[plug] Network Issues, SSH Works, VPN Doesn't

William Kenworthy billk at iinet.net.au
Sat Jan 22 08:39:27 WST 2011


I've been playing around with a data pack on an "amaysim" on my phone
which uses Optus and found similar.  The OpenVPN (UDP) connection gets
TLS out-of-sync errors on connect and replay attack alarms - possibly
due to wildly out of order packets (got to confirm it).  Vodafone is
somewhat more reliable - but very expensive (on my plan).

OpenVPN uses a window for replay detection which, when increased
(quadrupled), saw the replay attack warnings go away and the TLS out of
sync on connect reduce (I think - it still happens, just less often - it
eventually syncs up after a few connect cycles anyway).

I have not had a chance to look further yet, but as well as SSH, you
might consider zebedee, which may provide a port-based VPN that in my
opinion works better than SSH over degraded connections - it gets
fast/reliable comms over connections SSH fails at when trying to read
email on a Perth server from Thailand, as an example.  Looks like you
have found TCP might be a partial solution, but throughput and number of
retransmissions need checking for VoIP in my use case.

With a good 3G connection, a SIP call over a double OpenVPN tunnel with
one leg over 3G works quite well, but in any sort of degraded condition,
forget it.  I was toying with the idea of SIP over a cheap data pack over
3G instead of a mobile call, but it's too flaky for serious mobile use.
For a fixed install in a good signal area, it would be attractive (such
as a temp phone connection to a PBX, ultimate quality not a
consideration).

BillK


On Sat, 2011-01-22 at 10:08 +1000, Tim wrote:
> I'm currently connecting to the net via a 3G modem on the Optus network,
> and I'm on the fringe of the 2100 MHz network, requiring me to put the
> modem on the roof until I can get the high gain directional antenna.
> (NextG works, but I can save $$ and increase quota considerably using
> the Optus network).
> 
> SSH works great. OpenVPN falls over. At one point, OpenVPN was timing
> out every 2 minutes (ping timeout), causing a reconnect. I have a proxy
> on the other end of the VPN/SSH so that I can access the net. (All
> this was set up while it was running at GSM speeds, not UMTS/HSDPA).
> Due to the flaky nature of being on the fringe of reception, running
> over a tunnel to a proxy on a well connected machine gives a better
> browsing experience than using a proxy on this side of the connection.
> 
> If I set up an SSH tunnel to the proxy, everything works great. If I
> instead use the VPN to access the proxy, data just doesn't flow. I can
> SSH through the VPN and use the server well, with fairly good
> responsiveness.
> 
> A quick look at iperf shows that TCP works great, and UDP drops about
> 96% of packets. (iperf is trying to push things as hard as possible).
> I know that OpenVPN via TCP isn't a good idea because TCP is supposed
> to retry dropped packets, so TCP over TCP causes more issues. However,
> it appears that TCP over TCP via SSH is working well, so should I be
> trying TCP over TCP via the VPN?
> 
> The other thing I have noticed is that the modem reports the MTU for
> ppp0 (GSM/HSDPA modem) is 1400, while the ethernet MTU is 1500. Could
> this be causing issues, as the computer doesn't know that the packets
> will end up with a lower MTU downstream, and so fragmentation will
> occur? I did try a fragmentation test with ping, and found a packet
> size of around 500 was needed to prevent fragmentation; maybe setting
> the MTU down to that kind of size will help?
> 
> Any other ideas for how I can make this work better over this link? I
> would prefer OpenVPN as I don't need to manually initiate it each time
> I connect, and I can tunnel more than just HTTP stuff without having
> to set up more tunnels.
> 
> Tim
> 
> p.s. I do need to check if the firewall is blocking things, but I'm
> fairly sure it's not.

-- 
William Kenworthy <billk at iinet.net.au>
Home in Perth!
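Bill's observation above, that enlarging OpenVPN's replay window makes the replay alarms caused by badly reordered packets go away, as an added illustration that is not code from this thread or from OpenVPN itself: a simplified packet-id sliding window of the kind OpenVPN applies to UDP (the real check also has a time component, ignored here), fed a constructed stream with one badly delayed packet and one genuine duplicate. The default window of 64 rejects the late packet as if it were a replay; the quadrupled window of 256 accepts it, and both still reject the true duplicate.

```python
# Added example, not OpenVPN's code: a simplified anti-replay sliding window.
# Packet ids start at 1; OpenVPN's real check also carries a timestamp.


class ReplayWindow:
    """Highest packet id seen, plus a bitmap of the `size` ids just below it."""

    def __init__(self, size: int) -> None:
        self.size = size
        self.highest = 0   # highest packet id accepted so far (0 = none yet)
        self.bitmap = 0    # bit k set => id (highest - k) has been accepted

    def accept(self, pid: int) -> bool:
        """Return True if pid is new and within the window, False if rejected."""
        if pid > self.highest:
            # Newer than anything seen: slide the window forward and mark pid.
            shift = pid - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = pid
            return True
        offset = self.highest - pid
        if offset >= self.size:
            # Older than the window: a late packet cannot be told from a replay.
            return False
        if self.bitmap & (1 << offset):
            return False   # genuine duplicate inside the window
        self.bitmap |= 1 << offset
        return True


def delayed_stream(n: int, delayed: int, by: int) -> list[int]:
    """Constructed sample: ids 1..n in order, except `delayed` arrives `by` slots late."""
    ids = list(range(1, n + 1))
    ids.remove(delayed)
    ids.insert(ids.index(delayed + by) + 1, delayed)
    return ids


def rejected_ids(ids: list[int], window_size: int) -> list[int]:
    """Feed a packet-id stream through a window and return the ids it rejects."""
    window = ReplayWindow(window_size)
    return [pid for pid in ids if not window.accept(pid)]


# Constructed link: packet 50 arrives 150 slots late, then packet 300 is replayed.
SAMPLE = delayed_stream(400, 50, 150) + [300]

if __name__ == "__main__":
    for size in (64, 256):   # OpenVPN's default window, and Bill's quadrupled one
        print(f"window {size}: rejected {rejected_ids(SAMPLE, size)}")
```

A wider window only widens the reordering the receiver tolerates; a replayed id that was already accepted is still caught, which is why enlarging it is a reasonable response to reordering rather than a weakening of the check.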
