Wireless VPN from WRT54GL?

Joseph Sinclair plug-discussion at stcaz.net
Thu Jan 25 22:06:19 MST 2007


Alan Dayley wrote:
>>> Yeah, definitely OpenVPN.  Simple (relatively speaking) to setup, comes
>>> with DD-WRT, and has clients for everything under the sun.
> 
> Yes, OpenVPN looks like the way to go.
> 
---
Since OpenVPN is SSL-based, it's considered a medium-security VPN.
You might find it helpful to explore an IPSec-based VPN if you're really concerned about security.

>>> Have you done performance testing with a simple peer-to-peer OpenVPN
>>> setup over wireless and are you satisfied with the performance?  I ask
>>> because when I first set things up before, I wanted it configured so
>>> that the *only* way you could get on the wireless network is through
>>> OpenVPN.  That is, no easily crackable WEP or WPA connections.  What I
>>> found, though, was that the added encryption layer over wireless, unless
>>> the signal strength was top-notch, was actually pretty noticeable.  I
>>> eventually turned it off for "normal" laptop use (email, web browsing,
>>> etc) since anything I care about in that realm is already encrypted at a
>>> client layer.  I still have it for those cases where it's a pain to
>>> tunnel protocols through stunnel or ssh (like AppleShare or RDP).
> 
> No, I have not done performance tests.  Again, the OpenWRT wiki links to
> some performance tests that I have not read yet.
> http://wiki.openwrt.org/openvpn?highlight=%28openvpn%29
> 
> This is a concern because I think once this is available, many more of
> the wireless users will want to take advantage of it.  I don't know how
> many VPN connections a router can handle.  I suppose a two NIC server
> handling VPN could sit between the access point and the rest of the
> network if the load is too high.  I'll have to read the above reports.
> 
---
It looks, from what I can find, as if the WRT CPU slows by about half running a single SSL-VPN tunnel (not unusual, SSL-VPN is a rather CPU-intensive solution).
If you're planning to run more than 2 clients on the VPN at a time, start with the VPN in a machine between the WRT and the wired network.  The extra CPU on even a low-end machine will be far more capable of handling the SSL-VPN load than the generally overtaxed WRT CPU.
In most cases, it's reasonable to expect each SSL-VPN tunnel to consume about 100-200MHz of CPU while in use.  This varies somewhat by type of CPU, but most specialized firewall systems that support SSL-VPN have accelerator cards just to handle the cryptographic overhead (and provide a hardware entropy source to stave off entropy starvation, a common problem with SSL-VPNs [and SSL in general]).

One other point, if you're requiring an OpenVPN connection to link through the WRT, then turn OFF WEP and WPA.  They add a lot of now-useless overhead to the WRT CPU, and they can actually compromise security of the VPN tunnel.
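
The "VPN-only wireless" layout the thread keeps coming back to (a Linux box with two NICs between the access point and the wired network, OpenVPN as the only way across it), written out as a forwarding policy.  This is an added example, not code from the thread or from DD-WRT/OpenWRT; the interface names, subnets, the OpenVPN port and the choice of iptables on a separate Linux host are assumptions, and it presumes the wired LAN already has a route back to the OpenVPN client subnet.

```shell
#!/bin/sh
# Added example: forwarding policy for a Linux box that sits between the
# wireless access point (WRT) and the wired LAN, so the only way from the
# open WLAN onto the LAN is through the OpenVPN server running on this box.
#
#   [wireless clients] -- $WLAN_IF (open WLAN, assumed 192.168.10.0/24)
#          |
#   [this box: OpenVPN server on udp/$VPN_PORT, tunnel device $TUN_IF]
#          |
#   [wired LAN] -- $LAN_IF
#
# All names below are assumptions; adjust to the real layout.
# Set IPT=echo to print the rules instead of applying them.

IPT="${IPT:-iptables}"
WLAN_IF="${WLAN_IF:-eth1}"               # faces the access point / WRT
LAN_IF="${LAN_IF:-eth0}"                 # faces the wired network
TUN_IF="${TUN_IF:-tun0}"                 # OpenVPN server tunnel device
VPN_PORT="${VPN_PORT:-1194}"             # OpenVPN default port (udp)
WLAN_NET="${WLAN_NET:-192.168.10.0/24}"  # address range handed to WLAN clients

apply_vpn_only_policy() {
    # Default deny on the forwarding path: nothing crosses from the WLAN to
    # the wired LAN unless it arrived through the tunnel.
    "$IPT" -P FORWARD DROP
    "$IPT" -F FORWARD
    "$IPT" -F INPUT

    # Replies to already-accepted traffic, in both directions.
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Only traffic that OpenVPN has already decrypted (it shows up on tun0)
    # is allowed to reach the wired LAN.
    "$IPT" -A FORWARD -i "$TUN_IF" -o "$LAN_IF" -j ACCEPT

    # Anything trying to go straight from the WLAN to the LAN is logged and
    # dropped; the log line is the check that the policy actually bites.
    "$IPT" -A FORWARD -i "$WLAN_IF" -o "$LAN_IF" -j LOG --log-prefix "wlan-bypass: "
    "$IPT" -A FORWARD -i "$WLAN_IF" -o "$LAN_IF" -j DROP

    # Locally delivered traffic from the WLAN: only the OpenVPN port is
    # reachable.  With WEP/WPA off anyone in radio range can send packets to
    # this host, so new handshakes are rate-limited to keep an unauthenticated
    # neighbour from burning the server's CPU on TLS handshakes.
    "$IPT" -A INPUT -i "$WLAN_IF" -s "$WLAN_NET" -p udp --dport "$VPN_PORT" \
        -m conntrack --ctstate NEW -m limit --limit 10/s --limit-burst 20 -j ACCEPT
    "$IPT" -A INPUT -i "$WLAN_IF" -j DROP
}

# Dry-run helper: how many rules expose the OpenVPN port (expected: exactly one).
vpn_port_rule_count() {
    ( IPT=echo; apply_vpn_only_policy ) | grep -c -- "--dport $VPN_PORT"
}

# Apply for real only when invoked as: ./vpn-only.sh apply
if [ "$IPT" != "echo" ] && [ "${1:-}" = "apply" ]; then
    apply_vpn_only_policy
fi
```

Run it once with IPT=echo and read the output before applying; the one rule that should mention udp/1194 is the INPUT accept, and everything from the WLAN interface that is not that rule or an established reply should end in DROP.  Client-side, the OpenVPN profile then only needs "remote <this box's WLAN address> 1194 udp"; the WRT itself does nothing but bridge radio to Ethernet, which is what keeps its CPU out of the crypto path.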
