[sclug] VPN

Roland Turner SCLUG raz.fpyht.bet.hx at raz.cx
Mon Jan 9 10:25:17 UTC 2006


On Mon, 2006-01-09 at 09:33 +0000, James Wyper wrote:
> --- Hamlesh Motah <admin at hamlesh.com> wrote:
> 
> > I have tried and tried and tried in the past to setup a VPN server at
> > home, openvpn is far too complicated for my limited knowledge.  
> 
> 
> I have dabbled with openvpn (linux <-> linux, no Windows clients as
> yet); my knowledge is also pretty limited but I don't recall having
> major problems with it (or nothing that googling couldn't fix).  The
> Howto on the openvpn website is pretty good.  Were you using version
> 2.0?

I've certainly found it to be very straightforward in Linux<->Linux
configurations (config files run 6-7 lines total), but one of my
colleagues attempted to add a Win32 client and had enormous
difficulties.

> If you're having specific problems I can try and help out, or I can
> post you my config files if you think they would be useful.
> 
> I think I read somewhere that the new version of OpenSSH is going to
> have vpn functionality out of the box so it may be worth investigating
> that..

Umm, yes, but beware TCP on TCP. One of the reasons for using OpenVPN in
the first place (rather than pppd over ssh, which is fairly
straightforward already), is that OpenVPN uses UDP (by default, anyway),
whereas SSH connections are strictly TCP. SSH port forwarding works
fine, because three separate, concatenated TCP connections are involved
(so the error recovery, congestion avoidance, etc. algorithms don't get
in each other's way), but when you present actual L2/L3 network
interfaces where raw frames or datagrams are transported over an SSH
tunnel, you end up in a situation where the end-to-end TCP is running
across a transport that is, itself, implemented in TCP. If the
underlying network drops a datagram, both the TCP implementation that is
carrying the SSH connection _and_ the end-to-end TCP implementation will
attempt to recover gracefully. The nett result is a sudden (temporary)
increase in latency, large enough to lead to web-browser timeouts, etc.
OpenVPN (and PPTP and GRE and ...) avoids this problem by not using TCP.

- Raz
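For reference, here is what the short Linux<->Linux OpenVPN 2.0 configuration Raz mentions looks like, as an added illustration rather than anything from the thread: a static-key point-to-point tunnel, both ends kept on UDP so the TCP-over-TCP problem described above does not arise. The hostname, tunnel addresses and key file name are assumptions.

```text
# --- server end: listens on UDP 1194 ---
# proto udp is the default; proto tcp-server would carry the
# tunnel inside a TCP connection, with the stacked-recovery
# behaviour described in the post.
dev tun
proto udp
port 1194
ifconfig 10.8.0.1 10.8.0.2
# pre-shared key, created once with: openvpn --genkey --secret static.key
secret static.key
keepalive 10 60

# --- client end ---
# proto must match the server; tcp-client is the TCP counterpart.
dev tun
proto udp
remote vpn.example.org 1194
ifconfig 10.8.0.2 10.8.0.1
# the same key file, copied to the client over a trusted channel
secret static.key
keepalive 10 60
```

Save each half as its own file and start both sides with `openvpn --config <file>`; `keepalive` sends a ping every 10 seconds and restarts the tunnel after 60 seconds of silence, which is how a UDP tunnel notices a dead peer without any TCP in the path.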


