Original Message
Subject: VPN over slow Internet connections
From: Ben Whorwood bw...@mube.co.uk
To: nanog@nanog.org
Date: Thursday, April 21, 2011 11:55:32 AM
Dear all,
Can anyone share any thoughts or experiences for VPN links running
over slow Internet connections,
If I had to guesstimate, the performance would be horrible considering the VPN
overhead in itself.
You can't choose UDP or TCP, that is all based on the applications being used
within the tunnel.
So the apps will decide what protocols they will need to use, which will then
be encapsulated by
Ben Whorwood (bw-ml) writes:
Some initial thoughts include...
* How well would the connection handle certificate (= 2048 bit
key) based authentication?
* Is UDP or TCP better considering the speed and possibility of
packet loss (no figures to hand)?
I'd go for a UDP tunnel, as
There's not that much overhead--your certs should be ok. TCP for SQL would
just make sense. I personally wouldn't want to do what you are contemplating.
Here's some stuff to think about:
1. your modems will not be able to do compression. You can't easily compress
random data (e.g.
On Thu, 21 Apr 2011 17:55:32 BST, Ben Whorwood said:
* How well would the connection handle certificate (= 2048 bit key)
based authentication?
It will hiccup for a moment (maybe a quarter or half second) for the data. The
certificate exchange is the least of your problems.
* Is VPN
We are looking into utilising OpenVPN for out-of-office workers who
would be running mobile broadband in rural areas. Typical data across
the wire would be SQL queries for custom applications and not much else.
I agree with Patrick, SSH would do nicely. You could even set up a
tunnel, and the
On Thu, Apr 21, 2011 at 12:55 PM, Ben Whorwood bw...@mube.co.uk wrote:
Can anyone share any thoughts or experiences for VPN links running over slow
Internet connections, typically 2kB/s - 3kB/s (think 33.6k modem)?
We are looking into utilising OpenVPN for out-of-office workers who would be
I vote for Patrick's idea of allowing the end user to remote into a machine
where the SQL resides.
This would eliminate a lot of potential issues... wish I had thought of that
first!!!
Subject: RE: VPN over slow Internet connections
Date: Thu, 21 Apr 2011 13:10:09 -0400
From: dar
If you haven't deployed your VPN environment yet I would seriously consider
using SSL VPN instead of IPSec as your tunneling protocol. SSL VPN gives you a
lot more options than IPSec.
Gary
-Original Message-
From: Ben Whorwood [mailto:bw...@mube.co.uk]
Sent: Thursday, April 21, 2011
On Thu, Apr 21, 2011 at 1:32 PM, Gary Gladney glad...@stsci.edu wrote:
If you haven't deployed your VPN environment yet I would seriously
consider using SSL VPN instead of IPSec as your tunneling protocol.
SSL VPN gives you a lot more options than IPSec.
Hi Gary,
Ben was looking at OpenVPN,
On 04/21/2011 01:32 PM, Brandon Kim wrote:
I vote for Patrick's idea of allowing the end user to remote into a machine
where the SQL resides.
This would eliminate a lot of potential issues... wish I had thought of that
first!!!
I third this idea. Using screen would be a good idea as well.
On Apr 21, 2011, at 12:55 PM, Ben Whorwood wrote:
Dear all,
Can anyone share any thoughts or experiences for VPN links running over slow
Internet connections, typically 2kB/s - 3kB/s (think 33.6k modem)?
We are looking into utilising OpenVPN for out-of-office workers who would be
not available? I'm assuming that modem is being used
because broadband is not in the area
Date: Thu, 21 Apr 2011 14:02:30 -0400
From: ryanc...@gmail.com
To: nanog@nanog.org
Subject: Re: VPN over slow Internet connections
On 04/21/2011 01:32 PM, Brandon Kim wrote:
I vote
valdis.kletni...@vt.edu wrote:
Well, 33.6k is a Bad Idea right there. :) But if you're stuck with that
for technical reasons, but need a VPN for security reasons, it won't
be all *that* much worse, unless you're doing a lot of SSH or similar
I would think so too. When I first moved to the
On 21/04/11 11:53 AM, Brandon Kim wrote:
Nothing like getting into the groove, then losing your connection, waiting for
the modem to dial back up
and then try to figure out what you were just doing!!! Again, it goes back to what I
mentioned, it could work
but how will that affect your
On Apr 21, 2011, at 12:11 PM, Jeroen van Aart wrote:
valdis.kletni...@vt.edu wrote:
Well, 33.6k is a Bad Idea right there. :) But if you're stuck with that
for technical reasons, but need a VPN for security reasons, it won't
be all *that* much worse, unless you're doing a lot of SSH or
On Apr 21, 2011, at 12:55 32PM, Ben Whorwood wrote:
Dear all,
Can anyone share any thoughts or experiences for VPN links running over slow
Internet connections, typically 2kB/s - 3kB/s (think 33.6k modem)?
We are looking into utilising OpenVPN for out-of-office workers who would be
Steven Bellovin (smb) writes:
I should note: IPsec, being datagram-based, will also work well. PPTP,
which runs over TCP as far as I know, will suffer all of the ills I just
outlined.
PPTP uses 1723/tcp for control, but the tunneled traffic is GRE,
so that would work fine as
On Apr 21, 2011, at 4:31 32PM, Phil Regnauld wrote:
Steven Bellovin (smb) writes:
I should note: IPsec, being datagram-based, will also work well. PPTP,
which runs over TCP as far as I know, will suffer all of the ills I just
outlined.
PPTP uses 1723/tcp for control, but the
On Apr 21, 2011, at 4:20PM, Steven Bellovin wrote:
For your application or for the VPN? For the VPN, I *strongly*
suggest you use UDP, or you're going to get dueling retransmissions
and spend a lot of time sending many copies of the same thing. Consider:
if a packet is dropped, either due to
On Thu, 21 Apr 2011 17:55:32 +0100, Ben Whorwood wrote:
IMHO it is not a good idea to go to the OpenVPN/IPSec/etc level at all (IP
layer at least, and in case of Windows it is also Ethernet headers).
First of all, OpenVPN for Windows/different OS sometimes becomes a
headache and needs admin privileges.
On Apr 21, 2011, at 5:28 46PM, Terry Baranski wrote:
On Apr 21, 2011, at 4:20PM, Steven Bellovin wrote:
For your application or for the VPN? For the VPN, I *strongly*
suggest you use UDP, or you're going to get dueling retransmissions
and spend a lot of time sending many copies of the