[139860] in North American Network Operators' Group
Re: VPN over slow Internet connections
daemon@ATHENA.MIT.EDU (Ben Jencks)
Thu Apr 21 14:43:24 2011
From: Ben Jencks <ben@bjencks.net>
In-Reply-To: <4DB06184.30508@mube.co.uk>
Date: Thu, 21 Apr 2011 14:43:10 -0400
To: Ben Whorwood <bw-ml@mube.co.uk>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Apr 21, 2011, at 12:55 PM, Ben Whorwood wrote:
> Dear all,
>
> Can anyone share any thoughts or experiences for VPN links running over slow Internet connections, typically 2kB/s - 3kB/s (think 33.6k modem)?
>
> We are looking into utilising OpenVPN for out-of-office workers who would be running mobile broadband in rural areas. Typical data across the wire would be SQL queries for custom applications and not much else.
>
> Some initial thoughts include...
>
> * How well would the connection handle certificate (>= 2048 bit key) based authentication?

Should be fine. Might take 30 seconds to connect, but after connection it makes no difference.

> * Is UDP or TCP better considering the speed and possibility of packet loss (no figures to hand)?

Since you're running TCP applications (database connections), you definitely want UDP. TCP-in-UDP behaves correctly in the presence of packet loss; TCP-in-TCP behaves horribly (it causes exponential backoff on the outer VPN connection, which causes queueing of the inner packets when they should be dropped. I've seen 20-30 second latencies with TCP VPNs over slow/lossy links).

> * Is VPN over this type of connection simply a bad idea?

It shouldn't be any worse than running directly over the connection. With a UDP VPN it does packet-by-packet encapsulation, so it only adds the fixed per-packet overhead.
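The TCP-in-TCP argument in the reply above, as an added toy model that is not part of the original thread and not OpenVPN code. It isolates the single mechanism the reply names: a reliable outer stream retransmits a lost segment after a retransmission timeout that doubles on every retry, and the far end cannot hand anything behind that segment up to the inner stack until the hole is filled, whereas a datagram tunnel just drops the lost packet and lets the inner TCP deal with it. The packet spacing, one-way delay, initial RTO and loss pattern are constructed numbers; the model deliberately omits the congestion window, bandwidth limits and the inner TCP's own retransmissions (which, in the real case, pile extra copies into the outer queue and make things worse than shown).

```python
"""Toy model of the TCP-in-TCP problem.  Constructed example, not OpenVPN
code: no congestion window, no bandwidth limit, no inner-TCP retransmits."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# lost(seq, attempt) -> True if transmission number `attempt` of inner packet
# `seq` is lost on the outer link.  Deterministic, so runs are reproducible.
LossFn = Callable[[int, int], bool]


@dataclass
class Record:
    seq: int
    sent_at: float                  # inner packet handed to the tunnel (s)
    delivered_at: Optional[float]   # handed to far-end inner stack; None = dropped


def udp_tunnel(n: int, interval: float, one_way_delay: float, lost: LossFn) -> List[Record]:
    """Datagram encapsulation: one outer packet per inner packet, no retries.
    A lost datagram is simply gone; the inner TCP sees an ordinary loss."""
    records = []
    for seq in range(n):
        t = seq * interval
        arrived = None if lost(seq, 0) else t + one_way_delay
        records.append(Record(seq, t, arrived))
    return records


def tcp_tunnel(n: int, interval: float, one_way_delay: float, lost: LossFn,
               rto: float = 1.0, max_rto: float = 60.0) -> List[Record]:
    """Stream encapsulation: the outer TCP retransmits a lost segment after its
    RTO, doubling the RTO on each consecutive loss (RFC 6298 style backoff),
    and the receiver holds every later segment until the hole is filled."""
    records = []
    hol_until = 0.0   # delivery time of the most recent in-order segment
    for seq in range(n):
        t = seq * interval
        send_at, attempt, cur_rto = t, 0, rto
        while lost(seq, attempt):
            send_at += cur_rto                  # wait for the retransmit timer
            cur_rto = min(cur_rto * 2, max_rto)
            attempt += 1
        arrived = send_at + one_way_delay
        delivered = max(arrived, hol_until)     # head-of-line blocking
        hol_until = delivered
        records.append(Record(seq, t, delivered))
    return records


def summarize(records: List[Record]) -> Dict[str, float]:
    """Delivered/dropped counts and latency of what did get through."""
    lat = [r.delivered_at - r.sent_at for r in records if r.delivered_at is not None]
    return {
        "delivered": len(lat),
        "dropped": len(records) - len(lat),
        "max_latency": max(lat) if lat else 0.0,
        "mean_latency": sum(lat) / len(lat) if lat else 0.0,
    }


def lose_packet_twice(victim: int) -> LossFn:
    """Constructed loss pattern: the first two transmissions of one packet are
    lost on the outer link, everything else gets through."""
    return lambda seq, attempt: seq == victim and attempt < 2


if __name__ == "__main__":
    # 10 inner packets 100 ms apart over a 300 ms one-way link (constructed).
    for name, fn in (("udp", udp_tunnel), ("tcp", tcp_tunnel)):
        print(name, summarize(fn(10, 0.1, 0.3, lose_packet_twice(2))))
```

With that single unlucky packet the UDP tunnel drops it and every other packet arrives 300 ms after it was sent; the TCP tunnel drops nothing, but the two timeouts (1 s, then 2 s) push the victim to 3.3 s and every packet queued behind it to roughly 3 s as well. In OpenVPN terms this is the difference between `proto udp` and `proto tcp-client` on the client side.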