guppy

embedded hardware for openVPN?

For some time I've had my router (rt-a66u) handle my OpenVPN needs, and that works fine for browsing, etc. Unfortunately it seems to top out at 4Mbps/6Mbps (yeah, upload is higher for some reason), which means that streaming can get a tad tricky.

 

So my current idea is to offload the work to a dedicated unit, to minimize the power usage something embedded is preferred - I've been considering the Cubox-i;

http://solid-run.com/freescale-imx6-family/cubox-i/cubox-i-specifications/

 

Though I'm not really sure how powerful it has to be to get reasonably close to being able to saturate my 100/100 connection - I know that the airvpn server may just turn out to be the bottleneck, but the hardware will also be hosting an inbound VPN connection which is really what I'm interested in saturating.

 

Before I order a box I figured I'd ask around here if anyone has any experience with dedicated embedded hardware for OpenVPN - perhaps something with built-in hw acceleration?

 

 

Realistically I could probably learn to live with ~25Mbps, but obviously the faster the better.

 

The hardware will have to host 2 clients and 1 server.

Link to post

I have a 100/100 connection and my AirVPN speeds are consistently around 90/90 or above, so I wouldn't worry about AirVPN being the bottleneck.

Link to post

No one?

 

 

New favorite - the banana pi r1

http://www.bananapi.com/index.php/component/content/article?layout=edit&id=59

http://www.banana-pi.org/r1.html

 

The A20 (dual core 1GHz) should be enough for handling en/de-cryption in software, but it seems to have hardware crypto support for AES-128/196/256 in CBC mode.

However, feel free to suggest other platforms while I dig through forums trying to figure out how badly the binary blobs perform.

As it turns out, the banana pi has massive issues with both the SATA interface not getting enough power and one core being completely maxed out just switching traffic between the 5 1GbE ports - which in turn max out at 300Mbps.

So while it might work, it just has too little headroom for my liking, soo.. anyone?

Link to post

For ease, it looks as though pfSense sells hardware that will act as gateway/firewall/OpenVPN client/etc. I checked it out and even the lowest end comes with an Intel chip that has AES-NI, if I read correctly.

 

I'm interested in getting one myself.

Link to post

Personally I would build something based on the 6 watt intel N3700 chip or the N3150. Both have aes-ni.

That or pick up a used $100 1u xeon server off ebay.

 

The banana pi's are all fairly underpowered, and from what I can tell all the pfsense hardware only has intel Atom chips = They're overpriced for what you get performance wise.

If you're looking to run 2 openvpn instances and saturate a 100/100 line, you're gonna need a bit more horsepower than a pi etc. Not a lot, but more than most of the inexpensive embedded setups will offer.

Link to post

I can really recommend looking out for a decent thin client like the Igel H710C or similar. The VIA processors have built-in crypto hardware ("VIA Padlock").

They are often available on ebay for cheap: I got mine plus an Intel dual NIC for 70 Euro altogether.

3 concurrent OpenVPN instances are no problem. Also I recently upgraded to a 100 Mbps line.

Link to post


That does look very tempting - but unfortunately the Eden series (C7 specifically) only seems to support AES-128, AirVPN is locked to AES-256-CBC - so you would have to do it in software?

Apparently the VIA C7 series does support AES-256-CBC, bit annoying that VIA doesn't have better documentation of their chips.

So this definitely looks like the way to go.

 

What are you running on it? ( windows/Linux/ openWRT / other )

Link to post
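
Added example (not part of the original thread): a way to check the two questions raised above on a candidate box, namely whether the CPU advertises AES-NI or an enabled VIA PadLock unit, and how the measured AES-256-CBC rate compares with a 100/100 line. The function names, the headroom thresholds and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and sample data are constructed for illustration.

# Read /proc/cpuinfo-style text on stdin and name the x86 hardware AES unit.
# "aes" is the AES-NI flag; "ace_en" means VIA PadLock ACE is present and enabled.
hw_aes() {
    flags=$(grep -E '^flags[[:space:]]*:' | head -n 1 | cut -d: -f2)
    for f in $flags; do
        case "$f" in
            aes)    echo aes-ni;  return 0 ;;
            ace_en) echo padlock; return 0 ;;
        esac
    done
    echo none
}

# Read `openssl speed -evp aes-256-cbc` output on stdin and print the
# 1024-byte-block rate in Mbit/s (openssl reports 1000s of bytes per second).
cipher_mbps() {
    awk 'tolower($1) == "aes-256-cbc" { sub(/k$/, "", $5); printf "%d\n", $5 * 8 / 1000 }'
}

# verdict CIPHER_MBPS LINE_MBPS PASSES
# PASSES = how many tunnels each packet crosses (2 when traffic enters through
# the inbound server and leaves through a client tunnel). Full duplex doubles it.
# The 2x margin for "headroom" is an assumption, not a measured figure.
verdict() {
    need=$(( $2 * 2 * $3 ))
    if   [ "$1" -ge $(( need * 2 )) ]; then echo headroom
    elif [ "$1" -ge "$need" ];         then echo marginal
    else                                    echo too-slow
    fi
}

# Constructed samples: a VIA C7-style flags line and an openssl result line.
SAMPLE_CPUINFO='flags    : fpu vme de pse tsc msr cx8 sep mtrr pge cmov pat clflush acpi mmx fxsr sse sse2 tm nx pni est tm2 xtpr rng rng_en ace ace_en ace2 ace2_en phe phe_en pmm pmm_en'
SAMPLE_SPEED='type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-256-cbc      45210.11k    49876.32k    51002.45k    51340.29k    51412.99k    51380.22k'

unit=$(printf '%s\n' "$SAMPLE_CPUINFO" | hw_aes)
rate=$(printf '%s\n' "$SAMPLE_SPEED" | cipher_mbps)
echo "hardware AES: $unit, AES-256-CBC: ${rate} Mbit/s, 100/100 line: $(verdict "$rate" 100 2)"
```

On a real Linux box, feed the functions live data with `hw_aes < /proc/cpuinfo` and `openssl speed -evp aes-256-cbc 2>/dev/null | cipher_mbps`. The figure is a cipher-only upper bound for one core; OpenVPN adds HMAC and tunnel overhead on top.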

> That or pick up a used $100 1u xeon server off ebay.

That is an excellent idea, really, those things are dirt cheap! Unfortunately I do not have anywhere to place such a noise machine, thanks for the suggestion tho.

Link to post

> What are you running on it? ( windows/Linux/ openWRT / other )

pfsense. There is also an excellent guide about how to set it up here on the forums.

 

If possible, try to get a thin client with the VIA nano: https://en.wikipedia.org/wiki/VIA_Nano

Maybe a fast C7 could serve you as well. For sure worth a try. Don't forget to pick up an Intel dual or quad NIC!

 

A Xeon server is powerful enough for sure but consider noise, power consumption and a space to mount it.

Link to post

If you keep powerd @ minimum 'in pfsense' the fan should hardly ever kick on in one of those 1u boxes.

The cpu will run at or around 200-ish MHz.

 

I would still just build something.

Link to post
This topic is now closed to further replies.