01-16-2010, 08:32 AM
#1
Senior Member
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013
VPN vs proxy bandwidth
I have had a squid proxy service set up on my server for a while, which works fine with streamed video.
However, I recently also set up a VPN service to run on the server.
When I connect to the same video site but instead using the VPN connection, I get a lot of streaming rebuffering.
Any ideas on what the problem could be?
I use a tun/tap interface, which is rerouted on the server using iptables.

01-18-2010, 10:57 AM
#2
Member
Registered: Feb 2008
Distribution: Slackware
Posts: 595
VPN requires encryption and decryption of packets at either end of the point-to-point connection. Squid proxying does not separately encrypt the traffic; it simply forwards it. The reduction in bandwidth you are experiencing over VPN is almost certainly due to a processing bottleneck at one side (or both sides) of the VPN connection.
Further to that, network routing devices that use QoS to prioritise certain types of traffic often prioritise streaming video to ensure as low a latency as possible. This is not always the case with VPNs and often VPN connections have a lower priority than normal web traffic.

01-18-2010, 11:01 AM
#3
Senior Member
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013
Original Poster
Quote:
Originally Posted by zordrak
VPN requires encryption and decryption of packets at either end of the point-to-point connection. Squid proxying does not separately encrypt the traffic; it simply forwards it. The reduction in bandwidth you are experiencing over VPN is almost certainly due to a processing bottleneck at one side (or both sides) of the VPN connection.
Further to that, network routing devices that use QoS to prioritise certain types of traffic often prioritise streaming video to ensure as low a latency as possible. This is not always the case with VPNs and often VPN connections have a lower priority than normal web traffic.
|
I heard MTU might also be an issue.
My current VPN works over TCP.
Is UDP any better?

01-18-2010, 11:08 AM
#4
Member
Registered: Feb 2008
Distribution: Slackware
Posts: 595
Quote:
Originally Posted by qwertyjjj
I heard MTU might also be an issue.
My current VPN works over TCP.
Is UDP any better?
|
MTUs are not your problem. Understanding how VPN works and how it differs from a proxied connection is.
WRT TCP vs. UDP, the question is too complex to have a silver-bullet answer, this is a question you need research to answer along with knowledge of your particular setup and needs.
For a simple OpenVPN configuration, UDP is the default and it is what I use.

01-18-2010, 11:11 AM
#5
Senior Member
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013
Original Poster
Quote:
Originally Posted by zordrak
MTUs are not your problem. Understanding how VPN works and how it differs from a proxied connection is.
WRT TCP vs. UDP, the question is too complex to have a silver-bullet answer, this is a question you need research to answer along with knowledge of your particular setup and needs.
For a simple OpenVPN configuration, UDP is the default and it is what I use.
|
Then the encryption must be the issue? How can I troubleshoot this?
I know VPN works as a number of sites do a similar thing that I do using VPN instead of proxy connections and they work fine for streamed video. My server should have enough power, it just seems to be video encryption causing an issue.

01-18-2010, 11:18 AM
#6
Member
Registered: Feb 2008
Distribution: Slackware
Posts: 595
You were talking about the difference between proxy and VPN, in which case the issue is obvious.
If you are right in suggesting that others do exactly as you do with similar hardware without problems then you need to do deeper investigation into where latency is being introduced. Perhaps this might be a good start for you:
http://www.nanog.org/meetings/nanog4...te_N47_Sun.pdf

01-18-2010, 03:50 PM
#7
Senior Member
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013
Original Poster
One of the user lists thinks that TCP has connection issues over UDP - is that correct?
At present under TCP, I am getting a lot of these server messages on the VPN:
Mon Jan 18 20:37:31 2010 adminuser/70.xx.x.xx:2001 MULTI: bad source address from client [192.168.1.101], packet dropped

01-25-2010, 02:34 PM
#8
Senior Member
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013
Original Poster
I've tried to change MTU settings and stuff but no luck yet. It seems all the traffic over 1 port and encryption means VPN cannot be used for streaming, which seems crazy given today's bandwidth availability.

02-11-2010, 03:06 PM
#9
Senior Member
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013
Original Poster
I received this from the openvpn users list but am not 100% sure how to implement it:
Quote:
The way things are intertwined make them slightly complicated. The
issue has nothing to do with TCP/IP itself, it is the packet size limit
on an ethernet. The IP layer normally constructs packets that are as
large as the physical media can support - then if these are routed to
vpn that has to add tunnel encapsulation headers to the packets, they won't
fit as single ethernet packets and must be fragmented. There are ways
for IP stacks to discover that some intermediate part of the route has a
smaller size limit, but they are slow and foiled by private addressing
and firewalls (i.e. you have to get ICMP messages from the intermediate
routing interfaces where you didn't expect them). So, the quick fix is
to just force the MTU lower at the end points that you know will
communicate over a VPN - and then they don't need to know anything about
the intermediate handling. So, it's not really specifically related to
your routing and there's not really an ideal MTU for some purpose. It
is just that openvpn is going to add 40 bytes to every packet and you
want to send those packets out an ethernet with a 1500 byte limit. If
your server is unix-like, the ifconfig command should be able to change
the MTU, although there will be config file changes needed to make it
permanent and those will depend on the specific distribution.
|
How can I work out what my ethernet limit is?
If OpenVPN adds 40 bytes on to every packet then surely I only need to turn the VPN down to 1400?
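
One way to answer the question in post #9, as an added example that is not from any poster in the thread or from the OpenVPN project: read the configured link MTU, binary-search the largest packet that crosses the path with the Don't Fragment bit set, then subtract the tunnel overhead. It assumes Linux iputils `ping` (`-M do`), takes the 40-byte overhead from the quoted list message as a default, and the function names and `vpn.example.net` are placeholders.

```shell
#!/usr/bin/env bash
# Added example: measure the path MTU towards a VPN peer and derive an MTU
# for the tunnel interface. Function names are hypothetical.

# probe SIZE HOST: succeed if an ICMP echo carrying SIZE payload bytes with the
# Don't Fragment bit set gets a reply (Linux iputils ping syntax).
probe() {
    ping -c 1 -W 2 -M do -s "$1" "$2" >/dev/null 2>&1
}

# link_mtu IFACE: MTU the kernel has configured on a local interface.
link_mtu() {
    cat "/sys/class/net/$1/mtu"
}

# path_mtu HOST [LINK_MTU]: binary-search the payload size, print the path MTU.
path_mtu() {
    local host=$1 link_mtu=${2:-1500}
    local lo=0 hi=$((link_mtu - 28)) mid   # 28 = 20-byte IPv4 + 8-byte ICMP header
    probe "$lo" "$host" || return 1        # host unreachable or ICMP filtered
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$mid" "$host"; then lo=$mid; else hi=$((mid - 1)); fi
    done
    echo $((lo + 28))
}

# tunnel_mtu PATH_MTU [OVERHEAD]: room left for the inner packet.
# 40 bytes is the per-packet figure quoted in the thread; the real overhead
# depends on cipher, HMAC and transport, so it is an assumption here.
tunnel_mtu() {
    echo $(( $1 - ${2:-40} ))
}

# Usage (needs network access; vpn.example.net is a placeholder):
#   pm=$(path_mtu vpn.example.net "$(link_mtu eth0)") && tunnel_mtu "$pm"
```

If `path_mtu` fails outright, ICMP echo is being filtered on the path, which is the same condition that defeats automatic path MTU discovery as described in the quoted message.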