Looking for something to be my SSH bastion box and Wireguard server.
- Not against scouring Ebay/homelabsales etc.
- Could be x86 or ARM.
- Ideally this box would be very power efficient so getting a giant/cheap rack mounted server isn’t what I’m looking for. I’ve looked at a few used alix2d3 but I don’t think it can handle the speeds I’m looking to get.
It depends largely on how many network interfaces you need. If this box will be your firewall/router too, the APU2 board https://www.pcengines.ch/apu2.htm ticks all of these boxes:
If you only need 1 network interface, then the sky is the limit. Virtually any used x86-64 hardware manufactured in the last decade can work, so hit up your friends and family for their old netbooks and whatnot. If you want to buy new, there are Intel NUCs, NUC knock-offs, Chinese-made embedded systems on Amazon (one brand name of these is QOTOM), low-power ATX mobo+CPU combos off of Newegg, old chrome boxes, the new $35 Atomic Pi.
And those are just the x86 options. If speed is not super important, the Raspberry Pi can work okayish. There are some pretty decent higher-powered ARM devices on the market now, especially in the $50-$100 price range. If I was to buy one of those, I would try to get one supported by Armbian: https://www.armbian.com/
I currently have the old ALIX board which has the advantage of power over ethernet which is missing from the APU2 boards.
+1 for the APU line of stuff. Initial setup over serial can be a pain, but they are uniquely capable and well made.
That’s a great point. I’ve seen old Intel Atom NUCs around $50 on eBay, those might fit the bill.
If you need a board with more than one network interface you could look at an ESPRESSObin: it has three gigabit interfaces, 1/2GB DDR3 memory and an ARM Cortex A53 processor. It is really small and cheap.
I’m running pfSense on it, bonding two interfaces, and also using it as a VPN.
I am using the ESPRESSObin as my main router as well, running OpenWrt. I don’t know how pfSense support is on this SBC, but OpenWrt can max out my uplink with WireGuard.
pfSense support is still really experimental due to the lack of hardware support in FreeBSD.
Oh nice! I’ll have to look into these a bit more.
The atomic pi looks interesting. https://dlidirect.com/products/atomic-pi
I think it’s fairly new, not sure if it works well or is a PITA, but it looks to check those boxes.
I use a VPN running on my Synology NAS and couldn’t be happier. Dual bonded GigE to my router then gigabit fiber from there out to the world. It was dead simple point-and-click to set up a couple flavors of VPN. I know you didn’t mention needing additional storage, but QNap and Synology are crushing it with turnkey solutions in this space. Heck, it even runs Docker containers if you can’t find a server/service pre-packaged.
If you don’t like the built-in VPN options there are packages like https://github.com/runfalk/synology-wireguard
Synologys are great just a little more than I’d like to spend.
What’s your budget?
< $100.
Sorry to hear Synology is out of range. I use mine as a VPN as well and it works great.
If you’re not averse to off-the-shelf solutions, Ubiquiti’s EdgeRouter line is great. I previously ran an EdgeRouter Lite (now using an EdgeRouter 4) which runs a Vyatta derivative (which is a Debian derivative). The ERL is a pretty cheap unit and quite performant. It has hardware offload for some things, like some types of crypto (e.g. for IPsec).
There’s an unofficial Wireguard port which I’ve been using for a while and it works great.
I’m not averse to off-the-shelf stuff and I’ve heard good things about the ERL. I’ll keep it in mind, thanks!
I’ve certainly not had any regrets since I switched to EdgeRouter hardware. Before that I had m0n0wall on a Soekris net4501 and pfSense on an ALIX (I forget which board). Both the Soekris and ALIX were pretty underpowered and were fine as basic routers, but anything on top and they suffered.
The ERL and ER4 have been really performant and are quite nice to configure from the CLI (at least I thought so; but then I’ve got JunOS experience and Vyatta largely copied Juniper’s config format).
Nice! Have you ever run a non-stock OS on your ERL, some folks seem to have success getting OpenBSD on there?
OpenBSD runs fine on the ERL. I just wish there were binary patches for octeon. I should have waited and bought an apu2.
Not yet, although now that I’ve got the ER4 I do intend on trying to put OpenBSD on the ERL.
Mikrotik routers are another alternative to Ubiquiti’s EdgeRouter line. The entry level ones are rather cheap and power efficient (10W at max load). They can be a bit of a pain to configure though.
Raspberry Pis have 100Mbit networking.
If you need a decent CPU as well I’d get an Odroid XU4 (those even have gigabit iirc).
I read the question as “I want my 100mbps ethernet link to be the bottleneck instead of the CPU running the VPN software being the bottleneck”.
So, most or all models of raspberry pi don’t check the box, right?
Anecdotally, I pull 100mbps through wireguard using a Raspberry Pi 3 without issue. As long as you aren’t relying on it for complicated firewall rules you should be fine.
That’s good to know. I have an old raspberry pi at the moment that can’t crack 20mbps through WireGuard. Hence my question :)
Older Raspberry Pis are really slow. Anything that’s not a Pi 3 (or better) won’t work (as you’ve found).
Pi 3 is not very good either (other than the terrible I/O: it doesn’t even support AES instructions!). Try the ROCK64.
I guess wireguard doesn’t use AES
According to this article/post, strongly but tangentially related to our topic here, no, WireGuard does not use AES.
Wow. Thank you for this data point.
I picked up a Protectli FW4B for use on my home network, which includes VPN use. They seem to be a lesser known brand but it’s been great for me. Ships with no OS and I installed pfSense on it.
Looks like a nice product but it’s out of my budget.