Monday, July 3

OpenVPN is Da Bomb

Long story short, last winter our hosting provider (which happens to be the most incompetent company I've dealt with in the last decade; oh the stories I could tell) migrated our fully-managed system to their shiny new and improved facility, and in the process finagled a renegotiation of our contract which omitted a lot of the services that had been "standard" beforehand, like the virtual private network between our office and our servers.

When this oversight was brought to the attention of the paper pushers and check signers, our hosting provider explained to us that they'd be happy to provide the service to us for a mere few thousand dollars a month over our existing service charge. Now, you have to understand that we're a B2B company, and some of our clients are very finicky about security, and commonly audit the way we run our shop to make sure we don't represent a chink in their armor, so having a VPN is critical to our business. But, we're a small company, and that's a pretty large bite out of our bottom line, so we started looking at alternatives.

The first one we checked out was Hamachi. Hamachi is beautifully simplistic, but so simple that it lacked two critical features. First of all, it didn't run as a service, and thus stopped as soon as you logged out of the machine, and Heaven forbid your remote machine rebooted on you and you couldn't get back to it. Secondly, Windows Remote Desktop (a.k.a. Terminal Services) doesn't work over it. That last one is mind-boggling.

So we next tried out OpenVPN. Not only did it have the two important features Hamachi lacked, but it also has a neat little trick that lets your connection act as if it's part of the remote network, acquiring an internal LAN IP address from the DHCP server and all. Everything works seamlessly: remote desktop, networked file shares, source control access, etc. I haven't tried, but I bet the printers work as well. On top of that, it handles multiple networks without breaking a sweat. I've got a VPN to my office, one to my production servers, and another to my personal server. Even as I bounce from the network cable to the wifi to dial-up, the service is able to reconnect and reconfigure itself. I've even been surprised by one cool side effect: I closed my laptop (putting it in sleep mode) while leaving a remote terminal open, then opened it back up when I got home and found the terminal session still alive and kicking.
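The "acts as if it's part of the remote network" trick is OpenVPN's bridged (tap) mode. The following server configuration is an added example, not the post's own config: the bare `server-bridge` directive puts OpenVPN in DHCP-proxy mode, so the client's tap adapter takes its address from the office LAN's own DHCP server just like a machine plugged into the switch. It assumes the server host already has a bridge interface joining the LAN NIC and `tap0`; the file names, port and the 192.168.1.0/24 LAN address are assumptions as well.

```conf
# Added example (not the original post's config): OpenVPN 2.x server,
# bridged (tap) mode, DHCP-proxy. Assumes br0 already bridges the LAN
# NIC with tap0; cert/key file names and the LAN subnet are assumptions.
port 1194
proto udp
dev tap0
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0        # HMAC-signs the control channel so unauthenticated packets are dropped before the TLS handshake
server-bridge            # no arguments = let the LAN's DHCP server hand the client its address
keepalive 10 120         # ping every 10 s; declare the peer dead and restart the link after 120 s of silence
persist-key              # keep key material and the tap device across restarts
persist-tun
user nobody              # drop privileges once the tunnel is up
group nogroup
verb 3

# More contained alternative (routed "tun" mode): clients sit on their own
# 10.8.0.0/24 subnet and only the routes you push are reachable, so a
# compromised laptop is not on the office broadcast domain. Replace the
# "dev tap0" and "server-bridge" lines above with these to use it:
#dev tun
#server 10.8.0.0 255.255.255.0
#push "route 192.168.1.0 255.255.255.0"
```

The `keepalive` line is what makes the "bounce from cable to wifi" behaviour work: once the pings stop, each side tears the link down and the client reconnects from whatever address it now has, and `persist-tun` keeps the adapter (and the applications bound to it, such as an open terminal session) alive across that restart. The security trade-off of bridged mode is that every remote laptop becomes a full member of the LAN's layer-2 segment, which is why the routed alternative is usually preferred unless something genuinely needs broadcast traffic.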

But -- there's always a but, isn't there? -- we had to pretty quickly remove OpenVPN from our production servers as it was causing a horrible periodic stalling of network traffic. Essentially, every ten minutes or so, the server would just cease to respond to network requests (HTTP requests were the most evident -- we serve about twelve per second). Then, after about one minute of not responding, it would suddenly burst back alive, handling any of the stalled network connections that hadn't timed out. This made our website unusable. Note that the HTTP traffic wasn't being served over the OpenVPN connection, nor was OpenVPN even active; it was just installed, which suggests to me that it's a weird Windows driver issue, but I'm not the expert. Unfortunately, the experts can't or won't help, as the ticket we opened has gone ignored.


kogent said...

That's kind of a big but. After all that you still think "OpenVPN is da bomb" even though it stalls your network traffic?

alex smith said...

I send many mails to my colleagues and VPN provides nice privacy.