Gentoo Forums
Wireguard / router advice
Gentoo Forums Forum Index Networking & Security
vespaman
Guru
Joined: 28 Aug 2002
Posts: 322
Location: Stockholm, Sweden

Posted: Fri Oct 23, 2020 3:13 pm    Post subject: Wireguard / router advice

Hi,

I thought I should ask here, since the Gentoo forums are always very helpful! Hope that's fine. :)

I am looking for a way to add WireGuard to my home, to be able to get in touch with it from everywhere. Currently I have been using OpenVPN into my Netgear R7000 router.
But this is flaky: the router hangs every now and then when there is a lot of VPN traffic, and it can be dead slow at times when I am travelling on a poor link.

I have gigabit fiber to the house, currently the R7000 router, and then my main mail/file/DNS/Let's Encrypt/etc. server, currently an aging Gentoo box with an i5-3570K CPU. It has two LAN ports (it used to also be the router, but due to performance issues I got the R7000 instead). The R7000 Wi-Fi is disabled; I have separate access points.

So, I am wondering: what is the best and easiest way to add WireGuard to this, with decent performance?
I guess the options are:

1. OpenWrt on the R7000, configured for WireGuard.
2. WireGuard on the server, exposing one of its NICs directly to the internet, purely for VPN/WireGuard. Let the rest go through the R7000 as today.
3. WireGuard on the server, behind the R7000 (not sure if this is possible?)
4. A new, more modern router with built-in WireGuard (EdgeRouter? Other?)

I suppose (1) is popular, but I have not found any performance data on that - I suspect normal downloading from the internet might be limited (will it drop the max speed significantly from 1 Gbit/s?). Also, I have never done this, so I am not sure how complicated it is. Also not sure what kind of WireGuard performance I could expect. Also not sure if it will be stable, seeing as it hangs every now and then with the Netgear firmware...
I guess I could try, but it might end up with me bricking my working set-up.


Any other suggestions? As security is important, I'd like to keep the setup and config as simple as possible. Low power consumption is also a driver.

What would you do?
dalu
Guru
Joined: 20 Jan 2003
Posts: 507

Posted: Tue Oct 27, 2020 12:52 pm

I'm in a similar situation.

2 locations:
- Germany
1 network, Fritz Box 7590, VDSL 100/40 MBit/s, German Telekom
Cable TV
- Croatia
2 networks
-- the "main" network
-- the TV network
Currently still 16/0.8 Mbit, but fiber apparently coming soonTM, which will be at least 100/20, but if I pay more 200/100 or 1000/500.
So that's why I'm planning ahead.
Thing is, the Croatian Telekom (essentially German Telekom with a Croatia name stamp) has these "MaxTV" set top boxes that act as a streaming client for regular TV.
They also have a "MaxTV to Go" offer which allows viewing most channels outside of Croatia but the interesting ones aren't present there.
Currently I'm using an old Intel NUC with Windows on it and the "MaxTV to Go" desktop app to be able to watch the Croatian TV I'm paying a subscription for (30€/month, not cheap).
But it's suboptimal, like I wrote missing channels and the stream quality is varying degrees of bad. Also, no remote.

So the idea is to connect those 2 networks, Germany and Croatia, so I can take the set top box with me to Germany, plug it into a network port and be able to receive the stream via WireGuard or other means. The stream doesn't take up a lot of bandwidth, 2-5 Mbit/s on average (once they enable HD quality), and they claim you need 10 Mbit/s with HD quality enabled.

Next thing is, when I'm in Croatia I'd like to access my computers in Germany as if they're in Croatia. For instance I have a data dump server which serves as a virtualization host and serves various databases. My laptop is in Croatia, my workstation in Germany. So when I'm developing stuff I can access this central database server and share the codebase.

On the other hand in Germany there's also this cable TV, and while I have a satellite antenna and setup in Croatia, the TV (which is Android TV) is a piece of shit. Sony Bravia 4K 2015. Android TV is the worst piece of shit ever. You can't even install porn apps because nanny Google is apparently able to tell you what you can and can't do with the fucking hardware and software you bought. If I ever buy a TV again it's not going to be an Android TV or Apple TV for that matter, screw those two.
Btw I can watch porn on "MaxTV" but not "MaxTV to go" because mommy Google forbids porn content.

In the past I had cable internet in Germany, which I liked, but the house owning company decided that they'd abandon the ISP (Unitymedia) for cost reasons and switch to German Telekom, showering us in German Telekom ads on a daily basis in the mail. So ok, never mind what I want, I took the cable offer from German Telekom, which was 20€ more expensive than the Unitymedia one. But the monthly rent decreased by 30€; however some local TV stations are now missing and I had to buy a FritzBox 7590 for 270€, i.e. a net loss of 30€ over 2 years with worse FreeTV packages.
So the German Telekom sent me a modem for their old ass cable network and I had to buy another piece of hardware, a PC Engines APU2 (https://pcengines.ch/apu2.htm).
I put pfSense on it, then OPNsense. It was all shit.
The cable network wasn't part of the German Telekom's network, but some partner company in Leipzig. No IPv6 and terrible speed. Problems with https connections stemmed from the APU2 and the software that was on it. I felt like I had travelled a century back in time.
After a month I switched to their VDSL offer and bought the FB7590.

Don't get me started on the Croatian Telekom, which is an even worse band of liars and thieves. The salespeople promise you the world and in the end you get half of what was promised, and if you're not happy you can quit your contract. For instance I had 20/1.2 MBit/s before a switch to a package with more TV programs, and after the switch they reduced the speed to 16/0.8. No matter how much I protested they just "lol nub"d. Deutsche Telekom and all their differently named companies and affiliates around the world are a band of liars and thieves. And a de-facto monopoly where the German state owns parts of it. It still acts as if it's a publicly owned entity. You don't order new tariffs, you plead for a new tariff to be granted to you. You only receive a new tariff by the generosity of their divine grace. Fucking assholes. But the alternatives in Croatia are worse and in Germany - not present. All the telcos need to be cleaned up but that will never happen because of dirty politicians profiting from them. I could go on about the state of the world and its corporations, but let's leave it at that.

Well, the FritzBox 7590 has VPN but I can't trust it. It's good enough when I ssh into my boxes in Germany, and it works in Linux. But there's no client for Windows. So whenever I want to copy something for Windows I have to boot Linux, establish a connection, copy to external USB and boot Windows. Apart from that I don't trust its security. Oh, apparently it can be used now: https://en.avm.de/service/fritzbox/fritzbox-7590/knowledge-base/publication/show/1639_Can-FRITZ-VPN-be-used-in-Windows-10/
Only not in English.

Here's something about WireGuard connecting 2 locations and 2 subnets:
https://blog.tastytea.de/posts/wireguard-vpn-with-2-or-more-subnets/

What is good hardware? That is the question. I can tell you that the PC Engines APU2C4 isn't, at least with OPNsense or pfSense and the 16 GB SSD I put in there. I installed CentOS 7 headless on it and yum update takes like 4 hours to complete when there's something to update. So it might be the SSD.
However I see that OpenWrt supports it, so once I'm back in Germany I'll have to check that out. Could take a longer while though, COVID-19 and all.
The FritzBox 7590 is currently priced around 185€.

Then you've probably seen https://openwrt.org/toh/views/toh_available_16128?datasrt=ram%20mb
It's not properly sorted by RAM, you have to scroll down to find the good pieces.

[strike]It also shows the rPi4, which might be something that doesn't cost all that much and possibly performs ok.[/strike] Actually the rPi4 only has 1 LAN port, so that's not an option.

The EdgeRouter 8 you mentioned costs ~280€.

And sorry for hijacking the thread, but there has been no reply in a week.

And finally
https://forum.openwrt.org/c/hardware-questions-and-recommendations/13

My 1st go to address is also the gentoo forums, when you think custom solutions you think gentoo, or at least I do.
But well, Gentoo has lost a lot of appeal to me, not just because I was banned from the bugtracker for telling the php5 maintainer what I thought of his stupidity.
I also fully support Torvalds' way to tell people they're idiots. And the php5 maintainer is no exception. Dumbass.
That ban is also why I'm moving away from Gentoo asap.
The Gentoo people were always strange. I mean so it's ok when this Polish guy swears and yells but when a user does it, it leads to a ban? Fuck you.
Gentoo can DIAF for all I care. They've been "bought" by Google anyway. Just another ignorant group of people who think they're someone and something.
Why did the guy create Funtoo? Because the people of Gentoo sucked.
They missed the bus on getting the youth's attention.
They're intransparent and shady.
Look at the off-topic forum. Conspiracy theorist nutjobs in a circle jerk.

It's time for Gentoo to die. Also in light of the increased CO2 emissions from everyone compiling their own system and not using binaries.
I know, the dumbass "me first and my dish only" American peasants here won't see it that way.

Not everyone here is like that though, take Ned, he's a great guy, always helpful and trying to be, also friendly.
That's the spirit.
But the PHP maintainer? Fuck that guy and everyone supporting that lazy piece of shit with no sense of responsibility but his own limited horizon.


Last edited by dalu on Tue Oct 27, 2020 2:39 pm; edited 1 time in total
peje
Tux's lil' helper
Joined: 11 Jan 2003
Posts: 100

Posted: Tue Oct 27, 2020 2:10 pm

@vespaman
3. WireGuard on the server, behind the R7000 (not sure if this is possible?)
-> is possible and no problem; you have to forward one port to the server (you could also run WireGuard in Docker or a VM)
1. should also work.
If you want to go with new hardware, the EdgeRouter (Ubiquiti) can also run WireGuard.

cu Peje
vespaman
Guru
Joined: 28 Aug 2002
Posts: 322
Location: Stockholm, Sweden

Posted: Tue Oct 27, 2020 3:19 pm
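An added example to go with peje's answer on option 3 (and with the two-subnet setup dalu linked), not code posted by anyone in this thread: a small Python lint for the server and client wg-quick configs that checks the points that bite in a "server behind the router, one UDP port forwarded" setup. Everything it assumes is made up for the example: a VPN range of 10.8.0.0/24, a home LAN of 10.0.0.0/24, UDP 51820 forwarded by the router to the server's LAN address, a dynamic-DNS name home.example.net for the home connection, two constructed configs, and filler keys that are not real key pairs. It checks that the server pins ListenPort to the forwarded port and the client dials that port, that a roaming client sets PersistentKeepalive, that no two peers' AllowedIPs overlap (cryptokey routing: AllowedIPs is the source filter as well as the route, so one address should belong to exactly one peer; the second server config shows a peer handed the whole range), and that the client's own Address is covered by some peer's AllowedIPs, since otherwise the server silently drops its packets. A site-to-site peer as in the linked blog post simply lists the remote LAN subnet in its AllowedIPs and passes the same checks.

```python
"""Lint a WireGuard server/client config pair for the setup in this thread:
WireGuard on the server behind the router, one UDP port forwarded.  Hypothetical
helper written for the thread, not wireguard-tools code; the configs are
constructed samples and every key is deterministic filler, not a real key."""
import base64
import ipaddress


def filler_key(n):
    """Stand-in for a base64 32-byte key: NOT a real key, never reuse."""
    return base64.b64encode(bytes([n]) * 32).decode()


# Assumed addressing (not from the thread): VPN range 10.8.0.0/24, home LAN
# 10.0.0.0/24, the router forwards UDP 51820 to the server's LAN address, and
# home.example.net is a dynamic-DNS name for the home connection.
SERVER_CONF_GOOD = f"""
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = {filler_key(1)}

[Peer]  # laptop on the road: may only source 10.8.0.2
PublicKey = {filler_key(2)}
AllowedIPs = 10.8.0.2/32

[Peer]  # phone: may only source 10.8.0.3
PublicKey = {filler_key(3)}
AllowedIPs = 10.8.0.3/32
"""

# Same server, but the phone's AllowedIPs widened to the whole VPN range: that
# key may then source any VPN address not assigned more specifically elsewhere.
SERVER_CONF_BAD = SERVER_CONF_GOOD.replace("10.8.0.3/32", "10.8.0.0/24")

CLIENT_CONF = f"""
[Interface]
Address = 10.8.0.2/24
PrivateKey = {filler_key(4)}

[Peer]
PublicKey = {filler_key(5)}
Endpoint = home.example.net:51820
AllowedIPs = 10.0.0.0/24, 10.8.0.0/24  # split tunnel: home LAN + VPN range only
PersistentKeepalive = 25
"""


def parse_wg_conf(text):
    """Return (interface, peers) with lower-cased keys.  Hand-rolled because
    configparser would merge the repeated [Peer] sections into one."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # wg strips '#' comments too
        if not line:
            continue
        if line.startswith("["):
            name = line.strip("[]").lower()
            current = interface if name == "interface" else {}
            if name == "peer":
                peers.append(current)
            elif name != "interface":
                raise ValueError(f"unknown section {line}")
            continue
        if current is None:
            raise ValueError(f"key outside any section: {line}")
        key, _, value = line.partition("=")  # first '=' only: base64 keys end in '='
        key, value = key.strip().lower(), value.strip()
        if key == "allowedips":  # may be comma-separated and/or repeated
            current.setdefault(key, []).extend(v.strip() for v in value.split(",") if v.strip())
        else:
            current[key] = value
    return interface, peers


def lint_pair(server_text, client_text):
    """Return a list of findings; an empty list means nothing was found."""
    f = []
    s_if, s_peers = parse_wg_conf(server_text)
    c_if, c_peers = parse_wg_conf(client_text)
    # The router forwards one fixed UDP port; without ListenPort wg picks a
    # random port at each start and the forward never matches.
    listen = s_if.get("listenport")
    if listen is None:
        f.append("server: ListenPort missing, router port-forward has no fixed target")
    for p in c_peers:
        port = p.get("endpoint", "").rpartition(":")[2]
        if listen is not None and port != listen:
            f.append(f"client: Endpoint port {port or '?'} != server ListenPort {listen}")
        if "persistentkeepalive" not in p:  # roaming client sits behind NAT
            f.append("client: no PersistentKeepalive, idle NAT mapping will time out")
    # Cryptokey routing: a peer's AllowedIPs is both its route and the source
    # filter on its decrypted packets, so each address should belong to one peer.
    nets = []
    for i, p in enumerate(s_peers):
        for cidr in p.get("allowedips", []):
            net = ipaddress.ip_network(cidr, strict=False)
            for j, other in nets:
                if j != i and net.version == other.version and net.overlaps(other):
                    f.append(f"server peers {j} and {i}: AllowedIPs {other} and {net} overlap")
            nets.append((i, net))
    # The server drops inner packets whose source is outside the sending peer's
    # AllowedIPs, so the client's Address must be covered by some server peer.
    addr = ipaddress.ip_interface(c_if.get("address", "0.0.0.0/32").split(",")[0]).ip
    if not any(addr in net for _, net in nets):
        f.append(f"client: Address {addr} not inside any server peer's AllowedIPs")
    return f
```

Import lint_pair and feed it the text of the real /etc/wireguard/wg0.conf and the client's config; an empty list means none of these checks fired. The lint says nothing about the router itself: the UDP port still has to be forwarded to the server's LAN address, and the server needs IP forwarding enabled if clients are to reach the rest of the LAN rather than only the server.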

@peje,

3. WireGuard on the server, behind the R7000 (not sure if this is possible?)
-> is possible and no problem; you have to forward one port to the server (you could also run WireGuard in Docker or a VM)

Thanks for clarifying; I have decided to give this a go. After reading and thinking about it, I think I prefer the router to just route and do firewalling, to keep the setup simple.

Now I just need to reinstall Gentoo on that server (the installation is currently a mess with Python, Ruby and Perl, so it is very broken right now).
Hu
Moderator
Joined: 06 Mar 2007
Posts: 16206

Posted: Tue Oct 27, 2020 6:28 pm

dalu wrote:
And finally
https://forum.openwrt.org/c/hardware-questions-and-recommendations/13

My 1st go to address is also the gentoo forums, when you think custom solutions you think gentoo, or at least I do.
But well, Gentoo has lost a lot of appeal to me, not just because I was banned from the bugtracker for telling the php5 maintainer what I thought of his stupidity.
I also fully support Torvalds' way to tell people they're idiots. And the php5 maintainer is no exception. Dumbass.
That ban is also why I'm moving away from Gentoo asap.
Bugzilla comments are public indefinitely. Informing someone that they are making bad choices is fine, but you should try to be civil about it. Yes, Linus has historically gotten away with being uncivil. No, that does not make it acceptable broadly. Additionally, when posting a rant of this style, it is helpful to your case to link to the underlying incident, so that people can judge whether your complaint is justified.
dalu wrote:
The Gentoo people were always strange. I mean so it's ok when this Polish guy swears and yells but when a user does it, it leads to a ban? Fuck you.
Linus is Finnish, not Polish.
dalu wrote:
Gentoo can DIAF for all I care.
Why are you using this thread to rant about Gentoo, when it seems like your issue is with the conduct of a small number of specific contributors?
dalu wrote:
They've been "bought" by Google anyway.
Google owns many things, but I am not aware of it owning a substantial influence over Gentoo.
dalu wrote:
Why did the guy create Funtoo? Because the people of Gentoo sucked.
They missed the bus on getting the youth's attention.
They're intransparent and shady.
Look at the off-topic forum. Conspiracy theorist nutjobs in a circle jerk.
This is a major, and largely unsupported, leap. You went from complaining about a Gentoo developer, and getting in trouble for rude comments to/about that developer, to complaining that the Forums project permits registered users, most of whom are not developers or otherwise privileged contributors, to use an off-topic forum (which exists specifically to have a place for off-topic content) in wild ways.

If you are this unhappy with Gentoo, why are you using this thread to vent about it?
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 6781

Posted: Thu Oct 29, 2020 12:01 am

dalu wrote:
It's time for Gentoo to die. Also in light of the increased CO2 emissions from everyone compiling their own system and not using binaries.
I know, the dumbass "me first and my dish only" American peasants here won't see it that way.

The myth of personal responsibility for CO2 emissions was thoroughly debunked this year when public life was all but shut down and overall pollution did not drop. It's rich people causing the problems.

I'll disregard the rest of your comment, but claiming Gentoo has any effect on this stuff is laughable. Bitcoiners on the other hand...
pa4wdh
Guru
Joined: 16 Dec 2005
Posts: 410

Posted: Thu Oct 29, 2020 8:51 am

Just a tip:
If you're buying new hardware with the purpose of using it as a router with VPN, make sure the CPU has hardware crypto support. In my case (with OpenVPN) the difference is about a factor of 10x more throughput with hardware crypto. It works fine with my PC Engines APU4d4; the APU2 seems to have the same CPU, so with the right software you should be able to get similar results.
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world

Free as in Freedom is not limited to software only:
Music: http://www.jamendo.com
Recipes: http://www.opensourcefood.com