[wellylug] Linux VPN Router Hardware

Ewen McNeill wellylug at ewen.mcneill.gen.nz
Thu Aug 4 15:06:24 NZST 2005


In message <20050804023449.GA31061 at ninja.nobiscuit.com>, Nigel Roberts writes:
>On Wed, 03 Aug 2005 at 13:49:52 +0200, Martin Bähr wrote:
>> On Tue, Aug 02, 2005 at 11:53:01PM +1200, Rob Giltrap wrote:
>> > It is also desirable if it has low power consumption as it'll run 24*7
>> > [...] Can handle a full 10Mb/sec traffic load (this is critical)
>>
>> you might want to look at the wrt54gs and related machines.
>
>I second this suggestion. I have openwrt running on a Linksys WRT54GS
>at home. 

While the WRT54G(S) will route 10Mbps of traffic (probably a bit more), I
rather doubt that it will encrypt at 10Mbps (into a VPN).  Especially
not with 3DES (IPSec), but probably not even with something more
efficient like AES.  It's only got a 200MHz MIPS CPU in it (and the
older models had even slower CPUs), and for most crypto algorithms the
MIPS targets are just using compiled C code, rather than optimised
assembly like the i386.

Since Rob's original requirement was VPN endpoints, passing 10Mbps, I'm
not sure that it's suitable for the job.  My WRT54G does seem to pass
2Mbps (cable modem limit) with 3DES though.  So if the requirement can
be reduced somewhat it might be sufficient.  (I have heard reports of
WRT54G(S)es rebooting under excessive load when trying to use them for
high speed VPNs, but I'm not sure what software was on them.)

Also keep in mind that the WRT54G(S) hardware has been refreshed about
3-4 times in the last 12-18 months, which means that OpenWRT and other
alternative firmware images are frequently in "catch up" mode and hence
it may not be possible to buy hardware which will run with "production"
quality software.

All that said, I'd happily recommend OpenWRT on a WRT54GS for anything
where the hardware suits the task.  Mine runs very well, and has done
so for the last 6 months.  Although it does occasionally reboot (last
time seems to be about 3 months ago - uptime is about 100 days) which
may even be due to power fluctuations.  (Mine isn't on a UPS.)

Another thing to consider would be something like a Soekris unit with a
hardware crypto accelerator card (see http://www.soekris.com/).  Off the
top of my head I'm not sure if Linux supports these crypto accelerator
cards, but OpenBSD will.  If Linux will support the crypto card then
some variation of LEAF is probably the most appropriate Linux
distribution.

And of course there are various proprietary VPN units at "enterprise"
prices, which will handle towards 10Mbps sustained encryption.  (Eg,
most router vendors have products along these lines.)

Ewen
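The throughput question above (can a 200MHz MIPS box push 10Mbps through 3DES or AES?) is one you can measure rather than guess at. The script below is an added example, not part of Ewen's post or the OpenWRT/LEAF projects: it converts the "kilobytes per second" figures that `openssl speed` prints into Mbit/s and compares them with the 10Mbps requirement from the thread. The sample figures embedded in it are constructed for illustration, not measurements from a WRT54G; the `-seconds` and `-evp` options in the comment assume an OpenSSL 1.1 or later command-line tool on the box under test.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a box's bulk
# cipher throughput, as reported by "openssl speed", meets a target rate.
# Assumption: the 10 Mbit/s figure is Rob's requirement from the thread.
REQUIRED_MBPS=10

# Convert an "openssl speed" figure such as "1250.00k" (thousands of bytes
# per second, per openssl's own footnote) to Mbit/s with two decimals.
kbytes_to_mbps() {
    awk -v k="${1%k}" 'BEGIN { printf "%.2f\n", k * 8 / 1000 }'
}

# Parse one summary line of "openssl speed" output ("cipher  Nk  Nk ... Nk")
# and print "cipher mbps" using the largest block size (the last column),
# which is the closest to the packet sizes a VPN tunnel actually carries.
speed_line_to_mbps() {
    set -- $1
    name=$1
    shift
    last=""
    for col; do last=$col; done
    echo "$name $(kbytes_to_mbps "$last")"
}

# Compare a measured rate (Mbit/s) against a required one; prints "ok" or "too slow".
check_rate() {
    awk -v m="$1" -v r="$2" 'BEGIN { print (m + 0 >= r + 0) ? "ok" : "too slow" }'
}

# Constructed sample lines in the format "openssl speed" prints (numbers
# invented for this example, not measured on any real router).
SAMPLE='des-ede3-cbc       700.00k      850.00k      880.00k      895.00k      900.00k
aes-128-cbc       2100.00k     2350.00k     2450.00k     2480.00k     2500.00k'

# Run the check over the sample and print one verdict line per cipher.
run_check() {
    printf '%s\n' "$SAMPLE" | while read -r line; do
        set -- $(speed_line_to_mbps "$line")
        printf '%-14s %7s Mbit/s  required %s Mbit/s -> %s\n' \
            "$1" "$2" "$REQUIRED_MBPS" "$(check_rate "$2" "$REQUIRED_MBPS")"
    done
}

# To test a real box instead of the sample (assumes OpenSSL 1.1+ CLI), feed
# the summary lines from these commands to speed_line_to_mbps:
#   openssl speed -seconds 1 -evp des-ede3-cbc 2>/dev/null | grep '^des-ede3-cbc'
#   openssl speed -seconds 1 -evp aes-128-cbc  2>/dev/null | grep '^aes-128-cbc'
# Remember that IPsec also has to route, hash (HMAC) and copy each packet, so
# treat a "speed" figure only slightly above the target as a failure.
run_check
```

Note that `openssl speed` measures raw cipher throughput in user space; the real tunnel rate will be lower, so a router whose 3DES figure only just clears 10Mbps here will not clear it in practice.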
