On 09/12/14 21:40, Samuli Seppänen wrote:
> Would 3 pings and ping replies adequately measure the overall
> performance of OpenVPN server even for one particular VPN session? What
> if there's a temporary congestion somewhere between the "best" server
> and the client? I think that reliably determining the best server (on
> average) would require long-term statistics to be any good, but that
> would only work for clients that don't move around. In a road-warrior
> scenario what you suggest would work better.

Exactly. Static clients don't need any such feature because obviously it would be worth the manual effort of figuring out which server would be best to connect to long-term, but "road warriors" involve end-users, and I can tell you from our experience with 6000 employees on Cisco AnyConnect that they don't think much about it :-) They will 99.9% of the time use the same server that they used last time, and will then complain about how poorly it performs.

As far as 3 pings not being enough goes, I'd argue that in general it would be, as long as you don't have servers geographically "competing" with each other. E.g. servers on the East and West coasts of the USA and the same for Europe, plus one in China and one in Asia Pacific, would mean every client would "see" a server that is fundamentally closer to it than all the rest, irrespective of temporary congestion. But if you were to (say) start populating the USA with servers all over it, then they would start making that decision point "fuzzy". Frankly, even that's a win, because the USA clients would be "mostly happy" using any of them, but would be "mostly unhappy" if they were using China (for example). ...and of course it could be 5 packets instead of 3; that was just a figure :-)

> In what kind of scenario would an OpenVPN server not be available, if
> the server itself still responds to pings?

Firewalls. It's not impossible for a client to be on a network that blocks all outbound traffic except for TCP port 443 (i.e. including ping). Running OpenVPN on TCP port 443 would allow that client to get a tunnel. Basically, as no one can predict what every network firewall in the world has in common, relying on something outside your own control to test the availability of your product is risky (IMHO). In general ICMP ping works, but I've been involved with companies that disabled it, so there will be others.

--
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
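The selection logic discussed in this thread, as an added example that is not part of the original post or of OpenVPN itself: instead of ICMP, each candidate server is probed with a few TCP connects to the port OpenVPN is actually listening on (the "run it on TCP 443" case above), so a firewall that drops ping but allows 443 does not make a reachable server look dead, and a server whose host answers ping but whose OpenVPN port is closed is correctly ranked as unavailable. The probe count, the "all probes must succeed" rule, the candidate names and the use of a local listener for the self-contained demo are all assumptions of this example, not anything the thread specifies.

```python
import socket
import statistics
import threading
import time


def tcp_probe(host, port, timeout=2.0):
    """One TCP connect to host:port. Returns the connect RTT in seconds,
    or None if the connection was refused, filtered or timed out."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return time.monotonic() - start
    except OSError:
        return None


def measure_rtt(host, port, probes=3, timeout=2.0):
    """Median RTT over `probes` TCP connects (3 by default, matching the
    figure in the thread). Assumption made here: if *any* probe fails the
    server is treated as unavailable, since a flaky endpoint is a poor
    choice for a long-lived tunnel. Returns None when unavailable."""
    samples = []
    for _ in range(probes):
        rtt = tcp_probe(host, port, timeout)
        if rtt is None:
            return None
        samples.append(rtt)
    return statistics.median(samples)


def rank_servers(candidates, probes=3, timeout=2.0):
    """candidates: iterable of (name, host, port). Returns a list of
    (name, median_rtt) with reachable servers first, fastest to slowest,
    followed by unreachable ones with median_rtt=None."""
    results = [(name, measure_rtt(host, port, probes, timeout))
               for name, host, port in candidates]
    reachable = sorted((r for r in results if r[1] is not None),
                       key=lambda r: r[1])
    unreachable = [r for r in results if r[1] is None]
    return reachable + unreachable


def choose_server(candidates, probes=3, timeout=2.0):
    """Name of the best reachable candidate, or None if none answered."""
    ranked = rank_servers(candidates, probes, timeout)
    if not ranked or ranked[0][1] is None:
        return None
    return ranked[0][0]


# --- helpers for an offline demonstration (constructed for this example) ---

def start_local_listener():
    """Stand-in for a server with OpenVPN listening on TCP: accepts and
    immediately closes connections on an ephemeral 127.0.0.1 port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listener closed; shut the thread down
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_closed_port():
    """Stand-in for a host that is up (would answer ping) but has nothing
    listening on the VPN port: returns a port that connects are refused on."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    listener, up_port = start_local_listener()
    candidates = [
        ("vpn-up", "127.0.0.1", up_port),            # hypothetical names
        ("vpn-port-closed", "127.0.0.1", free_closed_port()),
    ]
    for name, rtt in rank_servers(candidates):
        print(name, "unavailable" if rtt is None else f"{rtt * 1000:.2f} ms")
    print("chosen:", choose_server(candidates))
    listener.close()
```

Ranking on the median rather than the minimum makes one lucky or unlucky sample matter less, which is the "temporary congestion" concern raised in the quoted message; the probe count is a parameter so 5 can be used as easily as 3.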