If it were me, I'd just use OpenBSD with IPSec at all three locations, instead of SOHO routers at the remote sites. I say that primarily because I've used both OpenVPN and IPSec with OpenBSD, and the latter is much, much easier to configure and use.
OpenVPN has its advantages, but I don't see any in this particular situation unless DD-WRT is required.
This isn't totally out of the question, except the routers are pre-existing (but available for re-provisioning) and I don't have any spare computers to run OpenBSD. I could get some used, but it will still cost probably $300 or more in hardware after purchasing the 2nd NICs and new hard drives. I was just trying to save money.
Quote:
The Linksys' switch ports (switch port to switch port) will, but then you're not routing or VPN'ing. The WAN port may not, especially with openVPN encrypt/decrypt running. /S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.
A citation in support of s2scott's comment:
From Performance Analysis of OpenVPN on a Consumer Grade Router, http://www.cse.wustl.edu/~jain/cse567-08/ftp/ovpn.pdf: Quote:
If I interpreted correctly, it seems my desired configuration above would be summarized by this statement from the study:
Quote:
Just FYI regarding cipher and key sizes.
The computational work units needed to crack the AES block cipher strength at 128 is the same computational work units needed to crack a DH key at 3072 bits. DH 1024 is no longer sufficient. DH 2048 is becoming insufficient. AES128 is more than sufficient for a real-time stream, especially if you cipher block chain as openVPN does by default, and is out of reach for a fair while still given today's available processing power, including grid computing and Moore's Law factored in. DH3072 is out of reach for quite a while. I love admins who use a weak 512 or 1024 DH key to secure an overly-strong AES256 cipher key. Recommend you dial down the AES and dial up the periodic-event DH strengths. It'll help with your throughput. /S
Last edited by s2scott; 1st September 2009 at 04:11 AM.
Oh, if the AES128 cipher operation uses a pre-shared key instead of a DH key exchange, then a pre-shared key of 63 characters of an "alphabet" of [0-9][a-z][A-Z][the other printable chars] is way out of reach.
Twelve (12) or fewer characters is vulnerable. Sixteen is considered "safe" minimum at today's processing power. BTW, this is true for all the WPA and WPA2 wireless access points out there. So amp-up the "password"/"key" lengths. https://www.grc.com/passwords.htm is my favorite random key generator site. Notice it's SSL only access. /S
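An added example, not code from the thread or from any of its posters, that puts s2scott's last two posts into something you can run: it maps a DH modulus size to the symmetric strength it actually delivers (the AES-128/DH-3072 pairing above is one row of the NIST SP 800-57 equivalence table, which is assumed here), estimates the entropy of a pre-shared key from its length and the character classes it uses, generates a 63-character key from the full printable alphabet with a CSPRNG, and reports which of cipher, DH group or PSK is the weakest link. The 16-character minimum and the "12 or fewer is vulnerable" threshold are taken from the post; the function names and the `assess` return format are my own.

```python
import math
import secrets
import string

# Alphabet the post describes: [0-9][a-z][A-Z] plus the other printable characters
# (string.punctuation); 94 symbols in all. Space is left out so keys paste cleanly.
PSK_ALPHABET = string.digits + string.ascii_letters + string.punctuation

# Symmetric security strength (bits) -> finite-field DH modulus (bits) of the same
# strength, as tabulated in NIST SP 800-57 Part 1 (assumed reference). The post's
# AES-128 <-> DH-3072 pairing is the 128-bit row.
DH_MODULUS_FOR_STRENGTH = {80: 1024, 112: 2048, 128: 3072, 192: 7680, 256: 15360}

# Thresholds taken from the post: 12 or fewer characters is vulnerable, 16 is the
# safe minimum.
MIN_PSK_CHARS = 16


def generate_psk(length=63, alphabet=PSK_ALPHABET):
    """Draw a pre-shared key with the OS CSPRNG (secrets), never random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def psk_entropy_bits(psk):
    """Entropy of a uniformly random key = length * log2(alphabet size).

    The alphabet is inferred from the character classes the key actually uses, so a
    lowercase-only key is credited with 26 symbols per position, not 94.
    """
    classes = (string.digits, string.ascii_lowercase,
               string.ascii_uppercase, string.punctuation)
    size = sum(len(cls) for cls in classes if any(ch in cls for ch in psk))
    return len(psk) * math.log2(size) if size else 0.0


def dh_strength_bits(dh_bits):
    """Symmetric-equivalent strength of a DH group: the largest table row it reaches.
    Anything below DH 1024 gets 0, i.e. no recognised strength at all."""
    return max((s for s, m in DH_MODULUS_FOR_STRENGTH.items() if m <= dh_bits),
               default=0)


def min_dh_bits_for_cipher(aes_key_bits):
    """Smallest DH modulus that does not undercut the chosen AES key size."""
    strength = min(s for s in DH_MODULUS_FOR_STRENGTH if s >= aes_key_bits)
    return DH_MODULUS_FOR_STRENGTH[strength]


def assess(aes_key_bits, dh_bits=None, psk=None):
    """Find the weakest link of a VPN parameter set and say what to dial up or down.

    Pass dh_bits for a DH key exchange or psk for a static pre-shared key (the two
    ways the session key gets agreed in the posts above). Returns the effective
    strength in bits, the limiting component, and a one-line recommendation.
    """
    links = {"aes": float(aes_key_bits)}
    if dh_bits is not None:
        links["dh"] = float(dh_strength_bits(dh_bits))
    if psk is not None:
        links["psk"] = psk_entropy_bits(psk)
    weakest = min(links, key=links.get)   # on a tie "aes" wins: that is the balanced case
    effective = links[weakest]

    if weakest == "dh":
        advice = (f"DH {dh_bits} delivers ~{effective:.0f} bits; raise it to "
                  f"DH {min_dh_bits_for_cipher(aes_key_bits)} or lower the cipher to match")
    elif weakest == "psk":
        advice = (f"PSK of {len(psk)} chars gives ~{effective:.0f} bits"
                  + (f", below the {MIN_PSK_CHARS}-char minimum" if len(psk) < MIN_PSK_CHARS else "")
                  + "; generate a 63-char key from the full printable alphabet")
    else:
        advice = f"balanced: AES-{aes_key_bits} is the limiting factor, which is what you want"
    return {"effective_bits": effective, "weakest": weakest, "advice": advice}


if __name__ == "__main__":
    # The mismatch the post complains about: strong cipher behind a weak DH group.
    print(assess(256, dh_bits=1024)["advice"])
    # A short lowercase PSK in front of AES-128 (constructed sample key).
    print(assess(128, psk="abcdefghijkl")["advice"])
    # A freshly generated 63-character key leaves the cipher as the limit.
    print(assess(128, psk=generate_psk())["advice"])
```

Running the block prints the three verdicts in order: DH 1024 caps an AES-256 tunnel at about 80 bits, a 12-character lowercase key caps AES-128 at about 56 bits, and a 63-character key from the 94-symbol alphabet (roughly 413 bits) leaves AES-128 as the limit, which is the balanced state the post recommends.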