
Re: [Openvpn-users] TCP or UDP - security question

  • Subject: Re: [Openvpn-users] TCP or UDP - security question
  • From: Mathias Sundman <mathias@xxxxxxxxxx>
  • Date: Wed, 11 Aug 2004 16:43:59 +0200 (CEST)

On Sat, 7 Aug 2004, Tom Clark wrote:

I'm trying to understand the pros and cons of using TCP vs. UDP
with OpenVPN.   I can see that UDP would allow me to use only
a single port on the server (and through a firewall).  On the
other hand, when configuring a firewall, security folks tend
to like TCP better than UDP.  I should note that in my case
I know exactly the IPs who will be communicating over the VPN,
which means the firewall can be fairly locked down, and it will
be used by pretty paranoid folks.....

The only reason I can think of why "security folks" would prefer TCP before UDP through a firewall is that the entry in the connection state table can be closed immediately when a TCP session is closed, while it has to remain open for UDP until it times out (as there is no TCP RESET packet).

In this case the main security risk is the OpenVPN implementation itself and the overall security of the clients, so I don't think you need to choose between TCP or UDP for security reasons.

But, you would probably want to choose what suits you best because of performance and usability considerations.

TCP will probably be the best choice to get through as many other firewalls and routers as possible, while UDP might perform better if you tunnel mostly other TCP protocols.

Mathias Sundman                  (^)   ASCII Ribbon Campaign
NILINGS AB                        X    NO HTML/RTF in e-mail
Tel: +46-(0)8-666 32 28          / \   NO Word docs in e-mail
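The state-table behaviour described in the reply above, shown as an added toy model that is not part of the original thread and not OpenVPN or any firewall product's code. It assumes a simplified stateful firewall that only creates entries for flows initiated from the client side, with constructed addresses, port 1194 and assumed idle timeouts (`TCP_IDLE_TIMEOUT`, `UDP_IDLE_TIMEOUT`); a TCP teardown (RST, or FIN in this simplification) drops the entry at once, while a UDP entry can only expire or be refreshed, so return traffic matching the UDP 5-tuple is still accepted for a while after the VPN session has actually ended.

```python
# Constructed example: a toy stateful-firewall connection table. Timeouts are
# assumed values chosen for illustration, not defaults of any real firewall.
from dataclasses import dataclass
from typing import Dict, Tuple

TCP_IDLE_TIMEOUT = 3600   # assumed idle timeout for an established TCP entry (s)
UDP_IDLE_TIMEOUT = 180    # assumed idle timeout for a UDP entry (s)


@dataclass(frozen=True)
class Flow:
    """5-tuple, always stored in client -> server orientation."""
    proto: str      # "tcp" or "udp"
    client: str
    cport: int
    server: str
    sport: int


class StateTable:
    """Entries are created only by client-initiated packets; a packet from the
    server side is allowed only while a matching entry exists."""

    def __init__(self) -> None:
        self.entries: Dict[Flow, float] = {}   # flow -> absolute expiry time

    def _expire(self, now: float) -> None:
        for flow, expiry in list(self.entries.items()):
            if expiry <= now:
                del self.entries[flow]          # idle timeout reached

    def packet(self, flow: Flow, now: float, from_client: bool,
               flags: Tuple[str, ...] = ()) -> bool:
        """Return True if the packet is allowed; updates the table as a side effect."""
        self._expire(now)
        if flow.proto == "tcp":
            if from_client and "SYN" in flags and flow not in self.entries:
                self.entries[flow] = now + TCP_IDLE_TIMEOUT
                return True
            if flow in self.entries:
                if "FIN" in flags or "RST" in flags:
                    # Teardown is visible in the protocol, so the entry is dropped
                    # right away (simplified: a real tracker waits for the full
                    # four-way close on FIN, but RST does close it immediately).
                    del self.entries[flow]
                else:
                    self.entries[flow] = now + TCP_IDLE_TIMEOUT
                return True
            return False
        if flow.proto == "udp":
            if from_client and flow not in self.entries:
                self.entries[flow] = now + UDP_IDLE_TIMEOUT
                return True
            if flow in self.entries:
                # UDP has no close signal: the only thing a packet can do is
                # refresh the timer, so the entry lives until it goes idle.
                self.entries[flow] = now + UDP_IDLE_TIMEOUT
                return True
            return False
        return False

    def is_open(self, flow: Flow, now: float) -> bool:
        self._expire(now)
        return flow in self.entries


def demo() -> Dict[str, bool]:
    """Drive one TCP and one UDP VPN session through the table (constructed timeline)."""
    table = StateTable()
    tcp = Flow("tcp", "192.0.2.10", 51000, "198.51.100.5", 1194)
    udp = Flow("udp", "192.0.2.10", 51001, "198.51.100.5", 1194)
    unsolicited = Flow("udp", "192.0.2.10", 51002, "198.51.100.5", 1194)

    # t=0..1: both sessions are set up and exchange a packet in each direction.
    table.packet(tcp, 0, True, ("SYN",))
    table.packet(tcp, 1, False, ("SYN", "ACK"))
    table.packet(udp, 0, True)
    table.packet(udp, 1, False)

    # t=10: both sessions end. TCP sends RST; the UDP peer simply stops talking.
    table.packet(tcp, 10, True, ("RST",))

    return {
        # A server-initiated UDP packet with no prior client packet is dropped.
        "unsolicited_udp_allowed": table.packet(unsolicited, 5, False),
        # Right after the close, the TCP entry is gone but the UDP one remains.
        "tcp_open_after_close": table.is_open(tcp, 11),
        "udp_open_after_last_packet": table.is_open(udp, 11),
        # 50 s later, a packet matching the dead UDP session is still accepted
        # (and refreshes the timer); the matching TCP packet is not.
        "udp_late_return_allowed": table.packet(udp, 60, False),
        "tcp_late_return_allowed": table.packet(tcp, 60, False, ("ACK",)),
        # Only once the UDP entry has sat idle for the full timeout is it gone.
        "udp_open_after_idle_timeout": table.is_open(udp, 60 + UDP_IDLE_TIMEOUT + 1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical consequence for a locked-down deployment is the one the reply points at: with UDP, the window between the real end of a session and the removal of its state entry is the idle timeout, so the firewall rule set (known peer IPs, single port) rather than the state table is what bounds exposure; with TCP, the tracker closes the entry as soon as it sees the teardown.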
