1 |
Am Mon, 15 May 2017 08:53:15 +0100 |
2 |
schrieb Mick <michaelkintzios@×××××.com>: |
3 |
|
4 |
> On Sunday 14 May 2017 11:35:29 Kai Krakow wrote: |
5 |
> > Am Sun, 14 May 2017 09:52:41 +0100 |
6 |
> > |
7 |
> > schrieb Mick <michaelkintzios@×××××.com>: |
8 |
> > > On Saturday 13 May 2017 23:58:17 R0b0t1 wrote: |
9 |
> [...] |
10 |
> > > |
11 |
> > > OpenVPN is not the most efficient VPN implementation for |
12 |
> > > connections to a server because it is not multithreaded |
13 |
> > |
14 |
> > Probably true but it works well here for connections of up to 100 |
15 |
> > MBit. |
16 |
> |
17 |
> It can work well for well above that throughput, but the limitation |
18 |
> is the tun/tap mechanism and the CPU of the device/PC it is running |
19 |
> on. |
20 |
|
21 |
I think most important is to use the UDP transport and not TCP, because |
22 |
the tunnel protocol doesn't need to ensure packet delivery. This is |
23 |
done by the protocols running inside the tunnel. Also, we usually |
24 |
enable compression at least for low-bandwidth uplinks (which become |
25 |
rare these days fortunately). |
26 |
|
27 |
To compensate for the UDP protocol, we usually also give the tunneling |
28 |
packets higher priority at the edge router to reduce drop rate under |
29 |
uplink pressure. |
30 |
|
31 |
This works well for most dial-up links we encounter (currently up to |
32 |
100 MBit). I probably won't consider it for higher throughput links |
33 |
because I fear the appliance CPU may become a bottleneck. But so far, |
34 |
no problems, even not with CPU usage. |
35 |
|
36 |
|
37 |
> > > and also because unlike |
38 |
> > > IKE/IPSec it operates in userspace, not in kernelspace. |
39 |
> > |
40 |
> > IPsec also doesn't work without help from userspace processes. |
41 |
> |
42 |
> Sure, but this is only for managing the (re)keying process, which BTW |
43 |
> takes longer with IKE than with OpenVPN (we're talking about |
44 |
> milliseconds here). Once the keys have been agreed and set up between |
45 |
> peers the rest happens exceedingly fast in kernelspace, managed as a |
46 |
> network layer interface (L3). I recall seeing IPSec tunnels running |
47 |
> 10 times faster than OpenVPN, being processed even faster than VLAN |
48 |
> trunking, but this is very much dependent on the resources of the |
49 |
> device running the tunnel. |
50 |
|
51 |
I use IPsec only between to endpoints directly connected to the |
52 |
internet (without NAT) and static IP. And only then it was really |
53 |
reliable, and it performed well. No question about it... |
54 |
|
55 |
And I like the fact that I don't need an intermediate transfer net as |
56 |
opposed to OpenVPN. |
57 |
|
58 |
OTOH, only OpenVPN has been reliable enough (and very reliable so far) |
59 |
when one or both sides were NATed with dynamic IP. |
60 |
|
61 |
And we had one customer running two networks across four sites, and |
62 |
their IPsec solution never ran reliable. And this was with |
63 |
professional, expensive firewall appliances. We replaced it with |
64 |
site-2-site OpenVPN and it runs faster now and without any disconnects. |
65 |
All sites use static IPs so that was never the problem. I don't know |
66 |
what caused this. The old appliances were mostly blackboxes, and at |
67 |
least one was faulty hardware (which explained problems at one site). |
68 |
|
69 |
|
70 |
> > But I |
71 |
> > see what you mean: With OpenVPN, traffic bounces between kernel and |
72 |
> > userspace multiple times before leaving the machine. But I don't |
73 |
> > really see that as a problem for the scenario OpenVPN is used in: |
74 |
> > It best fits with dial-up connections which are really not gigabit |
75 |
> > yet. For this, performance overhead is almost zero. |
76 |
> |
77 |
> Yes, at dial-up throughput even a smart phone has enough resources to |
78 |
> manage OpenVPN without it becoming a constraint. |
79 |
> |
80 |
> |
81 |
> > IPsec can be a big pita if NAT is involved. For Windows client, L2TP |
82 |
> > may be a good alternative. |
83 |
> |
84 |
> IKE/IPSec uses NAT-Traversal (NAT-T) by encapsulating ESP packets |
85 |
> within UDP over port 4500. This will allow clients to initiate a |
86 |
> connection with the server over port 500 and then switch to 4500 as |
87 |
> part of NAT-T detection. Trivia: many routers/VPN concentrators use |
88 |
> Vendor ID strings to determine if the remote peer can implement NAT-T |
89 |
> among other attributes to shorten this NAT-T detection process. |
90 |
> |
91 |
> Of course the server will have to be accessible over port 500 for the |
92 |
> clients to be able to get to it, but this is a port forwarding/DMZ |
93 |
> network configuration exercise at the server end. |
94 |
|
95 |
Oh wait... So I need to forward port 500 and 4500 so NAT-T does work |
96 |
properly? Even when both sides are NATed? I never got that to work |
97 |
reliably for one side NATed, and it never worked for both sides NATed. |
98 |
And my research in support forums always said: That does not work... |
99 |
|
100 |
|
101 |
> [...] |
102 |
> > > |
103 |
> > > If the users are helpless then you may be better configuring a VPN |
104 |
> > > tunnel between their Internet gateway and the server, so they can |
105 |
> > > access the server as if it were a local share, or using the built |
106 |
> > > in ftp client that MSWindows comes with. SMB will work securely |
107 |
> > > in this case too. |
108 |
> > |
109 |
> > This is what I would recommend, too. Put the VPN endpoints on the |
110 |
> > network edges and no clients needs to worry: They just use the |
111 |
> > connection. |
112 |
> |
113 |
> If there is a large number of client PCs this is the only sane |
114 |
> solution. |
115 |
|
116 |
There are enough users that are overwhelmed with clicking anything else |
117 |
than the browser symbol for network access, that this may be the only |
118 |
sane solution even for two users. ;-) |
119 |
|
120 |
|
121 |
> > > [...] |
122 |
> > > |
123 |
> [...] |
124 |
> [...] |
125 |
> > |
126 |
> > I wouldn't recommend running your own CA because you will have to |
127 |
> > deploy a trust relationship with every client. |
128 |
> > |
129 |
> > > For secure connections you will have to set up CA and TLS keys |
130 |
> > > with any option. Even ftps - unless the ftp server is already |
131 |
> > > configured with its TLS certificates. |
132 |
> > |
133 |
> > Or you use certificates from LetsEncrypt. Their CA is already |
134 |
> > trusted on most machines my default. |
135 |
> |
136 |
> Thanks for mentioning this! I had forgotten about |
137 |
> LetsEncrypt ... :-) |
138 |
|
139 |
And don't forget to setup auto renewal... ;-) |
140 |
|
141 |
|
142 |
-- |
143 |
Regards, |
144 |
Kai |
145 |
|
146 |
Replies to list-only preferred. |