Network & Systems Architect

Welcome to my little blog. I am mostly techie over here, blogging about networking and system administration topics, but there will also be some Travel Reports from time to time…

OpenVPN over TCP is BAD

March 17, 2011Christian Kildau3 Comments

I use OpenVPN in a road-warrior setup over often slow and unreliable wireless connections. That on it’s own makes using interactive applications pretty hard.

But if you’re now additionally running OpenVPN in TCP mode over these links things get worse. The reason is, that TCP uses some kind of a three-way handshake to make sure all packets arrive in time and re-transmits those packets that don’t. With OpenVPN over TCP you now have your application’s TCP session encapsulated in your VPN”s TCP session, doubling your ACKs and re-transmissions (if needed).

Now I switched to UDP on the VPN’s session and if the link starts to loose packets, the VPN will too, but the application’s TCP session will make sure those packets are being re-transmitted. All in all everything feels much faster – at least for a crappy 3G connection.

See this link for a more detailed explanation.

This article has 3 comments
  1. Kristopher Morris

    We run a small vpn provider free ads been playing with openvpn for awhile now and I have some numbers. With proper HTB class based shaping UDP is over 3x faster on a generic You basicly nailed it; you can improve TCP to some extent by forcing MTU’s and few other directives. Let us know if you need servers to test! also lzo seems to be bad on lossy links. Running TCP_Westwood on the clusters helps with that alot.

    tcp-queue-limit 128
    tun-mtu 1500
    mssfix 1300
    tun-mtu-extra 32
    txqueuelen 15000

  2. crisnil

    I have a problem. were having a server on our office, and pfsense hosting openvpn, i can connect to openvpn as roadwarrior in different isp(dsl) but the problem is when i used 3G connection i cant connect to it. I think 3G network has a proxy since when i look into my recieve ip of the modem is different from ip i see when i browse what_is, Is there any work through to this?

    • Christian Kildau

      Try using another Port, if you assume there is a proxy in between.

      What mode are you running OpenVPN in?

Leave a Reply

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.