[139855] in North American Network Operators' Group


Re: VPN over slow Internet connections

daemon@ATHENA.MIT.EDU (William Herrin)
Thu Apr 21 13:24:53 2011

In-Reply-To: <4DB06184.30508@mube.co.uk>
From: William Herrin <bill@herrin.us>
Date: Thu, 21 Apr 2011 13:24:10 -0400
To: Ben Whorwood <bw-ml@mube.co.uk>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Thu, Apr 21, 2011 at 12:55 PM, Ben Whorwood <bw-ml@mube.co.uk> wrote:
> Can anyone share any thoughts or experiences for VPN links running over slow
> Internet connections, typically 2kB/s - 3kB/s (think 33.6k modem)?
>
> We are looking into utilising OpenVPN for out-of-office workers who would be
> running mobile broadband in rural areas. Typical data across the wire would
> be SQL queries for custom applications and not much else.
>
> Some initial thoughts include...
>
>  * How well would the connection handle certificate (>= 2048 bit key) based
> authentication?

Fine. The certificate isn't sent very often and is only 256 bytes when
it is sent.

>  * Is UDP or TCP better considering the speed and possibility of packet loss
> (no figures to hand)?

TCP is more likely to pass firewalls at the user's end, especially if
you put your VPN server on port 443. UDP will allow the user's various
sessions to recover from packet loss independently (i.e. faster). I
would pick UDP and provide an alternate TCP configuration for users
who experience trouble.


>  * Is VPN over this type of connection simply a bad idea?

No worse than using this slow a connection in the first place. VPN
overhead is 5% to 10% tops. I would use a split tunnel though; let
general internet destinations go directly through the Internet
connection rather than through the VPN.

Regards,
Bill Herrin



-- 
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
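
The advice in the reply above (UDP first, a TCP alternative on port 443, and a split tunnel) written out as one OpenVPN client profile. This is an added example, not part of the original message; the hostname, the UDP port, the internal subnet, the timeout value and the file names are assumed placeholders.

```conf
# Added example: OpenVPN client profile, UDP first with TCP/443 fallback,
# split tunnel. All names and addresses below are placeholders.
client
dev tun

# Connection profiles are tried in order. UDP comes first so that each
# tunnelled session recovers from packet loss on its own.
<connection>
remote vpn.example.com 1194 udp
</connection>

# Fallback for networks that only pass outbound TCP/443.
<connection>
remote vpn.example.com 443 tcp
</connection>

# Give up on an unresponsive profile after 20 seconds and try the next one
# (assumed value; the default wait is much longer).
server-poll-timeout 20
resolv-retry infinite
nobind
persist-key
persist-tun

# Certificate-based authentication (file names are placeholders).
ca ca.crt
cert client.crt
key client.key
# Require the peer certificate to be a server certificate, so another
# client's certificate cannot be used to impersonate the VPN server.
remote-cert-tls server

# Split tunnel: ignore routes pushed by the server (including a pushed
# redirect-gateway) and send only the office subnet through the VPN.
# General Internet traffic keeps using the local connection.
route-nopull
route 10.20.0.0 255.255.0.0

verb 3
```

The server side needs a matching listener for each profile, which in practice means one OpenVPN instance on the UDP port and a second on TCP 443.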

