Rich Freeman on 10 Nov 2014 12:59:57 -0800
Re: [PLUG] Restructuring home network and building a storage server
On Mon, Nov 10, 2014 at 2:43 PM, Paul L. Snyder <paul@pataprogramming.com> wrote:
>
> My secondary goal is to sort out the VPN stuff. Ideally, I'd like a small,
> dedicated box of some sort that can actually push through traffic that'll
> keep up with my ISP connection, so I can move more devices behind it and
> actually change the pseudo-DMZ into a setup where it only has a tiny box
> or two for hosting things that I really want to be able to access
> externally, with everything else behind the internal server/firewall.
>

So, I tend to run everything off of one server - VPN, mythtv, postfix, DNS, DHCP, mariadb, apache, etc. What I have started to do is put each of those into containers.

I too tried to run my VPN through an openwrt router, and its CPU just couldn't sustain any kind of serious traffic (it capped at maybe a few Mbps). Right now I have a VPN container right on my server, which can handle 50+Mbps (compressed - uncompressed input can be higher) sustained, and it uses all of maybe 10% CPU on one core on an old Phenom II (which hardly compares to an i5/7). The container has its own bridged interface, iptables, iproute, etc. - it is like a VM but way lighter on RAM use. The biggest issue I tend to have with it is that sometimes the iptables rules aren't saved perfectly, so I just keep a script handy to re-apply them (I probably should just disable the auto-saving and apply them in my own systemd unit).

I don't bother with a DMZ. To be honest, having one wouldn't be a bad idea though. You could maybe do one on the cheap with VLAN and such. Or you could just use a multi-router setup like you have. That internal router could use the VPN box as its gateway, and thus offload all its work.

I don't have issues with games and my VPN provider, but I did have some problems with webex on my work laptop. So, my DHCP server hands my work laptop the actual router to the internet as its gateway and it skips the VPN.
One issue I did run into with my setup not having the VPN on the router is that if you have incoming connections that aren't on the VPN it gets a bit tricky. I solved this with iproute2. If you aren't careful your replies to incoming connections could go out on the VPN and thus end up with the wrong IP on them.

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
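The reply-routing problem Rich describes (a VPN box whose default route is the tunnel, but which also accepts port-forwarded connections from the home router) is usually solved with a connection mark plus a second routing table. The script below is an added example written for this thread, not Rich's own script: it tags each connection that reaches a local socket on the router-facing interface, restores that tag onto the reply packets, and sends tagged packets through a table whose default route is the home router rather than the tunnel. The interface name `eth0`, the router address `192.168.1.1`, the subnet `192.168.1.0/24`, the mark `0x1` and table `100` are assumed placeholders; override them through the environment. By default it only prints the commands; set `DRY_RUN=0` to apply them as root.

```shell
#!/bin/sh
# Keep replies to connections that arrived outside the VPN tunnel off the
# tunnel, so they leave with the address the client actually connected to.
# All names below are assumed placeholders for this example.
LAN_IF="${LAN_IF:-eth0}"               # interface facing the home router
LAN_GW="${LAN_GW:-192.168.1.1}"        # the home router itself
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # local subnet, so LAN replies stay direct
MARK="${MARK:-0x1}"                    # connmark meaning "came in outside the tunnel"
TABLE="${TABLE:-100}"                  # spare policy-routing table
DRY_RUN="${DRY_RUN:-1}"                # 1 = print the commands, 0 = apply them (root)

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emits (dry run) or applies the six commands that implement the fix.
wan_reply_routing() {
    # 0. Loose reverse-path filtering on LAN_IF: with a strict setting the kernel
    #    would drop incoming packets whose source it would route via the tunnel.
    run sysctl -w "net.ipv4.conf.$LAN_IF.rp_filter=2"
    # 1. Mark a connection when its first packet reaches a local socket via
    #    LAN_IF. Using INPUT rather than PREROUTING leaves forwarded LAN->VPN
    #    traffic unmarked, so LAN clients still go out through the tunnel.
    run iptables -t mangle -A INPUT -i "$LAN_IF" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$MARK"
    # 2. Copy the connection's mark onto every reply packet this box generates.
    run iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNMARK --restore-mark
    # 3. Marked packets consult TABLE, which knows only the LAN and the home
    #    router; unmarked traffic keeps using the main table (VPN default route).
    run ip route replace "$LAN_NET" dev "$LAN_IF" table "$TABLE"
    run ip route replace default via "$LAN_GW" dev "$LAN_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" lookup "$TABLE" priority 1000
}

wan_reply_routing
```

The `iptables -A` and `ip rule add` lines are not idempotent, so this belongs in a one-shot systemd unit run at boot (as Rich suggests for his rules) rather than in a script that is re-run ad hoc; the `ip route replace` lines can be repeated safely.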