1 |
On Fri, Feb 10, 2012 at 1:05 PM, Pandu Poluan <pandu@××××××.info> wrote: |
2 |
> |
3 |
> On Feb 11, 2012 12:42 AM, "Michael Mol" <mikemol@×××××.com> wrote: |
4 |
>> |
5 |
>> On Fri, Feb 10, 2012 at 12:29 PM, Pandu Poluan <pandu@××××××.info> wrote: |
6 |
>> > |
7 |
>> > On Feb 11, 2012 12:16 AM, "Michael Orlitzky" <michael@××××××××.com> |
8 |
>> > wrote: |
9 |
>> >> |
10 |
>> >> On 02/10/12 11:46, Pandu Poluan wrote: |
11 |
>> >> > |
12 |
>> >> > On Feb 10, 2012 10:08 PM, "Mick" <michaelkintzios@×××××.com |
13 |
>> >> > <mailto:michaelkintzios@×××××.com>> wrote: |
14 |
>> >> >> |
15 |
>> >> >> > > |
16 |
>> >> >> > > The need: a VPN client that: |
17 |
>> >> >> > > + can selectively send packets fulfilling a criteria (in this |
18 |
>> >> > case, dest= |
19 |
>> >> >> > > IP address of internal server)* |
20 |
>> >> >> |
21 |
>> >> >> As far as I know typical VPNs require the IP address (or FQDN) of |
22 |
>> >> >> the |
23 |
>> >> >> VPN |
24 |
>> >> >> gateway. If yours changes because ISP A goes down then the tunnel |
25 |
>> >> > will fail |
26 |
>> >> >> and be torn down. |
27 |
>> >> |
28 |
>> >> I must have missed the original message. OpenVPN can do this. Just |
29 |
>> >> specify multiple "remote vpn.example.com" lines in your client configs, |
30 |
>> >> one for each VPN server. |
31 |
>> >> |
32 |
>> >> It also handles updating the routing table for you. Rather than match |
33 |
>> >> "IP address of internal server," it will match "IP address on internal |
34 |
>> >> network" and route through the VPN automatically. |
35 |
>> >> |
36 |
>> > |
37 |
>> > I'm still torn between OpenVPN and HAproxy. The former works with both |
38 |
>> > TCP |
39 |
>> > and UDP, while the latter is lighter and simpler but works with TCP |
40 |
>> > only*. |
41 |
>> > |
42 |
>> > *The traffic will be pure TCP, but who knows I might need a UDP tunnel |
43 |
>> > in |
44 |
>> > the future. |
45 |
>> > |
46 |
>> > Any experience with either? |
47 |
>> > |
48 |
>> > Do note that I don't actually need a strong security (e.g. IPsec); I |
49 |
>> > just |
50 |
>> > need automatic failover *and* fallback. |
51 |
>> |
52 |
>> We're not using multiple internet connections to the same network |
53 |
>> where I work, but we do use UDP-based OpenVPN to connect a few |
54 |
>> networks. |
55 |
>> |
56 |
>> TCP OpenVPN connections are very, very bad, IMO. With a TCP VPN, you |
57 |
>> easily break systems' TCP stacks' link bandwidth estimation. I once |
58 |
>> had a 30s ping time, because the pipe was hogged and backlogged from a |
59 |
>> mail client synchronizing. |
60 |
>> |
61 |
> |
62 |
> No, no, no. What I meant was running TCP and UDP *on top of* OpenVPN (which |
63 |
> uses UDP). |
64 |
> |
65 |
> HAproxy seems to be able to perform its magic with TCP connections. |
66 |
|
67 |
That's what I was talking about. Where I work, we use OpenVPN, |
68 |
operating in UDP mode. This is after several bad experiences using it |
69 |
in TCP mode. |
70 |
|
71 |
By "UDP mode" and "TCP mode", I mean OpenVPN's connections to other |
72 |
OpenVPN nodes were in UDP or TCP, respectively. When OpenVPN's |
73 |
connections operate over TCP (and thus it gets guarantee'd delivery), |
74 |
you can create a situation where a tunneled TCP connection attempts to |
75 |
push data faster than your Internet connection can allow because it |
76 |
never gets any congestion feedback; OpenVPN was accepting packets |
77 |
faster than it could shove them through, and was buffering the rest. |
78 |
|
79 |
In the situation I encountered, I was syncing my email over the vpn, |
80 |
but I couldn't quickly reach any internal services; their response |
81 |
time got slower and slower until I bounced my openvpn daemon (breaking |
82 |
any outstanding tunneled TCP connections), but then they rapidly |
83 |
degraded again. Towards the end, I discovered I had a non-tunneled |
84 |
ping time of <100 ms, but a tunneled ping time of 30m. |
85 |
|
86 |
If HAProxy is smart about congestion management, you shouldn't see |
87 |
this behavior. If not, you may. |
88 |
|
89 |
-- |
90 |
:wq |