| 1 |
Am Mon, 15 May 2017 08:53:15 +0100 |
| 2 |
schrieb Mick <michaelkintzios@×××××.com>: |
| 3 |
|
| 4 |
> On Sunday 14 May 2017 11:35:29 Kai Krakow wrote: |
| 5 |
> > Am Sun, 14 May 2017 09:52:41 +0100 |
| 6 |
> > |
| 7 |
> > schrieb Mick <michaelkintzios@×××××.com>: |
| 8 |
> > > On Saturday 13 May 2017 23:58:17 R0b0t1 wrote: |
| 9 |
> [...] |
| 10 |
> > > |
| 11 |
> > > OpenVPN is not the most efficient VPN implementation for |
| 12 |
> > > connections to a server because it is not multithreaded |
| 13 |
> > |
| 14 |
> > Probably true but it works well here for connections of up to 100 |
| 15 |
> > MBit. |
| 16 |
> |
| 17 |
> It can work well for well above that throughput, but the limitation |
| 18 |
> is the tun/tap mechanism and the CPU of the device/PC it is running |
| 19 |
> on. |
| 20 |
|
| 21 |
I think most important is to use the UDP transport and not TCP, because |
| 22 |
the tunnel protocol doesn't need to ensure packet delivery. This is |
| 23 |
done by the protocols running inside the tunnel. Also, we usually |
| 24 |
enable compression at least for low-bandwidth uplinks (which become |
| 25 |
rare these days fortunately). |
| 26 |
|
| 27 |
To compensate for the UDP protocol, we usually also give the tunneling |
| 28 |
packets higher priority at the edge router to reduce drop rate under |
| 29 |
uplink pressure. |
| 30 |
|
| 31 |
This works well for most dial-up links we encounter (currently up to |
| 32 |
100 MBit). I probably won't consider it for higher throughput links |
| 33 |
because I fear the appliance CPU may become a bottleneck. But so far, |
| 34 |
no problems, even not with CPU usage. |
| 35 |
|
| 36 |
|
| 37 |
> > > and also because unlike |
| 38 |
> > > IKE/IPSec it operates in userspace, not in kernelspace. |
| 39 |
> > |
| 40 |
> > IPsec also doesn't work without help from userspace processes. |
| 41 |
> |
| 42 |
> Sure, but this is only for managing the (re)keying process, which BTW |
| 43 |
> takes longer with IKE than with OpenVPN (we're talking about |
| 44 |
> milliseconds here). Once the keys have been agreed and set up between |
| 45 |
> peers the rest happens exceedingly fast in kernelspace, managed as a |
| 46 |
> network layer interface (L3). I recall seeing IPSec tunnels running |
| 47 |
> 10 times faster than OpenVPN, being processed even faster than VLAN |
| 48 |
> trunking, but this is very much dependent on the resources of the |
| 49 |
> device running the tunnel. |
| 50 |
|
| 51 |
I use IPsec only between to endpoints directly connected to the |
| 52 |
internet (without NAT) and static IP. And only then it was really |
| 53 |
reliable, and it performed well. No question about it... |
| 54 |
|
| 55 |
And I like the fact that I don't need an intermediate transfer net as |
| 56 |
opposed to OpenVPN. |
| 57 |
|
| 58 |
OTOH, only OpenVPN has been reliable enough (and very reliable so far) |
| 59 |
when one or both sides were NATed with dynamic IP. |
| 60 |
|
| 61 |
And we had one customer running two networks across four sites, and |
| 62 |
their IPsec solution never ran reliable. And this was with |
| 63 |
professional, expensive firewall appliances. We replaced it with |
| 64 |
site-2-site OpenVPN and it runs faster now and without any disconnects. |
| 65 |
All sites use static IPs so that was never the problem. I don't know |
| 66 |
what caused this. The old appliances were mostly blackboxes, and at |
| 67 |
least one was faulty hardware (which explained problems at one site). |
| 68 |
|
| 69 |
|
| 70 |
> > But I |
| 71 |
