LinuxQuestions.org
Old 09-27-2012, 07:53 AM   #1
depam
Member
 
Registered: Sep 2005
Posts: 824

Rep: Reputation: 30
OpenVPN site to site bridge


I have been using DD-WRT for quite some time now. I have previously set up a Road Warrior OpenVPN and it works perfectly. Now, I was thinking of creating a tunnel between two routers. I am just using a normal home internet connection without a static IP, but it is public (cable broadband on one end and fibre access on the other), and both are on unsecured networks via the net.

I have tried setting up OpenVPN using routing rather than bridging. It works well; however, it doesn't seem to address what I wanted to do, and the fact is that my outbound WAN caused a slowdown on both networks. Does anyone have an idea how much idle bandwidth OpenVPN uses on a site-to-site setup?

Another thing that bothers me is how to make it work on a bridged site-to-site VPN setup when two routers have DHCP active. I assume they will clash with each other since both are on the same network. But I can't turn off either one, as I am concerned that no one can get an IP in case the tunnel is down.
 
Old 09-28-2012, 07:53 AM   #2
Joaquim Almeida
LQ Newbie
 
Registered: Sep 2012
Posts: 7

Rep: Reputation: Disabled
Hi,

I presume you want to make something like...:
Code:
+---------+                     +---------+
| Point A |+----+Internet+-----+| Point B |
+---------+                     +---------+
    + +                             + +
    | |                             | |
    | |                             | |
    | +-----------------------------+ |
    +---------------------------------+
                  Tunnel
... yes?

What is the problem with your route version?

Well, in fact, bridged NICs are the ones that slow down. I quoted one excerpt from a book in one of my posts regarding that question (here):
Quote:
Originally Posted by Joaquim Almeida
5. Why routing (tun) and not bridging (tap) ?

I'll just point the major disadvantage of using bridging with a quotation taken from a good book about this theme - OpenVPN 2 Cookbook - ISBN 978-1-849510-10-3:
Quote:
However, there are also disadvantages to using bridging, especially in terms of performance: the performance of a bridged 100 Mbps Ethernet adapter is about half the performance of a non-bridged adapter.
About DHCP, if you're using OpenVPN then it depends on the one you accept as the DHCP server. More information about it here.
 
Old 09-28-2012, 10:52 AM   #3
depam
Member
 
Registered: Sep 2005
Posts: 824

Original Poster
Rep: Reputation: 30
Thanks for this useful info. I truly believed that bridging would cause major degradation on the tunnel, but didn't realize, as you quoted below, that it would be half of its supposed performance. The reason why I wanted to have this method is that there are some devices between these two networks that require discovery within the network. That entails doing a broadcast and checking which device will respond to it. I am not sure how to attain that using a routed setup, since the two networks are completely clueless that the other LAN is connected through the tunnel unless you initiate a connection. Other examples of this are discovery of Samba network shares in the network, multicasting a video stream, and, not sure, SIP RTP via a routed tunnel, etc.

To add, I am really interested to know how the performance of the routed tunnel is when it is idle (like if no one is talking to the other network and it is just doing a keepalive to keep the tunnel up). I didn't really have time to investigate further when I did this, since all I felt was slowness on both networks, and I'm not really sure if there's anything else I can do to tweak it.
 
Old 10-01-2012, 09:20 AM   #4
Joaquim Almeida
LQ Newbie
 
Registered: Sep 2012
Posts: 7

Rep: Reputation: Disabled
I'm sorry, I don't fully understand what you've written. I'll try to answer anyway...

A VPN, as you are aware, is basically an interconnection between two (or more) subnets, on a server-client basis. Of course, the client will always need to initiate the connection...

The fact that you need broadcasting doesn't make it impossible; you have to say which one acts as server/client, and then push routes. For the broadcast, you'll need a WINS server (or similar). Check this how-to, maybe it will help.

Regarding the keepalive, I've never monitored the quantity of information, nor do I know how much it reduces the performance. Nevertheless, in OpenVPN, you can define it in time and retries. On the same site I posted here above, there is a study about performance, which I quote to you:
Quote:
Performance

As you might expect, encryption takes its toll on network performance. But, in practice, network throughput will be limited more by the Internet connections of both the OpenVPN server and client, than by OpenVPN itself. For my setup, I get speeds of around 35 kbps, but the client side of my network uses a wireless point-to-point Internet provider that sounds good on paper, but in reality, is horribly unreliable.

To get a better look at OpenVPN's true performance, I set up both the server and client locally connected through a gigabit switch and transferred some files through them over SMB. Direct transfer (without OpenVPN) clocked in at around 38 Mbps. The same transfer over an encrypted tunnel was barely able to top 4 Mbps. But again, unless you have top-tier fiber-based connections on both ends of your encrypted tunnel, you're unlikely to be limited by OpenVPN itself.

So you definitely pay the price on the performance side, but you gain the ability to securely transfer data over insecure connections.

If you don't want to dedicate a computer at each end of an OpenVPN tunnel, there are implementations of OpenVPN that run on the limited hardware of consumer grade routers (like the Linksys WRT54G) through DD-WRT or OpenWrt. So don't worry about old hardware slowing you down!
Translation: If you are willing to sacrifice security in exchange for performance... it will become as fast as your ISP allows. I don't recommend it at all. If you need a VPN connection that badly (without losing performance), the best would be to rent a VPN service (with dedicated modems for it) or, better, a dedicated line. Performance would still be an issue: it depends on your budget.

From experience, I can guarantee that in bridge mode it suffers a lot: when I'm in laziness mode I tend to administer my server with NX. Inside the enterprise's network (like the PC in this post), in bridge mode it took some time to connect; in route mode, it's instantaneous.
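The routed (tun) site-to-site layout discussed in this thread, with the server pushing routes to the client and keepalive defined as time and retries, as an added example that is not from this thread, from DD-WRT, or from the OpenVPN project: a POSIX shell script that renders a matching server.conf, per-client ccd file and client.conf. All subnets, host names, certificate file names and the client CN are constructed placeholders; the script assumes the certificates and ta.key already exist. Run it with `write_configs` to get the three files in a directory.

```shell
#!/bin/sh
# Added example, not from the thread: render a routed (tun) OpenVPN
# site-to-site pair. Site A is the server, site B the client.
# All addresses and names below are constructed placeholders.

SITE_A_LAN="192.168.1.0 255.255.255.0"   # constructed: LAN behind the server router
SITE_B_LAN="192.168.2.0 255.255.255.0"   # constructed: LAN behind the client router
TUNNEL_NET="10.8.0.0 255.255.255.0"      # constructed: tun addresses, must not overlap either LAN
CLIENT_CN="siteB-router"                 # constructed: CN in the client certificate

# Server side. "keepalive N M" expands to "ping N" + "ping-restart M":
# one small ping every N seconds when idle, restart if nothing is heard
# for M seconds. Idle cost is therefore one packet per N seconds each way.
gen_server_conf() {
  cat <<EOF
dev tun
proto udp
port 1194
server $TUNNEL_NET
topology subnet
# kernel route: site B's LAN is reachable via the tunnel interface
route $SITE_B_LAN
# per-client files (iroute) tell OpenVPN which client owns that LAN
client-config-dir ccd
# give the client a route back to site A's LAN
push "route $SITE_A_LAN"
keepalive 10 60
persist-key
persist-tun
tls-auth ta.key 0
ca ca.crt
cert siteA.crt
key siteA.key
dh dh.pem
cipher AES-256-CBC
verb 3
EOF
}

# ccd/<CN>: without iroute the server drops packets for site B's LAN
# even though the kernel route above exists.
gen_ccd() {
  printf 'iroute %s\n' "$SITE_B_LAN"
}

# Client side; $1 is the server's public address or dynamic-DNS name.
gen_client_conf() {
  cat <<EOF
client
dev tun
proto udp
remote $1 1194
nobind
persist-key
persist-tun
remote-cert-tls server
tls-auth ta.key 1
ca ca.crt
cert $CLIENT_CN.crt
key $CLIENT_CN.key
cipher AES-256-CBC
keepalive 10 60
verb 3
EOF
}

# Write server.conf, ccd/<CN> and client.conf into a directory and echo its path.
write_configs() {
  out="${1:-./openvpn-site2site}"
  mkdir -p "$out/ccd"
  gen_server_conf > "$out/server.conf"
  gen_ccd > "$out/ccd/$CLIENT_CN"
  gen_client_conf "siteA.example.invalid" > "$out/client.conf"   # constructed host name
  echo "$out"
}
```

The three directives that make a routed site-to-site link work are `route` (kernel routing on the server), `iroute` in the client's ccd file (OpenVPN's internal routing, matched by certificate CN) and `push "route ..."` (the client's route back); leaving any one out gives a tunnel that comes up but does not pass LAN-to-LAN traffic.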
 
Old 10-03-2012, 08:29 AM   #5
depam
Member
 
Registered: Sep 2005
Posts: 824

Original Poster
Rep: Reputation: 30
Thanks again for your patience and explanation. I have setup a routed site on my DD-WRT using the below link:

http://www.dd-wrt.com/wiki/index.php...en_two_routers

So far this setup satisfies my requirements. I can live with the Samba discovery for now. However, what I want to attain now, if possible, is to set the other router as the gateway for specific clients. This can easily be done, or is transparent, using a bridged setup by setting the gateway to the other router. But since the adapter used is tun, do you know if it's possible to attain this using a routed setup? Thanks in advance.
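Making the remote router the default gateway for only some LAN clients over a tun tunnel can be done with Linux policy routing (a source-address `ip rule` pointing at a routing table whose default route goes over the tunnel). The following is an added example, not from this thread, the DD-WRT wiki or OpenVPN itself: a POSIX shell script for the site-B (client) router that steers selected hosts into the tunnel while everyone else keeps the local WAN. Interface names (`tun0`, `br0`, `eth0`), the server's tun address, the table number and the host addresses are constructed assumptions. Commands are only printed unless `APPLY=1` is set, so the script can be reviewed before it touches the router; `remote_side_nat` is the matching piece the site-A router needs so that the steered traffic can leave through its WAN.

```shell
#!/bin/sh
# Added example, not from the thread: send selected site-B LAN hosts'
# traffic through the tunnel so the site-A router becomes their gateway.
# All addresses, interface names and the table number are constructed.
# Set APPLY=1 to execute; by default commands are printed (dry run).

TUN_IF="tun0"               # assumption: OpenVPN tun interface name
LAN_IF="br0"                # assumption: DD-WRT LAN bridge on the site-B router
LOCAL_LAN="192.168.2.0/24"  # constructed: site-B LAN
REMOTE_TUN_IP="10.8.0.1"    # constructed: site-A router's tun address
TABLE_ID=100                # constructed: spare routing table number
RULE_PRIO=1000              # constructed: rule priority (before the main table)

run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Validate a dotted-quad IPv4 address; return non-zero otherwise.
valid_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# One-time: a routing table whose default route goes over the tunnel,
# while the local LAN stays directly reachable for steered hosts.
setup_table() {
  run ip route replace default via "$REMOTE_TUN_IP" dev "$TUN_IF" table "$TABLE_ID"
  run ip route replace "$LOCAL_LAN" dev "$LAN_IF" table "$TABLE_ID"
}

# Per host: only packets from this source address consult the table.
add_host() {
  valid_ipv4 "$1" || { echo "bad address: $1" >&2; return 1; }
  run ip rule add from "$1" lookup "$TABLE_ID" priority "$RULE_PRIO"
}

del_host() {
  valid_ipv4 "$1" || { echo "bad address: $1" >&2; return 1; }
  run ip rule del from "$1" lookup "$TABLE_ID" priority "$RULE_PRIO"
}

# Run on the site-A router: forward the steered traffic and NAT it out of
# site A's WAN (assumed eth0) so replies come back through the tunnel.
remote_side_nat() {
  wan_if="${1:-eth0}"   # assumption: site-A WAN interface
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -t nat -A POSTROUTING -s "$LOCAL_LAN" -o "$wan_if" -j MASQUERADE
  run iptables -A FORWARD -i "$TUN_IF" -o "$wan_if" -s "$LOCAL_LAN" -j ACCEPT
}
```

Because the rule matches on the source address, a steered host sees the site-A router as its Internet gateway without any change on the host itself, and removing the rule (`del_host`) returns it to the local WAN immediately. If the tunnel goes down, the table's default route disappears with `tun0` and those hosts lose Internet access rather than silently falling back, which is usually the desired behaviour for traffic that was meant to stay inside the tunnel.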
 