VPN recommendations?
Ben Scott
dragonhawk at gmail.com
Thu Jun 28 18:22:03 EDT 2007
On 6/28/07, Thomas Charron <twaffle at gmail.com> wrote:
> OpenVPN can go over a single TCP socket, which is my preference.
Tunneling TCP/IP over TCP (with or without a VPN) can be a
performance disaster. If the path between the two end points is
perfect (no congestion, no packet loss, acceptable latency, etc.),
things appear fine. But if it is anything other than perfect, the
connection goes to hell. TCP's retransmit mechanism does not "nest"
well. The TCP inside the tunnel ends up retransmitting while the TCP
carrying the tunnel is also retransmitting. It "piles up" and quickly
turns sour.
I recommend OpenVPN-over-UDP as the first choice, leaving
OpenVPN-over-TCP for situations where you just can't get UDP through.
FWIW, I've had no problems getting the UDP-based transport to work
with OpenVPN.
I have had some problems with path MTU discovery being borked by
broken routers on the 'net, but that's at the IP layer, so switching
to TCP doesn't help. I worked around by setting a maximum packet size
of around 1300 bytes in OpenVPN; this seems to be good enough for
most of the 'net. I guess a popular wrong assumption these days is
"all the world is Ethernet".
> However, with additional router 'fiddling', using a PPTP connection is
> built into Windows, and works pretty much transparently.
Unfortunately, PPTP is somewhat suspect when it comes to the actual
security of the protocol. It's not good if your VPN is also
transparent to an attacker. ;-)
http://www.google.com/search?q=PPTP%20security%20analysis
-- Ben
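As an added illustration of the two points made above (prefer UDP transport, cap the packet size near 1300 bytes to sidestep broken path MTU discovery), here is a client-side OpenVPN configuration fragment. It is example text written for this archive page, not configuration from the original post or from the OpenVPN project; the server name `vpn.example.org`, the certificate and key file names, and the exact 1300-byte values are placeholders to adapt.

```conf
# --- Preferred: UDP transport (retransmits happen only inside the tunnel) ---
client
dev tun
proto udp                 # UDP carrier; the tunnelled TCP does its own recovery
remote vpn.example.org 1194   # placeholder server name and port

# Work around blackholed path MTU discovery on the public Internet.
# Both ends must use the same 'fragment' value; 'mssfix' additionally
# clamps the TCP MSS of connections going through the tunnel so they
# never need fragmenting in the first place.
fragment 1300
mssfix 1300

ca   ca.crt        # placeholder file names
cert client.crt
key  client.key
persist-key
persist-tun
verb 3

# --- Fallback only: TCP transport for networks that block UDP ---------------
# Use instead of the 'proto udp' / 'remote' lines above when UDP is
# unavailable. Expect the nested-retransmit behaviour described in the
# post whenever the path drops packets; 'fragment' is not applicable to
# TCP carriers and must be removed, 'mssfix' can stay.
# proto tcp-client
# remote vpn.example.org 443
```

The `fragment` directive only takes effect when the same value is configured on the server side as well; if only one end sets it, OpenVPN logs a link MTU mismatch warning at connection time, which is a quick way to confirm the setting is actually in force.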