Paul L. Snyder on 23 Sep 2012 13:31:14 -0700
[PLUG] VPN design for home use
Due to DCAnet's unfortunate exit from the home DSL market, I've just switched over to Verizon FiOS. The connection itself is great, fast and stable so far. Verizon's ancillary evilness, on the other hand, is not so comfortable. Their privacy policy says, effectively, that they're building a profile of me by inspecting and keeping a record of every single thing I do or look at on the Internet. I've also just discovered that they're hijacking failed DNS lookups, a heinous practice that I had mistakenly thought was thoroughly discredited in the industry. I take my privacy seriously, and this is unacceptable.

Thus, the time has come to look into a VPN provider. I've been considering this for some time, but lack of trust for my new ISP has pushed me over the edge. #plug pointed me to this review of several services: http://lifehacker.com/5940565

Does anyone have experience with any of these, or with another provider? I'm wondering how speeds are, as well. My FiOS service is 50Mbps/25Mbps, and I'm seeing speeds as high as 60/30. While VPN will obviously introduce some latency, I would much prefer not to lose throughput.

Another issue is how to set this up on my home network. Given that I *have* a home network, I'd like to do some kind of a gateway setup. Up until now, I was running with an old WRT54G on OpenWRT, but the connection from the ONT to the router is now coax, so I'm stuck with the provided router unless I buy a new one. It also doesn't support VPN in the stock firmware. My hardware choices are somewhat limited at the moment, though I'll probably look into sorting out something better next year. For the moment, though, what I have to work with are the WRT54G, my server box, and the Verizon router.

The server box is pretty straightforward. In my old setup, it had one port forwarded from the router, SSH on a non-standard port. It has a running tmux session with mutt and irssi that I connect back to from elsewhere. It also has an mpd server and an NFS music share for the local network...not externally accessible. This isn't ideal...I should really have a DMZ setup and split internal/external functions out, but that's for further down the road when I'm buying hardware again.

Option 1: Use the server as a VPN gateway. Add a second gigabit NIC and hang a switch off of it; connect all the other wired devices to the switch. Set up the server as an OpenVPN gateway to the VPN tunnel.

Option 2: Try to use the WRT54G as the gateway, directly behind the Verizon router. I'm a bit dubious that the CPU can handle the encryption, though, and it's likely to kill my speed.

Option 3: Break down and buy a new router. Is there an affordable home router that can actually keep up with OpenVPN on a 50Mbps connection (preferably with 802.11n, since both of the above setups are awfully ugly from the wifi side of things)?

Most of the VPN providers offer multiple exit points, and I'd like to be able to adjust those on the fly, or direct particular types of traffic through particular exit nodes. I'd also like to be able to direct some traffic to not use the VPN when very low latency is desirable (such as for gaming).

And, as a final wrinkle...once all this is set up, I'd like to be able to connect my laptop back to my home network when I'm on the road. Thus, to open up a VPN channel from whatever coffee shop or hotel room I'm in back to my home network, and then direct all traffic out through the VPN tunnel provider to insulate myself from wifi insecurity as much as possible. Some providers do have mobile clients to directly connect through their service remotely as well as from home, but that doesn't address use cases like being able to access the git repos on my home network without exposing more of my surface to external access.

So...any thoughts on the best design for this, or how close I'm likely to be able to get to this ideal scenario? And, as mentioned above, reviews of particular VPN providers are also appreciated.

Thanks,
Paul

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
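One way to lay out Option 1 on the Linux server (OpenVPN gateway with a bypass path for low-latency traffic and a rule that refuses to forward LAN traffic out the Verizon side if the tunnel is down), as an added example that is not from the original post or the list; the interface names, addresses, bypass port range and resolver address are assumptions to adjust:

```shell
#!/bin/sh
# Split-tunnel policy routing for a home VPN gateway (added example, assumed values).
LAN_IF=${LAN_IF:-eth1}            # second NIC, facing the switch with the LAN devices
LAN_NET=${LAN_NET:-192.168.10.0/24}
WAN_IF=${WAN_IF:-eth0}            # NIC facing the Verizon router
WAN_GW=${WAN_GW:-192.168.1.1}     # Verizon router's LAN address (assumed)
VPN_IF=${VPN_IF:-tun0}            # OpenVPN client tunnel to the provider
VPN_DNS=${VPN_DNS:-10.8.0.1}      # resolver reachable only through the tunnel (assumed)
BYPASS_TABLE=100                  # routing table whose default route skips the tunnel
BYPASS_MARK=0x10                  # fwmark for traffic allowed to bypass the VPN
BYPASS_UDP_PORTS=${BYPASS_UDP_PORTS:-27015:27030}   # e.g. a game server port range (assumed)

# Emit the commands in order; "show" prints them for review, "apply" runs them as root.
gateway_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
ip route replace default via $WAN_GW dev $WAN_IF table $BYPASS_TABLE
ip rule add fwmark $BYPASS_MARK lookup $BYPASS_TABLE priority 100
iptables -t mangle -A PREROUTING -i $LAN_IF -p udp --dport $BYPASS_UDP_PORTS -j MARK --set-mark $BYPASS_MARK
iptables -t nat -A PREROUTING -i $LAN_IF -p udp --dport 53 -j DNAT --to-destination $VPN_DNS
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 53 -j DNAT --to-destination $VPN_DNS
iptables -t nat -A POSTROUTING -s $LAN_NET -o $VPN_IF -j MASQUERADE
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -m mark --mark $BYPASS_MARK -j MASQUERADE
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -m mark --mark $BYPASS_MARK -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j REJECT
EOF
}

# With no argument the script only defines gateway_rules; nothing is changed on the host.
case "$1" in
    show)  gateway_rules ;;
    apply) gateway_rules | sh -e ;;
esac
```

The final REJECT is what keeps unmarked LAN traffic from silently falling back to the ISP path when tun0 disappears, and the port-53 DNAT keeps LAN resolvers from ever reaching Verizon's hijacking servers; changing the provider's exit point is then a matter of restarting the OpenVPN client with a different remote, since the LAN side only ever sees tun0.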