I’m looking for a secure alternative to eoip to connect two routers to one another over Ethernet. It must also be something that I can then add as a mesh port.
EoIP does what it needs to do, but the performance knock is massive. Over a Gbps Ethernet link I'm only getting around 10MB/s of real throughput before the CPU hits 100%.
EoIP is not secure. To make it secure you use IPsec. EoIP over IPsec.
It’s just like GRE only it passes ethernet frames too.
It has small overhead and can definitely max out a gbit link. I use many such tunnels on gbit links.
The high CPU usage you see is most likely because you use IPsec with EoIP (that ‘IPsec Secret’ field in EoIP interface settings).
If your CPU does not support hardware acceleration for AES encryption/decryption then it would be slow as hell.
There’s no ‘secure’ approach that can do gbit without a CPU that supports AES encryption/decryption or at least a beefy x86 CPU.
In other words the problem is not EoIP but IPsec encryption.
> EoIP does what it needs to do, but the performance knock is massive. Over a Gbps Ethernet link I'm only getting around 10MB/s of real throughput before the CPU hits 100%.
Which routerboard?
> If your CPU does not support hardware acceleration for AES encryption/decryption then it would be slow as hell.
hEX is really well suited for this. (Also RB1100AHx2, CCR.)
Yeah, I know that, but I am primarily using wifi and falling back to Ethernet when the signal is too bad or the distance too great. If the wifi security is good enough for the wifi links, then something equivalent should also be good enough for the Ethernet links. At the moment with wifi and WPA2-PSK I can still get speeds close to 100Mbps. If I can get that with comparable security on the Ethernet I will be happy for now.
As far as I understand, WPA encryption is done on the wifi chip not on CPU.
So these chips are designed to handle that amount of traffic and encryption/decryption.
IPsec and other VPNs are done on CPU.
Your routerboard simply doesn't have a CPU powerful enough (or with AES support) to do what you ask.
No matter what you use (I assume you look for something secure) your bottleneck is the CPU.
OpenVPN uses AES too.
SSTP too.
PPTP is long broken so it’s not secure.
You can try a different encryption algorithm in IPsec (i.e. DES, 3DES, etc.) to get more bandwidth out of the same CPU, but the encryption will be less strong, and you still won't get a gbit.
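The replies above put the bottleneck on the CPU doing IPsec encryption rather than on EoIP itself, and the last one suggests trading cipher strength for throughput. Rather than guess, you can measure what your CPU actually manages per cipher. The following is an added example, not code from this thread or from MikroTik: a Go program that encrypts full-size (1500-byte, padded to 1504) Ethernet-frame-sized buffers with the same cipher suites an IPsec proposal offers (AES-128-CBC, AES-128-GCM, 3DES-CBC) and reports MB/s. Go's crypto/aes uses AES-NI when the CPU has it, so running this on the host you have in mind, or on a PC with and without hardware AES, shows the gap the replies describe. The keys, the frame payload and the frame count are constructed here for the benchmark; the fixed IV is a benchmark shortcut, real IPsec uses a fresh IV or nonce per packet.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"encoding/binary"
	"fmt"
	"time"
)

// frameSize is 1500 (a full Ethernet payload as EoIP carries it) rounded up to a
// multiple of 16, so it is a whole number of blocks for both AES (16) and 3DES (8).
const frameSize = 1504

// Constructed, fixed benchmark keys; never use static keys like these for real traffic.
var (
	aesKey  = []byte("0123456789abcdef")         // 16 bytes: AES-128
	tdesKey = []byte("0123456789abcdef01234567") // 24 bytes: 3DES (three 8-byte keys)
)

// Result is one cipher's measured throughput over the benchmark run.
type Result struct {
	Name   string
	Frames int
	MBps   float64
}

// benchCipher encrypts `frames` constructed frames with encryptFrame and returns
// the achieved plaintext throughput in MB/s (1e6 bytes per second, as link speeds are quoted).
func benchCipher(name string, frames int, encryptFrame func(dst, src []byte)) Result {
	src := make([]byte, frameSize)
	for i := range src {
		src[i] = byte(i) // constructed payload; content does not matter for throughput
	}
	dst := make([]byte, frameSize+32) // room for GCM's 16-byte tag
	start := time.Now()
	for i := 0; i < frames; i++ {
		encryptFrame(dst, src)
	}
	secs := time.Since(start).Seconds()
	return Result{Name: name, Frames: frames, MBps: float64(frames*frameSize) / secs / 1e6}
}

// newAESGCM returns an encryptor for AES-128-GCM (AEAD: confidentiality and integrity in one pass).
// The nonce is a counter so it never repeats under the key, which GCM requires.
func newAESGCM(key []byte) func(dst, src []byte) {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, aead.NonceSize()) // 12 bytes
	var counter uint64
	return func(dst, src []byte) {
		counter++
		binary.BigEndian.PutUint64(nonce[4:], counter)
		aead.Seal(dst[:0], nonce, src, nil)
	}
}

// newCBC returns an encryptor running the given block cipher in CBC mode with a fixed
// zero IV. That is only acceptable for a throughput benchmark; IPsec uses a per-packet IV.
func newCBC(block cipher.Block) func(dst, src []byte) {
	iv := make([]byte, block.BlockSize())
	return func(dst, src []byte) {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(dst[:len(src)], src)
	}
}

// runAll benchmarks the three suites and returns their results in a fixed order.
func runAll(frames int) []Result {
	aesBlock, err := aes.NewCipher(aesKey)
	if err != nil {
		panic(err)
	}
	tdesBlock, err := des.NewTripleDESCipher(tdesKey)
	if err != nil {
		panic(err)
	}
	return []Result{
		benchCipher("aes-128-cbc", frames, newCBC(aesBlock)),
		benchCipher("aes-128-gcm", frames, newAESGCM(aesKey)),
		benchCipher("3des-cbc", frames, newCBC(tdesBlock)),
	}
}

func main() {
	// 200000 frames * 1504 bytes is roughly 300 MB per cipher.
	for _, r := range runAll(200000) {
		fmt.Printf("%-12s %8.1f MB/s\n", r.Name, r.MBps)
	}
}
```

Compare the numbers against the link you want to fill: a 1 Gbit link needs about 125 MB/s in one direction, and the router has to encrypt and decrypt, so halve what a single core shows before deciding a proposal. The ranking the program prints on your hardware, not the nominal "weaker cipher is cheaper" intuition, is what should drive the choice of algorithms in the IPsec proposal.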