Topology help - what should go where? (for best VPN performance ;) )

First, hi 🙂
Second, I am very new to ROS, but have business experience in configuring networks incl. site-to-site IKEv2. Not any fancy routing or ISP setups though.

I am trying to piece together my home network in a sensible way - ultimate aim is to get the best throughput from my commercial VPN, at this point PureVPN.

Here are the pieces I have:

  • Mikrotik CRS-326 running ROS
  • TP-Link Archer C2600 running OpenWRT
  • Netgear R7800 running DDWRT
  • Netgear R7000 running DDWRT
  • D-link 868L running DDWRT
And also here, but trying to avoid using:
  • Dell Powerconnect6248 w/ 2x twin 10Gb SFP+ modules (uses 80W at idle :E)
  • Watchguard XTM 330 (noisy)

Internet connection 500/40. I’ll be leaving the ISP modem in full mode in order to provide a Guest Wifi at this level.

So basically one of these guys needs to run the VPN tunnel. Or should I pick up an extra RB750Gr3 for example and let that handle all the VPN deals?

Thanks in advance..

Thought designing something would be fun.. 😕

What kind of VPN tunnel?

I run an IPSec between two RB750Gr3. Basically maxes out the Internet connection.

Commercial provider.. no WireGuard as yet.. I believe it’s in the works though.

What speed is your connection? Any idea what an x86 with AES-NI will do on OpenVPN/WG? Guess I should be looking to the future…

Okay, so not a site-to-site VPN but a commercial VPN breakout service. I run a site-to-site between two locations.

Well, OpenVPN works great with AES-NI on Linux, but OpenVPN is generally slow.
WireGuard can’t use AES-NI at all (different ciphers). RouterOS 7 will have WireGuard support.

BTW, the only ROS-running gadget from the list (CRS-326) doesn’t have any HW support for encryption and has a pretty slow CPU. So it will suck as a VPN end-point big time regardless of the VPN type chosen. And that’s not likely to improve with ROS v7.