Alan Dayley wrote:
> Joseph Sinclair wrote (in part):
>>> ---
>>> It looks, from what I can find, as if the WRT CPU slows by about half running a single SSL-VPN tunnel (not unusual, SSL-VPN is a rather CPU-intensive solution).
>>> If you're planning to run more than 2 clients on the VPN at a time, start with the VPN in a machine between the WRT and the wired network. The extra CPU on even a low-end machine will be far more capable of handling the SSL-VPN load than the generally overtaxed WRT CPU.
>>> In most cases, it's reasonable to expect each SSL-VPN tunnel to consume about 100-200MHz of CPU while in use. This varies somewhat by type of CPU, but most specialized firewall systems that support SSL-VPN have accelerator cards just to handle the cryptographic overhead (and provide a hardware entropy source to stave off entropy starvation, a common problem with SSL-VPN's [and SSL in general])
>>>
>>> One other point, if you're requiring an OpenVPN connection to link through the WRT, then turn OFF WEP and WPA. They add a lot of now-useless overhead to the WRT CPU, and they can actually compromise security of the VPN tunnel.
>
> The performance worries me so let me go down a different path.
>
> We have a Citrix VPN server already on the internal network. The
> firewall directs connections from the Internet to that VPN server for
> remote access to the internal network. The new plan would be to do the
> same on the wireless access point.
>
> - All connections to the wireless access point, via WPA, would be routed
> to the internal VPN server.
> - If you can log into that VPN server, you are in. If not, you go no
> further.
>
> In other words, I would want to setup the access point such that it only
> routes to the internal VPN server and no where else. Does that sound
> like a reasonable plan?
>
---
This sounds like a good and viable plan, although I'd drop the WPA part. If you're already encrypting the communications via VPN, it's both wasteful and, possibly, self-defeating to add WPA (or WEP) on top of that. Encrypting an already encrypted datastream can actually reduce security, and is generally not recommended (it takes a lot of careful planning to ensure the two encryptions don't result in a net reduction in ciphertext entropy). It's particularly unwise to use AES on top of AES of 3DES on 3DES, both doublings are known to result in a less secure ciphertext.
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change you mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss