Question Wireless Router with multiple networks and VPNs

Apr 21, 2023
Hi Guys

This is probably a really vague question, but I'm looking to basically have a home office setup whereby I have the ability to connect to different networks, for different clients. Clients might require a VPN. So ideally simply switching networks will mean that I'm automatically connected to their VPN. I know some routers allow installing VPNs on the router. What I'm asking basically is what would be recommended such that I could have multiple networks off a single router, perhaps up to 4: 2 clients with separate networks, each with a VPN installed on the router that automatically works, a normal VPN bare network, and perhaps a guest network.

Am I imagining the impossible, or is this setup available without having a massive in-depth knowledge that would need a few weeks reading about routing tables etc. and over £1000 to make happen?

I know this is vague...hope this isn't like SO 😂🙈
 
Your best bet with a consumer router is going to be Asus with the Merlin firmware. You might also consider another router that runs third-party firmware similar to DD-WRT. In addition, I would look at the Asus routers that have a CPU that supports AES acceleration instructions. I forget the exact models but they tend to have a clock of 1.8. Last time I looked they have not used this CPU in their latest models.
The problem is that without the AES accelerator most consumer routers top out at about 30 Mbps, whereas with the AES instructions in the CPU they can get 200 Mbps. This is using OpenVPN; WireGuard can run a bit more.

Most firmware other than Merlin does not support the VPN accelerations, and I have not seen this feature on other brands of router, even ones that use the same CPU chip.

Merlin is your best option. I know it can run multiple VPNs and it can run multiple ISPs and it can direct some clients to one path and other clients to the other. What I don't know is if you can do the complex thing you want to do. It has the ability to change stuff with commands rather than the GUI, and since it is a Linux-based OS it should be possible to do it with the correct iptables settings. The GUI is just making changes to that file anyway.

Now your other option, especially with your budget, is to use a small PC that has at least 3 Ethernet ports: 2 WAN and a LAN. You can run one of the many Linux firewall/router variants. These all can likely do what you want; it just depends on how complex it is to set up. Again, you can manually do iptables and it will work... I hate iptables, it is not very obvious.
You should get massively better VPN performance using a PC, both because the CPU is a lot more powerful and because all modern CPUs support AES instructions. The key thing to watch out for is not the number of cores but the clock speed of the core. VPN and routing tend to be single-threaded, so only a single core is going to do all the work.
 
A little NUC-like device can be had for $200 and handle that easily. Figuring out how to set it all up might take a while. I have a pretty nice setup for something similar to this. I run Proxmox with VMs for each VPN, and those lie nested between pfSense on my LAN side and another router on my edge. I use dynamic rules to route whatever I need into the VPN it needs to go to. All traffic from x client to vpn1, traffic to y destination goes to vpn2, etc.

I nest my routers so all traffic from my clients is going through my firewall rules before hitting the VPN. If you set up the VPN using pfSense it also does this without the need for it. I prefer to have dedicated VMs. If you can get all your VMs set up in the pfSense GUI it will handle a lot of the routing for you.

Like Bill mentioned, OpenVPN has speed limitations; wg does not. My upload is <200 Mbps so I use OpenVPN since it's hardware offloaded with AES-NI and using the correct cipher. You need an Intel CPU on both sides for that. AMD has something too but named differently.
 
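Added example (not from the thread or from any poster's setup): the per-network routing discussed above, where each client network may leave only through its own VPN, written as a shell script that prints the `ip` and `iptables` commands for review instead of running them. The interface names (`br10`, `wg_a`, `eth0`), subnets and routing table ids are constructed assumptions.

```shell
#!/usr/bin/env bash
# Emits (does not execute) policy routing + firewall commands for a Linux router.
# Constructed sample data: every interface name, subnet and table id is an assumption.
# Columns: name  lan_if  subnet  egress_if  table ("-" = main table, no VPN)
NETWORKS='clientA br10 192.168.10.0/24 wg_a 110
clientB br20 192.168.20.0/24 wg_b 120
home br30 192.168.30.0/24 eth0 -
guest br40 192.168.40.0/24 eth0 -'

gen_rules() {
  local name lan subnet egress table
  # Replies to connections that were already allowed may come back in.
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  while read -r name lan subnet egress table; do
    [ -n "$name" ] || continue
    echo "# $name"
    if [ "$table" != "-" ]; then
      # Dedicated table: the tunnel is the only way out for this subnet.
      echo "ip route replace default dev $egress table $table"
      # If the tunnel route disappears, fail closed instead of using the ISP.
      echo "ip route replace unreachable default metric 1000 table $table"
      echo "ip rule add from $subnet lookup $table"
    fi
    echo "iptables -t nat -A POSTROUTING -s $subnet -o $egress -j MASQUERADE"
    # Only lan -> egress is forwarded; everything else from this LAN is
    # rejected, which blocks both VPN leaks and traffic between networks.
    echo "iptables -A FORWARD -i $lan -s $subnet -o $egress -j ACCEPT"
    echo "iptables -A FORWARD -i $lan -j REJECT"
  done <<EOF
$NETWORKS
EOF
}

# Print the plan for review; run the commands as root only after checking them.
gen_rules
```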