Risks of VPN server in home router

Hi @ all

I googled and read a lot but could not find an answer to my question(s). I just got recently into network stuff so my knowledge is not that big.

I want to make my home network available from outside via VPN to e.g. access my NAS. I also want to send traffic from e.g. my mobile phone via VPN over my home router because of encryption (when on open Wi-Fi) and also to utilize my Pi-hole in my home network.

Now there are two possibilities. Let the router be the VPN server to connect to, or install a separate VPN server on another device inside my home network. For the latter I think I have to open a port in the router and forward it to the server.
I think I also need to use DDNS in both cases then because of the changing IPs.

Questions:

  1. Does activating the VPN server utility of the router + DDNS increase the risk of being attacked (and how much) and decrease the safety of my network?

  2. Which of the two ways mentioned above is the safer one in terms of getting attacked from outside?

I hope I made my point clear and gave enough info.
Thanks in advance.

Be mindful of what ports are open (don’t open too much), use certificates to verify your VPN profiles and avoid password-only VPN configurations, and know that if a VPN profile is stolen from you without your knowledge, the thief has access to your entire LAN.

What might be a great option for both learning and to have an exceptional router is to set up pfSense (a routing OS that can also handle a VPN) on old hardware, or a really popular choice is buying a Dell R210ii for ~$130 off of eBay. While more expensive than a Pi, it will handle routing for your entire network, be a great learning experience, and allow many more options in the future for a homelab.

I use Subsonic to access my files with AirVPN.

What model of router do you have?

Thanks … that sounds very good. I will take a look at WireGuard … sounds very nice.

Can WireGuard be something you can set up virtually with Linux? Possibly do this on a VM that I have existing.

I think at first I will work with what I currently have at my disposal (hardware). But maybe that's a good tip for the future.
pfSense I will take a look at.

Thanks for those tips.

Currently a Fritzbox 7490

+1 for WireGuard and for the Pi.

Sounds like you have a pretty good grasp of what you need to do for being a beginner in networking 🙂

Yes, it runs on any Linux distro, VM or physical; mine are in VMware.

No problem. pfSense does not take a lot, so likely you could grab an extra Ethernet card, throw it in an old system and be good to go. Ppl like the R210ii as they are cheap and sip power, which adds up quickly in a home lab. Best of luck!

OK, so this seems to fall under the category of “trying to be everything to everyone”. There’s no mention on the manufacturer’s website about what kind of processor it has or how much memory is installed, but I’m going to go with the assumption that it’s “shitty” and “not enough”.

That said, if you want to give it a shot, I’d say set up the VPN at home on the router first, then if it’s not up to snuff, look at something a bit beefier. You’re running on DSL, so your performance is going to be pretty poor compared to a fiber connection, regardless.

Thanks… I read and watched some stuff on networking to understand the fundamentals, and then I like to read through multiple opinions and options to evaluate the best thing for my use case to start with.

My NAS is custom built with FreeNAS as OS. It has a Pentium dual core and 8 GB RAM.

NAS access is not the only primary purpose. I also want to route my mobile traffic via my home to utilize my Pi-hole and the VPN encryption. It's multipurpose.

Thanks for the additional info. I will keep that in mind and will look up more info on those points.

So you’re saying that when I set up WireGuard it’s totally secure? And what client would you use if on a Windows machine? TunSafe?

Yeah thanks … that's what I want to do.

The DSL connection is not the best. I get around 60 MBit downstream and 20 MBit upstream. But atm it's OK.

what kind of processor it has or how much memory is installed

A dual core 600MHz MIPS CPU and 512MB RAM as far as I can tell. (For the OS, it has dedicated CPUs for wifi, DSL and the switch part.)

AVM Fritzboxes tend to be relatively powerful for their price point, they do have a reputation of running hot though.

That said, the only built-in VPN is IPsec IKEv1/XAuth; if you want something different, you need to flash a custom firmware.

That's the only Windows client I know of for WireGuard, so yeah. Nothing will ever be totally secure, but WireGuard is very secure compared to other VPN protocols, and it's also very fast.

OK, that’s a lot better than I expected by about a factor of 10.