mgiammarco
newbie
Topic Author
Posts: 47
Joined: Tue Apr 13, 2010 10:56 pm

Best vpn under NAT

Tue Nov 12, 2013 9:00 am

Hello,
I need to build several site-to-site VPNs with MikroTik routers.
Since MikroTik has no models with ADSL inside, I have to use external ADSL routers, and so my VPNs must run UNDER NAT.
The VPN should also work under two load-balanced ADSL lines.

Which VPN type do you suggest? I am used to OpenVPN, but the MikroTik implementation has no UDP support.

Thanks,
Mario
Last edited by mgiammarco on Tue Nov 12, 2013 9:06 pm, edited 1 time in total.
 
CTrain
Frequent Visitor
Posts: 66
Joined: Thu Nov 07, 2013 4:41 am

Re: Best vpn under nas

Tue Nov 12, 2013 1:27 pm

I generally run OpenVPN on the MetaROUTER OpenWRT image so that I have full OpenVPN functionality, just because I am familiar with it, and I prefer OpenVPN with UDP of course.
 
ohara
Member
Posts: 387
Joined: Mon Jun 13, 2011 11:30 pm
Location: Warsaw

Re: Odp: Best vpn under NAT

Wed Nov 13, 2013 12:27 am

CTrain, can I contact you for a working copy of the OpenWRT image with OpenVPN or MetaROUTER, or can you post a link for download? Many thanks.
 
CTrain
Frequent Visitor
Posts: 66
Joined: Thu Nov 07, 2013 4:41 am

Re: Best vpn under NAT

Wed Nov 13, 2013 4:21 am

After importing, please log on to the console and change the password with

bash code

passwd

Then ensure the date and time are being accurately set via NTP

bash code

vi /etc/ntp.conf
vi /etc/rc.local

OpenVPN cert won't work unless an accurate time is present.

Finally, upload your configuration files to /etc/openvpn with ssh or wget.

To start the OpenVPN example, add to rc.local to start at boot

bash code

openvpn --config /etc/openvpn/client.conf

Remember to set your network static IP/DNS servers for the LAN connection (eth1)

bash code

vi /etc/resolv.conf
vi /etc/config/network

OPKG is the package manager, like apt-get or yum on a Linux computer, so packages are installed/updated/removed with those commands.

There are no easy-rsa tools for certificate creation or example server/client config files. You should have a Linux VM built to create those files and copy them on.

Download Link for The OpenWRT image v8.09.2 with OpenVPN and NTPD
https://www.dropbox.com/s/sbin4fimthzpf ... 8.09.2.tgz

I have a later version built as well but I can't seem to find it at the moment.
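
The post above makes three boot-time points: certificates fail without an accurate clock, the tunnel is started from rc.local, and the uploaded files live in /etc/openvpn. The following is an added example, not part of the original post or of the shared image: a guard that waits for a set clock, refuses a key file readable by others, and reports the transport before starting OpenVPN. `MIN_EPOCH`, the function names and the key path are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). MIN_EPOCH and all function names are assumptions.
MIN_EPOCH=1384214400   # 2013-11-12 00:00:00 UTC, used here as a "clock was set" floor

# clock_is_sane EPOCH: a router with no battery-backed clock boots with a date
# years in the past until NTP syncs, and certificate validity checks then fail.
clock_is_sane() {
    [ "$1" -ge "$MIN_EPOCH" ]
}

# conf_proto FILE: print the transport from the config's "proto" directive.
# Commented-out lines are ignored; OpenVPN uses udp when none is given.
conf_proto() {
    p=$(awk '$1 == "proto" { print $2; exit }' "$1")
    echo "${p:-udp}"
}

# key_is_private FILE: succeed only if group and other have no access bits.
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# start_guarded CONF KEY: call this from rc.local in place of the bare command.
start_guarded() {
    conf=$1; key=$2; tries=0
    until clock_is_sane "$(date +%s)"; do
        tries=$((tries + 1))
        if [ "$tries" -ge 30 ]; then
            echo "clock still unset after 60s, not starting openvpn" >&2
            return 1
        fi
        sleep 2
    done
    if ! key_is_private "$key"; then
        echo "$key is accessible to group/other, refusing to start" >&2
        return 1
    fi
    [ "$(conf_proto "$conf")" = "udp" ] || echo "note: $conf uses TCP transport" >&2
    # --daemon backgrounds openvpn so rc.local can finish
    openvpn --config "$conf" --daemon
}

# Example rc.local line (key path is a placeholder):
#   start_guarded /etc/openvpn/client.conf /etc/openvpn/client.key
```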
 
ohara
Member
Posts: 387
Joined: Mon Jun 13, 2011 11:30 pm
Location: Warsaw

Re: Odp: Best vpn under NAT

Wed Nov 13, 2013 11:07 pm

CTrain, thanks for sharing. I will give it a try as soon as time permits. However can you please provide a short explanation of the benefits of udp mode in openvpn over tcp mode? Thanks.
 
CTrain
Frequent Visitor
Posts: 66
Joined: Thu Nov 07, 2013 4:41 am

Re: Best vpn under NAT

Thu Nov 14, 2013 12:57 am

UDP traffic is just sent; there is no checking between the sender and receiver acknowledging order or receipt. It has a lower overhead on traffic and due to that runs slightly faster (bandwidth utilisation) because of no resending or waiting for acknowledgments. It also has fast 'ping' times due to no error checking.

TCP traffic like http, ftp, smb, nfs, iscsi acknowledges the receipt of packets and ensures that the first sent packet arrives first. TCP traffic also calculates hashes like md5 to ensure that the packet is completely uncorrupted from its trip. The result of this checking, receipting and calculating is that the traffic is highly resilient to packet loss and out-of-order arrival from traversing a wide area network, with individual packets taking different paths to the destination. This makes TCP the prime transport protocol for information accuracy after a network transmission.

OpenVPN encapsulates a packet in an encrypted container to be sent to the receiving server, decrypted and sent to the specified receiver on the other end. In TCP mode OpenVPN encrypts the original packet, making it unreadable to all but the receiving server, and transmits the encrypted packet with all the TCP headers to the recipient server. That server will then work out if any packets are missing or out of order or corrupted using the TCP techniques. Once it is satisfied that the packet is correct it will decrypt and transmit that packet to the receiving client. That client will then, the overwhelming majority of the time, check that received packet with TCP techniques, because most protocols in networking are TCP. The client will attempt to authenticate by sending acknowledgment packets, and by this stage we will have worked out that the packet is correct twice by acknowledging twice (doubling the acknowledgment bandwidth, more if acknowledgment packets are lost), ensured that the order is correct twice and ensured that no packets are corrupted twice. You will also have ensured accuracy in packets that are not meant to be assured of accuracy due to the need for faster receiving times (UDP), thus removing the original advantage of UDP.

OpenVPN UDP encapsulates a packet in an encrypted container with UDP header and protocols. The packet is received by the server, it is decrypted and forwarded to the intended recipient. That recipient processes it like any other normal packet: if it is TCP it will ensure accuracy, if UDP just read the packet. It will also process ICMP (ping) with more accurate times due to less time lost in ensuring accuracy.

As I believe I explained, UDP OpenVPN still ensures packet accuracy on the protocols that require it because they do it themselves. However, I also demonstrated that TCP OpenVPN wastes bandwidth and resources checking already checked packets for accuracy, whilst checking packets that are not required to be checked, also wasting bandwidth.

I prefer the OpenWRT implementation due to UDP support, and my ability to use detailed commands such as client config directories, etc.

Let me know if this is not clear.

Edit: In my opinion the only reason that you would use tcp openVPN is so that it can be operated behind a http proxy server.
 
CTrain
Frequent Visitor
Posts: 66
Joined: Thu Nov 07, 2013 4:41 am

Re: Best vpn under NAT

Sat Dec 07, 2013 10:30 am

ohara, did it suit your purpose?
