Netgate Discussion Forum
    OpenVPN or IP whitelist with SSL for secure access?

    Category: OpenVPN | 2 Posts, 2 Posters, 1.2k Views
    • seba

      Hi,

      I was wondering how secure it would be to use the firewall to whitelist a static IP and use SSL, versus using OpenVPN to connect to my server.
      The reason I'm asking this is because I noticed a lot of performance loss when using OpenVPN to connect to my dedicated server.

      The server is a dedicated one with ESXi and has a 500 Mbit/s line. One of the VMs is pfSense and has a public IP assigned to the WAN interface; this is being used as a router for the other VMs.
      The location of the server is France and I'm connecting to it from Belgium and Canada. The services being used on the server are file sharing via Samba, a version control server, a web server…

      When testing with a simple web server download I reach 200+ Mbit/s download speed from Canada. When testing this via OpenVPN, however, I only get ~50 Mbit/s.
      The CPU (2 cores) is nowhere near 100% on the pfSense VM, so CPU performance doesn't seem to be the issue here.

      For some reason I also get better speeds using TCP instead of UDP with OpenVPN, which is weird since UDP should be better on a high-latency connection.
      Also, Samba seems to have very poor performance when used with OpenVPN.

      So I was thinking about just using IP whitelisting and SSL to connect to the server, but I don't know if this would be secure enough (the server is only for private use, not public).
      Or maybe someone has some tips for fine-tuning the VPN connection?

      Thanks

      • johnpoz (LAYER 8 Global Moderator)

        SMB/CIFS over a high-latency connection is going to blow no matter how you look at it. You're doing what, 1 stream? Do the math; that is going to suck for performance. I would never use that as a method of moving files over a long fat pipe.

        I have a seedbox in Luxembourg; I use HTTPS to grab files from there to my box. I use a web file manager called Kloudspeaker. It maxes out my internet pipe here at 80 Mbps. Or I could just use SFTP as another option, but it's normally not going to scream over high latency either, though it's going to be way better than SMB because it's not as chatty. Public key auth is pretty freaking secure ;) I don't lock down access, but you have to auth to it. There is nothing of a personal nature on this box; if someone guessed the username and password or used an exploit, they would have access to what you normally put on a seedbox ;)

        My seedbox ping is 108 ms from me here. So with the default window size and 1 stream:
        a TCP window of 64 KByte and an RTT of 108.0 ms <= 4.85 Mbit/sec.

        Bump that window size up to 256 KByte and you're still only talking 20 Mbps. You need more streams and a large window size if you want to move files over a long fat pipe. SMB is not the protocol to do that, since it's chatty as all get out. Do a simple sniff of your file copy, even locally, and look how many packets there are. Now increase the time for each packet from your local 1 ms to 100-plus ms, and how long does that file copy take? ;)

        So depending on what is on there, sure, HTTPS with some sort of login works; SFTP or SCP is a very secure method of moving files and is going to be faster than SMB, that is for sure. It comes down to what is on these VMs that you would be worried about, as to how secure you need to make it. Any sort of admin I wouldn't open up to just the public internet via its GUI, like the ESXi host management or the pfSense web GUI. Make sure that is secure. Locked to your IP would be fine, but make sure you have another secure method to get in that doesn't lock to your source IP. What if that source IP changes? ;)

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

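The arithmetic behind the reply above (one TCP stream can move at most one window per round trip, so window / RTT bounds throughput, and a chatty protocol pays a full RTT per request) as an added worked example; this is not code from the thread or from Netgate. It reproduces the 64 KByte / 108 ms / 4.85 Mbit/s figure, then turns the same formula around to answer the questions a practitioner actually asks: what window size, or how many parallel streams, does a given target rate need at a given RTT, and how badly does a one-request-at-a-time protocol suffer when RTT goes from 1 ms to 108 ms. The model is a deliberate simplification (assumed here: no slow start, no loss, no header overhead, and in the chatty model exactly one request in flight); the 100 MiB file and 64 KiB block size are constructed inputs.

```python
"""Bandwidth-delay product (BDP) calculator for long fat pipes.

Added example, not from the original forum thread.  Simplified model:
steady state, no loss, no TCP/IP header overhead, no slow start.
"""
import math

MBIT = 1_000_000  # 1 Mbit/s = 10^6 bit/s (units used in the thread)


def max_throughput_mbps(window_bytes: int, rtt_ms: float) -> float:
    """Upper bound for ONE TCP stream: at most one window per round trip."""
    rtt_s = rtt_ms / 1000
    return window_bytes * 8 / rtt_s / MBIT


def required_window_bytes(target_mbps: float, rtt_ms: float) -> int:
    """Window (bytes) a single stream needs to sustain target_mbps at rtt_ms.

    Computed with the millisecond factor last so integer inputs stay exact.
    """
    return math.ceil(target_mbps * MBIT * rtt_ms / 1000 / 8)


def streams_needed(target_mbps: float, window_bytes: int, rtt_ms: float) -> int:
    """Parallel streams needed when the window cannot be raised."""
    per_stream = max_throughput_mbps(window_bytes, rtt_ms)
    return math.ceil(target_mbps / per_stream)


def chatty_copy_seconds(file_bytes: int, block_bytes: int, rtt_ms: float) -> float:
    """Time for a stop-and-wait copy: one synchronous request per block.

    Assumed model (not a measurement): exactly one request in flight, so the
    transfer is bounded by round trips alone, not by line rate.
    """
    blocks = math.ceil(file_bytes / block_bytes)
    return blocks * rtt_ms / 1000


if __name__ == "__main__":
    rtt = 108  # ms, the seedbox RTT quoted in the reply
    for window_kib in (64, 256, 1024, 4096):
        mbps = max_throughput_mbps(window_kib * 1024, rtt)
        print(f"{window_kib:5d} KiB window @ {rtt} ms RTT -> {mbps:7.2f} Mbit/s max")

    target = 200  # Mbit/s, roughly what the OP sees with plain HTTPS from Canada
    print(f"window for {target} Mbit/s @ {rtt} ms: "
          f"{required_window_bytes(target, rtt) / 1024 / 1024:.2f} MiB")
    print(f"streams for {target} Mbit/s with a 64 KiB window: "
          f"{streams_needed(target, 64 * 1024, rtt)}")

    # Constructed input: a 100 MiB file copied in 64 KiB synchronous reads.
    size, block = 100 * 1024 * 1024, 64 * 1024
    for latency in (1, rtt):
        print(f"{size >> 20} MiB in {block >> 10} KiB blocks @ {latency:3d} ms RTT: "
              f"{chatty_copy_seconds(size, block, latency):7.1f} s")
```

The first function is the line from the reply; the others are the same identity solved for the other variable. Note the last loop: the same 1600 requests that cost 1.6 s on a 1 ms LAN cost nearly three minutes at 108 ms, regardless of how fat the pipe is, which is why the reply recommends a protocol that streams (HTTPS, SFTP/SCP) over one that chats (SMB).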
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.