
Re: [Openvpn-users] OpenVPN on FreeBSD server and Windows client

  • Subject: Re: [Openvpn-users] OpenVPN on FreeBSD server and Windows client
  • From: Stefan Bethke <stb@xxxxxxxxxx>
  • Date: Thu, 22 Nov 2007 07:19:11 +0100

On 21.11.2007 at 20:23, Rob MacGregor wrote:

> [ Keep it on the list ]
> On Nov 21, 2007 4:09 PM, Kate Kretz <kate.kretz@xxxxxxxxx> wrote:
>> FreeBSD's IP stack doesn't support "source udp routing" as OpenVPN  
>> does.

FreeBSD currently does not support source routing, except for tricks  
played with one of the packet filters (ipfw, pf).  OpenVPN can request  
the use of source routing on UDP sockets, if the OS supports that.

>> So, on multihomed FreeBSD servers tcp is preferable to udp.

TCP does not imply source routing, nor would the FreeBSD networking  
stack care in its routing decisions which protocol a socket is  
using.  So this recommendation is useless.  I've been running OpenVPN  
on various FreeBSD machines, most multihomed, with both UDP and TCP,  
without any issues.

> That's something that should probably be added to the documentation
> then, rather than it simply advising the use of UDP.

The documentation is correct.  While source routing can be useful in  
many circumstances, its use and configuration are mostly a question of  
how you configure your OS, and not so much an OpenVPN-specific question.

UDP is preferable because it does not add an additional flow-control  
and congestion-avoidance mechanism to the end-to-end connection.  With  
TCP, you end up running TCP (native) over TCP (VPN connection)  
connections, which tend to have bad performance or even  
timeout-related connectivity issues in the face of a congested internet link.  
TCP however is often the only choice if you need to get out through a  
corporate firewall/proxy scenario.  And a performance-constrained VPN  
connection is often preferable to no connection at all.

> Of course, the OP said nothing about being multi-homed ;)

One could argue that any machine running OpenVPN becomes multi-homed  
by definition :-)


Stefan Bethke <stb@xxxxxxxxxx>   Fon +49 170 346 0140
