VPN over slow Internet connections

Ben Jencks ben at bjencks.net
Thu Apr 21 18:43:10 UTC 2011


On Apr 21, 2011, at 12:55 PM, Ben Whorwood wrote:

> Dear all,
> 
> Can anyone share any thoughts or experiences for VPN links running over slow Internet connections, typically 2kB/s - 3kB/s (think 33.6k modem)?
> 
> We are looking into utilising OpenVPN for out-of-office workers who would be running mobile broadband in rural areas. Typical data across the wire would be SQL queries for custom applications and not much else.
> 
> Some initial thoughts include...
> 
>  * How well would the connection handle certificate (>= 2048 bit key) based authentication?

Should be fine. Might take 30 seconds to connect, but after connection it makes no difference.

>  * Is UDP or TCP better considering the speed and possibility of packet loss (no figures to hand)?

Since you're running TCP applications (database connections), you definitely want UDP. TCP-in-UDP behaves correctly in the presence of packet loss; TCP-in-TCP behaves horribly (it causes exponential backoff on the outer VPN connection, which causes queueing of the inner packets when they should be dropped. I've seen 20-30 second latencies with TCP VPNs over slow/lossy links).

>  * Is VPN over this type of connection simply a bad idea?

It shouldn't be any worse than running directly over the connection. With a UDP VPN it does packet-by-packet encapsulation, so it only adds the fixed per-packet overhead.
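
Added example, not part of the original message: a simplified Python model of the queueing effect described in the reply above, comparing a UDP tunnel (lost packets are dropped) with a TCP tunnel (the outer connection retransmits with exponential backoff while later inner packets wait behind it). All timing values are constructed, and the one-packet-at-a-time outer TCP with no inner-TCP retransmissions is a simplifying assumption.

```python
# Constructed values; all are assumptions chosen for the illustration.
SEND_INTERVAL = 0.5    # s between inner packets offered to the tunnel
TX_TIME = 0.25         # s to serialise one packet onto the slow link
LINK_DELAY = 0.25      # s one-way propagation delay
OUTAGE = (10.0, 15.0)  # link drops every packet sent in this window
INITIAL_RTO = 1.0      # outer TCP retransmit timeout, doubled per loss


def lost(t):
    return OUTAGE[0] <= t < OUTAGE[1]


def udp_tunnel(n):
    """Per-packet encapsulation: a lost packet is dropped (None)."""
    out = []
    for i in range(n):
        offered = i * SEND_INTERVAL
        out.append(None if lost(offered) else TX_TIME + LINK_DELAY)
    return out


def tcp_tunnel(n):
    """Outer TCP: in-order, reliable, exponential backoff on loss."""
    out, free_at = [], 0.0
    for i in range(n):
        offered = i * SEND_INTERVAL
        t = max(free_at, offered)      # wait behind earlier packets
        rto = INITIAL_RTO
        while lost(t):                 # retransmit until it gets through
            t += rto
            rto *= 2
        free_at = t + TX_TIME
        out.append(free_at + LINK_DELAY - offered)
    return out


if __name__ == "__main__":
    udp, tcp = udp_tunnel(60), tcp_tunnel(60)
    print("UDP tunnel: dropped", udp.count(None),
          "max latency", max(x for x in udp if x is not None))
    print("TCP tunnel: dropped 0, max latency", max(tcp),
          "delayed packets", sum(1 for x in tcp if x > TX_TIME + LINK_DELAY))
```

With these values the 5-second outage costs the UDP tunnel 10 dropped packets and no added delay, while the TCP tunnel drops nothing but delivers 28 packets late, the worst by 7.5 seconds.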


