LinuxQuestions.org
Old 01-16-2010, 08:32 AM   #1
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Rep: Reputation: 30
VPN vs proxy bandwidth


I have had a squid proxy service set up on my server for a while, which works fine with streamed video.
However, I recently also set up a VPN service to run on the server.
When I connect to the same video site but instead using the VPN connection, I get a lot of streaming rebuffering.
Any ideas on what the problem could be?

I use a tun/tap interface, which is rerouted on the server using iptables.
 
Old 01-18-2010, 10:57 AM   #2
zordrak
Member
 
Registered: Feb 2008
Distribution: Slackware
Posts: 595

Rep: Reputation: 116
VPN requires encryption and decryption of packets at either end of the point to point connection. Squid proxying does not separately encrypt the traffic; it simply forwards it. The reduction in bandwidth you are experiencing over VPN is almost certainly due to a processing bottleneck at one side (or both sides) of the VPN connection.

Further to that, network routing devices that use QoS to prioritise certain types of traffic often prioritise streaming video to ensure as low a latency as possible. This is not always the case with VPNs and often VPN connections have a lower priority than normal web traffic.
 
Old 01-18-2010, 11:01 AM   #3
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by zordrak
VPN requires encryption and decryption of packets at either end of the point to point connection. Squid proxying does not separately encrypt the traffic; it simply forwards it. The reduction in bandwidth you are experiencing over VPN is almost certainly due to a processing bottleneck at one side (or both sides) of the VPN connection.

Further to that, network routing devices that use QoS to prioritise certain types of traffic often prioritise streaming video to ensure as low a latency as possible. This is not always the case with VPNs and often VPN connections have a lower priority than normal web traffic.
I heard MTU might also be an issue.
My current VPN works over TCP.
Is UDP any better?
 
Old 01-18-2010, 11:08 AM   #4
zordrak
Member
 
Registered: Feb 2008
Distribution: Slackware
Posts: 595

Rep: Reputation: 116
Quote:
Originally Posted by qwertyjjj
I heard MTU might also be an issue.
My current VPN works over TCP.
Is UDP any better?
MTUs are not your problem. Understanding how VPN works and how it differs from a proxied connection is.

WRT TCP vs. UDP, the question is too complex to have a silver-bullet answer; this is a question you need research to answer, along with knowledge of your particular setup and needs.

For a simple OpenVPN configuration, UDP is the default and it is what I use.
 
Old 01-18-2010, 11:11 AM   #5
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by zordrak
MTUs are not your problem. Understanding how VPN works and how it differs from a proxied connection is.

WRT TCP vs. UDP, the question is too complex to have a silver-bullet answer; this is a question you need research to answer, along with knowledge of your particular setup and needs.

For a simple OpenVPN configuration, UDP is the default and it is what I use.
Then the encryption must be the issue? How can I troubleshoot this?
I know VPN works, as a number of sites do a similar thing that I do using VPN instead of proxy connections and they work fine for streamed video. My server should have enough power; it just seems to be video encryption causing an issue.
 
Old 01-18-2010, 11:18 AM   #6
zordrak
Member
 
Registered: Feb 2008
Distribution: Slackware
Posts: 595

Rep: Reputation: 116
You were talking about the difference between proxy and VPN, in which case the issue is obvious.

If you are right in suggesting that others do exactly as you do with similar hardware without problems then you need to do deeper investigation into where latency is being introduced. Perhaps this might be a good start for you:
http://www.nanog.org/meetings/nanog4...te_N47_Sun.pdf
 
Old 01-18-2010, 03:50 PM   #7
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
One of the user lists thinks that tcp has connection issues over udp - is that correct?
At present under TCP, I am getting a lot of these server messages on the VPN:
Mon Jan 18 20:37:31 2010 adminuser/70.xx.x.xx:2001 MULTI: bad source address from client [192.168.1.101], packet dropped
 
Old 01-25-2010, 02:34 PM   #8
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
I've tried to change MTU settings and stuff but no luck yet. It seems all the traffic over 1 port and encryption means VPN cannot be used for streaming, which seems crazy given today's bandwidth availability.
 
Old 02-11-2010, 03:06 PM   #9
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
I received this from the openvpn users list but am not 100% sure how to implement it:
Quote:
The way things are intertwined make them slightly complicated. The
issue has nothing to do with TCP/IP itself, it is the packet size limit
on an ethernet. The IP layer normally constructs packets that are as
large as the physical media can support - then if these are routed to
vpn that has to add tunnel encapsulation headers to the packets, they won't
fit as single ethernet packets and must be fragmented. There are ways
for IP stacks to discover that some intermediate part of the route has a
smaller size limit, but they are slow and foiled by private addressing
and firewalls (i.e. you have to get ICMP messages from the intermediate
routing interfaces where you didn't expect them). So, the quick fix is
to just force the MTU lower at the end points that you know will
communicate over a VPN - and then they don't need to know anything about
the intermediate handling. So, it's not really specifically related to
your routing and there's not really an ideal MTU for some purpose. It
is just that openvpn is going to add 40 bytes to every packet and you
want to send those packets out an ethernet with a 1500 byte limit. If
your server is unix-like, the ifconfig command should be able to change
the MTU, although there will be config file changes needed to make it
permanent and those will depend on the specific distribution.
How can I work out what my ethernet limit is?
If OpenVPN adds 40 bytes on to every packet then surely I only need to turn the VPN down to 1400?
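
Added example, not part of the original thread or the mailing-list reply: shell functions that find the largest packet a path carries unfragmented by probing with the Don't Fragment bit set (Linux iputils `ping -M do`), then subtract the 40-byte per-packet overhead quoted above to get the tunnel MTU and TCP MSS. The function names, the `OVERHEAD` variable and the host `vpn.example.org` are assumptions of this example; the real overhead depends on the OpenVPN cipher and transport.

```shell
#!/bin/sh
# Added example: measure the path MTU to a peer and derive tunnel settings.
OVERHEAD=${OVERHEAD:-40}   # bytes the VPN adds per packet (figure from the thread)
IP_ICMP_HDR=28             # 20-byte IPv4 header + 8-byte ICMP echo header
IP_TCP_HDR=40              # 20-byte IPv4 header + 20-byte TCP header

# Send one echo request with $2 payload bytes to host $1 with Don't Fragment
# set. Succeeds only if the packet crosses the whole path in one piece.
probe() {
    ping -M do -c 1 -W 1 -s "$2" "$1" >/dev/null 2>&1
}

# Binary-search the largest ICMP payload that gets through and print the
# resulting path MTU. Default window: MTU 576 (payload 548) to 1500 (1472).
path_mtu() {
    host=$1 lo=${2:-548} hi=${3:-1472}
    probe "$host" "$lo" || { echo "no reply at $lo payload bytes" >&2; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$host" "$mid"; then
            lo=$mid              # mid fits: search above it
        else
            hi=$(( mid - 1 ))    # mid is too big: search below it
        fi
    done
    echo $(( lo + IP_ICMP_HDR ))
}

# Largest inner packet that still fits in one outer packet on a path MTU of $1.
tunnel_mtu() { echo $(( $1 - OVERHEAD )); }

# TCP MSS for connections carried inside the tunnel on a path MTU of $1.
tunnel_mss() { echo $(( $(tunnel_mtu "$1") - IP_TCP_HDR )); }

# Usage (needs network access to the peer):
#   m=$(path_mtu vpn.example.org) && echo "path=$m tun=$(tunnel_mtu "$m") mss=$(tunnel_mss "$m")"
```

A failed probe can also mean that ICMP is filtered somewhere on the path, which is the same firewall problem the quoted reply describes for automatic path MTU discovery, so a result at the bottom of the window should be checked against a second peer.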
 
  


All times are GMT -5.