Dear all,
I've used DD-WRT routers to build a continent-spanning OpenVPN network.
Each physical location is on a different subnet: 172.22.XX.00/16 where XX is 50, 51, 52, etc.
Each subnet has its own DHCP and DNS, and I used ebtables to block DHCP requests over the tap interface.
Now I've installed LEDE on my WRT1200AC, WRT1900ACS and WRT3200ACM routers and I must say,
it runs smoothly and perfectly out of the box. Everything works great! Also, the LuCI web interface is so beautiful.
But I did some OpenVPN performance testing just recently.
In my comparison I let the ASUS RT-AC88U, ASUS RT-AC5300, NETGEAR R9000 and NETGEAR R7000 compete with my WRT3200ACM. Nothing beats the latest of the WRT series!
However, I also used an Intel Xeon i3, Celeron i3 and desktop i5 under Windows to handle an OpenVPN connection on layer 2 with the same encryption settings. All 3 support AES-NI. Results: not even the fastest router on the market comes close to what an Intel chip can perform! Even an Intel Celeron chip with AES-NI outperforms the fastest router CPU by a factor of 2. However, on Windows there is no ebtables, of course. Which means that with multiple DHCP servers on the layer 2 network, I'm getting some weird results. Mostly the clients pick the first DHCP server, which naturally is the one located in their own physical network. Sometimes, especially with WLAN clients, they pick the DHCP server from the other physical location.
To get further into this, I also noticed that ebtables does have its impact on performance.
Now I have several options:
manually add a list of devices to be ignored to dnsmasq.conf on each router:
dhcp-host=XX:YY:ZZ:AA:OO:FF,ignore
or still use ebtables on those physical networks that don't use Windows for OpenVPN, and then only
add this list of devices to be ignored on the routers serving the physical networks running OpenVPN over
Windows.
or maybe something else someone here comes up with?
Just asking what you would do in my situation. How best to handle this?
If you are aware of a Windows layer 2 firewall which I can apply to the Windows tap driver/interface,
then I could use ebtables on the routers handling the tap interface and a Windows layer 2 firewall handling
the Windows tap interface, of course.
But I'm not aware that such a thing is possible on Windows, and like I said, ebtables does seem to have some performance impact.
Basically the trick is to have a very powerful "Intel AES-NI" server running OpenVPN as a server capable of doing over 200Mbps encryption (as my fiber optic internet is only 200Mbps upstream and 200Mbps downstream) and at the same time block ports 67/68 on layer 2 for the tap interface. Once that is done server side, all port 67/68 requests over layer 2 by all clients are dropped at server side. Correct?
So basically, how do I implement this on the server?
Now, I know of pfSense, I know about virtual machines, running Windows AD next to pfSense, or even running Ubuntu or LEDE in a VM. But what would be the best and most stable solution, taking everything into consideration?
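The server-side layer 2 DHCP block the post asks about, as an added example that is not part of the original post. It assumes a Linux OpenVPN server whose tap interface (here tap0, an assumed name; set TAP= to override) is a port of a Linux bridge, and that ebtables is installed (an nftables bridge-family variant is printed alongside for newer systems). The `show` mode only prints the rules; the `apply` modes load them and must run as root.

```shell
#!/bin/sh
# Added example (not from the original post): drop DHCP (UDP 67/68) on an
# OpenVPN tap interface at layer 2, so the DHCP server at one site never
# answers clients at the other site over the tunnel.
# Assumptions: the tap interface is tap0 (override with TAP=...), it is a
# port of a Linux bridge, and ebtables or nftables is installed. Only the
# "apply" and "apply-nft" modes touch the kernel; they require root.

TAP="${TAP:-tap0}"

# Print the ebtables commands for one interface, one per line, without
# running them. Four rules cover DHCP coming in from the tunnel (-i) and
# DHCP leaking out into the tunnel (-o), whether the frame is forwarded to
# other bridge ports or delivered to the bridge's own IP stack.
dhcp_block_rules() {
  ifc="$1"
  for spec in "FORWARD -i" "INPUT -i" "FORWARD -o" "OUTPUT -o"; do
    set -- $spec
    # -p IPv4 makes the --ip-* matches valid; client port 68 and server
    # port 67 are both covered by the range 67:68.
    echo "ebtables -A $1 $2 $ifc -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP"
  done
}

# The same block expressed for nftables' bridge family (table name
# "dhcpguard" is an assumption), printed one command per line.
dhcp_block_rules_nft() {
  ifc="$1"
  echo "nft add table bridge dhcpguard"
  echo "nft 'add chain bridge dhcpguard forward { type filter hook forward priority 0; policy accept; }'"
  echo "nft 'add chain bridge dhcpguard input { type filter hook input priority 0; policy accept; }'"
  echo "nft add rule bridge dhcpguard forward iifname \"$ifc\" ether type ip udp dport { 67, 68 } drop"
  echo "nft add rule bridge dhcpguard forward oifname \"$ifc\" ether type ip udp dport { 67, 68 } drop"
  echo "nft add rule bridge dhcpguard input iifname \"$ifc\" ether type ip udp dport { 67, 68 } drop"
}

# Execute commands read from stdin. Refuses to run unless root, since the
# rules are loaded into the kernel; stops at the first failing command.
run_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root to apply rules" >&2; return 1; }
  while IFS= read -r cmd; do
    eval "$cmd" || return 1
  done
}

case "${1:-}" in
  show)      dhcp_block_rules "$TAP"; dhcp_block_rules_nft "$TAP" ;;
  apply)     dhcp_block_rules "$TAP" | run_rules ;;
  apply-nft) dhcp_block_rules_nft "$TAP" | run_rules ;;
  *)         echo "usage: $0 {show|apply|apply-nft}" >&2 ;;
esac
```

After applying, `ebtables -L --Lc` (or `nft list table bridge dhcpguard`) shows per-rule counters, so a DHCP discover sent from a client at the remote site should increment the `-i tap0` FORWARD rule while the local DHCP server keeps answering local clients as before. Two caveats: these rules match IPv4 only, so DHCPv6 (UDP 546/547) would need its own rule if the sites ever run IPv6; and because they are evaluated per frame on the bridge, keep the rule count small on the interface that carries the full tunnel throughput.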