<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: daniel💻</title>
    <description>The latest articles on DEV Community by daniel💻 (@daniel_idoko).</description>
    <link>https://dev.to/daniel_idoko</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2136938%2Fcbb4ce6c-6051-4fd0-b7d7-9db87229038d.jpeg</url>
      <title>DEV Community: daniel💻</title>
      <link>https://dev.to/daniel_idoko</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/daniel_idoko"/>
    <language>en</language>
    <item>
      <title>Comparing VPN Performance: State-of-the-Art Solutions in Stable vs. Unreliable Networks</title>
      <dc:creator>daniel💻</dc:creator>
      <pubDate>Wed, 15 Jan 2025 00:07:11 +0000</pubDate>
      <link>https://dev.to/daniel_idoko/comparing-vpn-performance-state-of-the-art-solutions-in-stable-vs-unreliable-networks-1kll</link>
      <guid>https://dev.to/daniel_idoko/comparing-vpn-performance-state-of-the-art-solutions-in-stable-vs-unreliable-networks-1kll</guid>
      <description>&lt;h2&gt;
  
  
  Introduction
&lt;/h2&gt;

&lt;p&gt;VPNs, like many tools in technology, offer both advantages and drawbacks. A significant downside is the latency and reduced network performance they can sometimes cause. Over the years, various VPN implementations have been developed to tackle these challenges and improve overall efficiency.&lt;/p&gt;

&lt;p&gt;This article explores several state-of-the-art VPN implementations to assess the extent of performance degradation they experience. It is based on a 2019 study conducted by Thomas Fischer at the University of Skövde. The research question is as follows:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;How does the performance differ between state-of-the-art VPN solutions under stable versus unreliable network conditions?&lt;/p&gt;
&lt;/blockquote&gt;







&lt;h2&gt;
  
  
  What are Virtual Private Networks (VPNs)
&lt;/h2&gt;

&lt;p&gt;A Virtual Private Network (VPN) is a technology used to extend a private network over the internet, allowing authorized users (typically authenticated with a shared secret such as a password) to access it as if they were directly connected. This makes these 'authorized users' appear to be connected to the private network, even though they may be thousands of miles and numerous router hops away.&lt;/p&gt;

&lt;h3&gt;
  
  
  VPN Tunnel
&lt;/h3&gt;

&lt;p&gt;A VPN connection is established using secure, encrypted 'tunnels' called VPN tunnels. They are referred to as tunnels because they are established between two endpoints. When two routers are configured for tunneling, they can exchange encrypted packets that might not otherwise be supported over the general internet.&lt;br&gt;
When set up correctly, these tunnels provide:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Privacy&lt;/strong&gt;: By not exposing the private network to the public internet.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Security&lt;/strong&gt;: By encrypting the packets shared through the tunnels. Anyone who gains access to the encrypted packets will not be able to read them. Only authorized users can decrypt and access the data.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Data integrity&lt;/strong&gt;: Through mechanisms that detect if the data has been tampered with during transport.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Any network running such a tunnel is running a Virtual Private Network, or VPN.&lt;/p&gt;

&lt;h3&gt;
  
  
  Types of VPN Tunneling
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Host-to-network (Remote access) tunneling&lt;/strong&gt;: Allows individual users to securely connect to a private network. This is commonly used by remote workers who need access to private company files.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Site-to-site tunneling&lt;/strong&gt;: Connects entire networks, often used by companies with offices in different locations.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Split tunneling&lt;/strong&gt;: Routes only specific traffic through the VPN, while other traffic is sent directly to the internet. This is useful for balancing security and speed.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Full tunneling&lt;/strong&gt;: Routes all traffic through the VPN, providing maximum privacy and security.&lt;/li&gt;
&lt;/ul&gt;

&lt;blockquote&gt;
&lt;p&gt;Side Note: VPNs provide security between two endpoints, but they do not secure the endpoints themselves. This poses a significant security risk because every endpoint with access to your VPN also has access to your private network. Additional security measures are necessary to ensure endpoint security and protect the network from potential vulnerabilities. &lt;/p&gt;
&lt;/blockquote&gt;







