Home page logo

nanog logo nanog mailing list archives

Re: VPN over slow Internet connections
From: Ben Jencks <ben () bjencks net>
Date: Thu, 21 Apr 2011 14:43:10 -0400

On Apr 21, 2011, at 12:55 PM, Ben Whorwood wrote:

Dear all,

Can anyone share any thoughts or experiences for VPN links running over slow Internet connections, typically 2kB/s - 
3kB/s (think 33.6k modem)?

We are looking into utilising OpenVPN for out-of-office workers who would be running mobile broadband in rural areas. 
Typical data across the wire would be SQL queries for custom applications and not much else.

Some initial thoughts include...

 * How well would the connection handle certificate (>= 2048 bit key) based authentication?

Should be fine. Might take 30 seconds to connect, but after connection it makes no difference

 * Is UDP or TCP better considering the speed and possibility of packet loss (no figures to hand)?

Since you're running TCP applications (database connections), you definitely want UDP. TCP-in-UDP behaves correctly in 
the presence of packet loss, TCP-in-TCP behaves horribly (it causes exponential backoff on the outer VPN connection, 
which causes queueing of the inner packets when they should be dropped. I've seen 20-30 second latencies with TCP VPNs 
over slow/lossy links).

 * Is VPN over this type of connection simply a bad idea?

It shouldn't be any worse than running directly over the connection. With a UDP VPN it does packet-by-packet 
encapsulation, so it only adds the fixed per-packet overhead.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]