VPN Server: On my router or on my Server?

Hi everyone,

Recently bought a new system to house my Plex server that is WAAAAAY overpowered to just use as a Plex server. Wanted to create a VPN server so I could tunnel in and reset the Docker container with Plex whenever there are issues, if I’m not at home. Turns out my router (ASUS rt-ac87r) supports OpenVPN. Question for you guys: should I set up OpenVPN on the router or on the new server (and if the server, should I put it in a Docker container or no)?

Wireguard VM on your server.

  • Better control of security fixes/updates
  • Typically better performance
  • Can upgrade your router with little impact

Either way would be fine. You could even do both. In my lab I have an ASUS router with OpenVPN on it. Behind that I have a Fortigate. Behind that I have a PiVPN virtual machine.

Personally, I look at VPNs as back doors; they are used when you are physically not capable of being near your network. That means you typically want it to be in the most reliable location of your network. If you host your VPN on your main server and your main server goes down/fails/etc., you also lose VPN connectivity. So if you weren't home and something went wrong, you wouldn't be able to VPN into your network to fix it. In contrast, if you put it on your ASUS router and your main server goes down, you can still access DRAC/mgmt ports in your network as well as other resources. If your ASUS router goes down, your VPN access would go down either way. The only reason to put it on your main server is if the ASUS router is not providing the performance you need. Typically those ASUS routers are weak ARM processors that would limit VPN bandwidth to something like less than 100 Mbps.

I personally have an overpowered server for Plex (running a Ryzen 3900X). I virtualized a pfSense box (router/firewall) on which I installed OpenVPN; it has a great client export utility, but I guess running it on your physical router should work just fine as well.

I would think that having it on a more powerful machine would be better due to increased throughput vs. the small router SoC trying to run it.

Reduced downtime if one ever wants to upgrade the router when a new one comes out

I think this is the route I’m going to go. I’ve heard that running it on my router can end up limiting my bandwidth, which isn’t cool. I’m planning on running most apps through Docker, but should I install WireGuard directly on the OS so all of the containers are routed through?

Yo dawg, I heard you like VPNs! So we put a VPN IN YOUR VPN!

Oooof on that bandwidth. Those are definitely good points on losing access if the server goes down, but at present, the only reason I need to backdoor into my network would be specifically to access that server. I can’t think of any other home devices I would need to access remotely. Thank you for responding! This is very helpful.

Thank you! I’m going to be running Plex and a few bots through Docker containers, but should I run the VPN directly from the OS so that all the containers are routed through it?

This is a good point I didn’t think about.

You can run in Docker or VM.

Either deployment scenario can be configured to allow access to any machine on the internal network.

Let’s see who’s REALLY behind this VPN!

If I install WireGuard via Docker, do I just make the server OS a client? I need SSH and RDP access.

Server. Basically you set it up and port forward connections from the Internet through your router to WireGuard. This will give you full access to anything on your private network.
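As an added example (not from anyone in this thread), here is what the "WireGuard on the server, port forward on the router" layout described above looks like in wg-quick config form, with the client limited to the home LAN rather than tunnelling all its traffic. The subnets, interface name, port, hostname and all key values are assumed placeholders.

```ini
# --- /etc/wireguard/wg0.conf on the Plex server (constructed example) ---
# Assumes: home LAN 192.168.1.0/24, server LAN IP 192.168.1.10 on eth0,
# tunnel subnet 10.8.0.0/24. Router forwards UDP 51820 -> 192.168.1.10:51820.
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>          # generate with: wg genkey
# Forward tunnel traffic onward to the rest of the LAN (DRAC/mgmt ports, other hosts).
# Also needs net.ipv4.ip_forward = 1 in sysctl.
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# One [Peer] block per device. A key that is not listed here never completes a
# handshake, so the forwarded port is silent to anyone who is not a configured peer.
[Peer]
# laptop
PublicKey = <LAPTOP_PUBLIC_KEY>
PresharedKey = <LAPTOP_PRESHARED_KEY>      # optional extra symmetric secret: wg genpsk
AllowedIPs = 10.8.0.2/32                   # accept packets from this peer only with this tunnel source IP

# --- Client (laptop) config (constructed example) ---
[Interface]
Address = 10.8.0.2/24
PrivateKey = <LAPTOP_PRIVATE_KEY>

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
PresharedKey = <LAPTOP_PRESHARED_KEY>
Endpoint = home.example.net:51820          # router's public address or DDNS name (placeholder)
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24   # split tunnel: only tunnel subnet + home LAN (SSH, RDP, Plex)
PersistentKeepalive = 25                   # keeps the NAT mapping alive when the laptop is behind NAT
```

Because the tunnel terminates in the host's network stack, a container whose port is published on the server (for example Plex on 192.168.1.10:32400) is reachable at the server's LAN address from a connected client without any WireGuard configuration inside the container.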

I would look at tutorials… there are plenty that discuss all of the details.