Recommend A Router For VPN (Connections To).......

SachaJ

I'm looking for a new router. Currently running an Apple Airport Extreme but it doesn't have a VPN server. So I'm after one where I can connect to the home network from my phone over a VPN.

Have Vodafone BB with the 658c bridged to the AE. Budget around 150 notes but might push that a little.

Current thinking is an Asus 68u or maybe 87u, a TP Link Archer of some flavour. Not a massive fan of Netgear as I had a R7000 before the AE. Can't remember why I sold it though.... That said I'm running a Netgear managed PoE switch at home and that's solid as a rock.

Anything else worth looking at? Drayteks are a bit expensive.....

editorsean

A Fritz!Box would be another brand worth checking as I'm fairly sure all the Fritz!Box models have a built-in VPN server, including the basic 4020 Wi-Fi router which is currently £53 on Amazon.

With the Fritz!Box I got with Digiweb, it was straight forward to set up the VPN server and it also provides a guide showing how to set up a VPN client connection on various types of devices.

murphaph

Yeah I have a 7360 Fritz and use it to VPN into my home network. It also supports updating dynamic DNS services (I use no-ip) if you don't have a static IP address.

SachaJ

Yeah, have a static IP

ED E

I'd be slow to buy a router for its VPN features unless its got an assured update plan.

Just look at OpenVPN, its had 3(IIRC) crucial issues in the last two years or so requiring updates and now a significant config change. AVM may or may not update libraries like OpenSSL for a year, after that you're SOL. With the likes of iOS or JunOS you'll have much better support. OpenWRT/Tomato/DDWrt will be hit or miss there.

A better solution in my eyes is something like a Rasberry Pi. 4W or 5W, small form factor, SSH and update whenever you want. Can run any proprietary service you like.

tsue921i8wljb3

ED E wrote: »

I'd be slow to buy a router for its VPN features unless its got an assured update plan.

Just look at OpenVPN, its had 3(IIRC) crucial issues in the last two years or so requiring updates and now a significant config change. AVM may or may not update libraries like OpenSSL for a year, after that you're SOL. With the likes of iOS or JunOS you'll have much better support. OpenWRT/Tomato/DDWrt will be hit or miss there.

A better solution in my eyes is something like a Rasberry Pi. 4W or 5W, small form factor, SSH and update whenever you want. Can run any proprietary service you like.

Good idea ED E. Would the Pi need to be in a router DMZ or would port forwarding also work?

SachaJ

ED E wrote: »

A better solution in my eyes is something like a Rasberry Pi. 4W or 5W, small form factor, SSH and update whenever you want. Can run any proprietary service you like.

As in forward a port on the AE to the RPi as use that as my VPN server?

Any Pi do? I have an 1st gen one here. Can it hardly the throughput of 6+ CCTV cameras?

ED E

Eliezer Deep Peppermint wrote: »

Good idea ED E. Would the Pi need to be in a router DMZ or would port forwarding also work?

Deny all - allow good is the right ethos (We learned that with WindowsXP). I'd forward 22 SSH and 443 for VPN access as you can then pretend to be HTTPs on limited connections like in a Cafe/Hotel.

SachaJ wrote: »

As in forward a port on the AE to the RPi as use that as my VPN server?

Any Pi do? I have an 1st gen one here. Can it hardly the throughput of 6+ CCTV cameras?

Yep.

Its not a big job. Remember your upload will be up to 20Mbps with VDSL or 30Mbps with Lightspeed 150. So that means your VPN server only has to turn around that rate.

I havent done it but it appears the BananaPi has a faster NIC so that might be a good option. Really if you get 10Mbps symmetric thats plenty. I hosted my VPN on a 120/12(so 10/10 VPN) for yonks with no problems streaming video over it.

murphaph

ED E wrote: »

I'd be slow to buy a router for its VPN features unless its got an assured update plan.

Just look at OpenVPN, its had 3(IIRC) crucial issues in the last two years or so requiring updates and now a significant config change. AVM may or may not update libraries like OpenSSL for a year, after that you're SOL. With the likes of iOS or JunOS you'll have much better support. OpenWRT/Tomato/DDWrt will be hit or miss there.

A better solution in my eyes is something like a Rasberry Pi. 4W or 5W, small form factor, SSH and update whenever you want. Can run any proprietary service you like.

Your point is well made and to be fair to AVM at least, they do release updates pretty quickly where there's a known security threat and they support their older devices for years with updates.

murphaph

ED E wrote: »

Deny all - allow good is the right ethos (We learned that with WindowsXP). I'd forward 22 SSH and 443 for VPN access as you can then pretend to be HTTPs on limited connections like in a Cafe/Hotel.

For me this is a compelling argument to set up openVPN behind the router. It has happened to me a few times that port 22 was blocked by the hotel etc. and I couldn't access my home network.

ED E

murphaph wrote: »

For me this is a compelling argument to set up openVPN behind the router. It has happened to me a few times that port 22 was blocked by the hotel etc. and I couldn't access my home network.

Remember to bind it twice on UDP for performance and TCP for decent firewalls.

BailMeOut

I use a unifi USG and its works really well. I also have a unifi AP and the two work brilliantly together. The USG was £113 and £50 for the AP.


https://www.ubnt.com/unifi-routing/usg/

murphaph

BailMeOut wrote: »

I use a unifi USG and its works really well. I also have a unifi AP and the two work brilliantly together. The USG was £113 and £50 for the AP.


https://www.ubnt.com/unifi-routing/usg/

I have 3 unifi APs so I'd be interested in hearing how these work well together? What do I get as a Unifi AP owner buying the USG compared to some other router?

BailMeOut

murphaph wrote: »

I have 3 unifi APs so I'd be interested in hearing how these work well together? What do I get as a Unifi AP owner buying the USG compared to some other router?

The main thing you get is a single console to manage everything. Next going to replace my Netgear switch with a one of these https://www.ubnt.com/unifi-switching/unifi-switch-8-150w so everying is in one place.

You also will get "Deep Packet Inspection' with the USG in place. I have three kids so this lets me see what they are doing from the console. They are on their one wifi network that is rate limited and and cannot access any my systems (I work from home). I also have their Wifi network automatically shut down at bedtime and start up later in the morning.

but mainly being able to see and manage everyone from one plane of glass (and an app) is really nice.