Hey all. Been drifting back and forth on what my options are for the best OpenWRT VPN router. I need to utilize OpenVPN with a TAP interface to support tunneling multicast between two devices on two remote networks that will allow me to bridge one of the subnets. The network devices only see each other if they’re on the same subnet.
I’ve gone from researching Banana Pi R3 router boards to looking into expensive Zyxel gateways, but it seems OpenVPN supports what I’m attempting to do as the TAP tunnel captures the entire Ethernet frame. I’m just concerned about CPU power as OVPN can be notoriously slow. Each network is on gigabit fiber.
Any suggestions on modern OpenWRT routers that have good speed and processing power?
This use case is firmly in the x64 territory (some really muscular ARM might do the trick as well, but I don’t know the ARM space well enough to offer advice).
Since you’re specifically interested in OpenVPN, you will need a processor that supports AES-NI cryptography. Since you intend to maintain a Gigabit connection, you will need quite a bit of processing power to encrypt/decrypt a Gigabit stream on the fly. Note that OpenVPN is single-threaded, so more cores/threads are not going to help you attain faster throughput; rather, you need a faster processor.
All of the above basically forces you into using an Intel Core processor, which should be at least somewhat recent. AES-NI has been supported on i3 since 4th gen; on i5 and i7, AES-NI support was definitely available in the 2nd gen. So look at clock speeds and see how high you can go on your budget. Number of cores is not likely to be important in your case, unless you forgot to mention something important. :)
If you need OpenVPN at more than 500 Mbps, there is only one way - x86-based systems.
For routers on ARM, WireGuard is better. It is efficient and has support on many good routers.
I use RT-AX86U running under the latest Merlin. I have 680-700 Mbps real speed (p2p) with AirVPN on my 1 Gbps connection. 700Mbps VPN throughput is the HW limit for this router.
The RT-AX86U can properly run the multicore workload with WireGuard.
See one of my tests - here
Just reading up on this one. Thanks for the recommendation! Similar specs to the Banana Pi R3 open source router board. Looks like OpenWRT still isn’t officially supported on it and flashing it seems like a bit of a process. I’m not too fussed about wifi as everything requiring speed is hardlined in my home. Will definitely read up on it some more later.
Thanks for the suggestion. Despite setting up OVPN tunnels in the past I’ll have to read up on how to configure this as it’s slightly beyond my level of comprehension. I did order a BPi R3 board to run some tests and it will hopefully be here in a few days.
u/Yetjustanotherone Looking at the R6S now. Love the two LAN ports as I can plug in an AP for tablets and phones and still have an available LAN port to achieve my OpenVPN/TAP needs. Is there much of a difference between running FriendlyWRT compared to an official OpenWRT? Can I force OpenWRT to run on it?
Wouldn’t need the HDMI capabilities. The price point is right too. Amazon lists it as including WiFi?
u/Yetjustanotherone Hey there. Sorry to resurrect this. Finally getting around to making this project happen. Was wondering if you could give any info/links on setting up OpenVPN with ECDSA or EdDSA certificates? I’m seeing that EasyRSA should support the former, but not sure how to generate the certs.
Well, if that is the case, check out a Lenovo Tiny that has a PCIe adapter, and add an Intel quad NIC there, can beat that, P330 Tiny, or M920q, there are a bunch of them that would be very powerful (compute wise).
I too have a BPI R3, just replaced my old router this weekend. My idea was to run OpenVPN straight on it (which worked). But my knowledge was too limited on how to set up a correct VLAN that only uses the OpenVPN to connect to the internet…
So I left that part out and still using my gluetun docker instance to run my other Dockers through that for now.
As is common with FOSS software in general, you won’t find a guide that suits your combined hardware, software environment and required configuration exactly.
It’s a case of open 5 guides that do elements of what you want, and use them to piece together a configuration workflow that does it all.
Installing and reading guides on using openvpn-easy-rsa will make up a fair chunk. That’s what is commonly used to create the PKI infrastructure openVPN needs.
The rest is generating (modern) server and client openVPN configs
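Added example (not from any poster in the thread): a bridged TAP server and client configuration using ECDSA certificates issued with Easy-RSA 3, tying together the PKI and config steps mentioned above. The hostname, file paths, addresses and the client name `site-b` are placeholders, and `data-ciphers` and the `--genkey secret` form assume OpenVPN 2.5 or later.

```conf
# --- server.conf (site A) - constructed example, paths/addresses are placeholders ---
# PKI created beforehand with Easy-RSA 3 using EC keys:
#   easyrsa init-pki
#   easyrsa --use-algo=ec --curve=secp384r1 build-ca
#   easyrsa --use-algo=ec --curve=secp384r1 build-server-full server nopass
#   easyrsa --use-algo=ec --curve=secp384r1 build-client-full site-b nopass
port 1194
proto udp
dev tap0                      # layer 2: whole Ethernet frames, so multicast crosses the tunnel
# gateway, netmask, then an address pool outside the LAN's DHCP range
server-bridge 192.168.10.1 255.255.255.0 192.168.10.200 192.168.10.210
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/server.crt
key  /etc/openvpn/pki/private/server.key
dh none                       # no finite-field DH parameters; key exchange is ECDHE only
tls-version-min 1.2
tls-crypt /etc/openvpn/tc.key # shared key: openvpn --genkey secret tc.key (2.5+ syntax)
remote-cert-tls client        # peer certificate must carry the clientAuth usage
data-ciphers AES-256-GCM:AES-128-GCM   # AEAD ciphers (OpenVPN 2.5+), accelerated by AES-NI
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3
# On both routers tap0 must also be made a member of the LAN bridge;
# that is OS network configuration, not OpenVPN.

# --- client.conf (site B) ---
client
dev tap0
proto udp
remote vpn.example.net 1194   # placeholder hostname
nobind
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/site-b.crt
key  /etc/openvpn/pki/private/site-b.key
tls-crypt /etc/openvpn/tc.key
remote-cert-tls server        # refuse peers whose certificate is not a server certificate
data-ciphers AES-256-GCM:AES-128-GCM
persist-key
persist-tun
verb 3
```

Only the CA certificate, the peer's own certificate and key, and the `tls-crypt` key belong on each router; the CA private key stays off both.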
R6S definitely doesn’t include WiFi, that’s just not true.
FriendlyARM images don’t get patched as often as they need to. That’s fine if you’re going to use it as a general purpose SBC running Ubuntu, not so much if it’s your router.
HDMI I’d bet is never going to work under openWRT. No reason to put the time in.
It’s a really good device, but as I understand it, really needs > Linux kernel 6.3 for hardware support (or a LOT of patches).
openWRT 23 is going to be released this year, but that uses kernel 5.15.*
I’m not the author, so deserve no credit, but this repo has an SD install compatible build of openWRT for the R6S: