Why wasn't TCP Chosen for OpenVPN by Default - It seems much better?
-
Forgive this dumb question.
I have problems with some users on remote networks of poor quality who constantly have to go through MFA to re-connect to our VPN.
It is augmented by MFA on RADIUS and works very well.
Unless you are on a poor network, in which case they need to re-auth. It occurred to me, and also thanks to a suggestion, that TCP would be better.
And - it is. I've been able to maintain a connection over a poor network I created to test, and switched back to UDP and it drops instantly. I notice an increase in firewall resources and latency but, so far, all acceptable.
-
Because TCP over TCP is a recipe for very poor performance. Two lots of error checking and handshakes can result in a massive amount of resends etc.
See: https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/configure-server-endpoint.html#protocol
-
@Jake-Biker In general, UDP will be significantly more efficient due to having lower overhead than TCP. However, on a poor quality connection the overhead from TCP (which includes things like acknowledgement of packets and retransmissions when packets are dropped) may be worthwhile or, in your case, necessary.
-
@stephenw10 Thanks Stephen for your perspective.
Can I, for instance, say that if there are considerable hardware resources to chuck at this, it may negate any overheads? This includes a huge increase in my incoming connection bandwidth too.
-
Not necessarily. If the connection rate is limited by the WAN rate at either end it doesn't matter how much hardware you throw at it. When you are resending 50% of the packets the actual throughput is always going to be impacted.
-
90% of our users reach us with perfect connections.
Just 1% go out on a limb on dodgy hotel connections. If the connections are pure on most, this will reduce the overhead and the impact of going TCP won't be so great?
-
You can just set up both and have some users use TCP. Or choose which.
-
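An added example of the "set up both" approach (editor's illustration, not from any post in this thread and not from Netgate's documentation): two OpenVPN server instances, one UDP and one TCP, plus a client profile that tries UDP first and falls back to TCP. The hostname vpn.example.com, the ports, the file names and the tunnel subnets are assumptions; pfSense generates equivalent server configurations from its GUI, where each instance must be given its own tunnel network.

```openvpn
##### server-udp.conf: instance 1, the usual default #####
dev tun
proto udp
# assumed port
port 1194
# assumed tunnel network
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# encrypt and authenticate the control channel; same key on clients
tls-crypt ta.key
# ping every 10 s, restart the session after 60 s of silence (pushed to clients)
keepalive 10 60
persist-key
persist-tun
# Client authentication (RADIUS + MFA in this thread) goes here and
# must be configured identically on both instances.

##### server-tcp.conf: instance 2, for clients on bad links #####
dev tun
proto tcp-server
# assumed port; 443/tcp also gets through firewalls that only allow web traffic
port 443
# must differ from the UDP instance's subnet: each instance is its own process
server 10.8.1.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt ta.key
keepalive 10 60
persist-key
persist-tun
# sets TCP_NODELAY on the server and pushes it to connecting clients
tcp-nodelay

##### client.ovpn: tries UDP first, then TCP #####
client
dev tun
nobind
persist-key
persist-tun
# refuse a peer certificate that is not a server certificate
remote-cert-tls server
# prompts for the RADIUS username and MFA credential
auth-user-pass
tls-crypt ta.key
ca ca.crt
cert client.crt
key client.key
# Connection blocks are tried in order: if the UDP session to
# vpn.example.com (assumed hostname) cannot be brought up, the
# client moves on to the TCP/443 block.
<connection>
remote vpn.example.com 1194 udp
# UDP only: tell the server we are leaving on a clean exit
explicit-exit-notify 1
</connection>
<connection>
remote vpn.example.com 443 tcp
</connection>
```

With this profile the users on good links still land on the UDP instance, and only a client that cannot bring up the UDP session ends up on TCP/443, so the TCP-over-TCP penalty is confined to the sessions that would otherwise not stay up. For the small group on hotel networks you can instead hand out a profile containing only the TCP connection block, which is the "choose which" option.
-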
@stephenw10 That's the plan! :)
-
@Jake-Biker said in Why wasn't TCP Chosen for OpenVPN by Default - It seems much better?:
Just 1% go out on a limb on dodgy hotel connections.
Normally, you can't do anything to compensate for that.
edit: Wait, there is one thing: have them select 'better' hotels
-
@Gertjan said in Why wasn't TCP Chosen for OpenVPN by Default - It seems much better?:
have them select 'better' hotels
Ha, you have one in mind?
-
You'd then have double TCP error correction and flow control, which could really mess things up. The only reason I'd use TCP is to get through a firewall that blocks everything but browsers on standard ports, such as at my local library.