| 1 |
On Tue, Jun 12, 2012 at 9:37 AM, Datty <datty.wtb@×××××.com> wrote: |
| 2 |
> On Tue, Jun 12, 2012 at 2:21 PM, Michael Mol <mikemol@×××××.com> wrote: |
| 3 |
>> On Jun 12, 2012 8:59 AM, "Datty" <datty.wtb@×××××.com> wrote: |
| 4 |
|
| 5 |
[snip] |
| 6 |
|
| 7 |
>> More detail later...but make sure your vpn link is not TCP. UDP, fine, |
| 8 |
>> IP-IP, fine, but not TCP. TCP transport for a VPN tunnel leads to ugly |
| 9 |
>> traffic problems. |
| 10 |
|
| 11 |
> Ah it is TCP at the moment. Not something I could change too easily either. |
| 12 |
> Is it possible to work around or is it not worth fighting with? |
| 13 |
|
| 14 |
If all of these cases are true: |
| 15 |
|
| 16 |
* You only have TCP traffic going over that VPN |
| 17 |
* You don't have any latency-sensitive traffic going over that VPN (no |
| 18 |
VOIP, no interactive terminal sessions and you won't pull your hair |
| 19 |
out over 10s or more round-trips slowing down page loads) |
| 20 |
* You don't have large bulk data transfers going over that VPN (my |
| 21 |
best example of personal experience here was trying to locally sync my |
| 22 |
work-related IMAP mailbox) |
| 23 |
|
| 24 |
...then it's not worth fighting with. |
| 25 |
|
| 26 |
It's very unlikely you fall in that camp. |
| 27 |
|
| 28 |
The problem of TCP VPN transport is a confluence of three issues: |
| 29 |
|
| 30 |
1) You're likely to have packet loss underneath that transport due to |
| 31 |
things like congestion...the TCP transport will hide this from |
| 32 |
tunneled traffic and retransmit itself. |
| 33 |
2) In TCP, Nagle's Algorithm handles flow throttling, but it depends |
| 34 |
on detecting packet loss to limit how many packets it pushes. |
| 35 |
3) Your VPN endpoint will very probably buffer a very large amount of |
| 36 |
data for sending if its TCP transport link is acting slow. |
| 37 |
|
| 38 |
Here's what happens: |
| 39 |
|
| 40 |
1) Your TCP app on your computer opens a connection with a remote |
| 41 |
host. This connection is encapsulated inside your TCP OpenVPN tunnel. |
| 42 |
2) Your app's TCP connection starts exchanging data. For as long as |
| 43 |
it's not losing any packets, it figures it can send more and more data |
| 44 |
without waiting for a response; this is Nagle's Algorithm managing |
| 45 |
your TCP sliding window, and it's why TCP can scale from dial-up |
| 46 |
speeds up to 10g ethernet. |
| 47 |
3) Your VPN link's TCP connection experiences packet loss. Maybe it's |
| 48 |
because of a congested router between you and the remote side of the |
| 49 |
VPN, or maybe it's because someone's ADSL connection is pushing more |
| 50 |
than its measly 768Kb/s upstream speed allows for. Or maybe it's noise |
| 51 |
on the copper causing packet loss on the ADSL link. Or maybe it's a |
| 52 |
frame collision on the PPoE link. |
| 53 |
|
| 54 |
...time passes... |
| 55 |
|
| 56 |
4) Your VPN link's TCP stack notes the packet loss and retransmits the |
| 57 |
lost packet until the packet gets through. |
| 58 |
5) The connection traffic from step (2) is completely unaware that the |
| 59 |
VPN's TCP connection is fielding packet loss issues for it, and |
| 60 |
Nagle's Algorithm figures, 'hey, this is a high-bandwith link! Let's |
| 61 |
shove more data!' |
| 62 |
6) OpenVPN link is now receving data it can't stuff into the pipe |
| 63 |
right this second, so it buffers it for a moment, and then sends it |
| 64 |
when its turn has come. Still, no data is lost. |
| 65 |
|
| 66 |
...time passes... |
| 67 |
|
| 68 |
7) Steps 4-6 repeat themselves, causing your original connection to |
| 69 |
become more and more confident about the bandwidth of the pipe. |
| 70 |
|
| 71 |
...time passes... |
| 72 |
|
| 73 |
8) The connection from step 2 is now so confident of the connection |
| 74 |
speed of the pipe, it's pushing data to OpenVPN faster than OpenVPN |
| 75 |
could conceivably push out, even if there were no packet loss issues. |
| 76 |
You've now got a cycle of just steps 5 and 6. |
| 77 |
|
| 78 |
Presumably, you'd eventually hit OpenVPN's buffer limit. I don't know |
| 79 |
what that is, and I don't think it's tuneable. The one time I |
| 80 |
personally saw, measured and helped diagnose this, I was getting up to |
| 81 |
a *fifteen minute* round-trip ping time over the VPN, even though the |
| 82 |
round-trip time for ping outside the VPN between the VPN endpoints was |
| 83 |
only about 100ms. Watching that round-trip time climb was surreal |
| 84 |
until I figured out what was happening. |
| 85 |
|
| 86 |
Switching the VPN transport to UDP allowed the tunneled connections' |
| 87 |
TCP stacks to properly gauge and react to available throughput. Even |
| 88 |
SIP started working over that VPN link. |
| 89 |
|
| 90 |
-- |
| 91 |
:wq |
Archives