The proposed rollback of consumer internet privacy by our new FCC chairman has everyone watching intently. While the recent push of “just doing everything over HTTPS” is a move in the right direction, it does not solve all of our problems. To further protect myself I embarked on a research project to find a consumer grade router capable of handling my 80/20 cable internet connection. With that connection I want to test out securing all traffic through a VPN at the router.
Unfortunately this led to the realization that even the most expensive consumer grade routers simply would not work for my needs. They either require you to run custom firmware such as DD-WRT, OpenWRT, and Tomato or you have to deal with the router manufacturer and the terrible interfaces and options they provide. Now I did explore the custom firmware route, but after reading about various compatibility issues, I decided that was not for me.
If you want to read more about an actual successful project like this you can check out this article from Charles Perry. After exhausting my options I began to look at other software based approaches that I could run on commodity hardware. I have always wanted to learn how to setup a software router running Linux but the sheer amount of knowledge and new tools I would need to learn was daunting.
I am an engineer and love tinkering but when it comes to my internet connection, I would rather set it up once and forget it.
During my research I stumbled upon a distribution of FreeBSD that has been packaged and built explicitly for running routers on commodity hardware called pfSense. Not only is pfSense open-source, it is actively supported and maintained by a company and I could even BUY support if I needed it. After browsing the documentation on the install process, and some great videos on YouTube I decided pfSense would fit all of my needs and more.
The next task was to figure out what could pfSense run on. The answer is just about anything with 2 ethernet ports (one port for a WAN connection, the other for your LAN interfaces) but there are some other items I was concerned about.
- I wanted the device to be low power (Something under 15w would be great)
- I needed enough CPU and RAM to fully support an 80/20 connection over OpenVPN. This is a serious challenge for consumer routers and I have yet to find one that doesnt degrade significantly when all traffic is routed over the VPN
- I wanted the device to be small and have high quality Intel NIC ports
With these items in mind I was pleasantly surprised to find a plethora of excellent options.
PC Engines APU2 ~ $169 is an embedded board designed for low power servers, networking and surveillance applications
- The CPU is a quad core AMD Jaguar chip running at 1GHZ with 64-bit AES-NI
- RAM options are available with 2GB and 4GB of RAM and they even have options with cellular capabilities
- mSATA and mini PCIE support for internal storage and expansion
- They have a nice anodized case that serves as a heatsink for the board
- Runs off 6-10w of power with a simple DC power supply
Lanner NCA-1020 ~ $220 is a similar all-in-one network device based on the Intel platform
- The CPU is a dual core Celeron N3010 running at 2.24ghz with AES-NI
- RAM options go up to 8GB
- A number of mSATA options for drives
- embedded antenna ports if I wanted to have wireless built in
- Any of the pfSense products from the website. These were pretty pricey compared to a BYO solution
I ultimately went with the PC Engines APU.2C4 from mini-box.com due to the fact that I could easily order it online. They also carry the matching case and power supply (I ordered the mSATA drive from Amazon).
With Lanner Inc. you have to call them and order things - not really my style, but I have no doubt that any similar embedded Celeron board would work. In fact SuperMicro has a number of embedded boards with Intel NICs and Intel Celeron chips that would work.
Current Network Setup
A few words about my current setup before I get to the installation and configuration. I have the following networking gear:
- A Motorola SurfBoard modem with an 80/20 cable internet connection
- An Airport Extreme acting as my router and serving Wifi to the back half of my condo
- An 8-port gigabit switch serving various wired devices in my office (FreeNas Server, Desktop, etc)
- A NetGear Powerline device that extends a wired connection to the front of my condo
- An Airport Express running in Bridge Mode connected to the Powerline device which serves wireless to the front half of my condo
With this setup I am able to max out my 80/20 connection wirelessly anywhere in my condo. I also can get a around 100 megabytes/sec from my FreeNas server to wired clients.
I use FreeNAS for Time Machine backups, Plex Server and general storage for just about everything. I HIGHLY recommend it.
In order to install pfSense on the PC Engines board you are going to need a USB -> DB9 Null Modem cable and a USB stick that has the correct pfSense image. For the PC Engines board I am using the installer with the following options.
- File Type : Install
- Architecture : AMD 64
- Platform : USB Memstick Installer
- Console : Serial
Thats right folks this embedded board has no VGA output!
This may sound scary, but in reality, if you are comfortable using a terminal and SSH, you will be fine. Once the install is complete, we configure and manage everything from a Web GUI.
After mounting the motherboard into the case with the included heatspreader, I popped in the mSATA SSD and then connected the DB9 cable to my desktop.
Next up we need to run the screen application to see the console output from the motherboard. The screen tool in our case needs two arguments.
- The path of the serial device. This path depends on the cable you buy but should be easily identified by looking through the available paths in /dev
- The second is the baud rate of the serial port which I found from the PC Engines support site
bash$ screen /dev/usbSerialDevicePath 115200,8n1
Once we have this up and running we can plug in the router (which will play a nice little jingle) and we should see the console output of the device booting up.
We hit F10 to get to the boot menu and select the option to boot from our USB stick containing pfSense.
Once booted up we can start the installer by hitting the I key when prompted.
There is a "Quick Install" option that should be fine for most users so I selected that option. The install took a few minutes and the machine rebooted into pfSense.
WAN and LAN Configuration
The next thing we need to do is configure what the ethernet ports actually do. Your typical consumer routers will usually have icons that specify what to plug your modem into and what to plug your other devices into. We have to configure that ourselves here.
pfSense actually has a nice utility for this. Select the Assign Interfaces option from the console menu. It will ask you if you want to configure VLANs first (which I did not).
It then prompted me to setup the WAN interface. I chose the automatic option that tells pfSsense to auto-detect my WAN port. After hitting a for auto and then enter, I plugged in my modem and then hit enter again. I then did the exact same process for my LAN port and connected it directly to my computer.
Once you plug your computer into the LAN ethernet port you should be able to access the Web GUI via 192.168.1.1. If you can you can disconnect your USB->Serial cable!
Chrome and other modern browsers will complain about the Web GUI using HTTPS with an invalid certificate. You can bypass this and fix it later in the Web GUI.
After walking through the basic GUI setup which sets your timezone and enables some standard things like DHCP, you should have access to the internet again through your new router! If you need help you can watch the excellent YouTube series I mentioned earlier.
I made a number of other configuration changes but the one you are likely wondering the most about is the configuration of OpenVPN. By configuring OpenVPN at the router level I can set all traffic behind my router to be sent over a VPN.
The VPN provider I tested out (Private Internet Access) has an excellent walkthrough on how to secure all traffic from the router using OpenVPN here. You can use any VPN provider that supports OpenVPN.
Once completed I navigated back to PIA and the top of the page indicated I was secured! But what about the speed? Am I losing any bandwidth in the process?
I did a quick check on the Netflix FAST site and SpeedTest and I was happy with the results. I was still getting a full 80/20 connection! I then did some basic testing by turning on Netflix on my AppleTV, downloading a large ISO from the internet and some basic browsing. I didn't notice any speed issues at all.