Hello.

I'm living in the countryside where the communications are very very poor. My only choice is a satellite connection through the French company Eurona, which uses the network deployed by Skylogicnet. In general the latency is very bad (~800ms) and the network is very unstable.

I have been investigating the ISP routers which are in my path and there are many hops which are done in a private network (10.130.130.0/24). I think one or more of these hops are doing some kind of HTTP proxy cache and also a lot of dirty stuff like blocking some ICMP messages and so on (which ends up in an MSS/MTU problem).

I don't like to see my end2end connections modified along the path, so I decided to set up a tinc network to transfer all the Internet data to one of my servers placed somewhere on the Internet.

I'm using the following values for the layer3 tinc network:

Compression=11
PMTU=1480
Cipher=none
ClampMSS=no
ReplayWindow=32

The DNS is not routed using the tinc overlay; here you can check my "tinc-up" script [1].

To test the difference between using tinc and using the raw connection I have made a little script [2] which uses "httping" to calculate the time needed to get a web site. I have taken the list of "most visited web sites" from alexa.com. I made two tests for each kind of connection:

- 50 most visited sites
- 50 less visited sites

Here you can see the results [3]. In the 50 most visited, the clear winner is the raw connection because of these web-cache proxies which are somewhere in the path. However in the 50 less visited, the cache hits are smaller and the results are very similar.

RAW: 2536 ms (average)
TINC: 2815 ms (average)

In addition, the TINC network is able to reach more sites (41 VS 46)!! So probably it is a huge part of the difference between both results (non reachable sites by RAW are usually reached by TINC with big latency).

At this point you would ask why am I saying all this stuff? Well, for three points:

- It could be useful for someone
- I wanted to share it with some more people to see if someone has a comment related to it
- I want to know from the tinc experts what more options I might modify to optimize the connectivity

[1] http://pastebin.com/23XwwquB
[2] http://pastebin.com/h3w3URV1
[3] http://pastebin.com/JMWE2HMd

-- 
./p4u

> Here you can see the results [3]. In the 50 most visited, the clear
> winner is the raw connection because of these web-cache proxies which are
> somewhere in the path. However in the 50 less visited, the cache hits
> are smaller and the results are very similar.
>
> RAW: 2536 ms (average)
> TINC: 2815 ms (average)
>
> In addition, the TINC network is able to reach more sites (41 VS 46)!!
> So probably it is a huge part of the difference between both results
> (non reachable sites by RAW are usually reached by TINC with big latency).
>
> At this point you would ask why am I saying all this stuff? Well, for
> three points:
>
> - It could be useful for someone
> - I wanted to share it with some more people to see if someone has a
> comment related to it
> - I want to know from the tinc experts what more options I might modify
> to optimize the connectivity

Latency is latency, and there is nothing you can do about that, except for caching. But that is pretty useless in many cases, certainly for a site with a limited set of users.

You are actually having a pretty useless VSat experience IMHO. We use mobile VSat connections and using tinc on them (for moving sessions from one VSat to 3G and back without dropping them) actually drops our throughput to 10KB/s per TCP connection.

This can be explained by the Bandwidth*latency product. You will need a PEP, a Performance Enhancing Proxy, to resolve this.

And here is the rub: These VSat modems contain a PEP. They do TCP interception to optimise the TCP connection over the VSat. And the modems we use (Newtec) actually do a pretty decent job of optimising a connection.

Nick

On Fri, Jun 28, 2013 at 03:18:34PM +0200, Pau wrote:

> I'm using the following values for the layer3 tinc network:
>
> Compression=11
> PMTU=1480
> Cipher=none
> ClampMSS=no
> ReplayWindow=32

I don't think setting Cipher=none will do much on high latency and/or low bandwidth links. But it does shave a few bytes off each packet. Why did you disable ClampMSS? Normally this helps to reduce packet fragmentation.

> To test the difference between using tinc and using the raw connection I
> have made a little script [2] which uses "httping" to calculate the time
> needed to get a web site. I have taken the list of "most visited web
> sites" from alexa.com. I made two tests for each kind of connection:
[...]
> RAW: 2536 ms (average)
> TINC: 2815 ms (average)
>
> In addition, the TINC network is able to reach more sites (41 VS 46)!!

Thanks for sharing the results of your tests! They are not very surprising for me though :)

> - I want to know from the tinc experts what more options might I modify
> to optimize the connectivity

I don't think there is much you can do to improve it, except for running your own optimizing proxies inside the VPN.

-- 
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>