Hi,

Martin Kos wrote:
> Hi
>
> i have different office branches connecting to a "master" OpenVPN node.
> then i have client machines that connect to that master too.
> -> this is the "first/outer" VPN, running with TUN and via UDP
>
> after setting up the first connection, the clients should create a
> second/inner tunnel to the office branches, and this connection goes
> through the first VPN. as the clients need to receive the broadcast
> traffic from the branches, and also the DHCP leases, i use TAP and UDP.
>
> and at first that setup seemed to work fine. but after more testing it
> showed that some applications do not work, e.g. TCP connections inside
> the second tunnel cannot be established. it seems like the tunneled
> packets don't arrive in the right order at the endpoint. when i changed
> the "inner/second" tunnel to TAP and TCP, it seemed to work. before
> changing all the devices i would be happy to get some advice.
>
> which is the preferred way of doing such a setup?
> - TCP vs UDP for the outer/inner tunnel
> - compression/no compression for the tunnels
> what are the problems that could arise? bottlenecks?
>
> thanks for help with this slightly complicated openvpn setup (and
> no, the clients cannot directly reach the branches, so the two tunnels
> are needed :-( ).
>

interesting setup, and you can find lots of discussion on the internet about tunnelling TCP over TCP vs TCP over UDP vs even UDP over UDP. A general rule of thumb seems to be that you don't want to tunnel TCP over TCP *NOR* UDP over UDP. Personally, I'd use TCP for the outer tunnel, as your clients (roadwarriors) will sooner be able to connect via TCP than via UDP; then for the inner tunnel I'd use UDP+tap, but I'd refrain from using bridging as much as possible (horrible performance hit).
cheers,
JJK
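As an added illustration of JJK's suggestion (constructed here, not configuration from the thread), the four OpenVPN fragments below sketch a TCP+tun outer tunnel to the hub and an unbridged UDP+tap inner tunnel to a branch, where the branch's inner server listens on the fixed address the hub pushes to it over the outer tunnel; the hostname, addresses, ports, file names and the `fragment` size are assumptions. The `fragment` line is a caveat the thread does not mention: nested encapsulation shrinks the usable MTU, so the inner tunnel's datagrams are kept small to avoid IP fragmentation on the outer tun.

```conf
### hub ("master"): outer server, TCP + tun (constructed example)
port 1194
proto tcp-server
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
# ccd/branch1 contains: ifconfig-push 10.8.0.10 255.255.255.0
client-config-dir ccd
ca ca.crt
cert hub.crt
key hub.key
dh dh.pem
keepalive 10 60

### branch: outer client to the hub (the roadwarrior uses the same, with its own cert)
client
proto tcp-client
dev tun
remote hub.example.invalid 1194   # placeholder hostname
nobind
ca ca.crt
cert branch1.crt
key branch1.key

### branch: inner server, UDP + tap, reachable only through the outer tunnel
local 10.8.0.10            # fixed outer-VPN address pushed by the hub
port 1195
proto udp
dev tap
server 10.9.0.0 255.255.255.0   # tap, but not bridged to the branch LAN
fragment 1300              # assumed size; keeps inner datagrams inside the outer MTU
ca ca.crt
cert branch1-inner.crt
key branch1-inner.key
dh dh.pem
keepalive 10 60

### roadwarrior: inner client, started once the outer tunnel is up
client
proto udp
dev tap
remote 10.8.0.10 1195      # branch's outer-VPN address, routed via tunnel 1
nobind
fragment 1300              # must match the inner server
ca ca.crt
cert client1-inner.crt
key client1-inner.key
```

Because the tap interface is not bridged, the inner server hands out addresses from its own 10.9.0.0/24 pool; passing the branch LAN's own broadcasts and DHCP leases would require the bridging JJK advises against.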