Routers

For several years I have been using non-ISP-provided routers, mostly because these allow greater customisation of how the services on the router behave, such as local DNS names or secure VPNs. Equally, since I have been using desktop or server hardware, these systems typically perform better in terms of LAN to LAN connections and DHCP lease speeds. The main outcome of this has been the chance to test configurations in a practical way and gain an appreciation for networking concepts.

For the past few years I have been using pfSense from Netgate as my router and firewall, both virtualised and on bare metal. While pfSense is both very capable and has a clean and responsive web interface, its comparatively high resource requirement and lack of a comprehensive CLI make it an awkward choice for VPS usage.

Last March I discovered MikroTik's range of affordable and compact routers and got myself a hAP ac lite router with a list price of only $50. This router provides five 100Mbps Ethernet ports and dual-band ac Wi-Fi, but most importantly it provides almost complete access to the RouterOS software. MikroTik also releases this software as a virtual machine with a one-off cost based on the link speed required.

Since the main motivation of setting up a router on my VPS is to be a VPN endpoint for my mobile devices, I have been looking at the process and performance of setting up various types of VPN. As there are many different types of VPN currently available, it is hard to know which to focus on. I chose to look at OpenVPN, SSTP and IPsec VPNs as these are available by default in RouterOS, and OpenVPN and IPsec are available in pfSense.

To test these VPNs I set up 4 VMs, each with 1 core and 1GB of RAM, all interconnected with a virtual 10+Gbps connection. The tests were carried out using site-to-site VPNs between iPerf3 servers. As a reference, throughput through an Ubuntu server VM with NAT masquerade achieved 19.4Gbps.

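| VPN Types              | pfSense  | RouterOS |
|------------------------|----------|----------|
| LAN -> WAN Baseline    | ~1.5Gbps | ~1.7Gbps |
| EoIP                   | -        | ~1.9Gbps |
| EoIP with IPsec        | -        | ~450Mbps |
| SSTP                   | -        | 25Mbps   |
| OpenVPN TCP tun        | tba      | 35Mbps   |
| OpenVPN UDP tun        | tba      | -        |
| IPsec IKEv2 Mutual RSA | tba      | 890Mbps  |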