| 1 |
On Fri, Feb 10, 2012 at 1:05 PM, Pandu Poluan <pandu@××××××.info> wrote: |
| 2 |
> |
| 3 |
> On Feb 11, 2012 12:42 AM, "Michael Mol" <mikemol@×××××.com> wrote: |
| 4 |
>> |
| 5 |
>> On Fri, Feb 10, 2012 at 12:29 PM, Pandu Poluan <pandu@××××××.info> wrote: |
| 6 |
>> > |
| 7 |
>> > On Feb 11, 2012 12:16 AM, "Michael Orlitzky" <michael@××××××××.com> |
| 8 |
>> > wrote: |
| 9 |
>> >> |
| 10 |
>> >> On 02/10/12 11:46, Pandu Poluan wrote: |
| 11 |
>> >> > |
| 12 |
>> >> > On Feb 10, 2012 10:08 PM, "Mick" <michaelkintzios@×××××.com |
| 13 |
>> >> > <mailto:michaelkintzios@×××××.com>> wrote: |
| 14 |
>> >> >> |
| 15 |
>> >> >> > > |
| 16 |
>> >> >> > > The need: a VPN client that: |
| 17 |
>> >> >> > > + can selectively send packets fulfilling a criteria (in this |
| 18 |
>> >> > case, dest= |
| 19 |
>> >> >> > > IP address of internal server)* |
| 20 |
>> >> >> |
| 21 |
>> >> >> As far as I know typical VPNs require the IP address (or FQDN) of |
| 22 |
>> >> >> the |
| 23 |
>> >> >> VPN |
| 24 |
>> >> >> gateway. If yours changes because ISP A goes down then the tunnel |
| 25 |
>> >> > will fail |
| 26 |
>> >> >> and be torn down. |
| 27 |
>> >> |
| 28 |
>> >> I must have missed the original message. OpenVPN can do this. Just |
| 29 |
>> >> specify multiple "remote vpn.example.com" lines in your client configs, |
| 30 |
>> >> one for each VPN server. |
| 31 |
>> >> |
| 32 |
>> >> It also handles updating the routing table for you. Rather than match |
| 33 |
>> >> "IP address of internal server," it will match "IP address on internal |
| 34 |
>> >> network" and route through the VPN automatically. |
| 35 |
>> >> |
| 36 |
>> > |
| 37 |
>> > I'm still torn between OpenVPN and HAproxy. The former works with both |
| 38 |
>> > TCP |
| 39 |
>> > and UDP, while the latter is lighter and simpler but works with TCP |
| 40 |
>> > only*. |
| 41 |
>> > |
| 42 |
>> > *The traffic will be pure TCP, but who knows I might need a UDP tunnel |
| 43 |
>> > in |
| 44 |
>> > the future. |
| 45 |
>> > |
| 46 |
>> > Any experience with either? |
| 47 |
>> > |
| 48 |
>> > Do note that I don't actually need a strong security (e.g. IPsec); I |
| 49 |
>> > just |
| 50 |
>> > need automatic failover *and* fallback. |
| 51 |
>> |
| 52 |
>> We're not using multiple internet connections to the same network |
| 53 |
>> where I work, but we do use UDP-based OpenVPN to connect a few |
| 54 |
>> networks. |
| 55 |
>> |
| 56 |
>> TCP OpenVPN connections are very, very bad, IMO. With a TCP VPN, you |
| 57 |
>> easily break systems' TCP stacks' link bandwidth estimation. I once |
| 58 |
>> had a 30s ping time, because the pipe was hogged and backlogged from a |
| 59 |
>> mail client synchronizing. |
| 60 |
>> |
| 61 |
> |
| 62 |
> No, no, no. What I meant was running TCP and UDP *on top of* OpenVPN (which |
| 63 |
> uses UDP). |
| 64 |
> |
| 65 |
> HAproxy seems to be able to perform its magic with TCP connections. |
| 66 |
|
| 67 |
That's what I was talking about. Where I work, we use OpenVPN, |
| 68 |
operating in UDP mode. This is after several bad experiences using it |
| 69 |
in TCP mode. |
| 70 |
|
| 71 |
By "UDP mode" and "TCP mode", I mean OpenVPN's connections to other |
| 72 |
OpenVPN nodes were in UDP or TCP, respectively. When OpenVPN's |
| 73 |
connections operate over TCP (and thus it gets guarantee'd delivery), |
| 74 |
you can create a situation where a tunneled TCP connection attempts to |
| 75 |
push data faster than your Internet connection can allow because it |
| 76 |
never gets any congestion feedback; OpenVPN was accepting packets |
| 77 |
faster than it could shove them through, and was buffering the rest. |
| 78 |
|
| 79 |
In the situation I encountered, I was syncing my email over the vpn, |
| 80 |
but I couldn't quickly reach any internal services; their response |
| 81 |
time got slower and slower until I bounced my openvpn daemon (breaking |
| 82 |
any outstanding tunneled TCP connections), but then they rapidly |
| 83 |
degraded again. Towards the end, I discovered I had a non-tunneled |
| 84 |
ping time of <100 ms, but a tunneled ping time of 30m. |
| 85 |
|
| 86 |
If HAProxy is smart about congestion management, you shouldn't see |
| 87 |
this behavior. If not, you may. |
| 88 |
|
| 89 |
-- |
| 90 |
:wq |
Archives