Unless you want super low power consumption, you're better off with a second-hand ex-office micro computer like an Intel NUC or the various Dell/HP/Lenovo VESA-mountable PCs.
Almost all of them have replaceable RAM and happily support an M2 and a 2.5" SSD if you want to RAID the storage, and you won't be relying on an SD card either.
~$100 USD will usually get you enough to run a bunch of VMs, not just a VPN.
Don't ignore the advantages of buying a used laptop (e.g. a ThinkPad), either! Battery backup against power loss, super power efficient, keyboard and screen for when your networking or SSH config is screwed up...
Not going to put a battery powered device not made for 24/7 into a corner of my flat, to be running 24/7 and be forgotten about. I've seen one too many puffed up batteries in a laptop to risk that. Nope.
When networking isn't working, SBCs have serial consoles for that.
These days power bricks are not external power sources anymore but merely charging devices.
CPU spikes can create power draws that could not be handled by power bricks as the system is designed as a whole, including a working battery to absorb such spikes, allowing for a downsized power brick (cheaper, simpler, smaller).
Gimping the CPU allows the machine to reliably operate in absence of battery, otherwise CPU spikes would result in power loss.
FWIW, ThinkPads support setting custom battery charge thresholds, which lowers the risk in this scenario. It also prolongs the battery life as the battery is not kept charged at 100% for extended periods of time.
Laptops, at least in my experience, don't turn themselves back on after a power cut so you have to pay attention to them. It was a pain for a CCTV server I had.
And if you care about power consumption, there are a bunch of Rockchip RK356x-based SBCs with reasonable PCIe and SATA implementations popping up every other day, with 2-8 GiB of RAM available for less than $100.
Can you recommend one or give hints on what you have to consider when shopping for a board like this? I mean, the thing about the Pi is that you know what you will get and what use cases are supported.
Linux 5.18 will have reasonably complete support for headless uses of quartz64-a. It's best to check https://elixir.bootlin.com/linux/latest/source/arch/arm64/bo... for whether the board is supported mainline, and how much of the hardware is enabled. Other than quartz64-a, and some Banana Pi, it looks like not many others are supported, yet.
Something with an i5-6500T ($100-$120 in an 8/256 config) is insane bang-for-the-buck relative to a Pi. Especially with the tendency of Pis to multiply.
I've been lazier - I've just been buying ~$120 "Minisforum" PCs (4 now, for various people I've set them up for). They work great, but their CPU performance compared to the i5-6500T leaves a lot to be desired (1000/1400 vs 1800/4800 single/multi). They still kick a Pi's butt, and they are x86, which makes lots of things easier.
My main hesitation with buying the used USFF has been the Intel Graphics generations - I don't know enough about it, but I do use my mini PC for Plex, and have a hard time comparing the integrated graphics, which is critical. These N4000 destroy the i5-3450 I have in my NAS. It was cheaper to buy an N4000 and put Plex on it over network access, than it was to completely upgrade my NAS to a new generation of hardware, and the newer QuickSync version can actually encode with Plex.
My understanding is that QSV transcoding stopped being trash with Skylake and newer, but I'm basing that off of this thread and use an i5-10400 for my own.
My original "Pi for PiHole" replacement 5-6 years ago was a used AMD GX-415GA NUC-alike that I spent less than $40 on and half was for an SSD. I keep it around still because it cold boots incredibly fast and if there's anything you want to boot really fast, it's the thing running your DNS.
Yeah, it's kind of a bummer how many things are being designed just for Raspberry Pi usage. For instance, Klipper for 3D printers. Technically you can use it on a Linux system, but they don't officially support that or tell you how. They only support the Raspberry Pi.
I bought my Pi for $5 and it runs a fully functional VPN, DNS server and ad blocker on my network. Can run some custom code on there to handle DHCP leases, etc.
Chip shortage made things tough, but they're still cheap when you can find one.
Keep in mind that in the last couple years I've seen a lot of public Wifi (e.g. coffee shop, business guest network) blocking common dynamic dns domains like those from Afraid, Duckdns, etc. They also block most UDP and TCP ports unrelated to web browsing.
The only VPN connection I've seen that works everywhere is one on TCP 443, with a domain name that you control. Maybe have a UDP VPN instance on another port for performance, but always have the TCP 443 instance available as backup so you won't get blocked out. Personally I use OpenVPN on TCP 443 and have never had issues.
That's why you can run a second UDP instance on another port if you need that performance, and have the TCP one available as a fallback if that is blocked. Though to be honest the performance loss really depends on what you're doing on the VPN - if you need low-latency, high-bandwidth services, then UDP is the way to go. If you just use it for SSH, VDI, browsing, and file transfer, I find the performance loss acceptable.
If for some reason my Tailscale instance doesn't work at a cafe, last resort is a public cheap VPS where I have sshd listening on port 443 .. to ssh -D localhost:8888 VPS .. and then socks proxy my browser over localhost:8888
I have spent lots of time fiddling with OpenVPN and Wireguard configurations. On a whim I tried out Tailscale and literally within 10 minutes I was up and running, it totally blew my mind.
Not a paid shill and I don't even use it that much but when I do I can count on it to work (which is a level of faith I never had in my own OpenVPN configs).
Or just buy a Mikrotik device; something like a hAP lite[0] can be had for much less than a Raspberry Pi + SD card nowadays. With RouterOS 7 it supports WireGuard and ZeroTier out of the box, and you can still even set up OpenVPN or L2TP/IPsec if that's your thing. With any luck you can even replace your ISP router completely and have much better control over your firewall and home network settings.
I'm just waiting for container/Docker support to be rolled out again so I can delegate some other tasks that currently run on Raspis (like MQTT, metrics buffering, IoT, etc).
It appears that the hAP lite uses a MIPS-based architecture; how quickly do VPNs run on it? When I was working on routers about a decade ago that was a major pain point; it would essentially limit OpenVPN connections to about 6 or 7 Mbps with a maxed-out CPU running at a similar clock speed.
ZeroTier maxes out based on the model since it's single core. On an ac3 around 20 Mbps is the cap. With WireGuard I max out at 300 Mbps. I can't test OpenVPN since Mikrotik doesn't support tls-auth. IPsec was always my given line speed.
Beware that you need fasttrack exclusion rules (e.g. via connection mark) for each VPN interface except ZeroTier.
Rather than connecting to your local network directly, you run a daemon that connects a machine on the local network to Cloudflare. You then connect to Cloudflare and it routes the traffic to your local network.
Very easy to set up and use; the tunnel itself is free if you don't need many users. You do need a domain, but not a massive cost. Plus no security worries about having an open port visible to the global internet, plus no need to worry about the IP for your home network, dynamic DNS, CGNAT etc.
You can run the daemon on a Raspberry Pi (personally I'm using the Docker container on a Synology NAS).
I have CGNAT and I can reach my Pi from anywhere through WireGuard (using Tailscale). Still can't host anything externally visible though (as you know).
The author uses a Fritz!Box router, which is a very popular device in Germany. Note that AVM, the company behind the routers, is working on providing Wireguard natively on their newer routers (no hardware-assisted encryption, though):
A much simpler solution is to buy the GL.iNet GL-SF1200 (https://www.gl-inet.com/products/gl-sf1200/ - costs only $30), which is powered by the open-source OpenWRT router OS and offers VPN support (both as client or server) with built-in OpenVPN or WireGuard. Other costlier GL.iNet routers with more CPU power and more RAM are also available.
It's using some sort of a custom installer that also downloads Cloudflare's BoringTun (https://github.com/cloudflare/boringtun) directly from the author's website (nyr[.]be), since Cloudflare doesn't seem to offer it as a binary release. Example:
The latest rasp no longer has a default pi user. Also, if your home net has the same subnet as the public Wi-Fi you're on, say 192.168.1.1, some stuff on local IPs won't work.
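The subnet clash mentioned above comes down to route selection: the kernel picks the longest matching prefix, and when the VPN pushes the same /24 the cafe's DHCP just handed out, the directly connected route wins on metric and home hosts become unreachable. This added example (not from the thread, with constructed interface names and metrics) simulates that selection and the common workaround of pushing two more-specific /25 routes instead of one /24:

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: str   # destination network in CIDR form
    dev: str      # outgoing interface
    metric: int   # lower wins when prefix lengths tie


def select_route(dst: str, table: List[Route]) -> Optional[Route]:
    """Longest-prefix match; on equal length the lower metric wins (Linux semantics)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in ipaddress.ip_network(r.prefix, strict=False)]
    if not matches:
        return None
    return max(matches, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.metric))


def split_more_specific(cidr: str) -> List[str]:
    """Split a network into its two halves so each beats an equal-length connected route."""
    return [str(n) for n in ipaddress.ip_network(cidr, strict=False).subnets(prefixlen_diff=1)]


def reachable_via_vpn(dst: str, table: List[Route], vpn_dev: str = "wg0") -> bool:
    r = select_route(dst, table)
    return r is not None and r.dev == vpn_dev


# Constructed scenario: the cafe hands out 192.168.1.0/24, which is also the home LAN.
CAFE_LAN = Route("192.168.1.0/24", "wlan0", 600)   # connected route added by DHCP
DEFAULT = Route("0.0.0.0/0", "wlan0", 600)
# The VPN pushes the same /24: equal prefix length, higher metric, so it loses.
COLLIDING = [CAFE_LAN, DEFAULT, Route("192.168.1.0/24", "wg0", 1000)]
# Pushing two /25s instead: longer prefix, so the tunnel route wins.
FIXED = [CAFE_LAN, DEFAULT] + [Route(p, "wg0", 1000) for p in split_more_specific("192.168.1.0/24")]

if __name__ == "__main__":
    for name, table in (("colliding", COLLIDING), ("split", FIXED)):
        print(name, "home host via VPN:", reachable_via_vpn("192.168.1.50", table))
```

The /25 trick steers every 192.168.1.x address into the tunnel, including the cafe's own gateway, so local services on the foreign network stop working; numbering the home LAN outside the common defaults avoids the clash altogether.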
Had something like this running before, with an extra tunnel to a VPS, so when I was connecting to this VPS on a specific port, it was eventually connecting to my home VPN - useful with dynamic IPs.
I can't remember the tool I used for the tunnel. SSH was quite slow and I remember using something else at the TCP level. Any idea? Bonus for any solution that works with UDP.
Other than the initial writing of the OS to the SD card, is there anything Pi specific about this?
It's been a gripe of mine for quite a while that there's now this whole subset of generic Linux how-tos which are titled "on the Raspberry Pi" for no particular reason. In the end the exact hardware isn't really that relevant to solving the problem.
For home I get the most bang for the buck (buck is my time here) by just setting up ssh and dynamic DNS. I port forward if I have to but mostly use socks5 to proxy in.
https://rpilocator.com, specifically https://twitter.com/rpilocator
https://news.ycombinator.com/item?id=31212413 (4 days ago)