Posted: Mon Jul 10, 2017 0:24 Post subject: to vpn or not vpn?
i understand that vpn provides additional cryptography with network communication. what's not so clear is if i never plan to access any device on my home network from the web (www), how important / secure is my dd-wrt router without vpn?
thanks in advance. _________________ asus rt-ac86u stock: 3.0.0.4.384_45149
wrt3200acm: r34578 {sunset}
"why nibble when u can take a byte."
not at all? vpn allows you to connect to the net securely to ANOTHER exit point on the internet, be it a different country or behind your business's firewall. But your router is still reacting to internet traffic it receives from the usual port scans (ie, attacks) and once your traffic leaves the VPN exit node it is no more or less vulnerable than without vpn.
VPN is primarily used for 2 things, remotely connecting to your business's very secure network, and avoiding government spying and port blocks in very restrictive countries. Doesn't avoid the fact that a compromised site can still attack your browser when you connect to it, and your router is still on the internet with a public IP and thus vulnerable to those types of attacks.
Posted: Mon Jul 10, 2017 2:33 Post subject: to vpn or not vpn?
jeffmd wrote:
not at all? vpn allows you to connect to the net securely to ANOTHER exit point on the internet, be it a different country or behind your business's firewall. But your router is still reacting to internet traffic it receives from the usual port scans (ie, attacks) and once your traffic leaves the VPN exit node it is no more or less vulnerable than without vpn.
VPN is primarily used for 2 things, remotely connecting to your business's very secure network, and avoiding government spying and port blocks in very restrictive countries. Doesn't avoid the fact that a compromised site can still attack your browser when you connect to it, and your router is still on the internet with a public IP and thus vulnerable to those types of attacks.
i appreciate your response but i'm a bit confused. are u saying that i should install vpn anyway and let my devices be clients for normal web traffic? btw, it's more for personal use than business.
i get that my router is exposed to all types of traffic but i have a sw firewall and as u know, the router protects attached devices via dns. in fact, my access point is also a router, but most of my devices are connected to my dd-wrt router which is a secondary router "behind" the access point/router. i hope that doesn't confuse u.
i've been fairly free from malware but if i could be even less of a target, i'm all for that. _________________ asus rt-ac86u stock: 3.0.0.4.384_45149
wrt3200acm: r34578 {sunset}
"why nibble when u can take a byte."
Posted: Mon Jul 10, 2017 5:17 Post subject: Re: to vpn or not vpn?
128bit wrote:
i appreciate your response but i'm a bit confused. are u saying that i should install vpn anyway and let my devices be clients for normal web traffic?
There are basically 2 types of VPNs that can be set up with ddwrt.
First, you can set up a VPN Server, where you are able to access your network from another location.
Or more importantly, you can use ddwrt as a VPN Client for a VPN service such as AirVPN, PIA, or many other services. This allows you to protect your identity, where your ISP cannot track what you do on the web. Also if you use any torrenting software, your location cannot be tracked since your true IP address is hidden and only the address of the VPN is seen. You can also use a VPN service that allows you to be seen as being in another country.
Posted: Mon Jul 10, 2017 15:04 Post subject: Re: to vpn or not vpn?
macsbug wrote:
128bit wrote:
i appreciate your response but i'm a bit confused. are u saying that i should install vpn anyway and let my devices be clients for normal web traffic?
There are basically 2 types of VPNs that can be set up with ddwrt.
First, you can set up a VPN Server, where you are able to access your network from another location.
Or more importantly, you can use ddwrt as a VPN Client for a VPN service such as AirVPN, PIA, or many other services. This allows you to protect your identity, where your ISP cannot track what you do on the web. Also if you use any torrenting software, your location cannot be tracked since your true IP address is hidden and only the address of the VPN is seen. You can also use a VPN service that allows you to be seen as being in another country.
got it! i'm convinced now. i will be the client. if i may, of the services u mentioned, openvpn was not one of them. do i use the dd-wrt openvpn page settings to subsequently use one of those mentioned services? if i'm being a pest, is there a section that better describes how to configure a dd-wrt router as a client? _________________ asus rt-ac86u stock: 3.0.0.4.384_45149
wrt3200acm: r34578 {sunset}
"why nibble when u can take a byte."
Joined: 03 Jan 2010 Posts: 63 Location: Stockholm / Sweden
Posted: Tue Jul 11, 2017 17:44 Post subject:
I have used a couple of VPN Services.
The one I'm most satisfied with is ExpressVPN. Also because I'm gaming a lot, the Ping/Latency is good with this server. I haven't had any disconnects yet. The Speed is good as well.
ExpressVPN uses a DNS-address to connect to its servers which makes the OpenVPN client automatically connect to the next available server in case the one server you are connected to goes down due to maintenance or other things.
I also used AirVPN, but their Swedish servers are so bad when it comes to speed. Anyway, they use DNS addresses for their Country-Servers as well.
NordVPN is good as well. The problem here is, when you change the server, you have to change all Certs / Keys in the config as well. Also each server has its own IP address to connect to each server.
On AirVPN or ExpressVPN you just change the server address to connect and keep the rest. For example changing from the Swedish VPN servers to their Germany VPN servers by just changing the DNS address of the server to connect to. This makes the usage of NordVPN difficult because you are only connecting to one unique server at the time.
so i've been gettin' "primed" today and needed a break. i have a much better understanding now and will likely use the service. so this may very well be my last question. are there any benes from using the host (win 10) vpn setup over the dd-wrt page on the router? i recognize when implemented via win10, the service will be limited to that single host but does that eliminate the performance penalty i'm reading about when configuring our dd-wrt router by using its openvpn page? given a choice, i'd rather protect my pc transactions over the amazon/netflix connected tv stuff. _________________ asus rt-ac86u stock: 3.0.0.4.384_45149
wrt3200acm: r34578 {sunset}
"why nibble when u can take a byte."
re VPN terminology: You may have this all figured out by now, but maybe this will help a bit at least. (To experts: if I got this wrong, do let me know (kindly, that is).)
To use a vpn connection, one connects to a VPN service, like Nordvpn etc, using a VPN client program.
OpenVPN has both client and server programs. In your case you would be using the OpenVPN client program.
Many of the better VPN services will let you use either their proprietary client program or OpenVPN. OpenVPN is generally considered more secure in that you are not forced to use a proprietary vpn client program. OpenVPN is pretty well vetted and well maintained.
As you noted, one can run a vpn client either A) on a PC, MAC, etc or B) on an appropriately capable router etc.
For A) only the PC which runs the client program gets the benefits of the VPN encryption.
For B) running VPN on your router can get your whole system the benefits of VPN; adding the task of VPN encryption to a router does require more router power. Currently OpenVPN seems to be the vpn client of choice for running on a router. One's OpenVPN installation is then set up for your specific VPN service.
on Speed: Since you are adding more processing for every internet activity, there is a "cost" involved. This shows up often as a decrease in speed. However that comes from a number of factors including the VPN service's server speeds, server relative location, & the time/power it takes your system to handle the encryption. And note that OpenVPN is still written to use only 1 cpu core. So for type A) VPN run on a PC, you have more computing power, ram etc available than you get with most any affordable router. For type B) VPN run on router, the wrt3200 does provide a good level of power.
Another difference is that PC based vpn clients often make it easier to change the specific server you connect to. And in terms of the type of VPN service account one needs, note that a router connection "counts as ONE connection" whereas if you are using multiple PCs each would count as a "connection" against your VPN account.
So this is a trade off. For the most part, I prefer to run vetted opensource software. From what I'm reading here, the speed penalty seems to be decently low at ~10% or so. Not sure what one gets with the super speed connections up at 940Mbs, but my ISP would only be able to get me 250Mbs anyway.
If you pick a good VPN service that will work with either A) or B), you can experiment and see which you like.
hth
_________________ multi-tier router stack
wrt 3200's for speed & cpu power, NG R6300v2's for WiFi AP's,
wrt 1200v2 for one of my secure subnets.
wrt54GLs for ad'l 3rd tier machines.
so u guys are really good, k. i'm actually pumped! before i saw your response, i was "priming" along last night and noticed that the wrt3200acm was down to $155. on a different post i asked about it and another member advised me about an even lower price of $120 +tax on ebay! i subsequently canceled my amazon order and bought a refurbished 3200acm from belkin.
these days with tw/spectrum bumping us up to 100mb, it seems like i have more transmission bandwidth than my devices can use. hopefully, the 3200acm will protect the future.
thanks much for your comments as they have cemented my understanding. (so much so, i bought a new router even though the old one was working fine!)
_________________ asus rt-ac86u stock: 3.0.0.4.384_45149
wrt3200acm: r34578 {sunset}
"why nibble when u can take a byte."
@128bit
Glad to have been some help with this. Thanks for letting us know. Good luck with your new wrt3200.
Sam _________________ multi-tier router stack
wrt 3200's for speed & cpu power, NG R6300v2's for WiFi AP's,
wrt 1200v2 for one of my secure subnets.
wrt54GLs for ad'l 3rd tier machines.
these days, in most places around the world, OpenVPN TAP is the way to go!! Really nice day and age we live in to have the speeds necessary to make TAP viable. When I started off, TUN made sense, but not anymore. OpenVPN + DDWRT = SWEET:)
TAP is layer 2 mostly for bridging, and TUN is layer 3, for routing. Most will and should use TUN. Also, less overhead. That's because layer 2 must be simulated, breaking down packets into frames.
Last edited by FredS on Fri Jul 21, 2017 11:22; edited 1 time in total
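An added example, not written by any poster in this thread and not taken from DD-WRT or any VPN provider: a generic OpenVPN client configuration file showing the hostname-based server selection described in the ExpressVPN/AirVPN post next to the pinned per-server style, and the TUN/TAP choice from the last reply. The hostnames, IP address, port and file names are placeholders.

```conf
# Constructed example. All hostnames, the IP address, the port and the
# file names are placeholders, not values from any VPN provider.
client

# TUN = layer 3 (routed); what the last reply recommends for most users.
dev tun
# TAP = layer 2 (bridged); carries whole Ethernet frames, so more overhead.
;dev tap

proto udp

# Hostname style: the name is resolved again on each reconnect, so a
# server that is down can be replaced behind the same name while the
# rest of this file stays unchanged.
remote se.vpn.example.net 1194
remote de.vpn.example.net 1194
# Pick the starting entry at random instead of always the first one.
remote-random
# Keep retrying if name resolution fails.
resolv-retry infinite
# Seconds to wait for a server before moving on to the next remote.
server-poll-timeout 10

# Pinned style: one fixed server address. Moving to another server means
# editing this line, plus ca/cert/key if those are issued per server.
;remote 203.0.113.10 1194

# Detect a dead server and restart, which walks the remote list again.
ping 10
ping-restart 60
persist-key
persist-tun
nobind

# Verify the server certificate against the provider's CA and require
# that it is a server certificate, not another client's.
ca ca.crt
remote-cert-tls server
auth-user-pass

verb 3
```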