VPN stability problems
Nick Hibma
nick at anywi.com
Tue May 6 09:36:42 CEST 2014
And be aware of the fact that any disturbance on your lower layers is exaggerated / magnified through the use of tunnels, most notably when using TCP.
In our satellite environment plain TCP connections come to a standstill when we have 5% packet loss on an 800ms latency link. Imagine what happens when you have the wrong MTU and packets get fragmented (double the chance of packet loss for each original packet) and the added
In practical terms:
- Check that you have no TCP fragmentation by lowering the MTU on the sending interface (to start with, later you can lower the MTU on the router, but before NAT).
- Check whether you are using TCP or UDP in your tunnel. tinc automatically handles this, so check with tcpdump what type of traffic you see on port 655. If you have packet loss on your link (which you do not notice on low latency links, and certainly not in Windows where everything is hidden behind a GUI), using TCP will kill your VPN quite quickly.
- Make sure ClampMSS is set to yes and any host that connects over the VPN gets the ICMP type 4 (can’t fragment) message, or has its MTU set.
I had the same feelings, but OpenVPN was a lot less reliable and harder to configure. Note the quality of support you get from Guus. He is confident that it works and he’s got the (very deep) knowledge to back it up.
Nick Hibma
AnyWi Technologies
On 06 May 2014, at 07:51, Cédric Lemarchand <cedric.lemarchand at ixblue.com> wrote:
> Help Larry,
>
>> On 5 May 2014 at 22:01, Larry Smith <lsmith999999 at hotmail.com> wrote:
>>
>> I may just have to live with this problem but wanted to gauge the experience of others. Thanks again.
>
> I have used Tinc for 4 years now; it links 11 sites at the office and, in my context (Linux routers over MPLS networks), it works like a charm and is pretty stable.
> Maybe you should try debugging the lower layers of your network harder, or try a simpler configuration (LAN <=> LAN) and see if the issue remains.
>
> Cheers
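The arithmetic behind the fragmentation and ClampMSS points in the message above, as an added example that is not part of the original post or of tinc: it counts IPv4 fragments for a tunnelled full-size packet, turns per-fragment loss into per-packet loss, and compares the Mathis et al. TCP throughput bound with and without a clamped MSS. The 80-byte tunnel overhead and 1500-byte path MTU are constructed values, and the 800ms figure is assumed to be the round-trip time.

```python
import math

IP_HDR = 20   # IPv4 header without options
TCP_HDR = 20  # TCP header without options


def fragments(packet_len, mtu):
    """Number of IPv4 fragments needed to send packet_len bytes over a link MTU."""
    if packet_len <= mtu:
        return 1
    per_frag = (mtu - IP_HDR) // 8 * 8  # fragment payloads are multiples of 8 bytes
    return math.ceil((packet_len - IP_HDR) / per_frag)


def effective_loss(p, n):
    """An original packet is lost if any one of its n fragments is lost."""
    return 1 - (1 - p) ** n


def mathis_bps(mss, rtt, p):
    """Mathis et al. bound on steady-state TCP throughput, in bits per second."""
    return 8 * mss / rtt * math.sqrt(1.5 / p)


def clamped_mss(path_mtu, overhead):
    """Largest TCP MSS whose segments cross the tunnel without fragmentation."""
    return path_mtu - overhead - IP_HDR - TCP_HDR


def report(path_mtu=1500, overhead=80, p=0.05, rtt=0.8):
    """Compare an unclamped inner MTU with one reduced by the tunnel overhead.

    overhead=80 is a constructed value, not tinc's real encapsulation cost;
    p and rtt are the 5% loss and 800ms figures from the message.
    """
    rows = []
    for label, inner_mtu in (("unclamped", path_mtu),
                             ("clamped", path_mtu - overhead)):
        mss = inner_mtu - IP_HDR - TCP_HDR
        n = fragments(inner_mtu + overhead, path_mtu)
        loss = effective_loss(p, n)
        rows.append((label, mss, n, loss, mathis_bps(mss, rtt, loss)))
    return rows


if __name__ == "__main__":
    for label, mss, n, loss, bps in report():
        print(f"{label:10} MSS={mss} fragments={n} "
              f"loss={loss:.2%} ~{bps / 1000:.0f} kbit/s")
```

Under these assumptions the smaller clamped segments still give the higher bound, because each one travels as a single outer packet instead of two fragments.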