I've read that OpenWrt doesn't scale very well, although currently I prob don't need to scale from Pi4 -> Mini PC. However if I'm hoping to implement a VPN across 2 or 3 sites (maybe 5 devices each site), I dunno the hw requirements for Wireguard in those circumstances.
So, 1st question.... Could OpenWrt & Wireguard cope with a VPN spanning 2 or 3 sites of 5 devices/IPs per site..... when installed on a Pi4 router at each site?
Also, if I'm scaling up to a Mini-PC for router, OpenWrt, or OPNsense?
Apologies if OPNsense is a banned topic here, thought I'd try asking anyway...
Wow, I'm blessed w all the responses... its only been 20min since my post!
This forum just doesn't sleep... Its almost like there's a PRIZE for the fastest response lol !!
Very interested in unetd..... tnx for info....
It may not seem logical, & I'm no stranger to Linux, but most of the docs/info I've seen on OpenWrt is re embedded router/APs.... So thats the way I was thinking.
.... Again, lots of info from this forum to keep me busy..... Tnx.
OpenWrt is increasingly used on x86_64 (but x86 was already supported since the early kamikaze days), because that's where the performance is for medium- to high-end fibre connections. In general it just works, so there's very little need to talk about it - it's just boring, in the good sense of it. I've been using OpenWrt as router on x86_64 for around 2.5 years now (moving over from ipq8065), it's drop dead stable and reliable and has the oomph I was looking for, no compromises necessary. While I'm (obviously) still using OpenWrt on ARM/ mips for APs and switches, I don't see myself replacing OpenWrt on x86_64 in the router capacity any time soon (high-end ARMv8 wireless routers are slowly catching up to the performance levels Atom platforms offered over a decade ago and the modern alderlake-n/ n100 four 2.5GBASE-T port systems would be very attractive, if I had to replace my current system).
I do look at OPNsense (and pfsense, before they commited Seppukko) regularly, but I'm not going to replace my OpenWrt x86_64 router with it (for many reasons). It is nice to have the same configuration semantics and syntax throughout the whole stack of networking gear, from router, managed switches to APs.
both will easily support Wireguard. Question is the top link speed you require. Most x86_64 devices will be very capable.
OpenWrt is Linux so just ssh in and use your Linux-foo for debugging, experimenting, scripting, etc. OPNsense is BSD so some things are done differently
OPNsense has great firewall UI. OpenWrt is lower level and probably needs pbr to make things easier
OPNsense has builtin gateway failover stuff
SQM seems more advanced in OpenWrt, but easier to manage in OPNsense
OpenWrt has amazing configuration setup with clean text files where OPNsense has tons of ugly XML. With OpenWrt you usually post your config on this forum and get great feedback. Not really possible with OPNsense.
OPNsense has autoupdate that works very well
on x86_64 you can have both installed at the same time and see what works for you better
In fact this platform you see least (to almost none) issue, it's X86 and no WiFi by default, nowadays almost any hardware would work with it as Linux upstream has great support to most PC hardware, as a result you don't really see too much discussions about it (probably only talking about new hardware)
Shouldn't you think about your line speed first? Assume you have 1G symmetric internet connection, with little mini PC equipped probably N100 you can already saturate the line, even SBC like Raspberry Pi 4B can do close to 900Mbps so nothing to worry about, if your line speed is slower then the bottleneck is at the WAN side not the router end.
This is an interesting topic re bottlenecks for me....
I was comparing a Pi to a Mini-PC, partly bc of a better processor.
I was assuming that a Pi cpu would struggle w VPN session cpu usage, esp the more VPN sessions (devices attached to the VPN) were active/open.
Perhaps I'm 100% wrong & VPN sessions/cpu usage are swimming in Pi4 CPU capacity?..... which is why the discussion around ISP line speed (obv ISP/WAN speed will be much less than LAN speed).
BTW my current (5g) WAN speed is 200down/50up. I hope to have 1G in the future, but currently don't need that.
If an ISP line speed 1Gb or less is the bottleneck compared to router WAN of 1Gb, or any cpu the router is running is great to know. Gives more flexability on the router HW.
You can have some references with the following thread about the processing power of different devices when dealing with Wireguard connection, it clearly that Pi4 itself is doing pretty well, yes multiple connections together would have a bit more overhead but probably you won't feel much difference.
The actual routing of IP packets in OpenWrt is handled by the Linux kernel itself. I believe that's also the case on OPNsense, except with BSD instead. So routing performance is more of a "Linux vs BSD" comparison as opposed to "OpenWrt vs OPNsense", IMHO.
Absolutely. But instead of a Pi 4B, consider using a Pi Compute Module 4 (CM4) with a carrier board designed specifically for routing. Here's an example setup explained in one of my previous posts:
The CM4001000 requires an SD card to function. You could instead use the CM4001008 which comes with 8 GB eMMC. This hilariously exceeds what is needed for OpenWrt.
