Re: VPN over slow Internet connections

[Steven Bellovin <smb () cs columbia edu>]

On Apr 21, 2011, at 5:28 46PM, Terry Baranski wrote:

> On Apr 21, 2011, at 4:20PM, Steven Bellovin wrote:
>
> > For your application or for the VPN?  For the VPN, I *strongly*
> > suggest you use UDP, or you're going to get dueling retransmissions
> > and spend a lot of time sending many copies of the same thing. Consider:
> > if a packet is dropped, either due to line noise or queuing delay for
> > the slow link, the sending TCP will resend.  If you're using TCP for
> > OpenVPN, that session's TCP will resend.  Of course, the TCP running
> > on top of it will resend as well, so you'll get two copies of the data
> > sent to the application's TCP, wasting precious bandwidth.  
>
> Is this actually how OpenVPN's TCP encapsulation works? I'd be curious to
> know. It isn't how Cisco's TCP/10000 encapsulation works, at least not with
> the IOS devices I have experience with.
>
> Cisco's TCP/10000 looks like TCP to a firewall, but it really isn't. There
> is no reliability -- no retransmits, etc. It's pretty close to UDP behavior
> but with a TCP header, which was confusing to troubleshoot at first but
> quickly made perfect sense to me for the reasons you state above.
To the OS, OpenVPN is an application that uses the underlying TCP (or UDP)/IP
stack; it can't behave any differently than any other application.  Since
(as far as I know) Windows, Linux, NeBSD, FreeBSD, MacOS, and all of the other 
platforms that OpenVPN runs on just have normal TCPs, that's what OpenVPN
does.


                --Steve Bellovin, https://www.cs.columbia.edu/~smb