How can I speed up a slow VPN connection?
April 11, 2011 12:20 AM

I've set up an OpenVPN VPN on an overseas server as a way of getting around the Great Firewall of China. It's working, but is considerably slower than paid services like Witopia. I'm a total n00b when it comes to this sort of thing and am wondering if the speed issues are a result of the configuration, or if it's just the way things are.

So: I set up the VPN using this walkthrough. From looking around online, it appears that there are ways of fine-tuning an OpenVPN setup to make it faster, but I'm not neckbeardy enough to understand them, and am nervous about screwing things up by tinkering around too much with things I don't understand. I tried disabling LZO compression, since a couple of pages mentioned that it could have an impact on speed, but it didn't seem to make much difference -- I got about 0.16 Mbps either way according to various bandwidth test sites.

So this is kind of a two-part question, I guess: what, if anything, can I do to speed up this connection? And: I've read that IPSec is faster than OpenVPN, but at a glance it appears to be considerably tougher to set up. Are any speed gains from switching from IPSec to OpenVPN likely to be worth the hassle?
posted by bokane to Computers & Internet (10 answers total) 4 users marked this as a favorite
 
What sort of Internet connection does your overseas server have? If it's an ordinary home box running on a domestic ADSL connection, then everything you download through it is getting bottlenecked via its slow upload speed.

Even without that kind of effect, you do need to realize that by forcing all your packets to visit one particular box on their way from origin to you, you're forcing them all to get queued by that box as well as by your local router, and this loses you a fair bit of the timing advantage inherent in packet switching. Commercial proxy services will be doing clever load-balancing tricks to work around this issue that you simply can't do with a single VPN endpoint.
posted by flabdablet at 12:33 AM on April 11, 2011


Best answer: By the way, if the speed issue is because you're doing this with a thin residential-grade pipe, you might find it works a lot better on something like an Amazon EC2 virtual machine. Installing the Elasticfox extension into Firefox makes these reasonably easy to work with. Here's an old set of instructions I wrote for getting a SOCKS proxy running via EC2; if you can make that work, moving it to OpenVPN shouldn't be too hard.
posted by flabdablet at 12:43 AM on April 11, 2011


Response by poster: Thanks flabdablet. I'm running OpenVPN on an actual VPS server with a major hosting company (am sort of leery of naming them, given the recent tendency of the Chinese government to block everything), so bandwidth probably shouldn't be an issue.

I looked at Amazon EC2, but ended up deciding that since I would also be able to use the VPS for web hosting, it might end up just being more cost effective to go with a VPS.
posted by bokane at 1:08 AM on April 11, 2011


Try switching between tcp and udp. (You could also try changing the port number in case you're hitting some traffic management somewhere.)
posted by robtoo at 2:46 AM on April 11, 2011


According to this Economist article the Chinese have - since the Arab revolutions - been going to some lengths to make the operation of VPN tunnelling services out of China work less well than they otherwise might.
posted by rongorongo at 3:21 AM on April 11, 2011


Yeah, since then WiTopia has been affected. Net speeds are sluggish enough as it is in China, but currently it's like being back in the 90s.
posted by arcticseal at 6:19 AM on April 11, 2011


Response by poster: Thanks, robtoo - will try the TCP/UDP thing. (It's currently UDP, on the default port.)

The Chinese government has definitely been messing with VPN services, which is why I wanted to roll my own in the first place. (I'd been on Witopia, which is now more or less unusable, and even other, smaller VPN providers have been hit-or-miss.)
posted by bokane at 7:38 AM on April 11, 2011


Best answer: If they're messing with VPN services, they'll be doing that using traffic analysis and packet inspection. It might pay you to make your traffic look as similar to ordinary SSL-secured web traffic as possible: that means using a TCP connection with encrypted stream contents to port 443 at the far end. A full-blown VPN might not work well over TCP, and if what you're mainly interested in doing is web browsing, you may get better performance from an ssh-tunneled SOCKS proxy. It would be interesting to see whether you do in fact see a performance difference between ssh on port 22 and ssh on port 443.
posted by flabdablet at 5:03 PM on April 11, 2011


Oh, and for traffic analysis purposes it would be better to do as much browsing as you can from inside the Great Firewall, only tunneling through it when you absolutely need to. If most of the traffic that comes from your computer in China ends up being directed to one particular encrypted server in the US, expect that encrypted server to start suffering mysterious outages.
posted by flabdablet at 5:07 PM on April 11, 2011


Response by poster: Thanks, flabdablet. At the moment I'm less concerned with disguising the VPN than with making the thing fast enough to watch Youtube without having to buffer for ten minutes first. In general, I think The Man here is unlikely to crack down on all VPNs, since many are necessary for business; they're more likely to just go after major paid VPN providers as part of their general campaign to make foreign social media inconvenient to use.

My use case is primarily web browsing, but this includes Hulu, Youtube, Pandora, and other things that are either blocked here or require US IP addresses. My impression had been that SOCKS wouldn't work for that sort of thing (or it may just be that the last time I tried it a few years ago, I didn't have things set up properly) -- no?
posted by bokane at 12:23 AM on April 12, 2011

