Choosing the Right VPN for SmoothWall Express
SmoothWall Express is a purpose-built, headless firewall/server distribution tailored for network administrators who demand a lean, secure environment. Unlike desktop-oriented distros, SmoothWall Express provides a web GUI and a minimal console. It uses ipkg for add-on modules, applies strict partitioning (separate /boot, /, /var, /log), and is optimised for iptables. As such, any VPN client must install via ipkg, integrate cleanly with the existing netfilter rules, and run stably on limited hardware.
The top candidates for this scenario are:
- OpenVPN – mature, very configurable, with an ipkg package already in the SmoothWall repository.
- WireGuard – modern, lightweight, and in-kernel (as of 3.18), delivering excellent throughput on small footprints.
- StrongSwan (IPsec) – enterprise-grade IPsec for site-to-site tunnels; more complex but well supported in ipkg.
Comparison of Top VPN Clients
| VPN | Protocol | Kernel / Userland | ipkg Package | Repository Link | Official Site |
|---|---|---|---|---|---|
| OpenVPN | SSL/TLS | Userland | openvpn | SmoothWall Modules | openvpn.net |
| WireGuard | WireGuard | In-kernel, with userland tools | wireguard-tools | SmoothWall Modules | wireguard.com |
| StrongSwan | IPsec | Userland (kernel modules) | strongswan | SmoothWall Modules | strongswan.org |
Installing and Configuring OpenVPN
1. Install the OpenVPN Module
```
# Update module list
ipkg update
# Install openvpn
ipkg install openvpn
```
2. Upload Certificates and Config
Use the SmoothWall web GUI or SCP to place your client or server .crt/.key files into /usr/local/openvpn/. Then create a config file at /usr/local/openvpn/yourvpn.conf:
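```
# Transport and tunnel device
port 1194
proto udp
dev tun
# Certificates, key and DH parameters uploaded in this step
ca /usr/local/openvpn/ca.crt
cert /usr/local/openvpn/your.crt
key /usr/local/openvpn/your.key
dh /usr/local/openvpn/dh2048.pem
cipher AES-256-CBC
# Drop privileges after start-up; persist-* keeps the key and tun device across restarts
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
verb 3
```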
3. Adjust Firewall and Enable Service
```
# Allow OpenVPN port in iptables (via console)
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
# Save the rules
iptables-save > /etc/iptables.rules
# Enable on boot: add to /etc/rc.d/rc.local
# (--daemon backgrounds OpenVPN so rc.local is not blocked)
echo '/usr/local/sbin/openvpn --daemon --config /usr/local/openvpn/yourvpn.conf' >> /etc/rc.d/rc.local
# Start immediately
/usr/local/sbin/openvpn --daemon --config /usr/local/openvpn/yourvpn.conf
```
Installing and Configuring WireGuard
1. Install WireGuard Tools
```
ipkg update
ipkg install wireguard-tools kmod-wireguard
```
2. Generate Keypair
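```
# Create new files without group/other access, so the private key
# is never readable by others, even before the chmod below
umask 077
# Generate server private and public keys
wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key
# Secure permissions
chmod 600 /etc/wireguard/server_private.key
```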
3. Create wg0.conf
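```
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
# Paste the contents of /etc/wireguard/server_private.key here;
# wg-quick does not expand shell substitutions such as $(cat ...)
PrivateKey = <server_private_key>

# Example peer
[Peer]
PublicKey = <peer_public_key>
AllowedIPs = 10.0.0.2/32
```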
4. Enable and Start WireGuard
```
# Bring up interface
wg-quick up wg0
# Persist on boot (add to rc.local)
echo 'wg-quick up wg0' >> /etc/rc.d/rc.local
```
Don’t forget to open UDP/51820 in your iptables configuration and save it just like in the OpenVPN example.
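A pre-flight check for the WireGuard steps above, added here as an example and not part of the original article or of SmoothWall: it verifies the private key's file mode, that `PrivateKey` in wg0.conf is a literal key, and that a saved `iptables-save` dump accepts UDP on the configured `ListenPort`. The function names are hypothetical, all paths are passed as arguments, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the original article. Paths are arguments;
# the files written by make_samples are constructed test data.

# Succeeds if the key file grants nothing to group or other (e.g. 600).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Prints the value of the first "KEY = value" line in a wg-quick config.
conf_value() {   # conf_value FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Succeeds if PrivateKey is a literal 44-character base64 key rather than
# a placeholder or $(...) text, which wg-quick would not expand.
private_key_is_literal() {
    conf_value "$1" PrivateKey | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Succeeds if an iptables-save dump accepts inbound UDP on ListenPort.
port_is_open() {   # port_is_open CONF RULES
    port=$(conf_value "$1" ListenPort)
    [ -n "$port" ] || return 1
    grep -Eq -e "^-A INPUT .*-p udp .*--dport $port .*-j ACCEPT" "$2"
}

# Runs all three checks, prints one line per failure, returns the count.
audit_wg() {   # audit_wg CONF KEYFILE RULES
    fails=0
    key_is_private "$2" || { echo "FAIL: $2 readable by group/other"; fails=$((fails+1)); }
    private_key_is_literal "$1" || { echo "FAIL: PrivateKey in $1 is not a literal key"; fails=$((fails+1)); }
    port_is_open "$1" "$3" || { echo "FAIL: ListenPort not accepted in $3"; fails=$((fails+1)); }
    return "$fails"
}

# Constructed sample files mirroring the article's layout (dummy all-zero key).
make_samples() {   # make_samples DIR
    printf '%043d=\n' 0 > "$1/server_private.key"; chmod 600 "$1/server_private.key"
    printf '[Interface]\nAddress = 10.0.0.1/24\nListenPort = 51820\nPrivateKey = %043d=\n' 0 > "$1/wg0.conf"
    printf '*filter\n-A INPUT -p udp -m udp --dport 51820 -j ACCEPT\nCOMMIT\n' > "$1/iptables.rules"
}
```

On a live system, run it as `audit_wg /etc/wireguard/wg0.conf /etc/wireguard/server_private.key /etc/iptables.rules` after saving the rules.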
Conclusion
For a firewall-only environment such as SmoothWall Express, OpenVPN and WireGuard stand out: OpenVPN for its maturity and fine-grained controls, and WireGuard for its minimal overhead and modern kernel integration. Both install effortlessly via ipkg, slot into your iptables policy, and can be automated in the SmoothWall boot sequence. With these in place, your network perimeter will be both secure and performant.