  • Subject: [Openvpn-users] Re: Re: network/openvpn design suggestions?
  • From: Charles Duffy <cduffy@xxxxxxxxxxx>
  • Date: Tue, 21 Dec 2004 00:20:08 -0600

On Mon, 20 Dec 2004 22:23:09 -0600, Aaron P. Martinez wrote:

> What exactly do you mean make sure?  It seems fairly simple to just route
> all requests to the vpn machine on the dmz for any request that is headed
> for the network.

Yup, simple enough -- though in that context I was referring more to
making certain your firewall rules are amenable.

> I was wondering if I should be using TCP because the company is worried
> about losing packets (also latency, which TCP will probably hurt).  It's
> just a terminal-based application that will be running across the link.
> Currently it works fine with a 256k FT1; I'm wondering, if I use queuing on
> my Linux firewall and allocate 256k from the T1 to the OpenVPN
> connection, would they gain a lot of latency?  Would I need to dedicate
> more bandwidth, and would this really even help, since bandwidth isn't
> directly proportional to latency?

The protocol is running on top of TCP itself, right? So:
  App -> TCP -> VPN -> UDP -> IP -> ...
is a lot more efficient than
  App -> TCP -> VPN -> TCP -> IP -> ...
and doesn't have the tcp-over-tcp issue (roughly, the two reliability
layers conflicting with each other and resulting in timeout retransmits
backing up to the point where nothing gets through).

> I do have one other question about this.  Road warriors will also be
> hitting one side of the VPN, and they will want to browse SMB shares on the
> LAN.  Will I have to set up a WINS server on the DMZ side, because, unless
> I'm not remembering correctly, routers don't pass browser broadcasts?

Quite right -- if you're using OpenVPN in routed (tun) mode, you'll need a
WINS server.


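As an added illustration (not part of this thread, and not taken from OpenVPN's own documentation), here is a minimal OpenVPN 2.x server configuration that applies both points made above: UDP as the outer transport, so the terminal application's TCP session is not carried inside a second TCP layer, and a pushed WINS address so that road-warrior clients on a routed tun link can resolve NetBIOS names without relying on browser broadcasts that never cross the router. The port, addresses, file paths and domain name are placeholders chosen for the example.

```conf
# Assumed server.conf -- added example, not from the original message.
# Port, addresses, domain and certificate paths are placeholders.
port 1194
proto udp                              # UDP transport: no TCP-over-TCP retransmit pile-up
dev tun                                # routed mode; Layer 2 broadcasts do not cross the link

ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem

server 10.8.0.0 255.255.255.0          # address pool handed to connecting clients
push "route 192.168.1.0 255.255.255.0" # LAN behind the VPN host, reachable through the tunnel
push "dhcp-option WINS 192.168.1.10"   # WINS server for SMB name resolution on the tun link
push "dhcp-option DOMAIN corp.example" # placeholder name suffix for the LAN

keepalive 10 60                        # detect dead peers without relying on TCP
persist-key
persist-tun
verb 3
```

Windows clients apply the pushed WINS and DOMAIN options to the tun adapter themselves; other client platforms only see them as environment variables and need an up script to act on them. If a site firewall forces the outer transport to TCP anyway, `proto tcp` works, but expect the retransmit interaction described above whenever the link loses packets, and size any queuing on the firewall for the encapsulation overhead on top of the 256k the application needs today.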