New Member
Posts: 9
Registered: ‎06-25-2017
Solutions: 1

OpenVPN Server on ERL vs. Linux box

I am looking to set up an OpenVPN server to allow remote clients to connect to a certain VLAN and run tasks as if they were local (ssh, vnc, etc.). Would it be better to set up the OpenVPN server on the ERL or on one of the Linux computers on that VLAN?

 

As for what constitutes "better", I am wondering about the security implications of these methods and also speed. I have heard that running the OpenVPN server will be quite slow (~10 Mb/sec) compared to running it on a computer? I want to have the VPN protected using 2-factor (DUO/Yubikey/etc).

 

I found a rather detailed guide HERE that discusses setting up a VPN server but I'm not sure if it would work for the current EdgeOS and perhaps there are benefits to running this on an internal computer?  

 

Thanks


Accepted Solutions
Regular Member
Posts: 702
Registered: ‎01-26-2015
Kudos: 187
Solutions: 65

Re: OpenVPN Server on ERL vs. Linux box

As long as you forward the OpenVPN port only, the other ports on the server should be safe. If you are concerned about their security, add an iptables rule that blocks traffic from WAN IPs on any port except the OpenVPN port.

 

The ER is not well suited for OpenVPN as it can't be offloaded. As you mentioned, it maxes out at about ~10 Mbit/s. If this is not fast enough and you are concerned about your server running OpenVPN, you might want to think about IPsec. Contrary to OpenVPN, IPsec can be offloaded. Users reported that IPsec can deliver speeds well above the 10 Mbit/s, up to ~100 Mbit/s.

 

If neither IPsec is an option nor OpenVPN@server, you should consider setting up a proper OpenVPN server. A Pi 3 is faster than an ER but still not a performance beast. Any standard computer grants much higher speeds. Maybe an Intel NUC or similar is an option. My pretty old i3 (2nd gen) laptop (W7) connects to my i3 (2nd gen) server (Ubuntu) with 800+ Mbit/s OpenVPN.

View solution in original post
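
The iptables rule suggested in the answer above, worked out as an added example (not part of the original thread): a shell function that emits an `iptables-restore` ruleset for the Linux box, dropping inbound traffic from anywhere outside the LAN except the OpenVPN port. The LAN subnet `192.168.10.0/24`, the `udp/1194` listener, the `tun+` interface match and the function names are assumptions.

```shell
#!/bin/sh
# Added example: ruleset for the Linux server that runs OpenVPN behind the router.
# Assumed values (not from the thread): LAN 192.168.10.0/24, OpenVPN on udp/1194.

# is_cidr: accept only dotted-quad/prefix so nothing unexpected lands in a rule
is_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# vpn_only_rules LAN_CIDR PROTO PORT
# Prints an iptables-restore ruleset on stdout; returns 1 on invalid input.
vpn_only_rules() {
    lan=$1 proto=$2 port=$3
    is_cidr "$lan" || { echo "bad LAN CIDR: $lan" >&2; return 1; }
    case $proto in udp|tcp) ;; *) echo "bad proto: $proto" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    # INPUT defaults to DROP: anything not matched below (i.e. WAN sources
    # hitting any other port) is discarded. FORWARD/OUTPUT stay at ACCEPT here.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $lan -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -p $proto --dport $port -j ACCEPT
COMMIT
EOF
}

# Syntax-check without applying (needs root):
#   vpn_only_rules 192.168.10.0/24 udp 1194 | iptables-restore --test
# Apply (replaces the whole filter table, so run it from the console, not over ssh from the WAN):
#   vpn_only_rules 192.168.10.0/24 udp 1194 | iptables-restore
```

The `tun+` rule lets authenticated VPN clients reach services on the box itself; drop it if the server should only route them onward to the VLAN.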


All Replies
Veteran Member
Posts: 6,237
Registered: ‎07-03-2008
Kudos: 1973
Solutions: 152

Re: OpenVPN Server on ERL vs. Linux box

ERL gets its speed from kernel offloading to the Cavium chip's packet processing engine.

 

OpenVPN runs in user space.  The ERL doesn't have a lot of horsepower there.

Regular Member
Posts: 317
Registered: ‎02-05-2017
Kudos: 89
Solutions: 3

Re: OpenVPN Server on ERL vs. Linux box

I use old PCs repurposed as headless CentOS servers for my OpenVPN network. I know that my ER-X devices will do OpenVPN but the horsepower from old PCs is much better, plus I can use the OpenVPN Access Server software for ease of deployment, configuration and maintenance.

https://www.youtube.com/watch?v=Fc87pw1aYPg
New Member
Posts: 9
Registered: ‎06-25-2017
Solutions: 1

Re: OpenVPN Server on ERL vs. Linux box

Hm, maybe OpenVPN is better suited to a proper computer. I don't have any old ones lying around (besides a Raspberry Pi 3, which I don't think will have the power either). I could run this on my production server but am a little concerned with security since it will also have many other ports open in the iptables; I didn't plan on doing a port forward to that server.

 

Would it be more secure to run OpenVPN in a virtualbox as opposed to the bare metal debian server?

 

 

New Member
Posts: 9
Registered: ‎06-25-2017
Solutions: 1

Re: OpenVPN Server on ERL vs. Linux box

Thanks for the replies. I might look at getting a used i3 Dell Optiplex to run the VPN server on. I feel safer having the VPN server on a separate server since my main server needs to be high reliability and I'm not too sure about my OpenVPN coding skills yet : )

New Member
Posts: 10
Registered: ‎06-26-2017
Kudos: 1
Solutions: 1

Re: OpenVPN Server on ERL vs. Linux box

I set up an OpenVPN server on a low-cost cloud VM with a public IP running Ubuntu (14.04). I can't say the performance is stellar -- you undoubtedly get what you pay for with that kind of service, but it does work and was dirt cheap: One-time setup fee was under $20 for a minimal VM (1 vCPU, 512MB RAM, 10G storage, 2 public IPs), with a yearly maintenance fee under $10. I wouldn't use it for anything critical though!

Member
Posts: 304
Registered: ‎07-30-2013
Kudos: 60
Solutions: 14

Re: OpenVPN Server on ERL vs. Linux box

That sounds like a cloud@cost server. I use that service for my unifi controller

New Member
Posts: 10
Registered: ‎06-26-2017
Kudos: 1
Solutions: 1

Re: OpenVPN Server on ERL vs. Linux box

Yep, that's the one (wasn't sure how touchy the forum is about mentioning things like that). I have several OpenVPN servers running on the same VM, one for privacy (all traffic routing back to the server in Canada) and another one for remote access.

 

It takes a while for them to respond to problems (in my mind's eye I see a guy with racks and racks of surplus Dell servers in his basement) but for the money, it's hard to beat. If this were more critical, I'd probably look at Digital Ocean or the like.

Regular Member
Posts: 317
Registered: ‎02-05-2017
Kudos: 89
Solutions: 3

Re: OpenVPN Server on ERL vs. Linux box

I also make use of VPS servers in Singapore and the UK, but for different reasons. I use my UK-based VPS to access geo-locked services, primarily the iPlayer (I'm a British expat in Southeast Asia). OpenVPN is sensitive to high latency, so I make sure I use a VPS provider with premium/tier 1 bandwidth, meaning I can get the latency to the UK down to 220 milliseconds, and I can stream the iPlayer in HD. Ookla speedtest results give me around 20 Mbits per second symmetrical, but that is limited by international bandwidth bottlenecks rather than VPS horsepower.

 

Incidentally, my Singapore VPS only has a 10 Mbit/s pipe, but I can achieve twice that in speed tests due to the on-the-fly compression utilised by OpenVPN. Sometimes I will route my traffic to the UK through a double pipe, i.e. route my UK OpenVPN pipe through my Singapore OpenVPN pipe, which gives me lower overall speeds but much better stability due to the better international connectivity available through Singapore.

 

To summarize, OpenVPN improves my quality of life. I can also provide my young son with some decent UK television on cBeebies, instead of the garbage they air in this country.

https://www.youtube.com/watch?v=Fc87pw1aYPg