&lt;h2&gt;
  
  
  Different VPN Solutions
&lt;/h2&gt;

&lt;p&gt;There are numerous VPN solutions available, but three stand out as the most popular and were used for this study:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;IPSec (IP Security Protocol)&lt;/li&gt;
&lt;li&gt;OpenVPN&lt;/li&gt;
&lt;li&gt;WireGuard&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  IPsec (IP Security Protocol)
&lt;/h3&gt;

&lt;p&gt;IPsec was standardized by the Internet Engineering Task Force (IETF) in 1995. Originally developed for IPv6, it has also been widely implemented for IPv4. IPsec is an IETF-approved end-to-end authentication and encryption system. Almost all major VPN vendors include at least an IPsec compatibility mode in their products. Additionally, operating systems like Linux, Solaris, HP-UX, and AIX provide native kernel support for IPsec.&lt;/p&gt;

&lt;p&gt;In tunnel mode, IPsec encrypts the transport layer header, which includes source and destination port numbers. However, this approach often conflicts with how most firewalls operate. To address this issue, most modern implementations default to transport mode, where only the payloads of packets (the data being transported) are encrypted.&lt;/p&gt;

&lt;h3&gt;
  
  
  OpenVPN
&lt;/h3&gt;

&lt;p&gt;OpenVPN has become the de facto standard for VPNs today, with over 50 million downloads since its release in 2001 (OpenVPN, 2019). It uses SSL/TLS for key exchange and encryption. OpenVPN is open-source, which contributes to its security through the extensive scrutiny it undergoes, as anyone can review the code. In 2017, an independent review of OpenVPN was conducted by Cryptography Engineering (Hopkins and Green, 2019), and the results found no major vulnerabilities.&lt;/p&gt;

&lt;p&gt;OpenVPN supports both TCP and UDP, with UDP as the default. While UDP is faster, it does not perform error correction like TCP does. OpenVPN is fully functional on Windows, macOS, and Linux, and offers a wide range of ciphers and encryption methods to choose from.&lt;/p&gt;

&lt;h3&gt;
  
  
  WireGuard
&lt;/h3&gt;

&lt;p&gt;WireGuard is a new VPN solution designed to replace two of the most widely used VPN technologies: OpenVPN and IPSec (Donenfeld, 2018). It claims to offer better performance than OpenVPN while avoiding the complexity of IPSec. Originally written for Linux systems, WireGuard is now available on multiple platforms. Like OpenVPN and IPSec, it is open-source, allowing anyone with the knowledge to audit the code. One of its design goals is to offer a straightforward configuration, similar to SSH, using asymmetric key cryptography. Currently, WireGuard supports only UDP (Donenfeld, 2018).&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Some other VPN solutions include: PPTP (Point-to-Point Tunneling Protocol), SSTP (Secure Socket Tunneling Protocol), and OpenSSH (Open Secure Shell)&lt;/strong&gt;.&lt;/p&gt;







&lt;h2&gt;
  
  
  Network Performance Metrics
&lt;/h2&gt;

&lt;p&gt;The key metrics used in this study when testing networks are &lt;strong&gt;throughput&lt;/strong&gt;, &lt;strong&gt;latency&lt;/strong&gt;, and &lt;strong&gt;packet loss&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Throughput&lt;/strong&gt;: This refers to how much data is sent from one point to another during a specific time frame. Throughput is typically measured in bits per second (bps). It is influenced by the entire infrastructure of the channel, including the physical medium (such as cabling) and computational power, among other factors.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Latency&lt;/strong&gt;: Latency is the time it takes to transmit a packet in one direction (e.g., from client to server). In VPN testing, latency is expressed as a time value, usually measured in milliseconds (ms).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Packet loss&lt;/strong&gt;: This metric refers to how many packets are “lost,” meaning they did not arrive from the source to the destination. Packet loss can occur due to network congestion, among other reasons. It is measured as a percentage of packets lost relative to the total packets sent.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Unreliability Handling
&lt;/h3&gt;

