[Leaplist] Openvpn over satellite

Bryan J. Smith b.j.smith at ieee.org
Wed Sep 24 01:47:11 EDT 2008


On Wed, 9/24/08, tony_l_turner wrote:
> I'm looking for a good full featured *.nix firewall
> distribution like IPCop, M0n0wall, Pfsense, Smoothwall,
> Untangle etc that does a good job of managing TCP window
> sizes/buffers for high latency connections like satellite
> connectivity. Configuration might be sat2sat or sat2land. I
> need a package that works well with OpenVPN as I need to do
> a point2point SSL VPN to better utilize PEP (IPSEC sucks in
> this regard) 
> While it might be obvious that I have a list of solutions
> already, I either want to find something running on kernel
> 2.6 or newer to take advantage of new TCP congestion control
> features not found in 2.4 and older or find a way to load
> the appropriate module I need to manage high latency
> connections. I do not currently have a budget for this
> project but have a couple of spare Dell P4 boxes I can use
> and a box of network cards. 

I'm kinda curious where you find "IPSec sucks in this regard."

One of the advantages of IPSec is that it is integrated at
the network layer (IP) itself.  Ideally, an implementation,
such as the Linux 2.6, should allow it to be tuned much better
via various commands (ip et al.).  In reality, far too many
IPSec-based VPN implementations do tend to have all the issues
of that layer of interaction, and none of the advantages.

I have no idea how good the IPSec implementations are out
there, how much they integrate with the native Linux 2.6
options and control, etc...  I don't like to deal with
IPSec myself, but I'm not doing what you do.  I do know
that Red Hat spent some money getting OpenSWAN through
the full IPv6 certification process (the only daemon that
is right now?) and have people working on it full time.

When you start looking at OpenVPN, which makes it far more
transparent of an option because it works largely at a
higher layer, you're now talking about a tun device.  So
with most everything else at the higher layer, and little
more than the tun devices, I don't see it being as remotely
tunable for what you want -- at least what is in the Linux
2.6 kernel.  But I just use OpenVPN "as-is" and don't get
into all those details.

Or do you believe you can configure all you need at the tun
device in the 2.6 kernel?  

And yeah, most of the simple, default SOHO/SMB security
"make me an appliance" Linux distro installs still favor
kernel 2.4 for countless reasons.  So you typically have
to start with your own base for 2.6.

I'm really interested in your needs, because it sounds like
an interesting network consideration for high latency
connections**, and what 2.6 gives you.

> Does anyone have experience with this or have any
> resources you could recommend so I could research
> this myself?

Other than analyzing some throughput, latency and
efficiency of real-time TCP-based communication software,
not really.  I haven't tuned much, and all of that was
back on kernel 2.4 anyway -- RHEL 3 with OpenVPN, and that
was non-sanctioned and hacked last second, as needed
immediately, etc... with just some lessons learned later.

> I've been through the previous products FAQs and
> countless Google searches and found good theoretical
> info but very little practical guidance. Thanks in
> advance

In general, when you are concerned about latency in a
real-time app, you compensate in the app itself.  I.e.,
re-write it for a protocol like ... say ... RTP.  If
you need security, you write it to handle it on its own.
This can include using IPSec as it was intended, not as
it often is as a VPN/tunnel.

But it's been a couple of years since I looked at all this.
None of it on kernel 2.6, all 2.4, and -- gasp -- Embedded
XP (NT) and CE.

-- Bryan

**P.S.  You're not working for F4W by chance, are you?  ;)
Satellite is the emergency responders' last, but common,
resort to connectivity and I remember hacking an OpenVPN
option for them over an evening.  At least they re-wrote
Tactica to use RTP instead of TCP.

-- 
Bryan J Smith        Professional, Technical Annoyance
b.j.smith at ieee.org  http://www.linkedin.com/in/bjsmith
------------------------------------------------------
I'm a PC, but Linux -- Windows: Life Without Firewalls
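A worked illustration of the window sizing the thread is about, added here as an editor's example rather than anything either poster wrote: it computes the bandwidth-delay product of a high-latency link and turns it into the 2.6-kernel sysctl keys and OpenVPN socket-buffer directives a practitioner would tune. The link figures (2048 kbit/s, 600 ms RTT) are constructed sample values, and the buffer floor/ceiling policy is an assumption, not a kernel default.

```shell
#!/bin/sh
# Added example, not from the thread. Sizes TCP buffers from the
# bandwidth-delay product (BDP) of a satellite-class link.

# bdp_bytes KBPS RTT_MS -> bytes that must be in flight to fill the pipe.
# kbit/s * 1000 * ms / 8 / 1000 = bytes; integer maths only (POSIX sh).
bdp_bytes() {
    echo $(( $1 * 1000 * $2 / 8 / 1000 ))
}

# tcp_buf_line BDP -> "min default max" for tcp_rmem / tcp_wmem.
# Policy (assumed, not a kernel default): keep the usual 4096 / 87380
# floor and default, set max to 2x BDP rounded up to a 4 KiB page so
# autotuning has headroom above the pipe size.
tcp_buf_line() {
    max=$(( ( $1 * 2 + 4095 ) / 4096 * 4096 ))
    echo "4096 87380 $max"
}

# list_cc -> congestion control algorithms the running kernel offers
# (prints nothing on a non-Linux host). The module the poster wants
# (cubic, htcp, hybla, ...) must appear here before it can be selected.
list_cc() {
    f=/proc/sys/net/ipv4/tcp_available_congestion_control
    if [ -r "$f" ]; then cat "$f"; fi
}

# print_sysctl KBPS RTT_MS CC -> sysctl.conf fragment for the link.
print_sysctl() {
    line=$(tcp_buf_line "$(bdp_bytes "$1" "$2")")
    printf 'net.ipv4.tcp_rmem = %s\n' "$line"
    printf 'net.ipv4.tcp_wmem = %s\n' "$line"
    printf 'net.ipv4.tcp_window_scaling = 1\n'      # windows > 64 KiB need scaling
    printf 'net.ipv4.tcp_congestion_control = %s\n' "$3"
}

# print_openvpn KBPS RTT_MS -> OpenVPN directives sizing the transport
# socket buffers to the BDP, so the tunnel itself is not the bottleneck.
print_openvpn() {
    bdp=$(bdp_bytes "$1" "$2")
    printf 'sndbuf %s\nrcvbuf %s\n' "$bdp" "$bdp"
}

# Sample run with constructed link values: 2 Mbit/s, 600 ms round trip.
print_sysctl 2048 600 cubic
print_openvpn 2048 600
list_cc
```

Only the outer (tunnel transport) window is addressed here; TCP sessions carried inside the tun device still see the full satellite RTT and need the same sysctl tuning on the endpoints.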
