What's the best solution for deploying a VPN to the whole house

Discussion in 'privacy technology' started by Abdallah, Mar 23, 2016.

  1. Abdallah

    Abdallah Registered Member

    Joined:
    Oct 28, 2013
    Posts:
    105
    Location:
    Palestine
    Hello,

    I am investigating the best way to deploy a VPN connection for all my house devices without the need to configure each device.

    Maybe pfSense? Or maybe a custom firmware for the router?

    Any advice?

    Abdullah
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    The best options are DD-WRT/OpenWrt and pfSense. The key advantage of *wrt is that you can use WiFi routers. They're relatively inexpensive, and WiFi should just work. A downside is that flashing firmware may be a new skill. And there's some risk of bricking. Key advantages of pfSense are its enterprise-level features, easy extendability, well-designed webGUI, and solid pf firewall. Downsides are that required hardware tends to be more expensive, and WiFi setup is more complicated.

    I wrote this for iVPN: https://www.ivpn.net/setup/router-pfsense.html But there's nothing about WiFi, because I've never done it.
     
  3. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
    Don't know your threat model, and it's an important piece of the puzzle. You are looking for a network-wide VPN, but is it for privacy or a strong adversary?

    DD-WRT is really good and not too tough to set up. I use it on my routers even when I run a straight IP to my ISP, meaning no encryption. Many times users deploying DD-WRT are doing so on a basic family router. Those have standard/limited processors as a rule. If you have a ton of devices on your network and they are all going to be using encrypted tunneling, you may experience a slowdown during peak usage on the network. The limiting feature is the router processor. An ASUS 5300 can handle a bunch at once, but a $125.00 Netgear router is another story.

    Also, if your threat model is high enough you would benefit with a pfSense approach because you can use MULTIPLE LANs for better isolation.
     
  4. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    Note that, depending on your jurisdiction (FTC in the US), some WiFi routers may lock out open source like DD-WRT/OpenWrt.

    My personal preference is to use pfSense plus a separate WiFi access point which supports VLANs, plus a VLAN switch (depending on how you attach things). There have historically been issues with supporting WiFi adapters directly on pfSense; I haven't tried it. As @Palancar notes, you can also have multiple LAN or WAN or DMZ ports, but the boxes for those get more expensive.

    I have seen 2-port boxes using SoC technology plus Intel NICs (which have the best track record of working well in pfSense) for sensible $ amounts. But have a look at the pfSense forums for a flavor of what's needed. You'll have to decide on how much processing power and memory you'll need, and this depends on how much LAN-LAN you do, and whether you're running stuff like Snort or pfsenseng. Note that it makes sense to have processors which have suitable hardware acceleration for VPN encryption.

    The other big factor is size, power consumption and noise. Fanless needs careful attention.

    The reason for the WiFi with VLAN support is that, particularly these days with all kinds of very dubious IoT/mobile/tablet/guest/BYOD/gaming/VoIP/webcam devices connecting through WiFi, it makes a lot of sense to do this on several completely segregated networks, which can practically be achieved using VLANs plus a WiFi AP capable of tagging, and this is supported (with the right Ethernet ports) by pfSense. You can treat each VLAN separately then, so that, for example, some networks see nothing but the internet, or perhaps are barred from the internet. Others can be provided with access to a printer on another VLAN, or a fileserver.

    Irrespective of threat model to an extent, there are many reasons for wanting to segregate your internal security domains, because a perimeter firewall on the WAN can do nothing if something like a terribly vulnerable and non-updateable internal appliance becomes an internal attack vehicle. That scenario is only going to get worse because of the prevalence of little processors.
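    The segregation deBoetie describes, written out as an added example in plain pf syntax (this is not code from the post or from the pfSense project, which builds its own ruleset from the web GUI): three VLAN interfaces, trusted clients forced through the VPN tunnel with printer access into the IoT VLAN, and IoT and guest VLANs that see nothing but the internet. Interface names, VLAN IDs, addresses and the tunnel gateway are assumed values.

```pf
# Added illustration, not pfSense's generated rules. Interface names, VLAN
# IDs, addresses and the tunnel gateway below are assumptions.
ext_if   = "igb0"        # WAN uplink
trust_if = "igb1.10"     # VLAN 10: trusted laptops and phones
iot_if   = "igb1.20"     # VLAN 20: IoT, webcams, printer
guest_if = "igb1.30"     # VLAN 30: guests / BYOD
vpn_if   = "ovpnc1"      # OpenVPN client tunnel to the provider
vpn_gw   = "10.8.0.1"    # assumed gateway inside the tunnel

trust_net = "10.0.10.0/24"
iot_net   = "10.0.20.0/24"
guest_net = "10.0.30.0/24"
printer   = "10.0.20.50"
rfc1918   = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

set skip on lo0
scrub in all

# Translation: trusted clients leave only through the tunnel; IoT and
# guests go straight out the WAN. Translation rules precede filter rules.
nat on $vpn_if from $trust_net to any -> ($vpn_if)
nat on $ext_if from { $iot_net, $guest_net } to any -> ($ext_if)

# Default deny, logged, so every allowed flow below is explicit.
block log all

# Each VLAN may use the firewall's own DHCP and DNS on that VLAN, nothing else on it.
pass in quick on { $trust_if, $iot_if, $guest_if } inet proto udp from any port 68 to any port 67
pass in quick on $trust_if proto { tcp, udp } from $trust_net to ($trust_if) port 53
pass in quick on $iot_if   proto { tcp, udp } from $iot_net   to ($iot_if)   port 53
pass in quick on $guest_if proto { tcp, udp } from $guest_net to ($guest_if) port 53

# Trusted VLAN: may print on the IoT VLAN, no other east-west traffic;
# everything else is pushed into the tunnel with route-to.
pass in quick on $trust_if proto tcp from $trust_net to $printer port { 631, 9100 }
block in quick on $trust_if from any to $rfc1918
pass in quick on $trust_if route-to ($vpn_if $vpn_gw) from $trust_net to any

# IoT and guest VLANs: internet only; no other internal network is reachable.
block in quick on { $iot_if, $guest_if } from any to $rfc1918
pass in quick on $iot_if   from $iot_net   to any
pass in quick on $guest_if from $guest_net to any

# Uplinks. Trusted addresses are dropped if they ever appear on the WAN,
# e.g. when the tunnel is down, so the VPN policy fails closed.
block out quick on $ext_if from $trust_net
pass out quick on $ext_if
pass out quick on $vpn_if

# Delivery of the permitted print jobs onto the IoT VLAN.
pass out quick on $iot_if proto tcp to $printer port { 631, 9100 }
```

    In the pfSense GUI the same policy is expressed as per-interface rules, with the trusted VLAN's catch-all rule given the VPN client as its gateway (that is what `route-to` does here) and the "block RFC1918" rules placed above it. Whatever the tooling, verify the result from a host on each VLAN: it should reach the internet, its own VLAN's DHCP/DNS, and, for the trusted VLAN only, the printer, and nothing else internal.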
     
  5. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    I use a router with Shibby Tomato firmware. I would recommend Shibby Tomato over DD-WRT. DD-WRT has become much more commercial while Shibby Tomato has not. It has really good VPN support and subnetting capabilities. You can do things like set up a subnet with the VPN on a separate WiFi SSID and dedicate another SSID for non-VPN use. If you are familiar with Linux bash scripting and iptables, you can get even more benefits from it. Shibby is not as easy at first as DD-WRT, but I find it to be much more powerful once you get familiar with it.

    Here is the list of routers Shibby supports.

    http://tomato.groov.pl/?page_id=69
     
  6. Abdallah

    Abdallah Registered Member

    Joined:
    Oct 28, 2013
    Posts:
    105
    Location:
    Palestine
    Wow, that's a lot of information!

    It seems I am going with pfSense, but it will take some time to learn.

    Thanks all for your very informative replies.
     
  7. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    787
    Location:
    Germany
    Personally I am using AdvancedTomato on an Asus RT-AC68U router. It is based on Shibby Tomato, which MisterB already mentioned, but adds an extremely nice and downright amazing web interface to it. It supports Tinc, PPTP and OpenVPN. I personally use it for OpenVPN only, to connect to our company VPN so I don't have to worry about setting up VPN connections on every device separately.
     
  8. redcell

    redcell Registered Member

    Joined:
    Sep 27, 2010
    Posts:
    126
    Thanks for sharing. Any idea about cheaper wireless router that can run Advanced Tomato?
     
  9. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    787
    Location:
    Germany
  10. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    The list of supported routers consists of all of the routers that run Shibby K26 kernel builds. Shibby supports some older routers that run the K24 Kernel as well, that is the only difference I see in router support. Some of them will cost $20 or less these days on eBay.
     
  11. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    What about speed? I've read that a VPN through a router (DD-WRT) has significantly lower speed, especially with cheap routers, because encryption is done at router level.
     
  12. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    I find it to be faster because the router is not doing as much as a PC and the router firmware is lean and fast compared to even the lightest PC OS. I've tested several VPNs and I always get better speed through a router. Even my old WRT54Gs can handle a VPN at a pretty good speed and most newer routers that support third party firmware are much faster.
     
  13. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    Thank you!
     
  14. Abdallah

    Abdallah Registered Member

    Joined:
    Oct 28, 2013
    Posts:
    105
    Location:
    Palestine
    That's interesting!

    Thanks all for your informative replies.
     