From kanarip at kanarip.com Thu Jun 3 14:04:12 2010
From: kanarip at kanarip.com (Jeroen van Meeuwen)
Date: Thu, 3 Jun 2010 14:04:12 +0200
Subject: [Commits] Branch 'development' - files/iptables-functions
In-Reply-To: <20100603084014.GC19237@koan.hexago.nl>
References: <201006022142.o52LgZOY019103@master.puppetmanaged.org> <20100603084014.GC19237@koan.hexago.nl>
Message-ID: <201006031404.13232.kanarip@kanarip.com>

Yaakov M. Nemoy wrote:
> On Wed, Jun 02, 2010 at 11:42:35PM +0200, Jeroen van Meeuwen wrote:
> > files/iptables-functions | 11 +++++++++--
> > 1 file changed, 9 insertions(+), 2 deletions(-)
> >
> > + if [ -f "/etc/openvpn/server.conf" ]; then
> > + port=`grep ^port /etc/openvpn/server.conf | awk '{print $2}'`
> > + proto=`grep ^proto /etc/openvpn/server.conf | awk '{print $2}'`
> > + else
> > + # Make assumptions
> > + port="1194"
> > + proto="tcp"
>
> Shouldn't this be UDP? It's a sin to run a TCP VPN over TCP.
>

How's that?

-- 
Jeroen

From kanarip at kanarip.com Tue Jun 8 16:41:10 2010
From: kanarip at kanarip.com (Jeroen van Meeuwen)
Date: Tue, 8 Jun 2010 16:41:10 +0200
Subject: [Commits] Branch 'development' - files/iptables-functions
In-Reply-To: <20100603133905.GB21120@koan.hexago.nl>
References: <201006022142.o52LgZOY019103@master.puppetmanaged.org> <201006031404.13232.kanarip@kanarip.com> <20100603133905.GB21120@koan.hexago.nl>
Message-ID: <201006081641.10712.kanarip@kanarip.com>

Yaakov M. Nemoy wrote:
> On Thu, Jun 03, 2010 at 02:04:12PM +0200, Jeroen van Meeuwen wrote:
> > Yaakov M. Nemoy wrote:
> > > Shouldn't this be UDP? It's a sin to run a TCP VPN over TCP.
> >
> > How's that?
>
> You're encapsulating TCP packets and all their overhead inside TCP
> packets with all that overhead too. I think xzibit might have
> something to say about that.
>
> TCP has extra overhead to order the packets and guarantee that they
> are received, and I really don't need to tell you this. If the traffic
> inside the VPN is already TCP, it's already making said guarantees. If
> the traffic in the VPN is UDP instead, you don't want that overhead
> anyways, because it defeats the purpose of UDP. So you have the
> overhead and accounting being done twice when it's not necessary, and
> you hurt applications that don't expect this overhead. WTF?
>
> Your VPN should be UDP by default unless firewalled somehow, so that
> you run a TCP VPN on port 443 or something to fool stupid firewalls.
>

I understand your point, but for reliable connections the tunnel should be
persistent and continuous (keepalive) and not as volatile as a
connectionless protocol such as UDP (no matter what the contents of the
encapsulated data are). The overhead ratio of a VPN over TCP is actually
very low, below the legal driving limit if you will.

-- 
Jeroen
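Review bot: in the files/iptables-functions hunk quoted above, the `if` branch can leave `port` and `proto` empty or multi-valued, and the `else` branch's `proto="tcp"` fallback does not match OpenVPN's own default. OpenVPN treats both directives as optional and falls back to port 1194 over udp when they are absent, so a server.conf that omits either one yields an empty variable here, and any `iptables -p "$proto" --dport "$port"` rule built from it will fail or silently match something else. `grep ^port` also matches a `port-share` line and `grep ^proto` matches `proto-force`, so the `awk '{print $2}'` can return two words, and a legitimate `proto tcp-server` line yields a value iptables does not accept for `-p`. Suggest matching the first word exactly, applying the defaults after the lookup rather than only when the file is missing, and normalising the server-side spellings, e.g. `port=$(awk '$1=="port"{print $2; exit}' /etc/openvpn/server.conf)`, `port="${port:-1194}"`, `proto="${proto:-udp}"`, followed by a `case` that maps tcp-server/tcp-client to tcp (and decides what to do with udp6/tcp6-server, since those need the IPv6 rule set rather than `iptables`).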