Rich Freeman on 10 Nov 2014 12:59:57 -0800


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Restructuring home network and building a storage server


On Mon, Nov 10, 2014 at 2:43 PM, Paul L. Snyder
<paul@pataprogramming.com> wrote:
>
> My secondary goal is to sort out the VPN stuff. Ideally, I'd like a small,
> dedicated box of some sort that can actually push though traffic that'll
> keep up with my ISP connection, so I can move more devices behind it and
> actually change the pseudo-DMZ into a setup where it only has a tiny box
> or two for hosting things that I really want to be able to access
> externally, with everything else behind the internal server/firewall.
>

So, I tend to run everything off of one server - VPN, mythtv, postfix,
DNS, DHCP, mariadb, apache, etc.  What I have started to do is putting
each of those into containers.

I too tried to run my VPN through an openwrt router, and its CPU just
couldn't sustain any kind of serious traffic (it capped at maybe a few
Mbps).

Right now I have a VPN container right on my server, which can handle
50+Mbps (compressed - uncompressed input can be higher) sustained and
it uses all of maybe 10% CPU on one core on an old Phenom II (which
hardly compares to an i5/7).  The container has its own bridged
interface, iptables, iproute, etc - it is like a VM but way lighter on
RAM use.  The biggest issue I tend to have with it is that sometimes
the iptables rules aren't saved perfectly, so I just keep a script
handy to re-apply them (I probably should just disable the auto-saving
and apply them in my own systemd unit).

I don't bother with a DMZ.  To be honest having one wouldn't be a bad
idea though.  You could maybe do one on the cheap with VLAN and such.
Or you could just use a multi-router setup like you have.  That
internal router could use the VPN box as its gateway, and thus offload
all its work.

I don't have issue with games and my VPN provider, but I did have some
problems with webex on my work laptop.  So, my DHCP server hands my
work laptop the actual router to the internet as its gateway and it
skips the VPN.

One issue I did run into with my setup not having the VPN on the
router is that if you have incoming connections that aren't on the VPN
it gets a bit tricky.  I solved this with iproute2.  If you aren't
careful your replies to incoming connections could go out on the VPN
and thus end up with the wrong IP on them.

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug