Paul L. Snyder on 23 Sep 2012 13:31:14 -0700



[PLUG] VPN design for home use


Due to DCAnet's unfortunate exit from the home DSL market, I've just
switched over to Verizon FiOS.  The connection itself is great, fast and
stable so far.  Verizon's ancillary evilness, on the other hand, is not so
comfortable.  Their privacy policy says, effectively, that they're building
a profile of me by inspecting and keeping a record of every single thing I
do or look at on the Internet.  I've also just discovered that they're
hijacking failed DNS lookups, a heinous practice that I had mistakenly
thought was thoroughly discredited in the industry.

I take my privacy seriously, and this is unacceptable.

Thus, the time has come to look into a VPN provider.  I've been considering
this for some time, but lack of trust for my new ISP has pushed me over the
edge.  #plug pointed me to this review of several services:

  http://lifehacker.com/5940565

Does anyone have experience with any of these, or with another provider?
I'm wondering how speeds are, as well.  My FiOS service is 50Mbps/25Mbps,
and I'm seeing speeds as high as 60/30.  While VPN will obviously introduce
some latency, I would much prefer not to lose throughput.

Another issue is how to set this up on my home network. Given that I *have*
a home network, I'd like to do some kind of a gateway setup.  Up until now,
I was running with an old WRT54G on OpenWRT, but the connection from the
ONT to the router is now coax, so I'm stuck with the provided router unless
I buy a new one.  It also doesn't support VPN in the stock firmware.

My hardware choices are somewhat limited at the moment, though I'll
probably look into sorting out something better next year.  For the moment,
though, what I have to work with are the WRT54G, my server box, and the
Verizon router.

The server box is pretty straightforward. In my old setup, it had one port
forwarded from the router, SSH on a non-standard port.  It has a running
tmux session with mutt and irssi that I connect back to from elsewhere.  It
also has an mpd server and an NFS music share for the local network...not
externally accessible.  This isn't ideal...I should really have a DMZ
setup and split internal/external functions out, but that's for further
down the road when I'm buying hardware again.

Option 1: Use the server as a VPN gateway.  Add a second gigabit NIC and
hang a switch off of it; connect all the other wired devices to the switch.
Set up the server as an OpenVPN gateway to the VPN tunnel.

Option 2: Try to use the WRT54G as the gateway, directly behind the Verizon
router.  I'm a bit dubious that the CPU can handle the encryption, though,
and it's likely to kill my speed.

Option 3: Break down and buy a new router.  Is there an affordable home
router that can actually keep up with OpenVPN on a 50Mbps connection
(preferably with 802.11n, since both of the above setups are awfully ugly
from the wifi side of things)?

Most of the VPN providers offer multiple exit points, and I'd like to be
able to adjust those on the fly, or direct particular types of traffic
through particular exit nodes.  I'd also like to be able to direct some
traffic to not use the VPN when very low latency is desirable (such as for
gaming).

And, as a final wrinkle...once all this is set up, I'd like to be able to
connect my laptop back to my home network when I'm on the road.  Thus, to
open up a VPN channel from whatever coffee shop or hotel room I'm in back
to my home network, and then direct all traffic out through the VPN tunnel
provider to insulate myself from wifi insecurity as much as possible.  Some
providers do have mobile clients to directly connect through their service
remotely as well as from home, but that doesn't address use cases like
being able to access the git repos on my home network without exposing more
of my surface to external access.

So...any thoughts on the best design for this, or how close I'm likely to
be able to get to this ideal scenario? And, as mentioned above, reviews of
particular VPN providers are also appreciated.

Thanks,
Paul
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
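An added example, not part of Paul's post or anything the list produced, showing how Option 1 (server with a second NIC as the gateway) can meet the later requirements on Linux with iproute2 and iptables: all LAN traffic, plus traffic from road-warrior clients of a home OpenVPN server, is policy-routed into the provider tunnel; traffic marked as latency-sensitive goes straight out the ISP link; unmarked traffic is rejected rather than leaked if the tunnel drops; LAN DNS is pulled to a local resolver instead of the ISP's; and the exit node can be switched by repointing one routing table. Interface names (eth0, eth1, tun0), subnets, table number, the UDP "gaming" port range and the presence of a local resolver are all assumptions of the example.

```shell
#!/bin/sh
# Policy-routed VPN gateway for a Linux server with two NICs (Option 1 above).
# Everything from the LAN (and from road-warrior clients of a home OpenVPN
# server) is forwarded through the provider tunnel; marked low-latency traffic
# goes straight out the ISP link; nothing unmarked may leak if the tunnel drops.
# All interface names, subnets and the port range are assumptions for the
# example; override them in the environment.  DRY_RUN=1 prints the commands
# instead of running them (the real thing needs root, iproute2 and iptables).
set -eu

WAN_IF=${WAN_IF:-eth0}            # toward the Verizon router
LAN_IF=${LAN_IF:-eth1}            # second NIC, LAN switch behind it
VPN_IF=${VPN_IF:-tun0}            # OpenVPN client to the provider's exit node
LAN_NET=${LAN_NET:-192.168.1.0/24}
ROAD_NET=${ROAD_NET:-10.8.0.0/24} # subnet handed out by the home OpenVPN server
VPN_TABLE=${VPN_TABLE:-100}       # routing table whose only route is the tunnel
BYPASS_MARK=0x1                   # fwmark for traffic that skips the tunnel
BYPASS_UDP_PORTS=${BYPASS_UDP_PORTS:-27015:27030}  # constructed "gaming" range
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

apply_policy() {
    run sysctl -w net.ipv4.ip_forward=1

    # The tunnel-only table. When tun0 is down it has no default route, so the
    # lookup falls through to main; the REJECT rule below is what stops the leak.
    run ip route replace default dev "$VPN_IF" table "$VPN_TABLE"

    # Lower pref wins: marked traffic uses main (default via the ISP), the rest
    # of the protected subnets use the tunnel-only table.
    run ip rule add fwmark "$BYPASS_MARK" lookup main pref 100
    for net in "$LAN_NET" "$ROAD_NET"; do
        run ip rule add from "$net" lookup "$VPN_TABLE" pref 200
    done

    # Mark latency-sensitive traffic before routing so the rule above sees it.
    run iptables -t mangle -A PREROUTING -p udp --dport "$BYPASS_UDP_PORTS" \
        -j MARK --set-mark "$BYPASS_MARK"

    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for net in "$LAN_NET" "$ROAD_NET"; do
        # Source NAT on whichever egress the policy chose.
        run iptables -t nat -A POSTROUTING -s "$net" -o "$VPN_IF" -j MASQUERADE
        run iptables -t nat -A POSTROUTING -s "$net" -o "$WAN_IF" \
            -m mark --mark "$BYPASS_MARK" -j MASQUERADE
        # Kill switch: only marked traffic may leave via the ISP link.
        run iptables -A FORWARD -s "$net" -o "$VPN_IF" -j ACCEPT
        run iptables -A FORWARD -s "$net" -o "$WAN_IF" -m mark --mark "$BYPASS_MARK" -j ACCEPT
        run iptables -A FORWARD -s "$net" -o "$WAN_IF" -j REJECT
        # Keep DNS off the ISP: pull port 53 to a resolver on this box that
        # forwards through the tunnel (dnsmasq or similar is assumed).
        run iptables -t nat -A PREROUTING -s "$net" -p udp --dport 53 -j REDIRECT --to-ports 53
        run iptables -t nat -A PREROUTING -s "$net" -p tcp --dport 53 -j REDIRECT --to-ports 53
    done
}

# Change exit node on the fly: repoint the tunnel-only table at another tun
# device (a second OpenVPN instance to a different provider endpoint).
switch_exit() {
    run ip route replace default dev "$1" table "$VPN_TABLE"
    run ip route flush cache
}

case "${1:-}" in
    apply)  apply_policy ;;
    switch) switch_exit "$2" ;;
esac
```

Usage: `DRY_RUN=1 sh vpn-policy.sh apply` to review the rules, `sh vpn-policy.sh apply` as root to install them, `sh vpn-policy.sh switch tun1` to move the protected subnets to a second tunnel. One caveat that matters for the road-warrior case: run the provider's OpenVPN client with `--route-nopull` so it does not install a default route into the main table. If it did, the home OpenVPN server's replies to the laptop would themselves be sent into the provider tunnel and come back from the provider's NAT address, which breaks the UDP session; with the main table left pointing at the ISP, the policy rules above decide what goes into the tunnel and the server's own traffic behaves normally.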