Re: linux router connecting to dd-wrt(s) for VPN
On 2008-04-16 12:56:34 -0400, Damon Getsman <dgetsman@amirehab.net> said:
> The office that I work at is connected to several satellite offices
> via 3 separate dd-wrt openVPN linksys routers. Each is a separate
> gateway, 2 for specialized services and one for general internet and
> GNOME desktop traffic (which is normally on the local subnet of the
> WAN to conserve bandwidth). Our current projected expansion has my
> superior thinking that it would be a good idea to replace these 3
> linksys routers (and their associated 200MHz processors) with a
> dedicated linux routing machine, short on memory and HDD space, with
> 1GHz or slightly higher processor so that we can handle whatever
> bandwidth needs we're thrown in the next year.
I'd highly recommend OpenBSD for routing / security / VPN work as well.
The OS is not known for being a serious performer, but does very
well with minimal hardware configurations - for example, I've been
running my home firewall box and OpenVPN connectivity to myself and
other distant personal machines where I work, inclusive of routing
protocols, on a 486DX5-133 with 32MB for the last few years very
reliably. :D The anti-DDoS, anti-spoof, AuthPF and some other features
with PF are just awesome, IMHO.
The PF language for implementing firewall rules is very robust and
feature-rich (available in other *BSD's too).
I'd consider spec'ing some new / cheap machines to do all this work, if
you can do that, here's a running list of ideas:
Consider these issues / ideas when spec'ing your box:
- Every network packet on an untuned OS represents a hardware
interrupt. This chews up CPU on a system, along with the impact of
running OpenVPN in whatever cryptographic configuration you have.
Modern Linux systems do do interrupt coalescing, which mitigates this
somewhat, but you could go all the way up to ToE (TCP Offload Engines)
& SSL offload engines on a box (both are supported on Linux, I
particularly like Chelsio for ToE cards, and some SSL accelerators on
*BSD).
- Whatever OS you choose, take a good look in the documentation for
kernel tweak-ables for network buffers and size appropriately to create
necessary queues for traffic flows, etc.
- Consider the use of transparent bridging in any firewall
configuration for additional security - transparent bridging is where
you place an IP-aware firewall configured in the middle of an Ethernet
bridge configured with two or more Ethernet interfaces in your OS. The
cool part about this is that there's not much "to hack" here, as the
firewall doesn't have an addressable IP end-point. This may not fit
into your VPN plans well, just toy with the idea.
- FWBuilder is a cool GUI tool for configuring firewalls of disparate
types, however, its support for full PF features is kind of lagging
somewhat.
Hope this helps a little
/dmfh
--
_ __ _
__| |_ __ / _| |_ 01100100 01101101
/ _` | ' \| _| ' \ 01100110 01101000
\__,_|_|_|_|_| |_||_| dmfh(-2)dmfh.cx |
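As an added illustration of the transparent-bridge and anti-spoof ideas in the reply above (this is not dmfh's own configuration, and Damon's thread says nothing about his addressing), here is a pf.conf for a two-interface OpenBSD bridge that sits between an upstream router and an office LAN hosting an OpenVPN gateway. Everything concrete in it is an assumption: em0/em1 as the bridge members, 192.168.10.0/24 as the LAN, 192.168.10.1 as the internal OpenVPN endpoint, three satellite peers in the 203.0.113.0/24 documentation range, UDP 1194, and the bridge itself created with `ifconfig bridge0 add em0 add em1 up` (older releases used brconfig). It uses the `match ... scrub` form introduced in OpenBSD 4.6; earlier releases spell that line `scrub in all`.

```pf
# Transparent bridge firewall: em0 faces the upstream router, em1 faces the
# office LAN. Neither member carries an IP address, so the box has no
# addressable end-point of its own. All names/addresses below are assumed.
ext_if   = "em0"
int_if   = "em1"
lan_net  = "192.168.10.0/24"
vpn_gw   = "192.168.10.1"            # OpenVPN server on the LAN (assumed)
vpn_peers = "{ 203.0.113.10, 203.0.113.20, 203.0.113.30 }"   # satellite offices (assumed)
vpn_port = "1194"

set skip on lo
set block-policy drop

# Normalise fragments/IP options before anything else looks at them.
# (OpenBSD < 4.6: replace with "scrub in all".)
match in all scrub (no-df)

# A bridged packet is evaluated once on each member. Filter statefully on
# $ext_if only and let the LAN member pass everything without creating
# state, so every flow is tracked exactly once.
pass quick on $int_if no state

# Anti-spoof. The "antispoof for $int_if" keyword expands from the
# interface's own address, which a bridge member does not have, so the
# rule is written out by hand: nothing arriving from upstream may claim a
# LAN source address.
block in log quick on $ext_if from $lan_net to any

# Default deny on the filtered member.
block log on $ext_if

# OpenVPN from the satellite offices to the internal VPN gateway; the
# state entry lets the UDP replies back out.
pass in on $ext_if proto udp from $vpn_peers to $vpn_gw port $vpn_port keep state

# LAN-originated traffic to the outside; replies match the state.
pass out on $ext_if from $lan_net to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and watch `tcpdump -n -e -ttt -i pflog0` for the logged blocks while the satellite tunnels come up. Because the filtered member has no address, `antispoof` and any rule keyed on `($ext_if)` interface addresses silently do nothing here; spell the networks out as above.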