List of routers for FTTNx2 and VPN

Advanced feature discussion, beta programs and unsupported "Labs" features.
26 posts Page 3 of 3
by Guest » Tue Dec 27, 2016 7:59 pm
pratik wrote: Now I'm at the OpenVPN client config page and it's quite overwhelming. I'm trying to find some useful info online, but if anyone knows exactly what each field on the page means, I would really appreciate it.
I set the VPN client up in the following order:

1) Set 'Hybrid Outbound NAT rule generation' (Firewall > NAT > Outbound)
2) Set up the Sonic.net CA and certificate (System > Certificate Manager > CAs & Certificates)
3) Set up and enable a virtual interface for the Sonic VPN (Interfaces > Assign). I named mine SONICVPN; IPv4 & IPv6 configuration types both set to 'none'. Leave the other settings at default.
4) Add the Sonic.net VPN client (VPN > OpenVPN > Clients).

Pertinent settings:

Server mode: Peer to Peer (SSL/TLS)
Protocol: UDP
Device mode: Tun
Interface: WAN
Server host or address: ovpn.sonic.net
Server port: 1194
Description: (SONICVPN or whatever)
Username: Sonic username
Password: Your Sonic password
TLS authentication: Checked
Key: Paste from your Sonic client.ovpn file (starts with -----BEGIN OpenVPN Static key V1-----)
Peer certificate authority: the CA certificate you created within pfSense during step 2
Client certificate: the certificate you set up during step 2
Encryption Algorithm: AES-128-CBC (128-bit)
Auth digest algorithm: SHA1 (160-bit)
Compression: Enabled with Adaptive Compression
Disable IPv6: checked
Don't pull routes: unchecked
Don't add/remove routes: unchecked

Custom options (these are mine):

setenv FORWARD_COMPATIBLE 1;
server-poll-timeout 4;
dev-type tun;
ns-cert-type server;
verify-x509-name 'CN=OpenVPN Server';
reneg-sec 604800;
sndbuf 100000;
rcvbuf 100000;
keepalive 10 60;
comp-lzo no;
verb 3;
setenv PUSH_PEER_INFO;
auth-nocache;

Make sure to SAVE.


If you want to route only certain clients through the VPN, you can specify the Sonic VPN as your gateway in your firewall rules for those clients... If you have quite a few network devices, I strongly suggest you utilize aliases (Firewall > Aliases). Makes life a bit simpler :)

For any connection issues, make sure to check your OpenVPN log (Status > System Logs > OpenVPN). Also make sure pfSense is not behind another router unless that router is in bridge mode... This will alleviate double NAT, etc. Good luck!
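Added example, not part of the post above: a Python check for the pfSense "Custom options" string and the pasted TLS authentication key. It splits the semicolon-separated field the way it is entered in the GUI, warns when the directives that tie the connection to the real server are missing, and validates the layout of an OpenVPN static key (16 lines of 32 hex digits between the markers). The sample options are the ones from the post; the sample key is a constructed placeholder, not a real key.

```python
import re

# Constructed from the custom options quoted in the post, joined the way
# pfSense stores the field (one semicolon-separated string).
SAMPLE_OPTIONS = (
    "setenv FORWARD_COMPATIBLE 1;server-poll-timeout 4;dev-type tun;"
    "ns-cert-type server;verify-x509-name 'CN=OpenVPN Server';reneg-sec 604800;"
    "sndbuf 100000;rcvbuf 100000;keepalive 10 60;comp-lzo no;verb 3;"
    "setenv PUSH_PEER_INFO;auth-nocache;"
)

# Constructed placeholder in the layout of an OpenVPN static key: 16 lines of
# 32 hex digits (2048 bits) between the BEGIN/END markers. Not a real key.
SAMPLE_TA_KEY = (
    "-----BEGIN OpenVPN Static key V1-----\n"
    + ("0123456789abcdef" * 2 + "\n") * 16
    + "-----END OpenVPN Static key V1-----\n"
)

def parse_custom_options(text):
    """Split the pfSense field into (directive, [args]); quoted args keep spaces."""
    opts = []
    for stmt in text.split(";"):
        stmt = stmt.strip()
        if stmt:
            toks = [a or b or c for a, b, c in
                    re.findall(r"'([^']*)'|\"([^\"]*)\"|(\S+)", stmt)]
            opts.append((toks[0], toks[1:]))
    return opts

def identity_warnings(opts):
    """Does the client verify it talks to the server and not to another peer?"""
    names = {d for d, _ in opts}
    warn = []
    if not names & {"verify-x509-name", "remote-cert-tls", "ns-cert-type"}:
        warn.append("server identity is checked only by CA signature")
    if "ns-cert-type" in names and "remote-cert-tls" not in names:
        warn.append("ns-cert-type is deprecated; OpenVPN 2.4+ uses remote-cert-tls server")
    if "auth-nocache" not in names:
        warn.append("auth-nocache missing: credentials stay cached in memory")
    return warn

def parse_static_key(text):
    """Return the 256 raw bytes of a tls-auth key, or raise ValueError."""
    m = re.search(r"-----BEGIN OpenVPN Static key V1-----\n(.*?)"
                  r"-----END OpenVPN Static key V1-----", text, re.S)
    if not m:
        raise ValueError("missing OpenVPN Static key V1 markers")
    key = bytes.fromhex("".join(ln.strip() for ln in m.group(1).splitlines()))
    if len(key) != 256:
        raise ValueError("expected 2048-bit key, got %d bits" % (len(key) * 8))
    return key
```

Run against the options from the post, the only warning is the deprecated ns-cert-type directive, which the verify-x509-name line already backs up.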
by pratik » Tue Dec 27, 2016 10:20 pm
Guest wrote:
Amazing, thanks a ton :D I was missing quite a few things (creating the client certificate, and all the custom options). I have one computer connected to the Zotac box (pfSense) and it works properly with OpenVPN.
I'll work on adding a switch / wireless AP instead of the computer to pfSense.
by pratik » Tue Jan 03, 2017 3:28 pm
Just an update:
I took a break after setting up pfSense on the Zotac box. It's been running since then (I suppose around 1 week) without any issues, so I can get to the next steps.
Well, WiFi support is missing even though the Zotac has an Intel wireless chip (FreeBSD doesn't have drivers yet). There is a Dell DW1707. I'm not very keen on adding WiFi to the Zotac just yet; I'll update this thread when I think of adding WiFi.

Next steps are setting up a router behind the Zotac and port forwarding. I'll start new threads if I need help with them.

If anyone else is looking for something similar, have a look at UP boards as well (cheaper options with a hardware AES engine): http://up-shop.org/up-boards/48-up-boar ... emory.html that one in particular; for all boards: http://up-shop.org/4-up-boards
by Guest » Wed Jan 04, 2017 7:36 am
pratik wrote:

Hmm... I wouldn't use the Zotac's onboard WiFi even if FreeBSD drivers become available. Instead, I would purchase a WiFi AP and connect it to your Zotac/pfSense box (Unifi PoE APs rock). If your pfSense box has a limited number of interfaces, connect a simple layer 2 switch to it and your AP to that switch. Get a switch with enough ports for your other wired devices.

As for placing a router behind pfSense, this is not a good idea in most cases... pfSense can handle all of your port forwarding, routing, DHCP, etc.
by daschach » Sat Jan 28, 2017 3:26 pm
A newer Intel Atom SoC with the AES instruction set can do about 130 MB/s of AES-128 calculations. You'll be able to encrypt a gigabit connection if available in the future.

$ openssl speed aes-128-cbc
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128 cbc      41931.31k    46941.79k    48612.43k   130714.80k   133625.81k
Each core has access to an AES unit. Using 4 threads, you can push the AES-128 calculations north of 500 MB/s.

$ openssl speed -multi 4 aes-128-cbc
aes-128 cbc     165523.03k   186435.26k   193790.12k   520110.08k   520246.57k
I'm using a Fedora 25 Server installation on a Supermicro A1SAI-2550F.
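Added example, not from the thread: a Python helper that parses the openssl speed rows quoted above, where every figure is in 1000s of bytes per second, and expresses them against a link rate in Mbit/s. One caveat the raw numbers do not show: an OpenVPN 2.x tunnel is processed on a single thread, so the one-core row bounds a single VPN session, while the -multi row is aggregate capacity across several sessions.

```python
import re

# Constructed copy of the two result rows quoted in the post; openssl prints
# the numbers in 1000s of bytes per second for each block size.
SPEED_OUTPUT = """\
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128 cbc      41931.31k    46941.79k    48612.43k   130714.80k   133625.81k
aes-128 cbc     165523.03k   186435.26k   193790.12k   520110.08k   520246.57k
"""

def parse_speed(text):
    """Return one {block_size_bytes: bytes_per_second} dict per result row."""
    sizes, rows = [], []
    for line in text.splitlines():
        if line.startswith("type"):
            sizes = [int(n) for n in re.findall(r"(\d+) bytes", line)]
        elif line.strip():
            vals = [float(v) * 1000 for v in re.findall(r"([\d.]+)k", line)]
            rows.append(dict(zip(sizes, vals)))
    return rows

def mbit_per_s(bytes_per_s):
    """openssl's k = 1000 bytes; links are quoted in 10^6 bits per second."""
    return bytes_per_s * 8 / 1e6

def link_headroom(row, link_mbit):
    """Ratio of raw cipher throughput to link rate per block size (>1 = enough).
    Ignores HMAC, packet framing and kernel copies, so it is an upper bound."""
    return {size: mbit_per_s(bps) / link_mbit for size, bps in row.items()}

if __name__ == "__main__":
    single, multi = parse_speed(SPEED_OUTPUT)
    for size, ratio in link_headroom(single, 1000).items():
        print(f"{size:5d}-byte blocks: {ratio:.2f}x a gigabit link (one core)")
    print(f"4 threads at 8192 bytes: {mbit_per_s(multi[8192]):.0f} Mbit/s aggregate")
```

Only the 1024- and 8192-byte columns clear 1000 Mbit/s on one core, so the small-block columns are the ones that matter for traffic made of short packets.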
by pratik » Sat Feb 25, 2017 10:06 am
daschach wrote:
Thanks, I'll keep this in mind; however, Supermicro is generally much more expensive compared to any router.