In search of Mini PC

Hello everyone,

I'm looking for recommendations for a mini PC to serve as the main office router for a small team of 45 users, with 25 of these 45 doing mostly remote work over VPN, via RDP to a 2016 Windows server at the office.

Is there any good recommendation for a mini PC with all of its onboard components fully compatible with OpenWrt?

Has anyone had experience with the Huidun H20 alderlake97? Are its board, LAN and WiFi compatible with OpenWrt?

Any info is welcome,

Thank you

Any Intel CPU (within reason, i.e., made since say 2010) will work just fine with OpenWrt (since Linux's primary development platform is x86).

I can't find specs on any of the PHY devices, so I'll assume Intel or Realtek for the 1 GbE, either of which will have solid Linux drivers and work fine.

If it has Intel Wifi, that won't ever work, they're broken in AP mode. Maybe get a box with more ports and use real external APs? How many of your local ~20 connections will be Wifi vs wired?

An N97 should be able to handle VPN traffic at near line speed, but it might be tight. Might want to jump off the Celeron line and get a Core i3-N305 to give you some room (plus those usually come with 4x2.5 GbE NICs, so you can make the local net a bit faster).

1 Like

The publicly available specs do not list the WiFi adapter model. Also, this is a case of deceiving specs (WiFi 6, 9.6 Gbps) on Walmart, so I would be wary of this manufacturer.

In any case, the most common WiFi adapters are made by Intel, and they cannot be used as access points in the 5 GHz band.

For a VPN router use case without WiFi, please consider the Protectli Vault VP2430. (EDIT: sorry for suggesting an unnecessarily expensive model earlier.)

For WiFi, there were success reports on Reddit with this module, which can be installed in the mini-PC: https://asiarf.com/product/wi-fi-6e-m-2-ae-key-module-mt7916-aw7916-aed/ , but I have no direct experience.

In any case, please also consider GL.iNET Flint 2 (GL-MT6000) as a cheaper alternative that delivers 40% of the VPN throughput (good enough on a 400 Mbps line with WireGuard) and has unquestionably better WiFi.

2 Likes

Protectli Vault VP2430 appears to be the only game in town, since PCEngines stopped. Every other MiniPC has documented reliability problems. The only other way to beat the Vault is to build an mITX yourself with server grade hardware (which can have dual-channel memory), which will use more power, or to get a Supermicro rack server, costing 2.5x, making more noise, and using more power. The OOB-management features of a proper server are probably worth it in your case, however.

For maximum reliability you can also just install NixOS on it instead of OpenWrt; I use OpenWrt on some devices because https://www.liminix.org/ isn't supported on those. For the Protectli, existing users have published configuration files, which means that you can even virtualize your setup based on theirs and test all the services you require before you buy the device. Via OpenWrt this is possible too, but it's more cumbersome.

OpenWrt is nicer than vendor firmware, but NixOS has been designed to be reliable to update and OpenWrt was not.

For what you are doing, you need to think about what you are going to do when your MiniPC fails and 45 people can't work. Are you going to buy two? Hot swap them? Pray that one will just continue to work? What's the time to replace and reconfigure? What if you are on a holiday? What about someone DDoS'ing your VPN-endpoint?

2 Likes

While I do think this might be a little pessimistic, you could broaden your selection significantly by including SFF sized systems (yes, there might be some impact on idle power consumption, but within reason).

2 Likes

What is the maximum amount of Memory supported by OpenWrt?

You don't state the speed of the Internet link, but with 25 VPN connections is OpenWrt suitable for such a task?

The AP should be wall mounted; trying to do an all-in-one box does not sound like a suitable approach.

1 Like

You are right. I know there's a whole second hand thing going on for those as well. I don't know what comparable fanless SFF systems would cost.

I think I was briefly aware of those, but I think fanless was a hard requirement for my use case (if I mess up, I am the one sitting in the noise).

They are typically not fanless, but very quiet.

--
It is much harder to design a fast and fanless PC than a PC whose fan doesn't spin in all but the most stressful/hot circumstances, or remains at low RPMs 95% of the time. Even very low (inaudible) RPMs and very low airflow make a huge difference in terms of cooling.

1 Like

OpenWrt probably can be made to work with TBs of RAM. Not sure where your question comes from, since the entire point of any "open" system is to remove limitations.

Presumably you know that OpenWrt runs Linux and Linux supports probably more than physical memory exists in the world on one machine.

Why hasn't Intel addressed this? Which WiFi chip works best with OpenWrt?

40%? So the Flint 2 will only deliver a max of 400Mbps on a gigabit connection? Is this supposed to be impressive?

Intel has not addressed this limitation because not including any radar-detection circuitry saves them money. For client systems, radar-detection is not needed, as it is done by the AP. And, in fact, Intel cards do work as repeaters even on 5 GHz.

1 Like

There's a sticky topic about exactly your expectations.

If you want Gb speeds, you need semi-professional gear and you need to pay more than historically was the case for a router.

Having said that, the only application I see for gigabit is if you are a large enterprise with services for many people or have some data intensive business otherwise.

You don't need Gb/s to browse the web, because no server supports it.

I was talking about full-on VPN throughput, where nothing bypasses the VPN. Without the VPN, the router can of course saturate the gigabit connection easily.

There are claims online that WireGuard on Flint 2 can reach 900 Mbps. I don't have a good-enough line to test this claim over the internet.

I think there's no real problem, because you can also just use three routers in that case. One splits the traffic to the other two and those then do the work.

It's just that what you save in hardware is going to cost you in terms of time of a network engineer.

You do need the router to be able to handle the full line speed, otherwise, there will be bufferbloat.

2 Likes

I don't think any human can notice that in the setup I described, which is a kind of load balancing architecture.

Read "A Wireguard comparison DB" to get an idea of what kind of VPN throughput you could expect from x86 CPUs...

2 Likes

I hear you, but I'm also paying for a gigabit fiber optic connection. I would love to take full advantage of it when the use cases do arise.

You aren't paying for that, probably. It's a fiction. For every subscriber like you there are probably a hundred people who will never fully use it.

I am not saying you can't try to optimize your infrastructure, but I am saying it's probably pointless.

Depending on the ISP there are often hidden limits imposed, so I fully expect you will hit those then. For example, I couldn't even saturate a 100Mbit connection some years ago, because it would overheat the modem/router combination.

My opinion is that probably a business fiber connection is a fair product, but consumer fiber products are basically elaborate lies exploiting ignorance.

Let's take this to an extreme: suppose you continuously send 1 packet to the farthest places in the world at line speed and let's say everyone were to do that; it would use so much power that every ISP would go bankrupt.

It's a system and it works as long as most people behave.

Once you pay for a business fiber with associated guarantees, perhaps then you are paying for it, but the fine print of your ISP-contract will not say what you think it does.

1 Like