&lt;p&gt;Unreliability handling refers to how a network manages disturbances, which can be either artificial or natural, such as high latency or packet loss. These disturbances can be quantified by limiting the aforementioned metrics.&lt;/p&gt;

&lt;p&gt;For example, consider a remote worker with an unreliable network connection. The unreliability of a network could stem from fluctuating connections, such as cellular networks on a moving train traveling through areas with poor infrastructure or through mountains. It could also involve a remote worker located far from the office, requiring access to files stored across the globe. This would introduce delays far beyond the typical packet transfer delay expected when working with files stored on a server in the same building.&lt;/p&gt;

&lt;p&gt;Therefore, it is crucial to investigate how different VPN solutions perform on unreliable networks.&lt;/p&gt;







&lt;h2&gt;
  
  
  Tools for Measurement
&lt;/h2&gt;

&lt;h3&gt;
  
  
  iPerf
&lt;/h3&gt;

&lt;p&gt;The tool used to measure network performance is iPerf3 (&lt;a href="https://iperf.fr" rel="noopener noreferrer"&gt;https://iperf.fr&lt;/a&gt;), version 3.1.3. The reason for choosing iPerf3 is that it effectively tests throughput and provides data on the number of packets transferred, including those that did not arrive. Since iPerf is available for Windows, Linux, and macOS, it is well-suited for this experiment, which is being conducted across all three operating systems.&lt;/p&gt;

&lt;h3&gt;
  
  
  Operating systems
&lt;/h3&gt;

&lt;p&gt;The test was performed on 3 different operating systems: Windows 10, Linux Ubuntu, and macOS.&lt;/p&gt;

&lt;h3&gt;
  
  
  pfSense router
&lt;/h3&gt;

&lt;p&gt;The router used in this experiment is a pfSense software router running FreeBSD 11.2-RELEASE-p10 (pfSense 2.4.4-RELEASE-p3). The reason for choosing this router is its capability to shape traffic directly using a tool called dummynet, which is built into pfSense. With dummynet, it is possible to introduce network unreliability aspects (such as delay and packet loss) directly between the VPN nodes. This approach eliminates the need for using dedicated tools or software on the individual nodes themselves, simplifying the setup and ensuring more accurate control over network conditions for the experiment.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fir4zqtg03gp6que1ih7j.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fir4zqtg03gp6que1ih7j.png" alt="Image description" width="800" height="610"&gt;&lt;/a&gt;&lt;/p&gt;







&lt;h2&gt;
  
  
  Steps for the Experiment
&lt;/h2&gt;

&lt;p&gt;To accurately answer the research question—&lt;em&gt;How does the performance differ between state-of-the-art VPN solutions under stable versus unreliable network conditions?&lt;/em&gt;—the following steps were taken: &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Identify the VPN solutions to experiment on, control traffic, determine which metrics to use, choose the tools, and decide what data to collect&lt;/li&gt;
&lt;li&gt;Test the network in the experimental setup without any VPN solution to identify a baseline performance&lt;/li&gt;
&lt;li&gt;Configure and test VPN solutions on three different operating systems with network unreliability conditions&lt;/li&gt;
&lt;li&gt;Analyze and compare the results to identify performance differences between the VPN solutions&lt;/li&gt;
&lt;/ul&gt;







&lt;h2&gt;
  
  
  Important aspects of the default configuration for each VPN that could impact performance
&lt;/h2&gt;

&lt;p&gt;As mentioned earlier, the three VPN solutions selected for this test are OpenVPN, WireGuard, and IPSec. It is important to note that the default configurations of these VPN solutions were used. For all three VPN solutions, default settings were maintained wherever possible, rather than standardizing the settings across network protocols, cryptographic algorithms, or compression choices.&lt;/p&gt;

