Ryujin Posted April 5, 2017 Posted April 5, 2017 I'm looking to potentially set up a dedicated VPN server probably using an Olimex Olinuxino A20 Lime 2. The main thing I was somewhat confused about is how to connect to my router and how to ensure that traffic is routed through the VPN server? Presumably to connect to my router I would just use an Ethernet cable. But how then would I ensure that all traffic goes through the VPN? The vast majority of SBC that I have seen only have 1 Ethernet port so connecting devices physically is a no go. I assume I might need to use some form of port forwarding?
Igor Posted April 5, 2017 Posted April 5, 2017 2 minutes ago, Ryujin said: I assume I might need to use some form of port forwarding? Yes. You open a port on your router and forward it to the local IP address of your VPN server. A20 is a bit slow for this job, so rather get some cheapest / smallest H3 board. If you are not an expert, check Softether VPN server, also accessible from our simple install tool.
Ryujin Posted April 5, 2017 Author Posted April 5, 2017 Thank you Igor! I had a rough idea but wanted to make sure I wasn't missing anything critical. I was researching and figured Softether was the best option for me so now with your recommendation I will definitely go for that. Would you be able to recommend any H3 boards for this kind of task?
Igor Posted April 5, 2017 Posted April 5, 2017 If you will use it as VPN only, then go for Orange Pi One or Friendlyarm Nanopi Neo. Wrote on mobile
Ryujin Posted April 5, 2017 Author Posted April 5, 2017 Orange Pi One looks pretty good, but won't the 10/100 Ethernet be a big bottleneck? Would it be better to go for something with Gigabit Ethernet? And other than Ethernet is the biggest factor the processing speed for a VPN? Is RAM less important compared to CPU?
pancio Posted August 8, 2017 Posted August 8, 2017 Hi Igor, One question regarding Softether VPN... How to uninstall it with any issue? It's not possible by simple uncheck asterisk into your Simple Install Tool. Thanks for your effort! Regards, Blazej
Igor Posted August 8, 2017 Posted August 8, 2017 Uninstall is not implemented. It's some extra work since it's not .deb packed. In general creating clean deinstall would require a lot of extra work with very little real effect. This is Linux after all.
pancio Posted August 8, 2017 Posted August 8, 2017 Thanks for your reply. I'll do it manually. Do you know why 'openvpn' client can't open 'tun' device? Is it possible that openvpn can not be run with Softether VPN together? Where may I find the script which is responsible for run/stop Softether VPN? Regards, Blazej.
Igor Posted August 8, 2017 Posted August 8, 2017 Sorry, I am familiar with Softether only from a brief user perspective. I am using it but since it works perfectly fine for me (server and client) I haven't learned a thing. Install tool uses their install method and I am only adding service or init.d script: https://github.com/armbian/config/blob/dev/softy#L421-L503 Systemd service is responsible for starting and stopping.
Simon D Greve Posted August 21, 2017 Posted August 21, 2017 On 4/5/2017 at 5:18 PM, Igor said: Yes. You open a port on your router and forward it to the local IP address of your VPN server. A20 is a bit slow for this job, so rather get some cheapest / smallest H3 board. If you are not an expert, check Softether VPN server, also accessible from our simple install tool. thanks, Igor. It really helped
Aty Panzerev Posted May 4, 2018 Posted May 4, 2018 Hi Igor, What about installing Softether VPN on the Orangepi win board? It is missing in simple-installing-tools (armbian-config), probably it has some incompatibility with A64 ARM? Is it possible, and if there is a config file or a different build, please give a link to it.
Igor Posted May 4, 2018 Posted May 4, 2018 14 minutes ago, Aty Panzerev said: probably it has some incompatibility with A64 ARM Yes, it doesn't want to install on arm64 ... but my VPN server is running on arm64 (Neo2). Build from sources and it should work. This is latest stable: http://www.softether-download.com/files/softether/v4.25-9656-rtm-2018.01.15-tree/Source_Code/softether-src-v4.25-9656-rtm.tar.gz
Aty Panzerev Posted May 7, 2018 Posted May 7, 2018 Igor, sorry to disturb you again, but:

    root@orangepiwin:/opt/vpn# make
    cc -DNDEBUG -DVPN_SPEED -DUNIX -DUNIX_LINUX -DCPU_64 -D_REENTRANT -DREENTRANT -D_THREAD_SAFE -D_THREADSAFE -DTHREAD_SAFE -DTHREADSAFE -D_FILE_OFFSET_BITS=64 -I./src/ -I./src/Cedar/ -I./src/Mayaqua/ -O2 -fsigned-char -m64 -c src/Mayaqua/Cfg.c -o tmp/objs/Mayaqua/Cfg.o
    cc: error: unrecognized command line option ‘-m64’
    Makefile:64: recipe for target 'tmp/objs/Mayaqua/Cfg.o' failed
    make: *** [tmp/objs/Mayaqua/Cfg.o] Error 1
    root@orangepiwin:/opt/vpn#

That is what I receive every time I try to build the program. Please, can you send me something like a command sequence to build the program on 64-bit Armbian?
Ex3c Posted June 23, 2018 Posted June 23, 2018 This is how I installed Softether VPN on my OrangePI PC2:

    sudo apt-get update
    sudo apt-get install build-essential libreadline-dev libssl-dev libncurses-dev zlib1g-dev git
    git clone https://github.com/SoftEtherVPN/SoftEtherVPN.git
    cd SoftEtherVPN
    sudo ./configure
    cd tmp
    sudo make
    sudo make install
    sudo vpnserver start
WarHawk_AVG Posted June 28, 2018 Posted June 28, 2018 simple script that will install it, then has a fast user add for it as well. You will need to port forward UDP traffic thru your firewall aimed at the interface on the OrangePi. You will also either need to know your IP address, or use a dynamic dns host service so you can aim your VPN traffic at a URL rather than an IP. http://www.pivpn.io/ Main GitHub site: https://github.com/pivpn/pivpn I currently have an OPiZero running this and a Tor relay with absolutely minimal CPU usage... Don't know if it is 64bit capable...don't have a 64bit SBC
usuario74 Posted October 11, 2018 Posted October 11, 2018 (edited) On 4/5/2017 at 11:13 PM, Ryujin said: Orange Pi One looks pretty good, but won't the 10/100 Ethernet be a big bottleneck? Would it be better to go for something with Gigabit Ethernet? And other than Ethernet is the biggest factor the processing speed for a VPN? Is RAM less important compared to CPU? First post here. Getting to know armbian. Hello everyone.. I also have these questions about using a SBC as VPN server (for streaming video from Netflix, etc to another country). Is Gigabit Ethernet necessary if the broadband speed is less than 100? 512Mb RAM enough or 1Gb better? 64 bits better than 32bits CPU? I mean "better" as necessary for performance for streaming online video. I am looking at the OrangePi range. Don't need wifi or HDMI output. I think the Orange Pi Zero Plus H5 512Mb (a similar one without Wifi would be ideal I think but is already cheap enough). Then with 1Gb RAM and Gigabit Ethernet: OrangePi One Plus [Maybe not supported by Armbian] and OrangePi PC2. NanoPi Neo could be a candidate if Gigabit Ethernet is not necessary. NanoPi A64 also if 1Gb RAM better (also has Gigabit Ethernet) [NOT SUPPORTED BY ARMBIAN] Less power consumption and less heating also preferable (but I see some have microUSB power which seems is not recommended). I may create a new thread asking for experiences using VPN for online video streaming abroad. Btw I searched this forum for VPN no results came. I searched on google: forum.armbian vpn and there were several results including this thread. Any help appreciated. Thank you. Edited October 11, 2018 by usuario74
Igor Posted October 11, 2018 Posted October 11, 2018 1 hour ago, usuario74 said: Hello everyone Hello! Bigger boards = better heat dispersion and (better) voltage control = less (over)heating, better (non microUSB) powering = better stability. H5 is noticeably faster than H3 and has better software support than A64 => IMO Opi PC2 should fit your needs.
JMCC Posted October 11, 2018 Posted October 11, 2018 You should also consider processor speed and whether the kernel supports HW crypto acceleration. I have tried openvpn both in an OrangePi+ 2e (Allwinner H3), and an Odroid XU4, and performance is an order of magnitude faster in the XU4. H5 has ARMv8 crypto extensions, so just make sure you choose a kernel that supports them.
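A check for the point above, added here as an example and not taken from any poster or from Armbian: on arm64 Linux, user-space crypto libraries can only use the ARMv8 AES/PMULL/SHA instructions when the kernel reports them, and the same flags show up in the `Features` line of `/proc/cpuinfo`. The two sample files are constructed (one H5-style ARMv8 line, one H3-style ARMv7 line), and the suite names are just labels for the cipher settings mentioned in this thread.

```shell
#!/bin/sh
# Added example: does the kernel expose the CPU flags a given OpenVPN
# cipher setting benefits from? Function and suite names are hypothetical.

# cpu_features FILE: print the flag list of the first core in a cpuinfo-format file.
cpu_features() {
    awk -F: '/^Features[ \t]*:/ { print $2; exit }' "$1"
}

# missing_flags SUITE FILE: print the flags SUITE wants that FILE does not list.
# Empty output means every wanted instruction-set flag is present.
missing_flags() {
    case "$1" in
        AES-128-CBC+SHA256) need="aes sha2" ;;   # cipher + auth from the iperf3 post
        AES-128-GCM)        need="aes pmull" ;;  # pmull accelerates GCM's GHASH
        *) echo "unknown suite: $1" >&2; return 2 ;;
    esac
    have=" $(cpu_features "$2") "
    missing=""
    for flag in $need; do
        case "$have" in
            *" $flag "*) ;;                      # flag present
            *) missing="$missing $flag" ;;
        esac
    done
    echo "${missing# }"
}

# Constructed sample inputs (not captured from a real board).
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
cat > "$SAMPLES/h5_like" <<'EOF'
processor       : 0
Features        : fp asimd evtstrm aes pmull sha1 sha2 crc32 cpuid
EOF
cat > "$SAMPLES/h3_like" <<'EOF'
processor       : 0
Features        : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm
EOF

# Report for the samples and, when readable, for the machine this runs on.
for f in "$SAMPLES/h5_like" "$SAMPLES/h3_like" /proc/cpuinfo; do
    [ -r "$f" ] || continue
    for suite in AES-128-CBC+SHA256 AES-128-GCM; do
        m=$(missing_flags "$suite" "$f")
        echo "$f $suite: ${m:-all flags present}"
    done
done
```

If a board's SoC has the extensions but the flags are missing from the running system, the kernel build is the thing to look at, which is the "choose a kernel that supports them" part of the post.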
Igor_K Posted October 11, 2018 Posted October 11, 2018 Gigabit does not make sense. I'm afraid you will not get more than 20mbps out of your board. This is a very very optimistic expectation, 10 is a more realistic number. OpenVPN is secure but there is a significant overhead. Having a hardware encryption can make your board slightly faster probably, but definitely will make it cooler.
olivluca Posted October 11, 2018 Posted October 11, 2018 Did anybody try wireguard instead of openvpn? In theory it should be faster, in practice I don't know.
vlad59 Posted October 11, 2018 Posted October 11, 2018 It is faster (guaranteed if you have more than one core because OpenVPN only uses one core)
jock Posted October 11, 2018 Posted October 11, 2018 2 hours ago, olivluca said: Did anybody try wireguard instead of openvpn? In theory it should be faster, in practice I don't know. I tried it, but only on a Raspberry Pi 1 Model B. At work we use OpenVPN but are planning to switch to wireguard as soon as possible. I did a cheap benchmark to see if it is worth it, and it turned out that it is! Wireguard on such an old machine (ARMv6, without NEON) was 3x faster than OpenVPN against a simple download of a file (900 kb/s vs 3.2mb/s) and latency was actually a bit better. I didn't test more powerful ARMv7 and ARMv8 machines, but I expect the gap to be even bigger. On the opposite side, you lose some ancillary nice things OpenVPN has like pushing the routes on connections, automatic IP assignment, etc... Also running a DHCP service on the server is impossible because Wireguard lies on top of the IP protocol.
Igor_K Posted October 11, 2018 Posted October 11, 2018 @olivluca WG is my default for a few months, It is definitely faster but it is more CPU hungry on a server side. WG uses "modern" crypto primitives https://www.wireguard.com/protocol/ which means there is no hardware offload. Also if you are not on Linux it is an alpha quality software.
usuario74 Posted December 5, 2018 Posted December 5, 2018 (edited) On 10/11/2018 at 11:12 PM, JMCC said: You should also consider processor speed and whether the kernel supports HW crypto acceleration. I have tried openvpn both in an OrangePi+ 2e (Allwinner H3), and an Odroid XU4, and performance is an order of magnitude faster in the XU4. H5 has ARMv8 crypto extensions, so just make sure you choose a kernel that supports them. On 10/12/2018 at 12:44 AM, Igor_K said: Having a hardware encryption can make your board slightly faster probably, but definitely will make it cooler. @JMCC @Igor_K Have been reading some threads here and haven't pulled the trigger yet. I am running out of time before my trip. So for crypto, looking at this: https://linux-sunxi.org/Cryptographic_Hardware_Accelerators QUESTION 1: Wouldn't it be better to go with an H3 board (like OrangePi PC or PC plus), or can I expect advances that turn those WIP into OK? Or is it not worth sacrificing the speed and 64bits of the H5 (Orange Pi PC 2)? Will describe my use case with more detail. I want to install two of these for VPN server and maybe running pihole and ddns updater. VPN will be for streaming video (Netflix, Amazon Prime) to avoid geoblock some days for three or four hours. They will be one in Spain and one in the UK while I live in Asia. I will plug them into smartplugs that I can switch on/off remotely. I won't be able to monitor the temperature (I mean see if they burn directly) so I wouldn't like to have my parents or my in-laws house burned down :-O I wouldn't mind to leave them running 24/7 but since I don't need them on all the time they will probably stay off when I don't need to stream video so off most of the time. QUESTION 2: Will they need a case with a fan? Are heatsinks mandatory? QUESTION 3: Any recommendations about cases (I did a search for cases and enclosure in the forum but there is not much really. May create a thread). I would rather not have a fan but.. would this be ok? 
https://www.aliexpress.com/item/Orange-Pi-PC-PC2-Plus-Acrylic-Case-Cooling-Fan-Heat-Sink-Beginner-Kit-Compatible-w-Orange/32807785955.html?spm=a2g0s.8937460.0.0.33432e0eino6p4 QUESTION 4: For Power supply, are the ones sold by Xunlong ok? Thank you and sorry for many questions. Edited December 6, 2018 by usuario74
usuario74 Posted December 5, 2018 Posted December 5, 2018 On 10/12/2018 at 4:48 AM, Igor_K said: @olivluca WG is my default for a few months, It is definitely faster but it is more CPU hungry on a server side. WG uses "modern" crypto primitives https://www.wireguard.com/protocol/ which means there is no hardware offload. Also if you are not on Linux it is an alpha quality software. May decide to go with WG if OpenVPN is not enough for my use case but how do those "modern" crypto relate to this: https://linux-sunxi.org/Cryptographic_Hardware_Accelerators Do H3 or H5 have hardware/software support for them? Thanks
olivluca Posted December 5, 2018 Posted December 5, 2018 I can only reply to question 4 and based on my limited sample of one: I bought their power supply with my orange pi pc and it's been working 24/7 for the last year and a half. Crossing fingers....
dolphs Posted December 9, 2018 Posted December 9, 2018 hi running armbian ( kernel 4.14 ) and ovpn 2.4.6 and both nanopi neo2 boards. ovpn is configured with cipher AES-128-CBC and auth SHA256, following results can be seen:

    top - 04:53:47 up 26 days, 11:42, 2 users, load average: 0.16, 0.16, 0.09
    Tasks: 102 total, 2 running, 57 sleeping, 0 stopped, 0 zombie
    %Cpu0 : 1.0 us, 1.0 sy, 0.0 ni, 98.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
    %Cpu1 : 1.0 us, 2.0 sy, 0.0 ni, 97.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
    %Cpu2 : 20.7 us, 30.1 sy, 0.0 ni, 43.5 id, 0.0 wa, 0.0 hi, 5.7 si, 0.0 st
    %Cpu3 : 0.3 us, 0.3 sy, 0.0 ni, 99.0 id, 0.0 wa, 0.0 hi, 0.3 si, 0.0 st
    KiB Mem : 494152 total, 128980 free, 92528 used, 272644 buff/cache
    KiB Swap: 247072 total, 229664 free, 17408 used. 382416 avail Mem

    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
    1191 root 20 0 10180 6132 5324 R 59.1 1.2 137:16.90 openvpn

and following with single thread " iperf3 -4 -V -c 192.168.10.2 -t 60 -b 0 -P 1 "

    iperf 3.1.3
    Linux vpn01 4.14.70-sunxi64 #274 SMP Wed Sep 19 12:09:30 CEST 2018 aarch64
    Time: Sun, 09 Dec 2018 02:53:07 GMT
    Connecting to host 192.168.10.2, port 5201
    Cookie: vpn01.1544323987.071807.somewhat
    TCP MSS: 1276 (default)
    [ 4] local 10.8.0.2 port 63472 connected to 192.168.10.2 port 5201
    Starting Test: protocol: TCP, 1 streams, 131072 byte blocks, omitting 0 seconds, 60 second test
    [ ID] Interval Transfer Bandwidth Retr Cwnd
    [ 4] 0.00-1.00 sec 9.07 MBytes 75.9 Mbits/sec 199 1.24 MBytes
    [ 4] 1.00-2.00 sec 8.75 MBytes 73.4 Mbits/sec 166 1.09 MBytes
    [ 4] 2.00-3.00 sec 12.5 MBytes 105 Mbits/sec 0 1.35 MBytes
    [ 4] 3.00-4.00 sec 7.50 MBytes 62.9 Mbits/sec 0 1.36 MBytes
    [ 4] 4.00-5.00 sec 7.50 MBytes 62.9 Mbits/sec 54 1.22 MBytes
    [ 4] 5.00-6.00 sec 8.75 MBytes 73.4 Mbits/sec 0 1.22 MBytes
    [ 4] 6.00-7.00 sec 7.50 MBytes 62.8 Mbits/sec 0 1.24 MBytes
    [ 4] 7.00-8.00 sec 8.75 MBytes 73.5 Mbits/sec 0 1.16 MBytes
    [ 4] 8.00-9.00 sec 8.75 MBytes 73.3 Mbits/sec 0 1.21 MBytes
    [ 4] 9.00-10.00 sec 11.2 MBytes 94.4 Mbits/sec 0 1.41 MBytes
    [ 4] 10.00-11.00 sec 8.75 MBytes 73.4 Mbits/sec 3 1.59 MBytes
    [ 4] 11.00-12.00 sec 7.50 MBytes 63.0 Mbits/sec 46 1.58 MBytes
    [ 4] 12.00-13.00 sec 10.0 MBytes 83.9 Mbits/sec 0 1.27 MBytes
    [ 4] 13.00-14.00 sec 7.50 MBytes 62.9 Mbits/sec 25 1.17 MBytes
    [ 4] 14.00-15.00 sec 11.2 MBytes 94.4 Mbits/sec 0 1.40 MBytes
    [ 4] 15.00-16.00 sec 11.2 MBytes 94.4 Mbits/sec 15 616 KBytes
    [ 4] 16.00-17.00 sec 6.25 MBytes 52.4 Mbits/sec 9 1.25 MBytes
    [ 4] 17.00-18.00 sec 8.75 MBytes 73.4 Mbits/sec 252 1.15 MBytes
    [ 4] 18.00-19.00 sec 7.50 MBytes 62.9 Mbits/sec 0 1.24 MBytes
    [ 4] 19.00-20.00 sec 10.0 MBytes 83.8 Mbits/sec 29 684 KBytes
    [ 4] 20.00-21.00 sec 7.50 MBytes 62.9 Mbits/sec 0 1.24 MBytes
    [ 4] 21.00-22.00 sec 7.50 MBytes 62.9 Mbits/sec 194 1.26 MBytes
    [ 4] 22.00-23.00 sec 8.75 MBytes 73.4 Mbits/sec 0 1.25 MBytes
    [ 4] 23.00-24.00 sec 7.50 MBytes 62.9 Mbits/sec 0 1.16 MBytes
    [ 4] 24.00-25.00 sec 12.5 MBytes 105 Mbits/sec 0 1.43 MBytes
    [ 4] 25.00-26.00 sec 6.25 MBytes 52.4 Mbits/sec 46 1.42 MBytes
    [ 4] 26.00-27.00 sec 8.75 MBytes 73.4 Mbits/sec 0 1.40 MBytes
    [ 4] 27.00-28.00 sec 8.75 MBytes 73.4 Mbits/sec 18 1.24 MBytes
    [ 4] 28.00-29.00 sec 8.75 MBytes 73.4 Mbits/sec 0 1.23 MBytes
    [ 4] 29.00-30.00 sec 10.0 MBytes 83.9 Mbits/sec 0 1.37 MBytes
    [ 4] 30.00-31.00 sec 7.50 MBytes 62.9 Mbits/sec 0 1.26 MBytes
    [ 4] 31.00-32.00 sec 8.75 MBytes 73.4 Mbits/sec 64 1.15 MBytes
    [ 4] 32.00-33.00 sec 8.75 MBytes 73.4 Mbits/sec 0 1.16 MBytes
    [ 4] 33.00-34.00 sec 10.0 MBytes 83.9 Mbits/sec 0 1.34 MBytes
    [ 4] 34.00-35.00 sec 8.75 MBytes 73.4 Mbits/sec 0 1.34 MBytes
    [ 4] 35.00-36.00 sec 8.75 MBytes 73.4 Mbits/sec 0 1.26 MBytes
    [ 4] 36.00-37.00 sec 8.75 MBytes 73.4 Mbits/sec 0 1.29 MBytes
    [ 4] 37.00-38.00 sec 8.75 MBytes 73.4 Mbits/sec 0 1.25 MBytes
    [ 4] 38.00-39.00 sec 7.50 MBytes 62.9 Mbits/sec 0 1.25 MBytes
    [ 4] 39.00-40.00 sec 10.0 MBytes 83.8 Mbits/sec 0 1.16 MBytes
    [ 4] 40.00-41.00 sec 11.2 MBytes 94.4 Mbits/sec 0 1.37 MBytes
    [ 4] 41.00-42.00 sec 10.0 MBytes 83.9 Mbits/sec 0 1.38 MBytes
    [ 4] 42.00-43.00 sec 7.50 MBytes 63.0 Mbits/sec 79 1.07 MBytes
    [ 4] 43.00-44.00 sec 8.75 MBytes 73.4 Mbits/sec 34 728 KBytes
    [ 4] 44.00-45.00 sec 7.50 MBytes 62.9 Mbits/sec 99 1.38 MBytes
    [ 4] 45.00-46.00 sec 7.50 MBytes 62.9 Mbits/sec 200 1.38 MBytes
    [ 4] 46.00-47.00 sec 8.75 MBytes 73.4 Mbits/sec 62 1.21 MBytes
    [ 4] 47.00-48.00 sec 7.50 MBytes 62.9 Mbits/sec 22 1.26 MBytes
    [ 4] 48.00-49.00 sec 8.75 MBytes 73.5 Mbits/sec 0 1.33 MBytes
    [ 4] 49.00-50.00 sec 8.75 MBytes 73.4 Mbits/sec 5 1.23 MBytes
    [ 4] 50.00-51.00 sec 7.50 MBytes 62.8 Mbits/sec 0 1.25 MBytes
    [ 4] 51.00-52.00 sec 10.0 MBytes 84.0 Mbits/sec 0 1.30 MBytes
    [ 4] 52.00-53.00 sec 7.50 MBytes 62.9 Mbits/sec 0 1.29 MBytes
    [ 4] 53.00-54.00 sec 8.75 MBytes 73.4 Mbits/sec 4 1.26 MBytes
    [ 4] 54.00-55.00 sec 7.50 MBytes 62.9 Mbits/sec 0 1.24 MBytes
    [ 4] 55.00-56.00 sec 8.75 MBytes 73.4 Mbits/sec 0 1.23 MBytes
    [ 4] 56.00-57.00 sec 7.50 MBytes 62.9 Mbits/sec 0 1.19 MBytes
    [ 4] 57.00-58.00 sec 10.0 MBytes 83.9 Mbits/sec 0 1.23 MBytes
    [ 4] 58.00-59.00 sec 7.50 MBytes 62.9 Mbits/sec 0 1.21 MBytes
    [ 4] 59.00-60.00 sec 6.25 MBytes 52.4 Mbits/sec 0 1.24 MBytes
    - - - - - - - - - - - - - - - - - - - - - - - - -
    Test Complete. Summary Results:
    [ ID] Interval Transfer Bandwidth Retr
    [ 4] 0.00-60.00 sec 520 MBytes 72.7 Mbits/sec 1625 sender
    [ 4] 0.00-60.00 sec 514 MBytes 71.8 Mbits/sec receiver
    CPU Utilization: local/sender 1.5% (0.1%u/1.3%s), remote/receiver 3.5% (0.4%u/3.2%s)

    iperf Done.

also did not tweak kernel settings too much atm - both ends read:

    net.core.default_qdisc = fq_codel
    net.core.netdev_max_backlog = 1024
    net.core.rmem_max = 33554432
    net.core.wmem_max = 33554432
    net.ipv4.tcp_rmem = 4096 87380 33554432
    net.ipv4.tcp_wmem = 4096 87380 33554432
    net.ipv4.tcp_congestion_control = bbr # RETEST westwood OR cubic
    net.ipv4.tcp_max_syn_backlog = 1024
    net.ipv4.tcp_slow_start_after_idle = 0
    net.ipv4.tcp_no_metrics_save = 0
    net.ipv4.ip_local_port_range = 9000 65535

If you want a cheap and low wattage VPN consider H5 boards ( eg nanopi neo2 or orange pi zero plus2 ) that should handle proper TV streaming (15-20Mbit) over ovpn this is your option. If speed will be most important consider other platforms, I'm currently looking into the ASRock J4005B-ITX and should do 300Mbit ...
WarHawk_AVG Posted December 23, 2018 Posted December 23, 2018 Ok I installed Softether with the package...easy simple install. It's not for me. How do I stop it from starting every boot? Was able to shut it down by going into /usr/local/vpnserver and running ./vpnserver stop. But there is no /etc/init.d autostart script...where can I comment out to prevent it from starting again...removing I realize is a nogo...just don't want it to startup anymore
sfx2000 Posted December 23, 2018 Posted December 23, 2018 On 12/8/2018 at 7:09 PM, dolphs said: hi running armbian ( kernel 4.14 ) and ovpn 2.4.6 and both nanopi neo2 boards. ovpn is configured with cipher AES-128-CBC and auth SHA256, following results can be seen: Food for thought... NEO2 - and this is AES-128-GCM

    $ openvpn --genkey --secret /tmp/secret && time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-gcm
    Sat Dec 22 20:26:07 2018 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
    real 0m19.502s
    user 0m19.149s
    sys 0m0.124s

3200/real time == 164 Mb/Sec potential bandwidth with OpenVPN
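The "3200 / real" estimate from the post above, wrapped in a script so several ciphers can be compared on the same board; this is an added example, not something posted in the thread. It assumes GNU `date` (for `%N`) and an `openvpn` binary that accepts the same flags sfx2000 used; the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: turn an `openvpn --test-crypto` run into the "3200 / real" figure.
# With --tun-mtu 20000 the self-test handles one packet of every size from 1 to
# 20000 bytes (about 200 MB, i.e. 1600 Mbit), each encrypted and then decrypted,
# so roughly 3200 Mbit of cipher work per run.

# to_seconds "0m19.502s": convert the "real" value printed by bash's time to seconds.
to_seconds() {
    echo "$1" | awk -F'[ms]' '{ printf "%.3f\n", $1 * 60 + $2 }'
}

# crypto_mbps SECONDS: potential single-core crypto throughput in Mbit/s.
crypto_mbps() {
    awk -v t="$1" 'BEGIN { if (t <= 0) exit 1; printf "%.0f\n", 3200 / t }'
}

# bench_cipher CIPHER: time the self-test for one cipher and print Mbit/s.
# The throwaway key goes into a private mktemp file, not a fixed /tmp path.
bench_cipher() {
    key=$(mktemp) || return 1
    openvpn --genkey --secret "$key" >/dev/null 2>&1 || { rm -f "$key"; return 1; }
    start=$(date +%s.%N)
    openvpn --test-crypto --secret "$key" --verb 0 --tun-mtu 20000 \
        --cipher "$1" >/dev/null 2>&1
    status=$?
    end=$(date +%s.%N)
    rm -f "$key"
    [ "$status" -eq 0 ] || return 1
    crypto_mbps "$(awk -v a="$start" -v b="$end" 'BEGIN { printf "%.3f", b - a }')"
}

# Usage: sh bench.sh AES-128-CBC AES-128-GCM   (with no arguments nothing is run)
for cipher in "$@"; do
    if result=$(bench_cipher "$cipher"); then
        echo "$cipher: about $result Mbit/s of crypto on one core"
    else
        echo "$cipher: self-test failed or openvpn is not installed" >&2
    fi
done
```

The result is a crypto-only ceiling for one core; dolphs' iperf3 run through a real tunnel on the same board type reached 72.7 Mbits/sec with AES-128-CBC.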