With 8GB eMMC you can make it a container host to run more network related services, but I would prefer to get at least 2GB RAM module. However the price isn't really competitive to the NanoPi R4S (4GB) now, not to mention that R4S allows you to have 2 x USB3 ports to connect something else.
OK, I really like your idea of using dedicated routing hardware, but I'm confused by the resources that you've linked to. How on earth does it all link together. There are instructions like, designed to be used with xxx.
I'm in Austria/EU, so US stores don't help me. However Amazon.de does list most things..... ie .....
The NanoPi definitely has all the hardware needed for routing, so I'm not sure what makes you think that. Both the NanoPi and CM4 are excellent wired router options.
You "plug" the CM4 onto the DFRobot board on the side opposite of the Ethernet jacks. You can see how it's all assembled in this blog post by Jeff Geerling. You then write the OpenWrt firmware onto the SD card and plug it in the same way you would with a Pi 4B.
Note that you don't need custom OpenWrt nowadays as some older instructions on the Internet may state. Official OpenWrt has images for both Raspberry Pi CM4 and NanoPi R4S.
Well I think I've found my routing solution.... Either the CM4 or the NanoPi. Both ca E100 in Austria.
I'm trying to decide which one.... Seems to me CM4 is a DIY project, NanoPi comes built. I like DIY projects.... Have built several computers, inc my current Ryzen7.
Does the NaniPi routing hardware equal the CM4+CarrierBoard?
CM4 has 4x 1.5 GHz Cortex-A72 @ 1.5 GHz, R4S has 2x Cortex-A72 @ 2 GHz + 4x Cortex-A53 @ 1.5 GHz. It's hard to make direct comparisons since R4S uses big.LITTLE and CM4 doesn't. But in any case, both are actually rather overpowered for "ordinary small-office/home-office" routing scenarios. In practice there's probably not much of a difference in that regard.
R4S does have USB 3.0 ports, so you could use it as a poor-man's NAS with an external USB hard drive. I prefer using a dedicated device for this role, so it didn't really matter to me, but it might to you. The DFRobot board does have a USB 2.0 Type-C port, so you could still attach some USB device to it if speed wasn't an issue.
I don't have CM4, but I do have Pi4B + NanoPi R4S myself so I might be able to give some idea.
As mentioned above, CM4 has 4xA72 while R4S has 2xA72 + 4xA53, for 1G line rate in fact only 2 of A72 are enough, note that the single core clock rate of A72 on R4S is significantly higher, when you run some applications (or SQM) that only works in single thread, R4S will outperform CM4 (or Pi4B).
For VPN applications, if you have a need for OpenVPN, crypto engine on R4S will definitely help, while the on on CM4/Pi4B has usable hardware acceleration (Pi Foundation didn't pay for it, so it's there but not usable), a YouTuber did a rough test on R4S that the OpenVPN speed can saturate his 200Mbps internet link which is really great.
USB ports as mentioned, the USB-C with only USB2 mode on DFRobot Router Mini is not that useful, for me, my router can run NUT server and connect my UPS with direct USB connection, most likely you need a USB-C hub for CM4 board. I'm also a lazy person that I run transmission torrent download to my temp USB HDD at home (then pull the content to my server later), but if you don't need all these, nothing is wrong with CM4.
About power, I don't have CM4 so I cannot comment, but for my Pi4B, it draws more power when compared with my R4S, and RPi series is known to be extremely picky about power supply (why they always love 5.1V?), if you don't buy their official power supply, pretty high chance of getting throttling (it happens a lot on my Pi3B, less on Pi4B but it does happen), for the R4S I never encounter such issue, also the metal casing is really solid.
4GB ram on R4S (only 4GB model is supported by OpenWrt) is definitely a plus (well you can get 4 or even 8GB on CM4 but price higher), I run containers like PiHole inside my R4S and it's great.
I find it very interesting that R4S apparently outperforms CM4.
I will be running Wireguard VPN, or unetd version of WG, so encryption support would be very useful.
I initially ordered R4SE from Amazon DE, then realised bc of R4SE use of eMMC, that the official OpenWrt software did NOT support booting from eMMC, only from SD. So changed the order to R4S, SD version of hardware.
Yes, don't waste money on the extra eMMC since the controller code is not open source which you can't use it under OpenWrt, I believe it's not only it can't boot from it, even with SD card loaded with OpenWrt you still can't see it.
Previously I connected my Samsung FitPlus/Lexar JumpDrive S47 to my R4S, it's flash drive which is smaller than a finger tip but.....speed > 100MB/s over USB3 and it's really a great storage for my containers under OpenWrt.
. But someone may be able to weigh the pros and cons for you.