&lt;p&gt;After setting up the three VPN solutions on three different operating systems, below are some important aspects of the default configuration for each VPN that could impact performance:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Encryption Algorithm&lt;/strong&gt;: The performance of a VPN is significantly affected by the encryption algorithm used. Different algorithms have varying computational complexities, which can impact both the encryption/decryption speed and overall VPN performance.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Compression&lt;/strong&gt;: Compression of the payload is another factor. By default, all the tested VPN solutions have payload compression disabled. Enabling compression can reduce the size of the data being transmitted, potentially improving performance, especially in environments with high latency or limited bandwidth.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Multi-threading&lt;/strong&gt;: Multi-threading specifies whether the encryption and decryption processes can be distributed across multiple CPU cores. This feature allows parallel encryption on multiple cores, which could increase the speed of encryption and decryption, leading to better overall performance for the VPN.&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Default Configuration&lt;/th&gt;
&lt;th&gt;IPSec&lt;/th&gt;
&lt;th&gt;WireGuard&lt;/th&gt;
&lt;th&gt;OpenVPN&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Encryption Algorithm&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;AES-256&lt;/td&gt;
&lt;td&gt;ChaCha20&lt;/td&gt;
&lt;td&gt;AES-256-GCM&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Compression&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Yes*&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Multi-threading&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Yes&lt;/td&gt;
&lt;td&gt;Yes&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;







&lt;h2&gt;
  
  
  Testing
&lt;/h2&gt;

&lt;p&gt;The image below illustrates the flow of the testing process:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh0ywbugz6ke8hlvzndjc.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh0ywbugz6ke8hlvzndjc.png" alt="Image description" width="800" height="286"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The testing procedure was structured as follows:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Initial Test (No VPN)&lt;/strong&gt;: The first round of testing was conducted without any VPN enabled. This provided a baseline for network performance.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Test with VPN Solutions&lt;/strong&gt;: After establishing the baseline, each VPN solution (OpenVPN, WireGuard, and IPSec) was enabled and tested sequentially. During these tests, the performance metrics (throughput, latency, and packet loss) were measured with the VPNs active.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Test with Unreliability #1&lt;/strong&gt;: Traffic shaping was applied to introduce a 400ms delay (Unreliability #1), and the VPN solutions were tested again under these conditions.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Test with Unreliability #2&lt;/strong&gt;: In the final round, the traffic shaping tool introduced 1% packet loss (Unreliability #2), and the VPNs were tested once more.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This process was repeated for all three VPN solutions (OpenVPN, WireGuard, and IPSec).&lt;/p&gt;

&lt;h2&gt;
  
  
  Results
&lt;/h2&gt;

&lt;p&gt;The results presented are the values reported when iPerf sends the packets to the server and the server receives them. All results are the mean values of the 50 tests per case. The tests cover 36 different cases. All 36 individual cases can be seen in Table 3:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdpv28zq0uvvwe6tqmwrd.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdpv28zq0uvvwe6tqmwrd.png" alt="Image description" width="800" height="464"&gt;&lt;/a&gt;&lt;/p&gt;







&lt;h2&gt;
  
  
  Observation
&lt;/h2&gt;

&lt;p&gt;To reiterate, the research question for this paper is: '&lt;em&gt;How does performance differ between state-of-the-art VPN solutions under stable versus unreliable network conditions?&lt;/em&gt;' A definitive conclusion is that each implementation has its own advantages and disadvantages. Some VPN solutions perform better on certain operating systems. The most impactful conclusions drawn from the results are presented below.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The best-performing VPN solution for macOS, if the network is reliable, was IPSec, followed by WireGuard, with OpenVPN performing the worst&lt;/li&gt;
&lt;li&gt;We can see that with any of the unreliability variables in effect, all VPNs and operating systems had reduced throughput compared to no unreliability&lt;/li&gt;
&lt;li&gt;Linux is fastest with the baseline and no unreliability at 943.5Mbits/sec&lt;/li&gt;
&lt;li&gt;All VPNs except OpenVPN perform best in Linux during the delay unreliability when comparing the other OSs under delay&lt;/li&gt;
&lt;li&gt;All VPNs perform best in Linux while experiencing packet loss&lt;/li&gt;
&lt;li&gt;OpenVPN is not the top performer in any test&lt;/li&gt;
&lt;li&gt;Linux performs best in all unreliability tests except one, the unreliability #1 – delay&lt;/li&gt;
&lt;/ul&gt;







