Simple question: "home class" routers don't have very good VPN capabilities?

Tags:
  • Routers
  • VPN
  • Networking
June 5, 2014 8:44:51 AM

We have fibre optic FTTC broadband, which runs at around 20mbs download and 1.8mbps up.

Until recently we were using a Cisco Linksys WRT160NL as the primary router after the BT Openreach FTTC modem, and my wife could use her VPN connection to her works server with no problems.

However, the Cisco Linksys WRT160NL started to fall over and need re-booting from time to time, so I replaced it with a TP-Link TL-WR741ND. At first everything seemed to be OK, but then my wife started having problems with her VPN. Because the two things occurred separately (I switched the modems over a weekend and my wife didn't try to use her VPN for a few days after that), I didn't make the connection between the switch of routers and the VPN problem, and everything else in the house that uses broadband was working fine.

I tried switching the TP-Link router with two others that I had on hand, an Asus RT-N10E and a Belkin F7D1391, but neither of them sorted out the problems with the VPN. However, this morning, after a long telephone conversation with my wife's IT support people the difference in capability between "home" and "business" class routers was first mentioned. This was the first time that I have heard this. I reinstalled the Cisco Linksys WRT160NL and the VPN problems have gone!

I don't think the Cisco Linksys WRT160NL is a "business class" router, so it would seem that the fact that it works with my wife's VPN is just chance. Clearly this is not very satisfactory and I would like to get a decent business class router that is going to give my wife a reliable VPN connection. Any suggestions?


June 5, 2014 9:04:10 AM

Is the VPN between your wife's PC and her work or between your router and her work? If it is between her PC and her work then the router has very little to do with it (consumer vs business class). If the VPN is indeed between her PC and her work then you just need to make sure your router can forward VPN traffic (called VPN Passthrough). Most can, and it should be a documented feature for any router you are looking to purchase.
Also what are the "problems" your wife is seeing with the VPN?
June 5, 2014 9:20:30 AM

The VPN is between my wife's laptop and her work, the router just passes it through.

It worked perfectly for about a year with the Cisco Linksys WRT160NL in place, but when I changed that to the other routers I mentioned (first the TP-Link TL-WR741ND, and then the Asus RT-N10E and Belkin F7D1391 when she started complaining about the problem) she experienced frequent breaking of the VPN connection, even though the broadband appeared to be working perfectly. She uses Microsoft Outlook and manages both her own and her boss's email and calendars, and every time the VPN connection broke she had to restart Outlook or reboot her computer, which was a serious time waster. Since I put the Cisco Linksys WRT160NL back in place this morning the VPN connection has only broken once.

PS:
The TP-Link TL-WR741ND spec says "VPN Pass-Through: PPTP, L2TP, IPSec (ESP Head)"
The Asus RT-N10E spec doesn't seem to mention VPN
The Belkin is actually an F7D1301 not F7D1391. I couldn't find out any specs for it, but I did find someone saying that you have to enable VPN passthrough in most routers for VPN traffic to pass. I guess this can't be true or else my wife wouldn't have got a VPN connection at all.
June 5, 2014 9:32:54 AM

Is her laptop wireless? If so, are you using the wireless signal from the routers you are trying? It only takes a little interruption to cause a VPN to terminate. It may be your Linksys provides a steadier wireless connection than the other routers. Of course all that is moot if she uses a wired connection. Most modern home routers have VPN passthrough. That's why I think the problem is probably something else not directly related to the VPN itself.
June 5, 2014 9:43:42 AM

The laptop is connected by cable to the router via powerline adapters. This setup, with the Cisco Linksys WRT160NL, worked perfectly for about a year with no complaints about the VPN connection; it was only after I switched that router because it seemed to be going faulty that the VPN problems started. And now that I have put it back as it was, with the Cisco Linksys WRT160NL, it seems to have gone back to being OK.

I would continue with the setup as it is now since it seems to be working OK, but I am concerned that the Cisco Linksys WRT160NL might fail at any moment and I haven't got a router on hand that I can replace it with, because all the others I have tried seem to cause problems with the VPN connection.

Thanks for your help BTW.
June 6, 2014 1:30:06 AM

Having run a few speedtests recently using the TP-Link TL-WR741ND and the Cisco Linksys WRT160NL, with the TP-Link I was seeing about 19.5Mbps download. With the Cisco Linksys I am back to the 21.5Mbps that I was getting before. This is quite a difference; an extra 2Mbps is about +10%!

I would like to replace the old Cisco Linksys, or at least have a backup in place for when it eventually fails. I guess I don't need a business class router with VPN capability built in, I just need a router with good "VPN passthrough", and I would like one that gives me the same 21.5Mbps as the Cisco Linksys. Any suggestions?
June 6, 2014 3:07:03 AM

I would suspect you have a different problem. The only feature you need is what is called VPN passthrough. This is a very simple feature and should put almost no load on the router. In many cases you do not even need this feature. You would have to look at exactly what type of VPN is being run. If it uses PPTP (highly unlikely) or it uses normal IPSEC it will need this feature. Most businesses know this is an issue and run IPSEC in NATT mode. This allows it to pass through any router since the traffic appears to be standard UDP data on port 4500. Most remote access VPNs have gone to SSL-based VPN since these pass through anything including proxy servers. This appears as normal HTTPS traffic.

Now if you were to terminate the VPN on the router itself then there is a huge difference between consumer and commercial routers, but for just allowing data to go through the router from the client it is unlikely there is much difference. I suspect we have more than 5000 people using the remote access where I work on any given day into various gateways around the world. I would doubt many are using commercial routers, and a number are using public wifi and hotel hotspots.
June 6, 2014 4:53:36 AM

bill001g said:
I would suspect you have a different problem. The only feature you need is what is called VPN passthrough. This is a very simple feature and should put almost no load on the router.

Thanks for your info, but it leaves me rather more baffled than before.

Until I switched the router from the Cisco Linksys WRT160NL to the TP-Link TL-WR741ND my wife had no problems with her VPN connection for a period of about a year. However, with the TP-Link TL-WR741ND, Asus RT-N10E and Belkin F7D1391 she experiences disconnections from the server a few minutes after establishing the connection. (She did say that if she kept the link "alive" by replying to emails quickly one after another, then it would remain up, but if she stopped to think about something for a few moments the connection would drop - I don't know whether this might tell you something?)

Since I have put the Cisco Linksys WRT160NL back in place yesterday her VPN connection seems to have been up for over 24hrs.

All these routers look like plain, ordinary, consumer routers to me, so why does the VPN work perfectly well with one, but not with the other three? Presumably there must be some difference in the specification of the router that does work from those that don't, but there is not much detail in the manufacturers' literature, and all the tests that I look at seem to concentrate on the WiFi performance rather than wired throughput.

And why is there a variation in download speeds between the routers? I expected them all to be much the same, but that doesn't seem to be the case, and naturally I want to have the fastest I can get.
June 6, 2014 5:52:39 AM

The only thing that can sometimes bite you is if the NAT were to time out too quickly. Most times it is using UDP 4500 to run IPSEC over. Since the router only has so much memory it wants to get rid of any unneeded NAT entries. TCP is simple since it can see the request to close the session. UDP does not do that, so what most routers do is set a timer and if it does not see any traffic using it, it removes the entry.

This is where a commercial router has a huge advantage: it has commands that let you examine these timers and the ability to monitor stuff like this. With a consumer router you are lucky if they even have a way to display the NAT table at all.

It is really hard to guess this. The first step is to get details of exactly how the VPN is running. If it were using SSL then it uses TCP so the above discussion does not apply.

If the IT guys were stronger they would be asking for a Wireshark capture on your wife's PC, since you can to a point tell why the connection is dropping...especially if you have a capture from the server end at the same time. If you want you can do a Wireshark capture, but debugging VPN at the packet level is not exactly a beginner project, though you will learn a lot.
June 6, 2014 8:01:30 AM

bill001g said:
It is really hard to guess this. The first step is to get details of exactly how the VPN is running. If it were using SSL then it uses TCP so the above discussion does not apply.

Thanks again for your help. I have asked the support team for details of the VPN connection and as soon as I have those I'll get back.

June 6, 2014 11:33:24 AM

The guys at my wife's support team came back with the answer "The VPN connection is PPTP."

So from what you said before I need VPN passthrough - or I guess I at least need to check that a router has this capability and that it is turned on.

May I ask why in your earlier post you said that PPTP was highly unlikely?
June 6, 2014 11:40:38 AM

PPTP is not very secure anymore. Most companies have moved away from it.
June 6, 2014 12:02:55 PM

Your router does have VPN passthrough for PPTP or it would not work at all. This is a pretty stupid feature and I can't see how a difference in routers would make a difference. It has a TCP session open for the control; if this session closes for any reason the PPTP goes down. The data is carried over a GRE tunnel. The passthrough feature just keeps track of a special code inserted in the GRE headers and allows traffic with the same code to be sent back. It does a similar thing to mapping ports, but this is automated. I would not think you were losing this mapping randomly.

PPTP I have little experience troubleshooting; it is considered insecure so it is not used commercially much. You usually see this with home users.

It likely is some form of packet loss, but I can't see why a different router would make any difference.
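As an added illustration, not from anyone in this thread, of the two mechanisms bill001g describes (the NAT idle timer that reclaims a quiet UDP 4500 IPsec NAT-T mapping, and the per-call-ID tracking a router does for PPTP's GRE data), here is a constructed Python model of a consumer router's NAT state table. The timeout values, the client address and the call ID are assumptions, not any real router's settings.

```python
"""Toy model of a consumer router's NAT state table (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed idle timeouts in seconds for a hypothetical consumer NAT; real
# routers differ and rarely document them, which is why behaviour varies by model.
IDLE_TIMEOUT = {"tcp": 3600, "udp": 60, "gre": 60}


@dataclass
class NatTable:
    """Maps (protocol, outside key) to the inside host; key is a port or GRE call ID."""
    entries: dict = field(default_factory=dict)

    def outbound(self, proto: str, key: int, inside_host: str, now: float) -> None:
        """An outbound packet creates or refreshes a mapping (PPTP: keyed on call ID)."""
        self.entries[(proto, key)] = {"host": inside_host, "last_seen": now}

    def inbound(self, proto: str, key: int, now: float) -> Optional[str]:
        """Deliver a reply: returns the inside host, or None if the mapping is gone."""
        entry = self.entries.get((proto, key))
        if entry is None:
            return None
        if now - entry["last_seen"] > IDLE_TIMEOUT[proto]:
            del self.entries[(proto, key)]  # idle timer fired: entry reclaimed
            return None
        entry["last_seen"] = now
        return entry["host"]

    def tcp_close(self, key: int) -> None:
        """TCP carries an explicit FIN/RST, so the NAT can drop the entry at once."""
        self.entries.pop(("tcp", key), None)


def reply_reaches_client(proto: str, key: int, quiet_seconds: float,
                         keepalive_every: Optional[float] = None) -> bool:
    """Client 192.168.1.10 (assumed) sends once, then is idle for quiet_seconds,
    optionally sending a keepalive every keepalive_every seconds. Returns whether
    the server's next packet still finds the client through the NAT."""
    nat = NatTable()
    nat.outbound(proto, key, "192.168.1.10", now=0.0)
    if keepalive_every:
        t = keepalive_every
        while t < quiet_seconds:
            nat.outbound(proto, key, "192.168.1.10", now=t)
            t += keepalive_every
    return nat.inbound(proto, key, now=quiet_seconds) == "192.168.1.10"
```

With a 60 s timer, `reply_reaches_client("udp", 4500, 180)` fails while the same pause with a 20 s keepalive succeeds, which is the "drops when she stops typing" symptom described earlier; a router with a longer (undocumented) timer would never show it.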
June 7, 2014 4:26:17 AM

Could it just be that the Cisco Linksys WRT160NL is a better/faster router than the others? The others were all fairly cheap, and the increase in download speed that I got when I switched back to using the Cisco Linksys was noticeable. Perhaps it is just a performance issue?

I think all the routers I have are only 10/100 rather than gigabit. Maybe if I got a new router with gigabit capability and top of the line performance like the Netgear R7000 or Linksys EA6900 then that would do the trick. But naturally I am reluctant to shell out the cash without knowing that the new router will solve the problem.
June 7, 2014 9:25:33 AM

You would have to do lots of digging to guess if it is memory or processor speed. Wikidevi has lots of router info mostly based on data from the FCC filings.
The function is actually pretty simple; it is just looking at a header in the tunnel rather than looking up port numbers like it does for NAT. If you go to say smallnetworkbuilders, most routers can easily exceed any internet connection, but they are also testing a simple single session, not VPN passthrough.

June 19, 2014 3:19:02 AM

In my experience the intermittent problems you're getting are just as likely to be caused by bugs or inadequacies in the Cisco firmware which you can do very little about. I would firstly check on Google to see if many other people are having the same sort of trouble and try to confirm that it is the firmware. Either way you should check to see if there's a newer version available which might solve your problems in a shot.

You might not be aware of this but in many ways you already have a "business" class router in the WRT160NL. You just need to turn it into one. And there is a way to do that. Have you considered flashing dd-wrt onto it (http://www.dd-wrt.com/wiki/index.php/Linksys_WRT160NL)? Doing this will replace the Cisco firmware and interface with dd-wrt and add loads more features including all the VPN stuff and security you'll ever need. It's really quite eye-opening and one of the first things I do whenever I buy a new router.

Here's a couple of links: WRT160NL ddwrt upgrade (http://linux.wxs.ro/2013/05/03/wrt160nl-ddwrt-upgrade/) ; Enter your model number here (http://www.dd-wrt.com/site/support/router-database) and the database will show you what's available, although you can often find newer and better firmware if you read through the forums.

A few things to think about first. It is relatively easy to brick your device if you flash the wrong firmware or don't follow the instructions carefully. Just follow them carefully or ask on the forums and you'll be fine. When you do succeed in flashing dd-wrt, the router interface will be substantially different and initially seem quite overwhelming, with many more features and options than the Cisco one.

It scared the crap out of me until I realised you don't have to use them all and most of them are set by default anyway. Failing that there's plenty of places on the web where you can get help to configure them. I'd say if you're already considering buying a replacement router, give dd-wrt a go - you have nothing to lose. I'm pretty sure the new dd-wrt firmware will solve whatever problems you have...as well as performance and a whole bunch of others you never knew you had. One more thing, if it doesn't fix your problems or you don't like it you can always flash it back to the original Cisco firmware!