Layer 2 VPN class B Network multiple DHCP

Dear all,

I've used DD-WRT routers to build a continental spanning openVPN network.
Each physical location at a different subnet: 172.22.XX.00/16 where XX is 50, 51, 52, etc.

Each subnet has its own DHCP and DNS and I used ebtables to block DHCP requests over the tap interface.

Now I installed LEDE on my WRT1200AC, WRT1900ACS and WRT3200ACM routers and I must say,
it runs smoothly and perfectly out of the box. Everything works great! Also the web interface of LuCI is so beautiful.

But I did some openVPN performance testing just recently.
In my comparison I let the ASUS RT-AC88U, ASUS RT-AC5300, NETGEAR R9000, NETGEAR R7000 compete with my WRT3200ACM. Nothing beats the latest of the WRT series!

However, I also used an Intel Xeon i3, Celeron i3 and desktop i5 under Windows to handle an openVPN connection on layer 2 with the same encryption settings. All 3 support AES-NI. Results: not even the fastest router on the market comes close to what an Intel chip can perform! Even an Intel Celeron chip with AES-NI outperforms the fastest router CPU by a factor of 2. However, on Windows there are no ebtables of course. Which means with multiple DHCP servers on the layer 2 network I'm getting some weird results. Mostly the clients pick the first DHCP server, which naturally is the one located in their own physical network. Sometimes, especially with WLAN clients, they pick the DHCP server from the other physical location.

To get further into this, I also noticed ebtables does have its impact on performance.

Now I have several options:
manually add to dnsmasq.conf on each router a list of devices to be ignored:
dhcp-host=XX:YY:ZZ:AA:OO:FF,ignore

or still use ebtables on those physical networks that don't use windows for openVPN and then only
add this list of devices to be ignored on the routers serving the physical networks running openVPN over
windows.

or maybe something else someone here comes up with?

Just asking what you would do in my situation. How to handle this the best.
If you are aware of a Windows layer 2 firewall which I can apply to the Windows tap driver/interface,
then I could use ebtables on the routers handling the tap interface and a Windows layer 2 firewall handling
the Windows tap interface of course.

But I'm not aware that such a thing is possible on Windows and, like I said, ebtables does seem to have some performance impact.

Basically the trick is to have a very powerful "Intel AES-NI" server running openVPN as a server capable of doing over 200Mbps encryption (as my fiber optical internet is only 200Mbps upstream and 200Mbps downstream) and at the same time block ports 67/68 on layer 2 for the tap interface. Once that is done server side, all port 67/68 requests over layer 2 by all clients are dropped at the server side. Correct?

So basically, how do I implement this on the server?

Now I know of pfSense, I know about virtual machines, running Windows AD next to pfSense or even running Ubuntu or LEDE virtually. But what would be the best and most stable solution taking everything into consideration?
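The two DHCP-containment options discussed above (ebtables rules on the tap interface, and a dnsmasq ignore list per MAC) as an added example, not code from the thread. It assumes the bridged OpenVPN server exposes its clients on an interface named tap0 and that ebtables is installed; the helper names are hypothetical. Rules are only applied when the script is invoked with "apply", otherwise they are just printed for review.

```shell
#!/bin/sh
# Hypothetical helpers (not from the thread) for keeping each site's DHCP local
# on a layer 2 OpenVPN (tap) bridge.

# Emit ebtables rules that drop DHCP (UDP 67/68) in both directions on the tap
# interface. With the tap enslaved to the server's bridge, client-to-client and
# client-to-LAN frames traverse the FORWARD chain, so dropping there stops both
# remote DHCPDISCOVER/REQUEST broadcasts and remote DHCPOFFER/ACK replies.
dhcp_block_rules() {
    ifc="$1"
    # Frames arriving from the tunnel carrying DHCP (client requests or a remote server's offers)
    echo "ebtables -A FORWARD -i $ifc -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP"
    echo "ebtables -A INPUT   -i $ifc -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP"
    # Frames about to leave via the tunnel carrying DHCP (local requests or the local server's offers)
    echo "ebtables -A FORWARD -o $ifc -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP"
    echo "ebtables -A OUTPUT  -o $ifc -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP"
}

# Alternative from the thread: tell dnsmasq to ignore specific remote clients by MAC.
# Takes any number of MAC addresses and emits one dhcp-host=...,ignore line each.
dnsmasq_ignore_lines() {
    for mac in "$@"; do
        echo "dhcp-host=$mac,ignore"
    done
}

# Apply the generated ebtables rules (requires root and the ebtables binary).
apply_dhcp_block() {
    dhcp_block_rules "$1" | while read -r cmd; do
        $cmd
    done
}

TAP_IF="${TAP_IF:-tap0}"
if [ "${1:-}" = "apply" ]; then
    apply_dhcp_block "$TAP_IF"
else
    dhcp_block_rules "$TAP_IF"
    # Constructed sample MACs, only to show the dnsmasq.conf output format.
    dnsmasq_ignore_lines "00:11:22:33:44:55" "66:77:88:99:aa:bb"
fi
```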

I'm not sure why you are talking of Windows.
Did you try x86 LEDE images? They will run on normal PC/server hardware (or in a VM on normal PC/server hardware) so you will have ebtables + openVPN on the same system.
https://downloads.lede-project.org/snapshots/targets/x86/
(64 is 64-bit and the one you will need, others are for specific x86 devices or for Xen virtualization)

Most images in there must be extracted and then the *.img file must be flashed raw to a USB drive; on Windows you can use Rufus for that http://rufus.akeo.ie/ then you boot the PC from that USB drive.

If the default images lack drivers for your devices (mostly network, if that works you can install whatever through opkg), you will probably need to use the image builder to make new images with the drivers for them first
https://lede-project.org/docs/user-guide/imagebuilder
(or download and install manually the needed packages)

EDIT: just looked at sources, the 64bit images are built by default with kmod-e1000e, kmod-e1000, kmod-r8169, kmod-igb packages, so they should be able to use most Intel and Realtek NICs without need of the image builder.

Hi Bobafetthotmail, thank you for your reply!

I understood LEDE can be installed on a VM or on bare metal Intel architecture and I also installed it last night in VirtualBox from Oracle. Apart from "collecting data" never ending on each LuCI page it seems to work.

But the main reason I'm asking, is this the best solution?
I want to run MS AD (Server 2012 R2 or Server 2016) and don't want to buy or keep running 2 PCs.

So it would be an Intel machine running MS AD and then LEDE in a virtual environment. I assume this will have a huge impact on
the performance under openVPN encryption, no?

Or is it possible to run LEDE on the PC directly, without a VM, and then somehow hook it into the existing AD?

I want to run MS AD (Server 2012 R2 or Server 2016) and don't want to buy or keep running 2 PCs.

Is samba's active directory good enough for your needs? (probably not, just checking)

So it would be an Intel machine running MS AD and then LEDE in a virtual environment. I assume this will have a huge impact on the performance under openVPN encryption, no?

Afaik virtualization shouldn't have a big performance hit on CPU-bound applications, but VirtualBox is not the best performer.
OpenVPN offers pre-made appliances (VMs) for Hyper-V and ESXi; if you have a Windows server anyway you might as well use its Hyper-V virtualization features https://openvpn.net/index.php/access-server/download-openvpn-as-vm.html

Hi Bobafetthotmail, the openVPN VM is actually a very interesting idea you put forward here. I'll give it a shot. Thank you.