VPN appliance?
August 12, 2008 3:57 PM   Subscribe

Most of the home networking gear makers (Linksys, D-Link, Netgear, etc) make versions of their DSL/cable gateways that support VPN termination. Add a DynDNS account so you can reach your box without memorizing a possibly changing IP, and you should be in business. There are also standalone boxes called VPN concentrators but they're pretty expensive.
posted by zsazsa at 4:11 PM on August 12, 2008

I asked a similar question about a year and a half ago. I've been very happy with a WRT54GL running DD-WRT.
posted by willnot at 4:18 PM on August 12, 2008

We've used the ProSafe stuff in small businesses before with good luck - your router must support the appropriate VPN passthroughs, though.
posted by odinsdream at 6:36 PM on August 12, 2008

The extremely small amount of flash memory (2MB) in the WL700gE means that getting alternative firmware with OpenVPN support like OpenWRT installed would be tricky.

Perhaps you could use an old laptop or a PC built around a low-power CPU and chipset? Since Via released the Nano, you can find the older C7 and the ancient C3 quite cheap.
posted by PueExMachina at 8:39 PM on August 12, 2008

depends which type of VPN you use as to what you need on the forwarding router.

The simplest and not hugely secure VPN (though still vastly better than bugger all) is microsoft supported PPTP. It's safe enough to leave running with strong passwords, but your connection can be decoded by a determined man in the middle. To forward PPTP, you need to forward GRE and TCP port 1723 - GRE (IP protocol #47) is a protocol like TCP or UDP. If you need to forward IPSEC/ESP TUNNEL, you'll need to forward IPSEC (IP protocol #50) and UDP port 500. OpenVPN just uses UDP. L2TP

IPSEC is the general VPN type on hardware VPN concentrators like the netgear prosafe, and you'll also need NAT traversal support on the VPN concentrator if you're planning on hiding it behind your NAT router, which the netgear has (assuming you don't just use the 'DMZ' method or additional fixed external IP to make it visible to the outside world)

I can't find on the specification for your asus whether it has VPN-passthrough support (i.e. the SPI firewall supports GRE and IPSEC forwarding), though that doesn't mean it doesn't. Generally, you don't actually need to configure the non TCP or UDP side of things, it'll be negiotated and passed through automatically if supported.

At a pinch, you may need to set the prosafe as the DMZ exposed host; i.e. all traffic that would normally be dropped by the asus firewall as unrequested is bounced to the VPN concentrator instead, including VPN traffic and hacking attempts etc.
posted by ArkhanJG at 12:36 AM on August 13, 2008

Another option is to setup a 2nd router. Take the linksys WRT160n running dd-wrt VPN, for example. You could connect that to your modem, and then use your asus just as a WAP, connecting to the internet via the linksys, still using all the NAS/UDP stuff on the ASUS as before. You'd also get 2.4GHz 802.11n for free for when you want it (the range improvement alone over 11g is incredible), while having an internet exposed VPN that's easy to configure, with a really powerful firewall, for about the same price as the netgear prosafe.
posted by ArkhanJG at 12:53 AM on August 13, 2008

Yeah, best idea IMO is ArkhanG's second one. Put up a second router with dd-wrt. Installing this on cheap Linksys hardware is very well documented and supported. Then, I wouldn't even bother with a client-server VPN. It's overkill. Just do portforwarding with ssh to it, and any SOCKS-aware application on your laptop can use ssh's encryption. This will work great for browsing, IM, fat client email, etc.

Do you have a static IP address from your ISP for home? You need some way to know where it is when you're not there. There are a few options there...Purchasing a static one from your ISP, using DynDNS, etc.

Also, if you're putting up a second router, where are you going to put it, logically-speaking? Either it gets NAT behind your main router/hub, or else you could ask your ISP for another separate static IP for it.

Further, if you're going to incur some ongoing cost like purchasing a static IP: For just a couple bucks more in some cases, you could just purchase a subscription to a linux based VPS from any number of hosting companies. Again, with only sshd installed on it, you could accomplish most of the privacy you want. This is what I do, both from work and public spaces.
posted by poppo at 6:30 AM on August 13, 2008

I also have a WRT54G running ww-drt and just used SSH to create a socks proxy. I configure firefox to use that. Its a poor man's VPN. I guess I could install the vpn stuff on the router and laptop, but right now, it seems like quite a bit of hassle. I also remember having to support openvpn on windows a few years back and it was incredibly buggy. SSH is rock solid.

Also, I dont believe you need local admin rights to connect to a socks proxy, so I can do this on any machine I come across just by running putty.
posted by damn dirty ape at 6:45 AM on August 13, 2008

Get an SSH account on Dreamhost and use it as a SOCKS proxy?
posted by blue_beetle at 8:33 AM on August 13, 2008

This isn't a direct answer to your question, but another alternative. I wanted to be able to securely get on the internet from anywhere, not just places that have free WiFi, so I got a Verizon Blackberry with tethering option (about $30 extra per month). Now I can go into any coffee shop, park, library, or anywhere else I want to work, and get online.
posted by lsemel at 4:36 PM on August 13, 2008

This thread is closed to new comments.