Alan Dayley wrote:

>>> Yeah, definitely OpenVPN. Simple (relatively speaking) to set up, comes
>>> with DD-WRT, and has clients for everything under the sun.
>
> Yes, OpenVPN looks like the way to go.

---

Since OpenVPN is SSL-based, it's considered a medium-security VPN. You might find it helpful to explore an IPSec-based VPN if you're really concerned about security.

>>> Have you done performance testing with a simple peer-to-peer OpenVPN
>>> setup over wireless and are you satisfied with the performance? I ask
>>> because when I first set things up before, I wanted it configured so
>>> that the *only* way you could get on the wireless network is through
>>> OpenVPN. That is, no easily crackable WEP or WPA connections. What I
>>> found, though, was that the added encryption layer over wireless, unless
>>> the signal strength was top-notch, was actually pretty noticeable. I
>>> eventually turned it off for "normal" laptop use (email, web browsing,
>>> etc.) since anything I care about in that realm is already encrypted at a
>>> client layer. I still have it for those cases where it's a pain to
>>> tunnel protocols through stunnel or ssh (like AppleShare or RDP).
>
> No, I have not done performance tests. Again, the OpenWRT wiki links to
> some performance tests that I have not read yet.
> http://wiki.openwrt.org/openvpn?highlight=%28openvpn%29
>
> This is a concern because I think once this is available, many more of
> the wireless users will want to take advantage of it. I don't know how
> many VPN connections a router can handle. I suppose a two-NIC server
> handling VPN could sit between the access point and the rest of the
> network if the load is too high. I'll have to read the above reports.

---

It looks, from what I can find, as if the WRT CPU slows by about half running a single SSL-VPN tunnel (not unusual, SSL-VPN is a rather CPU-intensive solution).

If you're planning to run more than 2 clients on the VPN at a time, start with the VPN in a machine between the WRT and the wired network. The extra CPU on even a low-end machine will be far more capable of handling the SSL-VPN load than the generally overtaxed WRT CPU. In most cases, it's reasonable to expect each SSL-VPN tunnel to consume about 100-200MHz of CPU while in use. This varies somewhat by type of CPU, but most specialized firewall systems that support SSL-VPN have accelerator cards just to handle the cryptographic overhead (and provide a hardware entropy source to stave off entropy starvation, a common problem with SSL-VPNs [and SSL in general]).

One other point: if you're requiring an OpenVPN connection to link through the WRT, then turn OFF WEP and WPA. They add a lot of now-useless overhead to the WRT CPU, and they can actually compromise security of the VPN tunnel.
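As an added illustration of the "VPN-only wireless" setup discussed in this thread (not a script from the thread or from the DD-WRT/OpenWRT projects), here is a firewall policy for the access point that lets wireless clients reach nothing but DHCP and the OpenVPN listener, so every other packet has to arrive through the tunnel. Interface names, the VPN host address and the port are assumptions for a typical router and must be adjusted.

```shell
#!/bin/sh
# Added example: restrict the wireless segment of a WRT-class access point
# so that OpenVPN is the only way onto the network. All names below are
# assumptions for a typical DD-WRT/OpenWRT layout; override via environment.
WLAN=${WLAN:-eth1}                  # wireless interface (assumed)
LAN=${LAN:-br0}                     # wired / bridged LAN side (assumed)
TUN=${TUN:-tun0}                    # OpenVPN tunnel device, if it terminates here
VPN_HOST=${VPN_HOST:-192.168.1.1}   # OpenVPN listener: this router, or the
                                    # box sitting between the WRT and the LAN
VPN_PORT=${VPN_PORT:-1194}          # OpenVPN's default UDP port

# Emit the rules instead of applying them, so the policy can be reviewed
# (and tested) without root. Apply with:  vpn_only_rules | sh
vpn_only_rules() {
    cat <<EOF
# Dedicated chain for everything that enters on the wireless interface
iptables -N WLAN_IN
iptables -F WLAN_IN
# DHCP, so wireless clients can obtain an address at all
iptables -A WLAN_IN -p udp --sport 68 --dport 67 -j ACCEPT
# The single permitted cleartext service: the OpenVPN listener
iptables -A WLAN_IN -p udp -d $VPN_HOST --dport $VPN_PORT -j ACCEPT
# Everything else from the air is dropped (no WEP/WPA-only access)
iptables -A WLAN_IN -j DROP
# Hook the chain in for traffic to the router and traffic through it
iptables -I INPUT 1 -i $WLAN -j WLAN_IN
iptables -I FORWARD 1 -i $WLAN -j WLAN_IN
# Packets that arrive decrypted from the tunnel are treated like wired LAN
iptables -A FORWARD -i $TUN -o $LAN -j ACCEPT
iptables -A FORWARD -i $LAN -o $TUN -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Sanity check: the DROP must come after the two ACCEPTs in the chain
check_order() {
    vpn_only_rules | grep -n 'WLAN_IN' | grep -q "ACCEPT" || return 1
    accept=$(vpn_only_rules | grep -n -- "--dport $VPN_PORT -j ACCEPT" | cut -d: -f1)
    drop=$(vpn_only_rules | grep -n 'WLAN_IN -j DROP' | cut -d: -f1)
    [ "$accept" -lt "$drop" ]
}
```

With the tunnel terminated on a separate machine behind the WRT (as suggested above), set VPN_HOST to that machine and drop the two tun0 rules, which then belong on that host instead.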