|
⇤ ← Revision 1 as of 2021-11-09 12:11:32
Size: 3341
Comment: initial writeup dump
|
Size: 3527
Comment: add CM4 carrier board
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 44: | Line 44: |
| There's also the RPi CM4-based solutions, like this one: https://www.dfrobot.com/product-2242.html - note that this is the carrier only, you still need to buy the CM4 itself as well. |
I've been pondering how best to do this, and I have some ideas. What we all want is a magic box that you plug in ("bump on the wire"), and it makes your VPN stuff just work.
But I'd also like something that can do site-to-site VPNs. We just want "a box at each end". How best to do that too?
Hardware
Assume ethernet.
For a site-to-site you can use a single-port device I think, but 2-port is nicer. The single-port case uses VLANs to separate the traffic, unless your remote-clients live in the same subnet. That's actually a really nice setup, but it's a little more complex to manage.
If your router/gateway has a LAN2 port (thinking of Unifi gateways here), you can plug the "remote" port of the VPN appliance into that, so the router/gateway treats it as a separate LAN and should just work when it comes to routing.
For a road warrior setup, a 2-port device lets you have a clean "inside" and "outside" port separation. This assumes you'll proxy all your traffic via the "home" end.
DIY or off the shelf
For DIY I'd use a raspberry pi or similar. For off the shelf it looks like Microtik's RouterOS has it builtin, so that'd be a great option there.
Microtik
Gigabit ports and actually in stock, $120 AUD: https://wisp.net.au/mikrotik-hex-s-rb760igs-5-gigabit-ethernet-sfp-256-mb-ram-usb-microsd-routeros-l4-ipsec.html
100Mb ports, $88 AUD: https://wisp.net.au/mikrotik-rb750upr2-hex-poe-lite-650mhz-64mb-5-lan-usb.html
Above those prices, you find the Routerboard devices like this, $158 AUD: https://wisp.net.au/rb2011ils-in-1sfp-5fe-and-5gbe-includes-case-and-power-supply.html
DIY
Depends on how much traffic you want to handle, but gigabit is a good futureproof option if you can spend the dollars.
- An RPi 3B+ is about 60 AUD plus shipping. Can we do it cheaper? All we need is ethernet, and a decent amount of CPU grunt.
Rock Pi S is $15 USD (about 20 AUD) plus shipping, only 100Mb ethernet and low power, 512MB RAM and no wireless 'cause it costs extra. https://shop.allnetchina.cn/collections/frontpage/products/rock-pi-s?variant=29067635458150
- Powered by USB-C 5V
Rock Pi E is $35 USD (about 47 AUD) plus shipping, 1Gb + 100Mb ethernet, better CPU, 1GB RAM and has wifi 'cause it's only $3.50 extra. https://shop.allnetchina.cn/collections/frontpage/products/copy-of-rock-pi-e?variant=31974543392870
- Powered by USB-C 5V
The RK3328 in the Rock Pi E is about half as performant as the BCM2711 in the RPi4, but the board is way cheaper. I'd call it a win for this application. https://www.cpubenchmark.net/compare/Rockchip-RK3399-vs-BCM2711-vs-Rockchip-RK3328/3987vs4297vs4295
The Rock Pi S has an RK3308, and is probably even slower, but it's not made for speed. It's made for IOT stuff
Accessories:
Rock Pi S has a convenient case: https://shop.allnetchina.cn/products/rock-pi-s-case?variant=31957891088486
Rock Pi E passive heatsinks: https://shop.allnetchina.cn/collections/frontpage/products/rock-pi-model-e-heat-sink-kit
There's also the RPi CM4-based solutions, like this one: https://www.dfrobot.com/product-2242.html - note that this is the carrier only, you still need to buy the CM4 itself as well.
Config in RouterOS
GPS NTP time server
Unrelated, but a good spot for it because it's a Rock Pi S inside: https://centerclick.com/ntp/