[139878] in North American Network Operators' Group


Re: VPN over slow Internet connections

daemon@ATHENA.MIT.EDU (Phil Regnauld)
Thu Apr 21 16:31:43 2011

Date: Thu, 21 Apr 2011 22:31:32 +0200
From: Phil Regnauld <regnauld@nsrc.org>
To: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <C47FAE48-E13F-4D0A-B36C-0B5487F6AA93@cs.columbia.edu>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Steven Bellovin (smb) writes:
> 
> I should note: IPsec, being datagram-based, will also work well.  PPTP,
> which runs over TCP as far as I know, will suffer all of the ills I just
> outlined.

	PPTP uses 1723/tcp for control, but the tunneled traffic is GRE,
	so that would work fine as well.

> If you do it correctly, a VPN is actually better: you can assign a
> static internal IP address to each certificate.  If the modem connection
> drops, when you reconnect the applications will still have the same
> IP address, so their connections won't be interrupted.

	Absolutely, that's the case with OpenVPN, if you assign static IPs to
	each profile.  PPTP can do this as well, for instance using MPD.
	Very big advantage in fact.

> Someone suggested trying it using a FreeBSD flakeway; that's a good idea.

	Using a dummynet box as a router (or bridge for that matter), you have
	the benefit that you can run tcpdump on the traffic, and record the packet
	sizes with and without VPN, then derive the actual observed overhead.

	Cheers,
	Phil
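
The overhead calculation described in the message above, as an added example that is not part of the original post. It assumes both captures were printed with `tcpdump -nn -v`, so each packet's IP total length appears on its header line; the function names and the sample lines are constructed for illustration and are not a measurement.

```python
import re

# Matches the IP header summary that `tcpdump -nn -v` prints for each packet,
# e.g. "... proto UDP (17), length 1469)"; that length is the IP total length.
IP_LEN = re.compile(r"proto (\w+) \(\d+\), length (\d+)\)")

def summarize(capture_text):
    """Return (packet_count, total_ip_bytes, bytes_by_protocol)."""
    count, total, by_proto = 0, 0, {}
    for line in capture_text.splitlines():
        m = IP_LEN.search(line)
        if not m:
            continue  # indented continuation lines carry no IP header summary
        proto, length = m.group(1), int(m.group(2))
        count += 1
        total += length
        by_proto[proto] = by_proto.get(proto, 0) + length
    return count, total, by_proto

def overhead(plain_text, tunnel_text):
    """Compare the same transfer captured without and with the VPN."""
    p_count, p_bytes, _ = summarize(plain_text)
    t_count, t_bytes, _ = summarize(tunnel_text)
    if p_count == 0 or p_bytes == 0:
        raise ValueError("no IP packets found in the plain capture")
    return {
        "extra_bytes": t_bytes - p_bytes,
        "extra_packets": t_count - p_count,  # > 0 hints at fragmentation
        "percent": round(100.0 * (t_bytes - p_bytes) / p_bytes, 2),
    }

# Constructed sample output (documentation addresses, made-up sizes).
PLAIN = """\
22:31:32.000001 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 1400)
    10.0.0.2.51000 > 192.0.2.10.80: Flags [.], seq 1:1349, ack 1, win 229, length 1348
22:31:32.000900 IP (tos 0x0, ttl 64, id 2, offset 0, flags [DF], proto TCP (6), length 1400)
22:31:32.001800 IP (tos 0x0, ttl 64, id 3, offset 0, flags [DF], proto TCP (6), length 700)
"""
TUNNEL = """\
22:35:10.000001 IP (tos 0x0, ttl 64, id 7, offset 0, flags [DF], proto UDP (17), length 1469)
22:35:10.000900 IP (tos 0x0, ttl 64, id 8, offset 0, flags [DF], proto UDP (17), length 1469)
22:35:10.001800 IP (tos 0x0, ttl 64, id 9, offset 0, flags [DF], proto UDP (17), length 769)
"""

if __name__ == "__main__":
    print(overhead(PLAIN, TUNNEL))
```

Capture the same transfer twice on the dummynet box, once on the clear path and once on the tunnel's outer interface, so the two totals are comparable.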

