VPN tunnels between US and China dropping/slow

William Pitcock nenolod at systeminplace.net
Tue May 10 14:35:33 UTC 2011

On Tue, 10 May 2011 10:12:57 -0400
"Thomas York" <straterra at fuhell.com> wrote:

> At my current place of business, we have several manufacturing plants
> in China as well as the United States. All of the plants have an OVPN
> tunnel to a datacenter here in Indianapolis which connects all of the
> plants. Our China plants pay for the basic 3mbit/3mbit fiber internet
> connections. I've had a hell of a time keeping their tunnels up.
> They're running on port 443 over TCP now, but every month or so the
> tunnel degrades so badly I have to switch the port. I've recently
> tried tunneling OVPN (UDP) over a GRE tunnel and that has worked for
> a few months... but even now is degrading. The interesting thing is
> that ONLY the tunnel traffic gets degraded. I've replaced all of the
> equipment on both ends of all of the VPN tunnels, which changed
> nothing.

This is actually caused by the Chinese firewall trying to reset the VPN
connection.  The reason why they are doing this is because people are
buying VPN services to get around the firewall.  As of late, they have
become a lot more clever about VPN blocking.

> Currently, we're talking to Time Warner and some of our customers who
> have plants in China to see what solutions they're using to get
> around this kind of issue. One thing we are hearing quite often is
> that they're using an MPLS-based connection to Hong Kong, then going
> to the USA from there. We're happy to try this, but due to cost
> issues we're (management mostly) considering this a last resort
> option. Are there any other options maybe some of you have for fixing
> this issue? Thanks

The only option is to get transport to an endpoint outside China, e.g.
in Hong Kong.


More information about the NANOG mailing list