April 11, 2016

It’s been a busy week. I lost many hours to the American Idol finale. Had to keep up on The Voice, of course. Then add in the massive (and very painful) project we’re in the middle of at the ever-dreaded job… The little time remaining was devoted to “final” tweaks to my internal network, and a major rework of my Amazon VPC in the hope of making my Amazon budget go a bit further.

It’s with the latter task that this story starts.

The Issue

My original site-to-site VPN to Amazon used their official VPN service. This works pretty well, but it isn’t ideal — for one thing, it’s overly expensive. I decided to make two changes: one, I moved the endpoint on this side out of VMware and onto a Raspberry Pi. Two, I hand-rolled my own VPN endpoint in Amazon on a t2.nano instance.

Piece of cake, and saves me nearly $40 per month.

But the Pi 2 can only handle about 25Mbit/s of VPN traffic, so I got to wondering if I could speed it up a bit…

Background

I’ve been tinkering with the Pi 2 for a while now. I gave up on Raspbian quickly because I have all my stuff connected to an IPA server for user authentication and automount maps. Last time I checked, Raspbian doesn’t come with the ipa-client packages.

Besides, I vastly prefer RPM-based distributions.

This led me originally to the RedSleeve project. It’s a port of RHEL 7.1 to ARM, and supports the Raspberry Pi (among others). I’ve been running it for several months now, and it’s pretty decent. There are, however, a couple of drawbacks:

  • Their yum repositories are fairly disorganized, and it takes some spelunking to figure out what you need to get it installed properly.
  • Only armv5tel is supported. No hardware floating point.

Earlier this week I ordered a couple of Pi 3s with the intention of replacing my git server (also on a Pi 2) and VPN endpoint. Some quick checks revealed that there’s no Pi 3 image for RedSleeve (as of this writing), and I didn’t feel like rolling my own.

Enter the CentOS AltArch Arm32 project. It’s the canonical RHEL clone, built for ARM.

The main benefit of CentOS ARM32 is that it’s armv7hl, which means that it uses the more advanced hardware capabilities, including the FPU. I’m not entirely certain how much difference that’s going to make for IPsec with AES encryption, but I’m curious. And it works on both the Pi 2 and Pi 3.

Now if only I could find a public mirror… I’m considering setting one up, but there’s a real cost concern there.