|Julien Vehent on 21 Sep 2012 20:18:46 -0700|
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
|Re: [PLUG] VPN design for home use|
On 2012-09-21 13:39, Paul L. Snyder wrote:
Boooh ! Thanks for the heads up though, I didn't know that Fios was so bad. I guess it's not any different than AT&T and their NSA room mirroring the entire traffic for analysis.
I take my privacy seriously, and this is unacceptable. Thus, the time has come to look into a VPN provider. I've been consideringthis for some time, but lack of trust for my new ISP has pushed me over theedge. #plug pointed me to this review of several services: http://lifehacker.com/5940565 Does anyone have experience with any of these, or with another provider? I'm wondering how speeds are, as well. My FiOS service is 50Mbps/25Mbps, and I'm seeing speeds as high as 60/30. While VPN will obviously introduce some latency, I would much prefer not to lose throughput.
Quite frankly, I wouldn't bother with any of those providers. I'd get a VPS or a small server (http://www.hetzner.de/en/, OVH, ...) and route the VPN through. I personally have a dedibox (a small atom dedicated server) from a free ISP, hosted in Paris, that I use for that kind of stuff. It has a 1gbps connection and cost me ~18euros/month.
Another issue is how to set this up on my home network. Given that I *have*a home network, I'd like to do some kind of a gateway setup. Up until now, I was running with an old WRT54G on OpenWRT, but the connection from theONT to the router is now coax, so I'm stuck with the provided router unlessI buy a new one. It also doesn't support VPN in the stock firmware. My hardware choices are somewhat limited at the moment, though I'll probably look into sorting out something better next year. For the moment, though, what I have to work with are the WRT54G, my server box, and the Verizon router. The server box is pretty straightforward. In my old setup, it had one port forwarded from the router, SSH on a non-standard port. It has a running tmux session with mutt and irssi that I connect back to from elsewhere. It also has an mpd server and an NFS music share for the local network...not externally accessible. This isn't ideal...I should really have a DMZ setup and split internal/external functions out, but that's for further down the road when I'm buying hardware again.
Meh. If your firewall rules are clean, and your NAT properly done, you canprobably live without the DMZ. That's not "state of the art", but good enough
for a residential.
Option 1: Use the server as a VPN gateway. Add a second gigbit NIC andhang a switch off of it; connect all the other wired devices to the switch.Set up the server as an OpenVPN gateway to the VPN tunnel.Option 2: Try to use the WRT54G as the gateway, directly behind the Verizonrouter. I'm a bit dubious that the CPU can handle the encryption, though, and it's likely to kill my speed. Option 3: Break down and buy a new router. Is there an affordable home router that can actually keep up with OpenVPN on a 50Mbps connection (preferably with 802.11n, since both of the above setups are awfully ugly from the wifi side of things).
I'd just get a nice and cheap ATOM motherboard with 2*2"5 drives. It's probably going to cost you a couple hundred bucks, but you will get the equivalent amount of fun playing with QoS and such. Plus, with 2x2"5 drives, you can do a RAID1 and store stuff on it.
Most of the VPN providers offer multiple exit points, and I'd like to be able to adjust those on the fly, or direct particular types of traffic through particular exit nodes. I'd also like to be able to direct some traffic to not use the VPN when very low latency is desirable (such as for gaming).
That's done on your gateway. I believe you can use iptables/netfilter to mark packets and direct them to a specific routing table. I haven't done it myself
but if you figure it out, please post about it.
And, as a final wrinkle...once all this is set up, I'd like to be able to connect my laptop back to my home network when I'm on the road. That is, I want to open up a VPN channel from whatever coffee shop or hotel room I'm in back to my home network, and then direct all traffic out through the VPN tunnel provider to insulate myself from wifi insecurity as much as possible. Some providers do have mobile clients to directly connect through their service remotely as well as from home, but that doesn't address use cases like being able to access the git repos on my home network without exposing more of my internal surface to external access.
ip route add <insert fun here> I would recommend openvpn, it plays nicely with linux's kernel routing.
So...any thoughts on the best design for this, or how close I'm likely to be able to get to this ideal scenario? And, as mentioned above, reviews of particular VPN providers are also appreciated.
It's all doable. As of VPN providers, I'd strongly insist that you do it yourself. Now, if you just want to poke around before deciding, I'd be happy to set you up with an openvpn access to my server in Paris, so you can play with the latency a bit. Cheers, Julien -- Julien Vehent - http://jve.linuxwall.info ___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug