Hi again, Thanks for all responses.
Selva:

> In case it helps: I recall seeing long latency with TCP tunnels under load.
> But don't have any TCP tunnels in real use, so never looked more into it.

Thanks, at least it shows it's not something related to my setup...

Jan:

> you're using bridging + tap + proto tcp + port sharing on a VPS and are
> expecting good latency? hmmm.... there are many reasons why that combination
> will NOT give you any performance.

The bridge is used only to link TCP and UDP clients. All client machines are mine and used by me alone, and 99% of the time they don't generate any traffic; they're only there so I can log into them. During my tests I used only the two machines I did the test on.

Why might tap be a worse idea than tun? As to port sharing, I can disable it, but isn't it used only during the initial handshake? As to the bridge, TAP and VPS, it performs very well with UDP-connected clients, so I suspect TCP alone...

> However, I see an increase in ping time in my setup as well:
> - udp
> - tun

This increase (from 0.6ms to 4ms) is normal and perfectly acceptable... but not to 3000ms; it definitely isn't only encryption/decryption latency...

Gert:

> With TCP, I expect queueing effects to add up as well - with UDP,
> OpenVPN just throws out the packet, but with TCP, there are kernel
> buffers involved, and if there's a packet getting lost, retransmits
> (= delay!!).

Aren't there any options to set that might help? Packets most probably don't get lost: the Internet link quality is good, and other TCP connections over the Internet (outside of the VPN) work well (and with low latency) during load on the VPN too.

> In other words: TCP is there because in some cases it's unavoidable
> because stupid people block UDP access, but as long as UDP works,
> people really should not use TCP.

Yeah, it's my case. Brain-dead corporate policies resulting in only 443/tcp being available (even 80/tcp is blocked by a transparent proxy). I thought of using 53/udp but it's blocked too. I talked to the admins and unblocking anything else is not an option.

> UDP has even more advantages, like "roaming to new networks and not
> losing VPN access" (like --float, automatic in recent 2.3.x servers),
> "surviving loss of NAT state in routers / carrier-grade NAT boxes", etc.

I believe that UDP is a better transport and I'm using it on most of my client machines, but with two hosts I'm stuck with TCP...

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users