[plug] Network Issues, SSH Works, VPN Doesn't

Tim weirdit at gmail.com
Sat Jan 22 08:08:09 WST 2011


I'm currently connecting to the net via a 3G Modem. Optus network, and
I'm on the fringe of the 2100MHz network requiring me to put the modem
on the roof until I can get the high gain directional antenna. (NextG
works, but I can save $$ and increase quota considerably using the
Optus network).

SSH works great. OpenVPN falls over. At one point, openvpn was timing
out every 2 minutes (ping timeout) causing a reconnect. I have a proxy
on the other end of the VPN/SSH so that I can access the net. (All
this was set up while it was running at GSM speeds, not UMTS/HSDPA).
Due to the flaky nature of being on the fringe of reception, running
over a tunnel to a proxy on a well connected machine gives better
browsing experience than using a proxy on this side of the connection.

If I set up an SSH tunnel to the proxy, everything works great. If I
instead use the VPN to access the proxy, data just doesn't flow. I can
SSH through the VPN and use the server well, fairly good
responsiveness.

A quick look at iperf shows that tcp works great, and udp drops about
96% of packets. (iperf is trying to push things as hard as possible).
I know that openvpn via tcp isn't a good idea because tcp is supposed
to retry dropped packets, so tcp over tcp causes more issues. However,
it appears that tcp over tcp via ssh is working well, should I be
trying tcp over tcp via vpn?

The other thing I have noticed, is that the modem reports the mtu for
ppp0 (GSM/HSDPA modem) is 1400, while ethernet mtu is 1500. Could this
be causing issues, as the computer doesn't know that the packets will
end up with a lower mtu down the stream, and so fragmentation will
occur? I did try a fragmentation test with ping, and found a packet
size of around 500 was needed to prevent fragmentation, maybe setting
mtu down to that kind of size will help?

Any other ideas for how I can make this work better over this link? I
would prefer openvpn as I don't need to manually initiate it each time
I connect, and I can tunnel more than just http stuff without having
to set up more tunnels.

Tim

p.s. I do need to check if the firewall is blocking things, but I'm
fairly sure it's not.
-- 
Timothy White - Somewhere in Australia


