OpenVPN Options - Router vs. unRAID Server


Pinozul


I have OpenVPN running on a Windows 10 laptop and can successfully establish a VPN connection to my Netgear R7000 router.  From there, I can access my unRAID server as well as the rest of the LAN.

 

If I were to load the OPENVPN-AS Docker onto unRAID and establish the VPN there rather than the router, what advantages would that provide compared to using the router-based VPN?

 

Also, I didn't have to set up any explicit Port Forwarding to implement the router-based VPN but I believe I would need to configure Port Forwarding to my unRAID server if I wanted to run the OPENVPN Docker on it, correct?

Link to comment

Sounds like you have a fully functional setup at the moment, do you have any reason to mess with that? :)

 

The main reason to run OpenVPN on a full computer instead of a consumer router would be speed. A full computer will likely be able to encrypt/decrypt more bytes per time unit than the router. But do you have a need for faster VPN connections? And does your internet connection even support faster connections, or is it saturated already? No idea what speeds you get from the N7000, what your server would be capable of, or the specs of your internet connection...

 

Another potential reason would be the ability to update the OpenVPN server software independent of the router's firmware releases, should some horrible security hole be discovered.

 

And yes, you would have to set up port forwarding.

Link to comment

Of course, I do!  Messing with stuff (and wasting untold hours doing it) is my mission in life. Just ask my wife...  ;)

 

So from a purely functional perspective, no, the current setup of OpenVPN client to Netgear router works. But I was curious if I might be able to use the built-in Win10 VPN client to connect to the OPENVPN-AS Docker setup on unRAID.  That Win10 client cannot be used to connect to the Netgear router.  And I also have an old Windows Home Server 2011 that supports VPN so I guess I'll try that as well and just see which of the alternatives I like best.

 

With respect to security, I guess in theory all three methods should be equivalent unless, as you mentioned, one or another of the VPN implementations has a security hole.

 

 

Link to comment

I would not change it... From an architectural perspective it is nicer to have your VPN terminate on your router... unless there is a specific reason you would want to change it.

Also, routers tend to not crash... Suppose your server crashes, your VPN will no longer work.

Link to comment

Yes, I think that's a compelling point so I'll just leave the VPN terminating at the router.

 

But as I was messing around setting up VPN access using my Windows Home Server, it dawned on me that these different VPN methods look like they can coexist.  The router implementation appears to be a certificate-based L2TP configuration.  Using WHS, it is a password-based SSTP implementation.

 

So in theory, I guess you could have multiple VPNs running on a router and one or more servers in your network. I get that this is unnecessary and probably decreases your security somewhat, but is there any other problem multiple VPNs would cause?

Link to comment

A crap ton of confusion?  ;D

Link to comment

Well... As long as you mix protocols you could mix. Let's say you have L2TP with IPsec running on the router, then it would be hard to implement that also on your server. You would need to forward the L2TP ports to your server and that would make sure your router cannot use them.

If you mix L2TP/IPsec with PPTP and OpenVPN you could mix them.

Be aware though that you do not STACK them... In theory you could have a PPTP tunnel running inside an OpenVPN tunnel, but that makes it likely that you run into MTU size issues.

Link to comment
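Added example, not part of the original thread: a small planner for the coexistence question discussed above. It lists the port forwards each VPN endpoint behind one public IP would need (the exposure you are adding) and flags listeners that two endpoints would both claim. The host labels (`router`, `unraid`, `whs`) are constructed, and the listener table assumes each protocol's standard default ports (OpenVPN's port is configurable).

```python
# Standard default listeners per VPN type (assumption: defaults unchanged).
# ESP and GRE are IP protocols without ports, hence port None.
VPN_LISTENERS = {
    "l2tp/ipsec": {("udp", 500), ("udp", 4500), ("udp", 1701), ("esp", None)},
    "pptp": {("tcp", 1723), ("gre", None)},
    "openvpn": {("udp", 1194)},
    "sstp": {("tcp", 443)},
}

def plan_forwards(endpoints):
    """endpoints: list of (host, vpn_type); host "router" terminates locally.

    Returns (forwards, conflicts):
      forwards  - (proto, port, host) rules the router must forward inward
      conflicts - (listener, first_host, second_host) double claims
    """
    owner = {}                    # listener -> host that claimed it first
    forwards, conflicts = [], []
    for host, vpn in endpoints:
        for listener in sorted(VPN_LISTENERS[vpn], key=str):
            if listener in owner:
                if owner[listener] != host:
                    conflicts.append((listener, owner[listener], host))
                continue          # already claimed, nothing new to forward
            owner[listener] = host
            if host != "router":  # router-terminated VPNs need no forward
                forwards.append((*listener, host))
    return forwards, conflicts

# Constructed scenarios based on the setups mentioned in the thread.
MIXED = [("router", "l2tp/ipsec"), ("unraid", "openvpn"), ("whs", "sstp")]
SAME = [("router", "l2tp/ipsec"), ("unraid", "l2tp/ipsec")]

if __name__ == "__main__":
    for name, plan in (("mixed", MIXED), ("same protocol", SAME)):
        forwards, conflicts = plan_forwards(plan)
        print(name)
        for proto, port, host in forwards:
            print(f"  forward {proto}/{port} -> {host}")
        for listener, first, second in conflicts:
            print(f"  CONFLICT {listener}: {first} vs {second}")
```

Every forward in the output is a service reachable from the internet on an internal host, so each one is also another piece of software to keep patched.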
