Julien Vehent on 21 Sep 2012 20:18:46 -0700


Re: [PLUG] VPN design for home use

On 2012-09-21 13:39, Paul L. Snyder wrote:
> Due to DCAnet's unfortunate exit from the home DSL market, I've just
> switched over to Verizon FiOS. The connection itself is great, fast and
> stable so far. Verizon's ancillary evilness, on the other hand, is not so
> comfortable. Their privacy policy says, effectively, that they're building
> a profile of me by inspecting and keeping a record of every single thing I
> do or look at on the Internet. I've also just discovered that they're
> hijacking failed DNS lookups, a heinous practice that I had mistakenly
> thought was thoroughly discredited in the industry.

Boooh! Thanks for the heads up though, I didn't know that FiOS was so bad.
I guess it's not any different than AT&T and their NSA room mirroring the
entire traffic for analysis.

> I take my privacy seriously, and this is unacceptable.

> Thus, the time has come to look into a VPN provider. I've been considering
> this for some time, but lack of trust for my new ISP has pushed me over the
> edge. #plug pointed me to this review of several services:


> Does anyone have experience with any of these, or with another provider?
> I'm wondering how speeds are, as well. My FiOS service is 50Mbps/25Mbps,
> and I'm seeing speeds as high as 60/30. While VPN will obviously introduce
> some latency, I would much prefer not to lose throughput.

Quite frankly, I wouldn't bother with any of those providers. I'd get a VPS
or a small server (http://www.hetzner.de/en/, OVH, ...) and route the VPN
through it. I personally have a Dedibox (a small Atom dedicated server) from a
French ISP, hosted in Paris, that I use for that kind of stuff. It has a 1 Gbps
connection and costs me ~18 euros/month.

> Another issue is how to set this up on my home network. Given that I *have*
> a home network, I'd like to do some kind of a gateway setup. Up until now,
> I was running with an old WRT54G on OpenWRT, but the connection from the
> ONT to the router is now coax, so I'm stuck with the provided router unless
> I buy a new one. It also doesn't support VPN in the stock firmware.

> My hardware choices are somewhat limited at the moment, though I'll
> probably look into sorting out something better next year. For the moment,
> though, what I have to work with are the WRT54G, my server box, and the
> Verizon router.

> The server box is pretty straightforward. In my old setup, it had one port
> forwarded from the router, SSH on a non-standard port. It has a running
> tmux session with mutt and irssi that I connect back to from elsewhere. It
> also has an mpd server and an NFS music share for the local network... not
> externally accessible. This isn't ideal... I should really have a DMZ
> setup and split internal/external functions out, but that's for further
> down the road when I'm buying hardware again.

Meh. If your firewall rules are clean, and your NAT properly done, you can
probably live without the DMZ. That's not "state of the art", but good enough
for a residential setup.

> Option 1: Use the server as a VPN gateway. Add a second gigabit NIC and
> hang a switch off of it; connect all the other wired devices to the switch.
> Set up the server as an OpenVPN gateway to the VPN tunnel.

> Option 2: Try to use the WRT54G as the gateway, directly behind the Verizon
> router. I'm a bit dubious that the CPU can handle the encryption, though,
> and it's likely to kill my speed.

> Option 3: Break down and buy a new router. Is there an affordable home
> router that can actually keep up with OpenVPN on a 50Mbps connection
> (preferably with 802.11n, since both of the above setups are awfully ugly
> from the wifi side of things)?

I'd just get a nice and cheap Atom motherboard with 2x2.5" drives. It's
probably going to cost you a couple hundred bucks, but you will get the
equivalent amount of fun playing with QoS and such. Plus, with 2x2.5" drives,
you can do a RAID1 and store stuff on it.

> Most of the VPN providers offer multiple exit points, and I'd like to be
> able to adjust those on the fly, or direct particular types of traffic
> through particular exit nodes. I'd also like to be able to direct some
> traffic to not use the VPN when very low latency is desirable (such as for

That's done on your gateway. I believe you can use iptables/netfilter to mark
packets and direct them to a specific routing table. I haven't done it myself,
but if you figure it out, please post about it.

> And, as a final wrinkle... once all this is set up, I'd like to be able to
> connect my laptop back to my home network when I'm on the road. That is, I
> want to open up a VPN channel from whatever coffee shop or hotel room I'm
> in back to my home network, and then direct all traffic out through the
> VPN tunnel provider to insulate myself from wifi insecurity as much as
> possible. Some providers do have mobile clients to directly connect
> through their service remotely as well as from home, but that doesn't
> address use cases like being able to access the git repos on my home
> network without exposing more of my internal surface to external access.

ip route add <insert fun here>

I would recommend OpenVPN, it plays nicely with Linux's kernel routing.

> So... any thoughts on the best design for this, or how close I'm likely to
> be able to get to this ideal scenario? And, as mentioned above, reviews of
> particular VPN providers are also appreciated.

It's all doable. As for VPN providers, I'd strongly insist that you do it
yourself. Now, if you just want to poke around before deciding, I'd be
happy to set you up with OpenVPN access to my server in Paris, so you
can play with the latency a bit.


Julien Vehent - http://jve.linuxwall.info
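The "mark packets and send them to their own routing table" idea from the reply above, worked out for the gateway design in the thread (server with a second NIC, OpenVPN client tunnel to a rented server, OpenVPN server for the laptop on the road). This is an added example, not code from the thread; interface names, networks, the bypass port and the table number are assumptions, and it prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Policy routing on a Linux gateway (the "server as OpenVPN gateway" option):
# packets from the LAN get an fwmark and are routed through the OpenVPN client
# tunnel to a rented server; chosen low-latency traffic stays on the ISP path.
# Added example; interface names, networks, ports and table number are assumptions.
set -eu

WAN_IF="${WAN_IF:-eth0}"             # NIC facing the ISP router
LAN_IF="${LAN_IF:-eth1}"             # second NIC with the home switch behind it
ROAD_IF="${ROAD_IF:-tun1}"           # OpenVPN *server* tun for the laptop on the road
VPN_IF="${VPN_IF:-tun0}"             # OpenVPN *client* tun to the remote server
LOCAL_NETS="${LOCAL_NETS:-192.168.1.0/24 10.8.0.0/24}"  # never sent through the tunnel
BYPASS_UDP_PORTS="${BYPASS_UDP_PORTS:-3074}"  # example low-latency traffic kept on the ISP
VPN_TABLE="${VPN_TABLE:-100}"
FWMARK="${FWMARK:-0x1}"
DRY_RUN="${DRY_RUN:-1}"              # 1 = print the commands, 0 = execute them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_policy_routing() {
    run sysctl -w net.ipv4.ip_forward=1
    # Replies arrive on tun0 from addresses the main table reaches via eth0;
    # strict reverse-path filtering would drop them, so use loose mode there.
    run sysctl -w "net.ipv4.conf.$VPN_IF.rp_filter=2"
    # Table for marked packets: default via the tunnel. If tun0 disappears the
    # kernel drops that route and the unreachable fallback blocks the traffic
    # instead of letting it fall through to the ISP (a simple kill switch).
    run ip route replace default dev "$VPN_IF" table "$VPN_TABLE"
    run ip route replace unreachable default metric 1000 table "$VPN_TABLE"
    run ip rule add fwmark "$FWMARK" table "$VPN_TABLE"
    for in_if in "$LAN_IF" "$ROAD_IF"; do
        # Exceptions first: RETURN leaves the packet unmarked -> main table -> ISP.
        for net in $LOCAL_NETS; do
            run iptables -t mangle -A PREROUTING -i "$in_if" -d "$net" -j RETURN
        done
        for port in $BYPASS_UDP_PORTS; do
            run iptables -t mangle -A PREROUTING -i "$in_if" -p udp --dport "$port" -j RETURN
        done
        run iptables -t mangle -A PREROUTING -i "$in_if" -j MARK --set-mark "$FWMARK"
    done
    # NAT on both exits: the tunnel for marked traffic, the ISP link for the rest.
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

if [ "${1:-}" = apply ]; then
    setup_policy_routing
fi
```

Start the OpenVPN client with `route-nopull` so the remote side cannot push a default route into the main table; the tunnel is only ever reached through table 100, and the unreachable fallback is what keeps LAN traffic from silently going out via the ISP when the tunnel is down.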
Philadelphia Linux Users Group         --        http://www.phillylinux.org