> > see what you mean: With OpenVPN, traffic bounces between kernel and |
| 72 |
> > userspace multiple times before leaving the machine. But I don't |
| 73 |
> > really see that as a problem for the scenario OpenVPN is used in: |
| 74 |
> > It best fits with dial-up connections which are really not gigabit |
| 75 |
> > yet. For this, performance overhead is almost zero. |
| 76 |
> |
| 77 |
> Yes, at dial-up throughput even a smart phone has enough resources to |
| 78 |
> manage OpenVPN without it becoming a constraint. |
| 79 |
> |
| 80 |
> |
| 81 |
> > IPsec can be a big pita if NAT is involved. For Windows client, L2TP |
| 82 |
> > may be a good alternative. |
| 83 |
> |
| 84 |
> IKE/IPSec uses NAT-Traversal (NAT-T) by encapsulating ESP packets |
| 85 |
> within UDP over port 4500. This will allow clients to initiate a |
| 86 |
> connection with the server over port 500 and then switch to 4500 as |
| 87 |
> part of NAT-T detection. Trivia: many routers/VPN concentrators use |
| 88 |
> Vendor ID strings to determine if the remote peer can implement NAT-T |
| 89 |
> among other attributes to shorten this NAT-T detection process. |
| 90 |
> |
| 91 |
> Of course the server will have to be accessible over port 500 for the |
| 92 |
> clients to be able to get to it, but this is a port forwarding/DMZ |
| 93 |
> network configuration exercise at the server end. |
| 94 |
|
| 95 |
Oh wait... So I need to forward port 500 and 4500 so NAT-T does work |
| 96 |
properly? Even when both sides are NATed? I never got that to work |
| 97 |
reliably for one side NATed, and it never worked for both sides NATed. |
| 98 |
And my research in support forums always said: That does not work... |
| 99 |
|
| 100 |
|
| 101 |
> [...] |
| 102 |
> > > |
| 103 |
> > > If the users are helpless then you may be better configuring a VPN |
| 104 |
> > > tunnel between their Internet gateway and the server, so they can |
| 105 |
> > > access the server as if it were a local share, or using the built |
| 106 |
> > > in ftp client that MSWindows comes with. SMB will work securely |
| 107 |
> > > in this case too. |
| 108 |
> > |
| 109 |
> > This is what I would recommend, too. Put the VPN endpoints on the |
| 110 |
> > network edges and no clients needs to worry: They just use the |
| 111 |
> > connection. |
| 112 |
> |
| 113 |
> If there is a large number of client PCs this is the only sane |
| 114 |
> solution. |
| 115 |
|
| 116 |
There are enough users that are overwhelmed with clicking anything else |
| 117 |
than the browser symbol for network access, that this may be the only |
| 118 |
sane solution even for two users. ;-) |
| 119 |
|
| 120 |
|
| 121 |
> > > [...] |
| 122 |
> > > |
| 123 |
> [...] |
| 124 |
> [...] |
| 125 |
> > |
| 126 |
> > I wouldn't recommend running your own CA because you will have to |
| 127 |
> > deploy a trust relationship with every client. |
| 128 |
> > |
| 129 |
> > > For secure connections you will have to set up CA and TLS keys |
| 130 |
> > > with any option. Even ftps - unless the ftp server is already |
| 131 |
> > > configured with its TLS certificates. |
| 132 |
> > |
| 133 |
> > Or you use certificates from LetsEncrypt. Their CA is already |
| 134 |
> > trusted on most machines my default. |
| 135 |
> |
| 136 |
> Thanks for mentioning this! I had forgotten about |
| 137 |
> LetsEncrypt ... :-) |
| 138 |
|
| 139 |
And don't forget to setup auto renewal... ;-) |
| 140 |
|
| 141 |
|
| 142 |
-- |
| 143 |
Regards, |
| 144 |
Kai |
| 145 |
|
| 146 |
Replies to list-only preferred. |
Archives