Ryujin

VPN Server Questions

I'm looking to potentially set up a dedicated VPN server probably using an Olimex Olinuxino A20 Lime 2.

 

The main thing I was somewhat confused about is how to connect to my router and how to ensure that traffic is routed through the VPN server?

 

Presumably to connect to my router I would just use an Ethernet cable. But how then would I ensure that all traffic goes through the VPN?

 

The vast majority of SBCs that I have seen only have 1 Ethernet port so connecting devices physically is a no go.

 

I assume I might need to use some form of port forwarding?

2 minutes ago, Ryujin said:

I assume I might need to use some form of port forwarding?

 

Yes. You open a port on your router and forward it to the local IP address of your VPN server. A20 is a bit slow for this job, so rather get one of the cheapest / smallest H3 boards. If you are not an expert, check Softether VPN server, also accessible from our simple install tool.


Thank you Igor!

 

I had a rough idea but wanted to make sure I wasn't missing anything critical.

 

I was researching and figured Softether was the best option for me so now with your recommendation I will definitely go for that.

 

Would you be able to recommend any H3 boards for this kind of task?


Orange Pi One looks pretty good, but won't the 10/100 Ethernet be a big bottleneck?

 

Would it be better to go for something with Gigabit Ethernet?

 

And other than Ethernet is the biggest factor the processing speed for a VPN? Is RAM less important compared to CPU?


Hi Igor,

 

One question regarding Softether VPN... How to uninstall it without any issue? It's not possible by simply unchecking the asterisk in your Simple Install Tool.

Thanks for your effort!

 

Regards,

Blazej

 


Uninstall is not implemented. It's some extra work since it's not .deb packed. In general creating clean deinstall would require a lot of extra work with very little real effect. This is Linux after all.


Thanks for your reply. I'll do it manually. Do you know why the 'openvpn' client can't open the 'tun' device? Is it possible that openvpn cannot be run together with Softether VPN? Where may I find the script which is responsible for running/stopping Softether VPN?

 

Regards,

Blazej.

 


Hi Igor, what about installing Softether VPN on the Orangepi win board?

It is missing in simple-installing-tools (armbian-config), probably it has some incompatibility with A64 ARM?

Is it possible, and if there is a config file or a different build, please give a link to it.

 


Igor, sorry to disturb you again, but:

 
root@orangepiwin:/opt/vpn# make
cc -DNDEBUG -DVPN_SPEED -DUNIX -DUNIX_LINUX -DCPU_64 -D_REENTRANT -DREENTRANT -D_THREAD_SAFE -D_THREADSAFE -DTHREAD_SAFE -DTHREADSAFE -D_FILE_OFFSET_BITS=64 -I./src/ -I./src/Cedar/ -I./src/Mayaqua/ -O2 -fsigned-char -m64 -c src/Mayaqua/Cfg.c -o tmp/objs/Mayaqua/Cfg.o
cc: error: unrecognized command line option ‘-m64’
Makefile:64: recipe for target 'tmp/objs/Mayaqua/Cfg.o' failed
make: *** [tmp/objs/Mayaqua/Cfg.o] Error 1
root@orangepiwin:/opt/vpn#

 

That is what I receive every time I try to build the program.

PLS - can you send me something like a command sequence to build the program on 64-bit Armbian


This is how I installed Softether VPN on my OrangePI PC2:

 

sudo apt-get update
sudo apt-get install build-essential libreadline-dev libssl-dev libncurses-dev zlib1g-dev git
git clone https://github.com/SoftEtherVPN/SoftEtherVPN.git
cd SoftEtherVPN
sudo ./configure
cd tmp
sudo make
sudo make install
sudo vpnserver start


simple script that will install it, then has a fast user add for it as well

 

You will need to port forward UDP traffic thru your firewall aimed at the interface on the OrangePi

You will also either need to know your IP address, or use a dynamic dns host service so you can aim your VPN traffic at a URL rather than an IP

 

http://www.pivpn.io/

 

Main GitHub site

https://github.com/pivpn/pivpn

 

I currently have an OPiZero running this and a Tor relay with absolutely minimal CPU usage...

 

Don't know if it is 64bit capable...don't have a 64bit SBC

 

 

 

On 4/5/2017 at 11:13 PM, Ryujin said:

Orange Pi One looks pretty good, but won't the 10/100 Ethernet be a big bottleneck?

 

Would it be better to go for something with Gigabit Ethernet?

 

And other than Ethernet is the biggest factor the processing speed for a VPN? Is RAM less important compared to CPU?

 

First post here. Getting to know armbian. Hello everyone.. 

 

I also have these questions about using a SBC as VPN server (for streaming video from Netflix, etc to another country).

Is Gigabit Ethernet necessary if the broadband speed is less than 100? 512Mb RAM enough or 1Gb better?

64 bits better than 32bits CPU? I mean "better" as necessary for performance for streaming online video.

 

I am looking at the OrangePi range. Don't need wifi or HDMI output.

I think the Orange Pi Zero Plus H5 512Mb (a similar one without Wifi would be ideal I think but is already cheap enough).

Then with 1Gb RAM and Gigabit Ethernet: OrangePi One Plus [Maybe not supported by Armbian] and OrangePi PC2.

NanoPi Neo could be a candidate if Gigabit Ethernet is not necessary.

NanoPi A64 also if 1Gb RAM better (also has Gigabit Ethernet) [NOT SUPPORTED BY ARMBIAN]

Less power consumption and less heating also preferable (but I see some have microUSB power which seems is not recommended).

 

I may create a new thread asking for experiences using VPN for online video streaming abroad.

Btw I searched this forum for VPN no results came. I searched on google: forum.armbian vpn  and there were several results including this thread.

Any help appreciated. Thank you.

Edited by usuario74

1 hour ago, usuario74 said:

Hello everyone

 

Hello!
 

Bigger boards = better heat dispersion and (better) voltage control = less (over)heating, better (non microUSB) powering = better stability. H5 is noticeably faster than H3 and has better software support than A64 => IMO Opi PC2 should fit your needs.

Share this post


Link to post
Share on other sites

You should also consider processor speed and whether the kernel supports HW crypto acceleration. I have tried openvpn both in an OrangePi+ 2e (Allwinner H3), and an Odroid XU4, and performance is an order of magnitude faster in the XU4.

 

H5 has ARMv8 crypto extensions, so just make sure you choose a kernel that supports them.
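
One way to check the point made in the post above before benchmarking, as an added example that is not part of the original post: a shell check that reads the Features line of /proc/cpuinfo and reports whether the ARMv8 Crypto Extension flags (aes, pmull, sha1, sha2) are advertised by the running kernel. The two sample inputs are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): does the running kernel advertise the
# ARMv8 Crypto Extension flags to userspace?

# aes = AES rounds, pmull = polynomial multiply (GHASH in AES-GCM),
# sha1/sha2 = hash instructions (HMAC used by OpenVPN's "auth").
CE_FLAGS="aes pmull sha1 sha2"

# cpu_features: read cpuinfo text on stdin, print the flag list of the first CPU.
cpu_features() {
    awk -F': *' '/^Features[ \t]*:/ { print $2; exit }'
}

# missing_ce_flags: print the CE flags that are NOT advertised (empty = all present).
missing_ce_flags() {
    feats=" $(cpu_features) "
    missing=""
    for f in $CE_FLAGS; do
        case "$feats" in
            *" $f "*) ;;                      # flag present
            *) missing="$missing $f" ;;       # flag absent
        esac
    done
    echo "${missing# }"
}

# ce_verdict: one-word summary on stdout: full | partial | none
ce_verdict() {
    m=$(missing_ce_flags)
    if [ -z "$m" ]; then echo full
    elif [ "$m" = "$CE_FLAGS" ]; then echo none
    else echo partial
    fi
}

# Constructed sample: 64-bit kernel on an ARMv8 core that exposes the extensions.
sample_h5() {
    printf 'processor\t: 0\nBogoMIPS\t: 48.00\n'
    printf 'Features\t: fp asimd evtstrm aes pmull sha1 sha2 crc32 cpuid\n'
}

# Constructed sample: 32-bit ARMv7 core, which has no crypto extensions.
sample_h3() {
    printf 'processor\t: 0\nmodel name\t: ARMv7 Processor rev 5 (v7l)\n'
    printf 'Features\t: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm\n'
}

echo "sample H5: $(sample_h5 | ce_verdict)"
echo "sample H3: $(sample_h3 | ce_verdict)"
if [ -r /proc/cpuinfo ]; then
    echo "this host: $(ce_verdict < /proc/cpuinfo)"
fi
```

A result of "partial" with pmull missing matters for AES-GCM ciphers, since GHASH then falls back to a slower software path even though the AES rounds are accelerated.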


Gigabit does not make sense. I'm afraid you will not get more than 20mbps out of your board. This is a very very optimistic expectation,  10 is a more realistic number.  OpenVPN is secure but there is a significant overhead. 

 

Having a hardware encryption can make your board slightly faster probably, but definitely will make it cooler. 

2 hours ago, olivluca said:

Did anybody try wireguard instead of openvpn? In theory it should be faster, in practice I don't know.

I tried it, but only on a Raspberry Pi 1 Model B. At work we use OpenVPN but are planning to switch to wireguard as soon as possible. I did some cheap benchmark to see if it is worth it, and it turned out that it is!

Wireguard on such an old machine (ARMv6, without NEON) was 3x faster than OpenVPN against a simple download of a file (900 kb/s vs 3.2mb/s) and latency was actually a bit better.

I didn't test more powerful ARMv7 and ARMv8 machines, but I expect the gap to be even bigger.

On the opposite side, you lose some ancillary nice things OpenVPN has like pushing the routes on connections, automatic IP assignment, etc... Also running a DHCP service on the server is impossible because Wireguard lies on top of the IP protocol

On 10/11/2018 at 11:12 PM, JMCC said:

You should also consider processor speed and whether the kernel supports HW crypto acceleration. I have tried openvpn both in an OrangePi+ 2e (Allwinner H3), and an Odroid XU4, and performance is an order of magnitude faster in the XU4.

H5 has ARMv8 crypto extensions, so just make sure you choose a kernel that supports them.

 

On 10/12/2018 at 12:44 AM, Igor_K said:

Having a hardware encryption can make your board slightly faster probably, but definitely will make it cooler. 

 

@JMCC

@Igor_K

 

Have been reading some threads here and haven't pulled the trigger yet I am running out of time before my trip.

So for crypto, looking at this:

https://linux-sunxi.org/Cryptographic_Hardware_Accelerators

 

QUESTION 1:

Wouldn't it be better to go with an H3 board (like OrangePi  PC or PC plus) or can I expect advances that turns those WIP into OK

Or is not worth sacrificing the speed and 64bits of the H5 (Orange Pi PC 2) ?

 

Will describe my use case with more detail.

I want to install two of these for VPN server and maybe running pihole and ddns updater. VPN will be for streaming video (Netflix, Amazon Prime) to avoid geoblock some days for three or four hours.

They will be one in Spain and one in the UK while I live in Asia. I will plug them into smartplugs that I can switch on/off remotely. I won't be able to monitor the temperature (I mean see if they burn directly) so I wouldn't like to have my parents' or my in-laws' house burned down  :-O

I wouldn't mind to leave them running 24/7 but since I don't need them on all the time they will probably stay off when I don't need to stream video so off most of the time.

 

QUESTION 2:

Will they need a case with a fan? Are heatsinks mandatory?

 

QUESTION 3:

Any recommendations about cases  (I did a search for cases and enclosure in the forum but there is not much really. May create a thread)

I would rather not have a fan but.. would this be ok?

https://www.aliexpress.com/item/Orange-Pi-PC-PC2-Plus-Acrylic-Case-Cooling-Fan-Heat-Sink-Beginner-Kit-Compatible-w-Orange/32807785955.html?spm=a2g0s.8937460.0.0.33432e0eino6p4

 

QUESTION 4:

For Power supply, are the ones sold by Xunlong  ok?

 

Thank you and sorry for many questions.

Edited by usuario74

On 10/12/2018 at 4:48 AM, Igor_K said:

@olivluca WG is my default for a few months, It is definitely faster but it is more CPU hungry on a server side. 

 

WG uses "modern" crypto primitives https://www.wireguard.com/protocol/ which means there is no hardware offload. Also if you are not on Linux it is an alpha quality software. 

 

May decide to go with WG if OpenVPN is not enough for my use case but how do those "modern" crypto relate to this:

https://linux-sunxi.org/Cryptographic_Hardware_Accelerators

Do H3 or H5 have hardware/software support for them?

 

Thanks


I can only reply to question 4 and based on my limited sample of one: I bought their power supply with my orange pi pc and it's been working 24/7 for the last year and a half. Crossing fingers....


hi running armbian ( kernel 4.14 ) and ovpn 2.4.6 and both nanopi neo2 boards.

ovpn is configured with cipher AES-128-CBC and auth SHA256, following results can be seen:


 

top - 04:53:47 up 26 days, 11:42,  2 users,  load average: 0.16, 0.16, 0.09
Tasks: 102 total,   2 running,  57 sleeping,   0 stopped,   0 zombie
%Cpu0  :  1.0 us,  1.0 sy,  0.0 ni, 98.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
%Cpu1  :  1.0 us,  2.0 sy,  0.0 ni, 97.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
%Cpu2  : 20.7 us, 30.1 sy,  0.0 ni, 43.5 id,  0.0 wa,  0.0 hi,  5.7 si,  0.0 st
%Cpu3  :  0.3 us,  0.3 sy,  0.0 ni, 99.0 id,  0.0 wa,  0.0 hi,  0.3 si,  0.0 st
KiB Mem :   494152 total,   128980 free,    92528 used,   272644 buff/cache
KiB Swap:   247072 total,   229664 free,    17408 used.   382416 avail Mem

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
 1191 root      20   0   10180   6132   5324 R  59.1  1.2 137:16.90 openvpn

 

and following with single thread " iperf3 -4 -V -c 192.168.10.2 -t 60 -b 0 -P 1 "

 

iperf 3.1.3
Linux vpn01 4.14.70-sunxi64 #274 SMP Wed Sep 19 12:09:30 CEST 2018 aarch64
Time: Sun, 09 Dec 2018 02:53:07 GMT
Connecting to host 192.168.10.2, port 5201
      Cookie: vpn01.1544323987.071807.somewhat
      TCP MSS: 1276 (default)
[  4] local 10.8.0.2 port 63472 connected to 192.168.10.2 port 5201
Starting Test: protocol: TCP, 1 streams, 131072 byte blocks, omitting 0 seconds, 60 second test
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec  9.07 MBytes  75.9 Mbits/sec  199   1.24 MBytes
[  4]   1.00-2.00   sec  8.75 MBytes  73.4 Mbits/sec  166   1.09 MBytes
[  4]   2.00-3.00   sec  12.5 MBytes   105 Mbits/sec    0   1.35 MBytes
[  4]   3.00-4.00   sec  7.50 MBytes  62.9 Mbits/sec    0   1.36 MBytes
[  4]   4.00-5.00   sec  7.50 MBytes  62.9 Mbits/sec   54   1.22 MBytes
[  4]   5.00-6.00   sec  8.75 MBytes  73.4 Mbits/sec    0   1.22 MBytes
[  4]   6.00-7.00   sec  7.50 MBytes  62.8 Mbits/sec    0   1.24 MBytes
[  4]   7.00-8.00   sec  8.75 MBytes  73.5 Mbits/sec    0   1.16 MBytes
[  4]   8.00-9.00   sec  8.75 MBytes  73.3 Mbits/sec    0   1.21 MBytes
[  4]   9.00-10.00  sec  11.2 MBytes  94.4 Mbits/sec    0   1.41 MBytes
[  4]  10.00-11.00  sec  8.75 MBytes  73.4 Mbits/sec    3   1.59 MBytes
[  4]  11.00-12.00  sec  7.50 MBytes  63.0 Mbits/sec   46   1.58 MBytes
[  4]  12.00-13.00  sec  10.0 MBytes  83.9 Mbits/sec    0   1.27 MBytes
[  4]  13.00-14.00  sec  7.50 MBytes  62.9 Mbits/sec   25   1.17 MBytes
[  4]  14.00-15.00  sec  11.2 MBytes  94.4 Mbits/sec    0   1.40 MBytes
[  4]  15.00-16.00  sec  11.2 MBytes  94.4 Mbits/sec   15    616 KBytes
[  4]  16.00-17.00  sec  6.25 MBytes  52.4 Mbits/sec    9   1.25 MBytes
[  4]  17.00-18.00  sec  8.75 MBytes  73.4 Mbits/sec  252   1.15 MBytes
[  4]  18.00-19.00  sec  7.50 MBytes  62.9 Mbits/sec    0   1.24 MBytes
[  4]  19.00-20.00  sec  10.0 MBytes  83.8 Mbits/sec   29    684 KBytes
[  4]  20.00-21.00  sec  7.50 MBytes  62.9 Mbits/sec    0   1.24 MBytes
[  4]  21.00-22.00  sec  7.50 MBytes  62.9 Mbits/sec  194   1.26 MBytes
[  4]  22.00-23.00  sec  8.75 MBytes  73.4 Mbits/sec    0   1.25 MBytes
[  4]  23.00-24.00  sec  7.50 MBytes  62.9 Mbits/sec    0   1.16 MBytes
[  4]  24.00-25.00  sec  12.5 MBytes   105 Mbits/sec    0   1.43 MBytes
[  4]  25.00-26.00  sec  6.25 MBytes  52.4 Mbits/sec   46   1.42 MBytes
[  4]  26.00-27.00  sec  8.75 MBytes  73.4 Mbits/sec    0   1.40 MBytes
[  4]  27.00-28.00  sec  8.75 MBytes  73.4 Mbits/sec   18   1.24 MBytes
[  4]  28.00-29.00  sec  8.75 MBytes  73.4 Mbits/sec    0   1.23 MBytes
[  4]  29.00-30.00  sec  10.0 MBytes  83.9 Mbits/sec    0   1.37 MBytes
[  4]  30.00-31.00  sec  7.50 MBytes  62.9 Mbits/sec    0   1.26 MBytes
[  4]  31.00-32.00  sec  8.75 MBytes  73.4 Mbits/sec   64   1.15 MBytes
[  4]  32.00-33.00  sec  8.75 MBytes  73.4 Mbits/sec    0   1.16 MBytes
[  4]  33.00-34.00  sec  10.0 MBytes  83.9 Mbits/sec    0   1.34 MBytes
[  4]  34.00-35.00  sec  8.75 MBytes  73.4 Mbits/sec    0   1.34 MBytes
[  4]  35.00-36.00  sec  8.75 MBytes  73.4 Mbits/sec    0   1.26 MBytes
[  4]  36.00-37.00  sec  8.75 MBytes  73.4 Mbits/sec    0   1.29 MBytes
[  4]  37.00-38.00  sec  8.75 MBytes  73.4 Mbits/sec    0   1.25 MBytes
[  4]  38.00-39.00  sec  7.50 MBytes  62.9 Mbits/sec    0   1.25 MBytes
[  4]  39.00-40.00  sec  10.0 MBytes  83.8 Mbits/sec    0   1.16 MBytes
[  4]  40.00-41.00  sec  11.2 MBytes  94.4 Mbits/sec    0   1.37 MBytes
[  4]  41.00-42.00  sec  10.0 MBytes  83.9 Mbits/sec    0   1.38 MBytes
[  4]  42.00-43.00  sec  7.50 MBytes  63.0 Mbits/sec   79   1.07 MBytes
[  4]  43.00-44.00  sec  8.75 MBytes  73.4 Mbits/sec   34    728 KBytes
[  4]  44.00-45.00  sec  7.50 MBytes  62.9 Mbits/sec   99   1.38 MBytes
[  4]  45.00-46.00  sec  7.50 MBytes  62.9 Mbits/sec  200   1.38 MBytes
[  4]  46.00-47.00  sec  8.75 MBytes  73.4 Mbits/sec   62   1.21 MBytes
[  4]  47.00-48.00  sec  7.50 MBytes  62.9 Mbits/sec   22   1.26 MBytes
[  4]  48.00-49.00  sec  8.75 MBytes  73.5 Mbits/sec    0   1.33 MBytes
[  4]  49.00-50.00  sec  8.75 MBytes  73.4 Mbits/sec    5   1.23 MBytes
[  4]  50.00-51.00  sec  7.50 MBytes  62.8 Mbits/sec    0   1.25 MBytes
[  4]  51.00-52.00  sec  10.0 MBytes  84.0 Mbits/sec    0   1.30 MBytes
[  4]  52.00-53.00  sec  7.50 MBytes  62.9 Mbits/sec    0   1.29 MBytes
[  4]  53.00-54.00  sec  8.75 MBytes  73.4 Mbits/sec    4   1.26 MBytes
[  4]  54.00-55.00  sec  7.50 MBytes  62.9 Mbits/sec    0   1.24 MBytes
[  4]  55.00-56.00  sec  8.75 MBytes  73.4 Mbits/sec    0   1.23 MBytes
[  4]  56.00-57.00  sec  7.50 MBytes  62.9 Mbits/sec    0   1.19 MBytes
[  4]  57.00-58.00  sec  10.0 MBytes  83.9 Mbits/sec    0   1.23 MBytes
[  4]  58.00-59.00  sec  7.50 MBytes  62.9 Mbits/sec    0   1.21 MBytes
[  4]  59.00-60.00  sec  6.25 MBytes  52.4 Mbits/sec    0   1.24 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
Test Complete. Summary Results:
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-60.00  sec   520 MBytes  72.7 Mbits/sec  1625             sender
[  4]   0.00-60.00  sec   514 MBytes  71.8 Mbits/sec                  receiver
CPU Utilization: local/sender 1.5% (0.1%u/1.3%s), remote/receiver 3.5% (0.4%u/3.2%s)

iperf Done.

 

 

also did not tweak kernel settings too much atm - both ends read:

net.core.default_qdisc = fq_codel
net.core.netdev_max_backlog = 1024

net.core.rmem_max = 33554432
net.core.wmem_max = 33554432

net.ipv4.tcp_rmem = 4096 87380 33554432
net.ipv4.tcp_wmem = 4096 87380 33554432

net.ipv4.tcp_congestion_control = bbr   # RETEST westwood OR cubic
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_no_metrics_save = 0

net.ipv4.ip_local_port_range = 9000 65535

 

If you want a cheap and low wattage VPN consider H5 boards ( eg nanopi neo2 or orange pi zero plus2 ) that should handle proper TV streaming (15-20Mbit) over ovpn this is your option.

If speed will be most important consider other platforms, I'm currently looking in to the ASRock J4005B-ITX and should do 300Mbit ...


Ok

 

I installed Softether with the package...easy simple install

 

It's not for me

How do I stop it from starting every boot

 

Was able to shut it down by going into /usr/local/vpnserver and running ./vpnserver stop
But there is no /etc/init.d autostart script...where can I comment out to prevent it from starting again...removing I realize is a nogo...just don't want it to startup anymore

 

On 12/8/2018 at 7:09 PM, dolphs said:

hi running armbian ( kernel 4.14 ) and ovpn 2.4.6 and both nanopi neo2 boards.

ovpn is configured with cipher AES-128-CBC and auth SHA256, following results can be seen:

 

 

Food for thought...

 

NEO2 - and this is AES-128-GCM

$ openvpn --genkey --secret /tmp/secret && time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-gcm
Sat Dec 22 20:26:07 2018 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode

real	0m19.502s
user	0m19.149s
sys	0m0.124s

3200/real time == 164 Mb/Sec potential bandwidth with OpenVPN
