I am looking to set up some hardware with OpenWrt at a remote location to serve as a VPN server.
I have a 17-year-old x86 PC lying around (Dell XPS 420).
Is it just as secure to use this computer, or would a new router be more secure? I am asking purely about remote attacks, assuming no physical access (I made a separate question for that issue).
I feel like the biggest area of vulnerability would be the BIOS.
Physical access = owned. I don't know of any remote BIOS exploits for a machine of that vintage. Keeping OW up-to-date should make that device as secure as any other running OW.
My only concern would be the idle power consumption and noise when used 24x7. If power consumption is reasonably above 20W, I would rather get any recent 30-50€ off-the-shelf router. Should pay off in around 12 months in most countries.
I second @darksky's and @Pico's advice. This PC should run OpenWrt fine, although one may argue about vulnerabilities in the CPU. Anyhow, you need to invest in another NIC (or wifi) to transform it into a router.
I would focus on its power consumption, which will be high compared to today's standards. It would be wiser to invest in a mini PC, or a classical router. But you can keep it for testing purposes. Another idea is to donate it to charity.
For a system of that vintage (Core 2 Duo), I would expect 75-100 watts idle (probably in the middle, a tad closer to the lower side). A better-suited, low-power device (x86_64 (>= baytrail-d or >= haswell) or otherwise) probably pays for itself in a year or less on the electricity bill.
From a security point of view, these systems (CPU, mainboard, BIOS) are out of support, there are no bugfixes anymore - and for spectre/meltdown/rowhammer and friends, the situation is somewhere between unknown/not checked and known broken (with Linux doing some mitigations).
"I am asking purely about remote attacks, assuming no physical access (I made a separate question for that issue)."
As far as remote attacks go, OpenBSD boasts that they have only had 2 remote exploits "in a long time". Their kernel also disables some of the Intel CPU vulnerabilities by default.
They use their own packet filtering but it is relatively elegant.
Good marketing.... disabling these vulnerabilities typically means also disabling some features and sacrificing performance... which can be the right thing to do, but it is just not as simple as "disabling vulnerabilities"...
I also remember OpenBSD being quite 'creative' when it comes to (re-)defining what constitutes the base system when new security issues are being found…
Respectively which packages are not counted there.
No question it is a tradeoff and one that the project made the default.
Others have wisely pointed out the intrinsic vulnerabilities of the older hardware - BIOS/CPU security issues, power consumption, etc.
One more consideration - and this is the main reason why I'd NOT use old hardware like this - is reliability.
Presumably you're not using this for a commercial purpose (so downtime doesn't correlate to missed revenue), but it serves a purpose for you (and perhaps for others), and failure will at least be inconvenient - and it will always happen at the least convenient time.
Even with a new SSD, a new power supply, a UPS providing protected mains power, electronics fail over time because board-level components drift out of spec - particularly the electrolytic capacitors that keep the power supply rails accurate. While it can be an interesting educational exercise to proactively replace all of the components that may be falling out of spec, it would likely be a far better use of your (presumably) limited time and resources to pick up an appliance dedicated to this purpose.
Why not look at a little box like a GL.iNet travel router (I own a GL-MT300N-V2)? They're less than $30, consume less than 3W, and run the current OpenWrt. If it doesn't have enough horsepower for your needs, there are more powerful versions for a few bucks more.
Dells were notorious, at some point back about then, for motherboard capacitor failures.
You might not notice it under light usage, but it could fail suddenly, or just degrade until you noticed it being unreliable.
If it's not easy for you to physically get there to replace it, I would not entrust the task to a machine that old.
Consider a RasPi4 or similar. More than enough CPU to handle a VPN's traffic (unless it's a mux for dozens of clients).
Unfortunately, RPi4s are in the unobtanium domain as well as highly priced.
Yes, the Raspberry Pi 4 makes sense, but these days I can only find them from scalpers, and it feels wrong to buy it for 4 times the price.
I think the XPS is from their consumer line, but Dell and HP business grade machines have better design margins on the capacitors etc. and rarely fail.
NanoPi or Banana Pi are other options but still $110+