Next-Generation Secure Network Tunnel Announced For The Linux Kernel

  • #11
    Originally posted by starshipeleven
    It's power-hungry, bigger, usually requires fans and ATX PSUs and all kinds of stuff that can and does fail if left online and under load 24/7; embedded devices designed from the ground up for 24/7 usage and low power consumption are usually more reliable.

    It's not the first time stuff I (we) installed somewhere fails horribly or requires babysitting. Routers are usually much more resilient.

    For relatively limited usage (one or two VPNs) most routers are fine, and placing a dedicated x86 box is overkill.

    I'm therefore not spitting on a good way to do more VPNs without adding an x86 box.
    To be fair there are lots of small and silent x86 machines nowadays, ASUS Eee Box and subsequently Intel NUC changed that.

    Originally posted by WireGuard.io
    In the client configuration, when the network interface wants to send a packet to its single peer (the server), it will encrypt packets for the single peer with any destination IP address (since 0.0.0.0/0 is a wildcard). For example, if the network interface is asked to send a packet with any destination IP, it will encrypt it using the public key of the single peer HIgo9xNz..., and then send it to the single peer's most recent Internet endpoint.
    Wouldn't this open up for leaking the address of the connected node? Send a ping to 0.0.0.0 and read where the reply comes from, alternatively mask away half of the subnet until you've isolated a single address?


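An added illustration of the cryptokey-routing rule quoted from wireguard.io above (this is example code written for this page, not code from the thread or from the WireGuard project): the destination address picks the peer by longest-prefix match over AllowedIPs, and an inbound packet is only accepted when its source lies inside the decrypting peer's AllowedIPs. Public keys and addresses below are constructed placeholders.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Simplified model of WireGuard's cryptokey routing.
# Peers are keyed by public key (placeholder strings, not real keys) and carry
# a list of AllowedIPs prefixes in CIDR notation.

Row = Tuple[ipaddress._BaseNetwork, str]


def build_table(peers: Dict[str, List[str]]) -> List[Row]:
    """Flatten {pubkey: [cidr, ...]} into (network, pubkey) rows, most specific first."""
    rows = [(ipaddress.ip_network(cidr), pubkey)
            for pubkey, cidrs in peers.items() for cidr in cidrs]
    rows.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return rows


def select_peer(table: List[Row], dst: str) -> Optional[str]:
    """Outbound: return the peer whose AllowedIPs most specifically cover dst.

    With a single peer on 0.0.0.0/0 (the client case quoted above) every
    destination matches that peer; None means no peer claims the address,
    so the packet is dropped rather than sent in the clear.
    """
    addr = ipaddress.ip_address(dst)
    for net, pubkey in table:
        if addr in net:
            return pubkey
    return None


def accept_inbound(peers: Dict[str, List[str]], decrypting_peer: str, src: str) -> bool:
    """Inbound: a packet decrypted under a peer's key is accepted only if its
    inner source address is within that peer's AllowedIPs; otherwise it is dropped.
    This is what stops one peer from spoofing another peer's tunnel address."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(cidr) for cidr in peers[decrypting_peer])


# Constructed configurations mirroring the quoted description.
CLIENT_PEERS = {"SERVER_PUBKEY_PLACEHOLDER": ["0.0.0.0/0"]}  # single peer, wildcard
SERVER_PEERS = {
    "PEER_A_PUBKEY_PLACEHOLDER": ["10.192.122.3/32"],
    "PEER_B_PUBKEY_PLACEHOLDER": ["10.192.122.4/32", "192.168.4.0/24"],
}

if __name__ == "__main__":
    client_table = build_table(CLIENT_PEERS)
    server_table = build_table(SERVER_PEERS)
    print("client -> 8.8.8.8 via", select_peer(client_table, "8.8.8.8"))
    print("server -> 192.168.4.77 via", select_peer(server_table, "192.168.4.77"))
    print("server accepts spoofed source:",
          accept_inbound(SERVER_PEERS, "PEER_A_PUBKEY_PLACEHOLDER", "10.192.122.4"))
```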

    • #12
      Originally posted by Djhg2000
      ASUS Eee Box and subsequently Intel NUC changed that.
      That's laptop-grade hardware. Similar stuff existed even before them (laptops). Not reliable for 24/7 use.

      Something similar but not stupid are APU boards from PC Engines.



      • #13
        I'll stick with LibreSwan, thanks. Interoperates with Cisco, Check Point, Fortinet, etc. etc. etc.



        • #14
          something something standards proliferation...

          Seriously though - it does seem cool



          • #15
            Originally posted by starshipeleven
            Dunno about you, but any VPN I've tried kills most routers if you have more than a few tunnels. OpenVPN is a bitch on server side.
            Can definitely confirm. I got tired of not being able to find a VPN that wouldn't drop my connection or had decent bandwidth. So I started rolling my own VPN server. It ended up being great but if I ever really increased my bandwidth usage e.g. torrenting, I would sometimes get reports from Linode's notification system that my server CPU was at high or max capacity for long periods of time. I was able to reduce this after some configuring but it wasn't great. It also limited what else I was able to put on the server which also wasn't ideal.

            I've been using FrootVPN for a while now and they're pretty nice. The downside is it's not so nice that my latency is relatively low like it was when I ran my own box. Things like gaming through the VPN is a no go. I might try again with WireGuard and see how it goes.

            Also, I was under the heavy impression that IPsec would underperform compared to OpenVPN? His benchmarks seem to be quite the contrary: https://www.wireguard.io/performance/



            • #16
              Originally posted by computerquip

              Can definitely confirm. I got tired of not being able to find a VPN that wouldn't drop my connection or had decent bandwidth. So I started rolling my own VPN server. It ended up being great but if I ever really increased my bandwidth usage e.g. torrenting, I would sometimes get reports from Linode's notification system that my server CPU was at high or max capacity for long periods of time. I was able to reduce this after some configuring but it wasn't great. It also limited what else I was able to put on the server which also wasn't ideal.

              I've been using FrootVPN for a while now and they're pretty nice. The downside is it's not so nice that my latency is relatively low like it was when I ran my own box. Things like gaming through the VPN is a no go. I might try again with WireGuard and see how it goes.

              Also, I was under the heavy impression that IPsec would underperform compared to OpenVPN? His benchmarks seem to be quite the contrary: https://www.wireguard.io/performance/
              Maybe you were running L2TP/IPsec with the L2TP part in userspace (xl2tpd). If you use OpenL2TPd instead (uses a kernel module), it should be tons faster than OpenVPN.
              Haven't run tests with IKEv2, but I would expect that to be faster than OpenVPN too.



              • #17
                Originally posted by starshipeleven
                That's laptop-grade hardware. Similar stuff existed even before them (laptops). Not reliable for 24/7 use.

                Something similar but not stupid are APU boards from PC Engines.
                I think the quite large number of people running an Intel NUC 24/7 would disagree.

                I'm running both an Intel NUC and a Gigabyte BRIX (AMD) 24/7, coincidentally the NUC is even running OpenWRT and an OpenVPN client with enough performance to utilize the entire bandwidth of our fiber connection. The computers themselves have zero stability issues but the BRIX is running an ancient driver for the WiFi card which occasionally drops the connection (though it is two years older than the NUC).

                I'm not sure what you mean by "PC Engine" but I'll assume it's unrelated to what's also known as TurboGrafx from the late 80's. Please elaborate.



                • #18
                  Originally posted by Djhg2000
                  I think the quite large number of people running an Intel NUC 24/7 would disagree.
                  I don't care, the point is that consumer hardware is reliable enough for consumers where most units will not be run for so long and those that do will probably last enough with some luck, and even if they fail there is no big loss for everyone.

                  But for a company you need to be SURE that something is fire and forget and that tiny crappy fan or cheapo PSU will not come biting your ass 4 years down the line as the cost of sending a tech around is high and downtimes are fucking expensive.

                  I'm not sure what you mean by "PC Engine" but I'll assume it's unrelated to what's also known as TurboGrafx from the late 80's. Please elaborate.
                  Google "PC Engines apu board" -> http://www.pcengines.ch/apu.htm

                  "PC Engines" is the brand name.

                  That's more or less professional hardware for competitive prices, fanless (heat spreader connected to heavy-duty metallic case), plenty of connectivity where it matters for an embedded or network device, and so on and so forth.

                  They are making a newer version with a more powerful quad-core Jaguar APU, but for most things these boards are OK.



                  • #19
                    Originally posted by starshipeleven
                    That's laptop-grade hardware. Similar stuff existed even before them (laptops). Not reliable for 24/7 use.

                    Something similar but not stupid are APU boards from PC Engines.
                    I'm not sure why you think that pcengines brand boards are somehow "better" than what you refer to as "laptop grade" hardware. But be aware that there is a big difference between a LAPTOP and something like a NUC. For one, the biggest weakness of laptops is in the process of being phased out -- spinny disks. The second and third big issues with laptops don't even apply -- bending display cables and being subject to hostile use like being bumped around and coffee spills.

                    If you take a NUC-like device with an ssd and no cooling fan, and stick it safely up on a shelf where it is well protected, then I don't see ANY reason why it wouldn't run very reliably for many many years.


                    Also, that pcengines website does NOT provide me with feelings of confidence. Some hack wrote up the website in a few minutes with no care.



                    • #20
                      Bad idea. Avoid.

                      Does not use TCP => *really* silly idea
                      Does not use port 443 => will never work in 50%+ of places you need VPN
                      Is not userspace and is new => so will 100% for sure have exploitable holes, running with root permissions...
                      Has no Forward-Secrecy => written by someone who doesn't seem to grasp cryptography or modern threats properly => not safe to use
                      Does not use multifactor => poor forward planning

                      Has no clients for iOS/Android/OS X/Windows, not that you would ever want (or be able) to use this in the 1st place.
