Which Router should I buy capable of DD-WRT so I can add VPN

Associate
Joined
25 Oct 2002
Posts
1,707
:edit: If you really want big VPN bandwidth and you have an old PC or parts kicking around, I'd suggest making a pfSense box. It will require a bit of effort and some googling around, but large scale encryption is heavy lifting, something a proper PC should excel at compared to a low power device.

Agree with this. pfSense is great IMO, so much you can do with it: adblock, VPN, etc. Works well for me. Only thing is the cost of running a full-blown PC compared to a low-wattage router. However, what you can do is run the likes of ESXi and run pfSense in a VM and have other VMs doing other stuff on there too, like a download box, game, comms server, Plex etc. I got a SFF Dell 990? and dropped in a quad NIC, worked a charm.
 
Soldato
Joined
29 Dec 2002
Posts
7,253
run the likes of ESXi and run pfSense in a VM and have other VMs doing other stuff on there too, like a download box, game, comms server, Plex etc. I got a SFF Dell 990? and dropped in a quad NIC, worked a charm.

Generally from a security perspective that's not considered good practice, though it will work and for a home environment it's likely to be fine. I run Unraid, which supports Dockers and VMs (most mainstream OSes support some form of VM/Docker usage freely). Several of the Docker templates available bundle programs such as torrent or NZB clients with local VPN support and iptables set up to prevent anything not going via the VPN; they also include Privoxy. As well as the ad filtering/privacy/DNS intercept bypassing, the main highlights are:
  • If the VPN drops the docker is isolated, it won't use another interface.
  • Any hardware that will run via proxy can now have an encrypted connection without the need for VPN support or the hardware requirements to handle encryption.

If you need to have multiple end points to avoid geo-restrictions, you can run multiple instances, for example you could run a torrent based docker with a UK end point on 8118, a news docker with a US end point on 8119 etc. and configure the client based on what you wanted. Quick, free and avoids another box and the cost of buying/running it.
 
Associate
OP
Joined
12 Aug 2009
Posts
567
Thanks for the replies but I think my original post has been forgotten. This is all way more complicated than I want or am able to do.

I originally just wanted to be able to put a VPN and if possible encryption into a router (e.g. DD-WRT) so it protects every device in my house from ISP/government censorship and spying.

Someone suggested the MikroTik, which seemed like a fast powerful router at decent cost, which I bought and now have the basics working.

I just want to be able to achieve above in a simple way probably by using an external service (like PIA or ipvanish etc) but I am open to suggestion. I do not have anything that important that needs protecting, just the minimum encryption to make it awkward for my ISP to spy.

Any suggestions to what I should use without additional hardware?
 
Soldato
Joined
20 Feb 2011
Posts
3,664
For simplicity I'd go with a VPN service like PIA or NordVPN. They're easy enough to set up on your router or individual devices, whatever you prefer.
 
Soldato
Joined
29 Dec 2002
Posts
7,253
The MikroTik should support a simple VPN connection and allow you the ability to route traffic to it (and remove the possibility of it falling back to the normal interface if the VPN drops) quite easily. Most VPN providers give reasonable guides on how to configure a router; the MikroTik appears on at least one that I looked at (PIA/Pure from memory?), so combining that with a few minutes on a MikroTik forum/guide should resolve what you need.
 
Soldato
Joined
5 Nov 2011
Posts
5,362
Location
Derbyshire
It's easily doable with the MikroTik.

Have a small look into IP>Firewall>Mangle for marking the connections you want to go out of your VPN.
Use IP>Routes to create the route (rather than allowing the VPN client to create its own) and use the packet mark you made with mangle to signify packets that should go down that route.
Use IP>Firewall>NAT to create a NAT rule to create a masquerade rule so stuff goes up the VPN.

I have 2 VPN connections I use in this way and it's seamless. It also means that X device isn't forced to always using Y service to go out to the internet if you specify the mangle rules properly.
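
The three steps described in the post above, plus the no-fallback behaviour mentioned earlier in the thread, as an added example that is not the poster's own configuration. It assumes RouterOS v6 syntax, a VPN client interface named `vpn-out`, a LAN of 192.168.88.0/24 and one device at 192.168.88.50 that should use the tunnel (all constructed values), and it uses a routing mark, which is what a route entry matches on.

```routeros
# Added example, RouterOS v6 syntax. Assumed (constructed) names and addresses:
#   vpn-out          the VPN client interface
#   192.168.88.0/24  the LAN
#   192.168.88.50    the device that should go out through the VPN

# 1. IP > Firewall > Mangle: tag traffic from the chosen device with a
#    routing mark, leaving LAN-local destinations untouched.
/ip firewall mangle add chain=prerouting src-address=192.168.88.50 \
    dst-address=!192.168.88.0/24 action=mark-routing \
    new-routing-mark=via-vpn passthrough=yes comment="send .50 via VPN"

# 2. IP > Routes: a default route used only by marked traffic.
#    Disable "add default route" on the VPN client so it does not
#    install its own route for every device.
/ip route add dst-address=0.0.0.0/0 gateway=vpn-out routing-mark=via-vpn \
    comment="default route for via-vpn"

# 3. IP > Firewall > NAT: masquerade whatever leaves through the tunnel.
/ip firewall nat add chain=srcnat out-interface=vpn-out action=masquerade \
    comment="NAT into VPN"

# 4. Fail closed: when the tunnel is down the marked route goes inactive
#    and lookups fall back to the main table, so drop anything from this
#    device that would leave by an interface other than the VPN.
#    Move this rule above the accept rules in the forward chain.
/ip firewall filter add chain=forward src-address=192.168.88.50 \
    dst-address=!192.168.88.0/24 out-interface=!vpn-out action=drop \
    comment="no WAN fallback for .50"

# Note: fast-tracked connections skip mangle and filter. If the default
# FastTrack rule is enabled, exclude this source address from it.
```

To check the result, bring the VPN interface down and confirm the device loses internet access rather than reaching it through the ISP link.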
 
Associate
OP
Joined
12 Aug 2009
Posts
567
It's easily doable with the MikroTik.

Have a small look into IP>Firewall>Mangle for marking the connections you want to go out of your VPN.
Use IP>Routes to create the route (rather than allowing the VPN client to create its own) and use the packet mark you made with mangle to signify packets that should go down that route.
Use IP>Firewall>NAT to create a NAT rule to create a masquerade rule so stuff goes up the VPN.

I have 2 VPN connections I use in this way and it's seamless. It also means that X device isn't forced to always using Y service to go out to the internet if you specify the mangle rules properly.

May I ask what protocols you use for these and who they're with?

The ones I have used I can only get PPTP to work. I tried OpenVPN but it seems the MikroTik has an old implementation that doesn't support LZO compression that they all use now.
 
Soldato
Joined
5 Nov 2011
Posts
5,362
Location
Derbyshire
May I ask what protocols you use for these and who they're with?
The ones I have used I can only get PPTP to work. I tried OpenVPN but it seems the MikroTik has an old implementation that doesn't support LZO compression that they all use now.

One of the tunnels is a PPTP tunnel to TigerVPN (yeah I know PPTP!). I haven't gotten around to changing it to L2TP yet as last time I couldn't get it to work, but I think I know what I was doing wrong now.
The other is an L2TP/IPsec to a MikroTik CHR that I made for work so we can get back in to the working LAN.

OpenVPN is a bit of a grey patch with MikroTik but it is being bandied around that v7 will fix this (although v7 has been coming for years, but they do back port the really good stuff).
 
Associate
OP
Joined
12 Aug 2009
Posts
567
Let's hope so.

I am happy now though, I have PPTP working at 70mb/s and P2P works now I have switched to a foreign IP (PureVPN blocks UK ones, took me ages to work out why it didn't work)
 