Koozali.org: home of the SME Server

Fastest VPN: OpenVPN vs PPTP

Offline Tino

Fastest VPN: OpenVPN vs PPTP
« on: May 21, 2009, 12:20:12 PM »
Hi to all the contributors who I have never seen or heard of.... you will always remain an asset to the Linux community!!!

Okay, back to my question: Which is the "fastest" VPN solution for SME 7.x - OpenVPN vs PPTP?

I have tried to use PPTP which works perfectly but it has limitations of which speed is one of them. In my humble opinion PPTP is not the best option to use in a database environment.

This leaves me to wonder if OpenVPN could be a possible solution when speed is very important. This said I would assume that one also has to keep the protocol (TCP vs UDP) in mind when you wish to achieve optimum data transmission speed, apart from line speed of course...  :wink:

I have read about 50 - 70 OpenVPN posts, followed the OpenVPN contrib and have OpenVPN running perfectly. I would like to make sure that I have everything I need before going into demo mode or are there perhaps a few "fine tuning" options that I need to verify to achieve optimum VPN speed (ignore line speed for now).

1. Should I use UDP (for speed) in a "client - Server" database environment?
2. Should I add in the Kerberos registry settings on XP systems to increase the packet size (if UDP is not to be used or if TCP could reach the speed of UDP)?
3. For optimized speed should I use Bridged or Routed configuration? (not really important how the clients connect)
4. If I could increase the packet size, should I do it and what should the size be?
5. What should the minimum ADSL line speed be - 384 / 512 / 1024 / 4086 etc?

Thanks in advance

Offline Stefano

Re: Fastest VPN: OpenVPN vs PPTP
« Reply #1 on: May 21, 2009, 01:44:53 PM »
hi

please explain your problem, not your solution ;-)

Ciao and welcome
Stefano

Offline Tino

Re: Fastest VPN: OpenVPN vs PPTP
« Reply #2 on: May 21, 2009, 02:31:26 PM »
Stefano,

We have been approached by a medical firm to provide their clients with a VPN solution whereby they are able to connect remote clients (sites) to their Java database.

The client application + index files (flat file) + database are all server-side. The client will execute the application (300k) from the server, from where the index files (+- 7 m/byte) are loaded. Once that is done the client application will attempt to logon to the database.

PPTP, on a 4 m/byte line, takes around 20 - 30 minutes to have the client application and index files loaded before attempting to logon to the database but fails to connect. I would assume because of a time error.

My honest opinion is a bad application design but it is not my place to inform the client of such. I would however like to try and compensate for bad application design with a possible VPN solution that would somehow overlook the design flaw and push more data through than what PPTP is allowing at this stage.

Would OpenVPN be a possible candidate for this trial?

Offline Daniel B.

Re: Fastest VPN: OpenVPN vs PPTP
« Reply #3 on: May 21, 2009, 03:01:25 PM »
Hi.
I personally think OpenVPN is a better VPN solution (compared to PPTP). That's why I have developed the OpenVPN Bridge contrib.
It will usually give you more bandwidth than the underlying connection because of the compression. For incompressible data, you may lose some performance (I'd say about 5% because of the overhead). In most situations, OpenVPN will give you better performance with UDP as the transport protocol. The only exceptions are:
- If you mainly send UDP over the VPN
- If the underlying connection is not very reliable (like poor satellite connections)

For the bridge/routed mode, it seems that routed mode will give you better performance, but I don't think the difference will be noticeable.

If you use my bridge contrib, I think you can leave the default configuration, it should give you the best performance, you don't have to touch the MTU as it'll be set to the best value according to your connection.

In any case, the best is to try all the solutions and see what's the best in your situation.

Cheers, Daniel
It's the end of the world !!! :lol:

Offline dmcguire

Re: Fastest VPN: OpenVPN vs PPTP
« Reply #4 on: May 21, 2009, 03:23:39 PM »
In my limited experience, OpenVPN is faster. I have not measured the transfer speeds for comparison, it just "feels" faster in day to day use. I also found PPTP would occasionally be problematic, whereas I never have any difficulties with OpenVPN.


Offline Tino

Re: Fastest VPN: OpenVPN vs PPTP
« Reply #5 on: May 21, 2009, 04:28:36 PM »
Daniel, thank you for the detailed reply. At this stage I am more motivated to work with OpenVPN as it is very new to me.

I agree with you on the "Bridge" mode configuration purely because of the fact that the Java DB engine is located on a WinXP system on the LAN side of the SME Server. The clients will come in from the WAN side and need to be part of the local LAN to be able to access the system running the DB engine.

I followed the contrib on how to install OpenVPN and it went pretty smoothly. However I was unable to ping either the Server IP [192.168.1.149] or the WinXP system [10.0.0.20]. I then tried to follow your Bridge contrib but fell flat on my face when I had to start configuring the Bridge device "db configuration".... Needless to say that I am still stuck after two days and I was hoping that I would be able to figure it out by myself :(

My Network Configuration:

Local Area Network                                                        Wide Area Network
<WinXP PC>  ----------  <SME 7.0 Server & Gateway>  --------------------  <ADSL Router>
[10.0.0.20]             [LAN=10.0.0.254] [WAN=192.168.1.149]              [192.168.1.250]


** Instead of using the Router which is running DynDNS, I am using another computer system to simulate a WAN client connection.

1. Installed OpenVPN as per contrib,
2. Left the OpenVPN config file routing as is,
3. Opened port 1194 via Server-Manager,
4. Forward port 1194 to localhost, as per contrib,
5. Created Certificates for Server and Client,
6. Copied Server Certificates to Server location,
7. Installed OpenVPN Windows client,
8. Copied Client Certificates to the "config" folder on the Client system,
9. Created client Config file with remote host at 192.168.1.149
10. Installed OpenVPN GUI.

Execute VPN.ovpn and it connects successfully with an IP assignment of 192.168.100.100.
- Ping Server WAN IP [192.168.1.149] - unsuccessful,
- Ping WinXP IP [10.0.0.20]        - unsuccessful,
- Change SME LAN IP to 192.168.100.1 and WinXP IP to 192.168.100.20
- Ping Server LAN IP [192.168.100.1] - unsuccessful,
- Ping WinXP LAN IP [192.168.100.20] - unsuccessful.

Where am I going wrong?

*edit* Corrected Server version from 7.3 to 7.0.
« Last Edit: May 21, 2009, 04:35:39 PM by Tino »

Offline Daniel B.

Re: Fastest VPN: OpenVPN vs PPTP
« Reply #6 on: May 21, 2009, 06:27:35 PM »
I'm afraid I don't get your topology. You said your openvpn client gets the IP address 192.168.100.100, but it should get an IP from the local network of your SME Server (in 10.0.0.0/255.255.255.0).
Furthermore, I don't understand why you've forwarded port 1194 to localhost.

Cheers
It's the end of the world !!! :lol:

Offline p-jones

Re: Fastest VPN: OpenVPN vs PPTP
« Reply #7 on: May 22, 2009, 12:59:32 AM »
Tino

I have several sites running open VPN and several using the standard SME pptp. Personally, I see little difference, if any in terms of performance.

IPSEC is the real show stopper. Performance is severely degraded.

PPTP can sometimes be a little fragile to connect / reconnect.
Openvpn has the potential to break with SME updates as it is not part of the standard SME distro. When up and running, it is extremely stable.

Once again, I have a personal preference to keep an SME box as close to standard distro as possible as this significantly aids restoration in the event of a melt down. This is just a part of a personal philosophy of always looking for a way back if the way forward doesn't go to plan. The quickest and most complete recovery option is a must in a business environment - IMHO.

I am sure you will have read the pros and cons of bridged vs routed mode for open VPN. Bridge mode has a number of downs particularly in terms of extraneous broadcast traffic but it is the easiest to work with.

Routed mode keeps unnecessary traffic from travelling end to end but it can be rather tricky to set up and preserve the routes unless you are guru at this.
Lots of weird and wacky routes can make troubleshooting other issues very difficult also.

Hope this helps a little...

P

BTW Have you considered running the application on a terminal Server and just using PPTP and the RDP connector to access it?
« Last Edit: May 22, 2009, 01:03:28 AM by p-jones »
...

Offline gerd

Re: Fastest VPN: OpenVPN vs PPTP
« Reply #8 on: June 10, 2009, 09:39:51 AM »
@ Tino

Did you succeed in the meantime to set-up your system?
As also said by VIP-ire - your topology is not understandable:
Once you are connected to the local network, you should get
a message that you are connected to the local network under
the IP number 10.0.0.xxx. -where xxx is within your subnet - but
outside the DHCP range assigned by the SME server. If you don't
use DHCP in your local network but fixed IPs, then it must be an
IP which is not used. This means that your client PC with OVPN
has two IP addresses: the IP address of client network environment
(192.168.1.xxx) and a virtual address in the local network (as assigned by the SME
server OVPN contrib - 10.0.0.xxx). Also I would recommend the OVPN
GUI interface - it becomes an easy exercise then.

If the OVPN connection is successful, you can for sure ping the
SME server under 10.0.0.254 and all other PCs in your local
network, you have access with putty to your server, you can have
remote access to a local PC if necessary etc etc.

I guess that your OVPN installation doesn't work at all - pls recheck.

good luck

gerd
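
The addressing rules that Daniel B. (Reply #6) and gerd (Reply #8) describe for bridge mode can be checked mechanically. The following is an added example, not part of the original thread or of the OpenVPN contrib: it tests whether the address a bridged client received lies in the server LAN, outside the DHCP range, and is not already taken, and it generalizes slightly by also flagging a remote site whose own subnet overlaps the server LAN. The function name, the DHCP range and the /24 prefix of the client network are assumptions; the other addresses are the ones quoted in the thread.

```python
import ipaddress

def check_bridged_client(vpn_ip, lan, dhcp_range, client_net, in_use=()):
    """Return {code: message} for each problem with a bridged client's VPN address."""
    lan = ipaddress.ip_network(lan)
    ip = ipaddress.ip_address(vpn_ip)
    dhcp_lo, dhcp_hi = (ipaddress.ip_address(a) for a in dhcp_range)
    problems = {}
    if ip not in lan:
        # In bridge mode the client sits on the server's LAN segment.
        problems["not-in-lan"] = f"{ip} is outside the server LAN {lan}"
    elif ip in (lan.network_address, lan.broadcast_address):
        problems["reserved"] = f"{ip} is the network or broadcast address"
    elif dhcp_lo <= ip <= dhcp_hi:
        problems["in-dhcp-range"] = f"{ip} can also be leased by DHCP"
    elif ip in {ipaddress.ip_address(a) for a in in_use}:
        problems["in-use"] = f"{ip} is already assigned to a LAN host"
    # Independent of the above: if the remote site uses the same subnet as the
    # server LAN, the client cannot tell local hosts from VPN hosts.
    if ipaddress.ip_network(client_net).overlaps(lan):
        problems["client-net-overlaps-lan"] = f"{client_net} overlaps {lan}"
    return problems

# Values from the thread; the DHCP range and /24 client prefix are assumed.
LAN = "10.0.0.0/255.255.255.0"
DHCP = ("10.0.0.65", "10.0.0.250")      # assumed, not given in the thread
CLIENT_NET = "192.168.1.0/24"           # prefix length assumed
IN_USE = ("10.0.0.20", "10.0.0.254")    # WinXP PC and SME LAN interface

if __name__ == "__main__":
    for addr in ("192.168.100.100", "10.0.0.100", "10.0.0.20", "10.0.0.30"):
        result = check_bridged_client(addr, LAN, DHCP, CLIENT_NET, IN_USE)
        print(addr, "->", result or "ok")
```

With these inputs, the 192.168.100.100 address reported in Reply #5 is the only one rejected as being outside the LAN, which matches the mismatch pointed out in Reply #6.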