VPN client on your own PC for that temporary session. Routing your entire network through a VPN service will slow things down considerably, no matter how fast they claim to be (remember, 200+ms from AU to US minimum).

I don't have much traffic part from my Synology NAS backing up to the cloud.
No lab<>home access required right now, I just want my lab and home to "disappear" into another country
I know it's easy to just run the normal VPN software, but I kinda like the idea of it "just working" on any PC I plug into or WiFi into the network.
I need it on my phone(s) too, so I'll just join one of the mainstream VPN services and I think they allow multiple PC access, so one paid VPN account for home, lab, and phones.

[EEVblog]

Current lab setup.
Everything hangs off the switch in the lab, and a 2nd cascaded switch down in the dungeon which also has another Wifi hotspot and a few devices hanging off it.

[gnif]

Is that router ISP supplied, or one you threw in there?

[EEVblog]

I have to create a Netgate account to download pfSense? Urgh.

[gnif]

This is how I would do it, you should be able to configure the C1200 to be just a standard AP to bridge wireless clients onto the LAN. You'd need to disable it's DHCP server and assign it a static IP address, that's all. PfSense would take over DHCP duties.

[EEVblog]

Is that router ISP supplied, or one you threw in there?

An old one I threw in there.