Building A Debian Based VPN Router

A few months ago, with the laws being brought in around the Snoopers' Charter and the Digital Economy Bill in the UK, I decided that I needed to start pushing most of my traffic over a VPN.

The thing is, I really don't want to run a VPN client on every device I have on my network: some of them don't allow me to run OpenVPN at all, and making sure all of those clients are working all the time is a pain. I needed some way of consolidating this on my network.

So really what I wanted was a router that would ensure all my traffic was passed over my VPN provider. At the time I was running a little Buffalo WZR-1750DHP, and I knew it definitely wasn't going to keep up with the CPU demands of OpenVPN at 350Mbps, and certainly wouldn't give me the flexibility in software.

So originally I started with something out of the box that I knew a lot of friends were already using: pfSense.

Here's the thing about pfSense: I really hated it. I know there are a lot of fans out there, but what doesn't sit right with me is a PHP frontend (running as root) sitting in front of the core network services on BSD and managing them for me.

Especially when you're trying to work out what this abstracted interface is doing behind the scenes while you're running into problems.

Even the pfSense devs seem to have concluded that PHP was a bad idea, because they're now migrating to Python.

Ultimately I had a few problems with pfSense that made me decide to abandon the entire thing:

So ultimately what I wanted was a lightweight solution where I knew exactly how the firewall was set up and could customise any part of it. What follows is an example setup showing how this can be implemented. I also link to an Ansible repo at the end of this post that details all of the steps required to set this up from scratch.

Before you start you need a basic Debian install, or really any Linux distribution, as long as you know how the steps apply to your distribution.


For my setup I did quite a bit of research into what would be required for a router. If you're not doing OpenVPN then realistically this can be a really low-power Pi if you want it to be, but as soon as you start pushing bandwidth over OpenVPN links that requirement soon changes and you'll find your CPU can't cope.

As an example, I'm currently using this:

  • Intel(R) Core(TM) i3-4160 CPU @ 3.60GHz (2 Cores, 4 Threads)
  • 8GB RAM - massively overkill; I use <512MB most of the time.
  • Intel Pro/1000 PT (82571EB) - you can pick these up on eBay for £10-15 for the dual-port cards.

I just happened to have this hardware lying around, but I can say it will comfortably push 350-400Mbps.

There are a few things to bear in mind:

  • OpenVPN is single threaded, so you're not looking for thread count here, you're looking for clock frequency.
  • You will want your CPU to support AES-NI.
  • Ideally get an Intel NIC with offloading; you're probably asking for trouble with some of the Broadcom chipsets, and realistically you're talking £10-£15 to remove this as a problem.
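As a pre-flight check for those three points, here is a small POSIX shell script I've added (it is not from the original post or its Ansible repo): it parses /proc/cpuinfo for the AES-NI flag and the per-core clock, and checks the offload features a NIC reports via `ethtool -k`. The NIC name eth0 is only an assumed example.

```shell
#!/bin/sh
# Pre-flight check for the points above: AES-NI, per-core clock, NIC offloads.
# Own example, not code from the original post or its Ansible repo.
# Parsers take the text of /proc/cpuinfo or `ethtool -k <nic>` as $1 so they
# can be run against a saved copy as well as the live host.

# 0 if the cpuinfo text advertises AES-NI (the "aes" CPU flag), else 1.
has_aesni() {
    printf '%s\n' "$1" | grep -qE '^flags[[:space:]]*:.*[[:space:]]aes([[:space:]]|$)'
}

# Highest "cpu MHz" value in the cpuinfo text, rounded to a whole number.
# OpenVPN is single threaded, so this matters more than the core count.
max_cpu_mhz() {
    printf '%s\n' "$1" | awk -F': ' 'BEGIN { m = 0 }
        /^cpu MHz/ { if ($2 + 0 > m) m = $2 + 0 }
        END { printf "%.0f\n", m }'
}

# Number of logical CPUs (processor entries) in the cpuinfo text.
cpu_count() {
    printf '%s\n' "$1" | grep -c '^processor'
}

# 0 if the `ethtool -k` text reports feature $2 (e.g. tcp-segmentation-offload) as on.
offload_on() {
    printf '%s\n' "$1" | grep -qE "^$2: on"
}

# Summarise the live host. Linux only; the NIC name eth0 is an assumed example.
check_host() {
    nic="${1:-eth0}"
    [ -r /proc/cpuinfo ] || { echo "no /proc/cpuinfo: not Linux?" >&2; return 1; }
    info=$(cat /proc/cpuinfo)
    echo "logical CPUs: $(cpu_count "$info")"
    echo "max cpu MHz : $(max_cpu_mhz "$info")"
    if has_aesni "$info"; then echo "AES-NI      : yes"
    else echo "AES-NI      : NO (expect poor OpenVPN throughput)"; fi
    # Offloads worth having on the NIC; needs ethtool installed and the NIC present.
    if feats=$(ethtool -k "$nic" 2>/dev/null); then
        for f in rx-checksumming tx-checksumming scatter-gather tcp-segmentation-offload; do
            offload_on "$feats" "$f" && echo "$nic $f: on" || echo "$nic $f: off"
        done
    fi
}

# Print the report when run directly on a Linux host (NIC name as first argument).
[ -r /proc/cpuinfo ] && check_host "${1:-eth0}"
```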

At the end of this post you can see the kind of performance I'm getting from this hardware, which will hopefully give you an idea of what kind of hardware you need.