Ask Slashdot: Advice On Building a Firewall With VPN Capabilities?
An anonymous reader writes "I currently connect to the internet via a standard router, but I'm looking at bulking up security. Could people provide their experiences with setting up a dedicated firewall machine with VPN capabilities? I am a novice at Linux/BSD, so would appreciate pointers at solutions that require relatively little tweaking. Hardware-wise, I have built PCs, so I'm comfortable with sourcing components and assembling into a case. The setup would reside in my living room, so a quiet solution is required. The firewall would handle home browsing and torrenting traffic. Some of the questions knocking around in my head: 1. Pros and cons of buying an off-the-shelf solution versus building a quiet PC-based solution? 2. Software- versus hardware-based encryption — pros and cons? 3. What are minimum requirements to run a VPN? 4. Which OS to go for? 5. What other security software should I include for maximum protection? I am thinking of anti-virus solutions."
This will let you connect to VPNs and such http://www.buffalotech.com/products/wireless
or for a more geek solution https://www.pfsense.org/
That was easy.
Sig withheld to protect the innocent.
A VPN? To connect to where, from where? Are you doing this for something to do, or because you want to implement the best solution? Do you just want better router software?
Install Tomato or DD or OpenWRT or any one of their variants on your existing router.
Building your own in the name of security isn't going to work unless you really know what you're doing, which you said you don't in your summary. That sounds like a dick thing to say, but it's not. Security is difficult for people that know what they're doing; when people who don't try to DIY it, it's almost universally bad.
Keep on knockin'
https://robbiecrash.me
Buy a Ubiquiti EdgeRouter Lite.
I build these critters all the time. Our entire multioffice infrastructure is based on Debian-based routers with OpenVPN. OpenVPN is pretty simple to get running, and I use Webmin to build my iptables rules.
The world's burning. Moped Jesus spotted on I50. Details at 11.
I love me some pfSense. We use it at the office and it handles everything we can throw at it (including VPN/IPSec between offices to backfeed high bandwidth security video). It is also lightweight enough to work in a home environment on minimal hardware.
Their hardware is both overpriced and well-made. For our small branch offices their embedded devices (such as https://store.pfsense.org/VK-T...) are better than what we could create on our own in low volume and a lot less work. For larger branch offices we will stick pfSense in a virtual machine with whatever else they have running. It does well as a VM, too.
Cheers,
Matt
I picked up an Asus ac66u last year (there are later models and I suspect cheaper ones in the range that are similar) - and it supports VPN (amongst all manner of other stuff).
Just have an extra page on the GUI to allow you to generate an OpenVPN cert and account privs. Pretty useful, as it means when I'm travelling I can just seamlessly add my phone to the home network.
I'd thought about buying something dedicated (well was more a NAS project, I thought I could add this to) - but unless you've got some complex needs or high volume - I strongly suspect I'd make more of a mess (both function and security) trying to set it up myself.
Grab a cheap Mikrotik RB750 or similar and you'll find you have an out-of-the-box solution that's feature-rich, supported, and easy to use.
"Oh no... he found the
The hardware is easy:
Either get a router that you can add DD-WRT/tomato to or build your own PC.
Software answer:
OS = OpenBSD
VPN = OpenVPN
BUT you are not asking the right questions.
VPNs only work when 2 ends connect. So what VPN server/client will the other end of your connection use? What are you actually trying to do? Does your work have a fat-connection that they will let you use? Are you planning on paying for VPN service from a 3rd party? Do you want to create a VPN between your home and your laptop while you travel?
If you want to build yourself a solid, dependable, 'solution' follow this guide:
http://www.bsdnow.tv/tutorials...
"The price good men pay for indifference to public affairs is to be ruled by evil men." ~Plato (427-347 BC)
AskSlashdot is a joke. I mean all you get are jokes, or whatever comes up first in a basic Google search.
We are the Google algorithm...
You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
Just download and install VyOS (fork of Vyatta) if you're building your own firewall.
http://vyos.net/wiki/Main_Page