&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;Based on the results, a few recommendations for OS and VPN combinations emerged when using the default configuration. They can be seen in the Table below. The VPN in bold with a blue background is the overall recommended option for the specific network situation, as it had the best performance. The recommendations are as follows:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frpl37rmnyezutkfkdlec.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frpl37rmnyezutkfkdlec.png" alt="Image description" width="800" height="189"&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <category>networking</category>
      <category>cybersecurity</category>
      <category>tutorial</category>
      <category>ai</category>
    </item>
    <item>
      <title>Subnetting Demystified: Concepts, Importance, and a Real-World Example</title>
      <dc:creator>daniel💻</dc:creator>
      <pubDate>Thu, 02 Jan 2025 19:50:41 +0000</pubDate>
      <link>https://dev.to/daniel_idoko/subnetting-demystified-concepts-importance-and-a-real-world-example-1co</link>
      <guid>https://dev.to/daniel_idoko/subnetting-demystified-concepts-importance-and-a-real-world-example-1co</guid>
      <description>&lt;h2&gt;
  
  
  Prerequisites
&lt;/h2&gt;

&lt;p&gt;The goal of this article is to give you a clear understanding of what subnetting is, its importance, and a real-world example of subnetting in action. To fully grasp the concepts in this article, you need a good understanding of what an IP address is, its structure, subnet masks, and CIDR notation. All of these topics are covered in this article: &lt;a href="https://dev.to/daniel_idoko/decoding-ip-addresses-mastering-subnet-mask-and-cidr-notation-2241"&gt;[Decoding IP Addresses: Mastering Subnet Mask and CIDR Notation]&lt;/a&gt;.&lt;/p&gt;




&lt;h2&gt;
  
  
  How Subnetting Works
&lt;/h2&gt;

&lt;p&gt;A network is simply a group of computers that can communicate with each other. In technical terms, it is a group of hosts within the same IP range. As the size of a network grows, communication becomes increasingly difficult due to heavy traffic loads. To address this issue, large networks can be divided into smaller, more manageable subnetworks (subnets) using a process called subnetting. Subnetting helps reduce congestion by limiting broadcast traffic to smaller groups of hosts.  &lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Subnetting is the method used to divide large networks into smaller, more manageable networks called subnetworks or subnets.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h3&gt;
  
  
  &lt;u&gt;Flat Network&lt;/u&gt;
&lt;/h3&gt;

&lt;p&gt;A flat network is a network without subdivisions (subnets), where all devices share the same broadcast domain. This can lead to issues like increased broadcast traffic, scalability problems, and security risks, which subnetting aims to address.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;u&gt;Example of Subnetting&lt;/u&gt;
&lt;/h3&gt;

&lt;p&gt;Suppose you have a Class C IP address &lt;code&gt;192.168.1.0/24&lt;/code&gt; that needs to be divided into 4 subnets. The total number of possible IPs is 256, ranging from &lt;code&gt;192.168.1.0&lt;/code&gt; to &lt;code&gt;192.168.1.255&lt;/code&gt;.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Note: Only 254 IP addresses are available for use because the Network address (&lt;code&gt;192.168.1.0&lt;/code&gt;) and the Broadcast address (&lt;code&gt;192.168.1.255&lt;/code&gt;) are reserved and cannot be assigned to devices. The Network address is the first IP address in the range, and the Broadcast address is the last. &lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;The network can be divided as follows:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Subnet 1&lt;/strong&gt;: &lt;code&gt;192.168.1.0/26&lt;/code&gt;. This provides a total of 64 IPs from range &lt;code&gt;192.168.1.0&lt;/code&gt; to &lt;code&gt;192.168.1.63&lt;/code&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Subnet 2&lt;/strong&gt;: &lt;code&gt;192.168.1.64/26&lt;/code&gt;. This provides a total of 64 IPs from range &lt;code&gt;192.168.1.64&lt;/code&gt; to &lt;code&gt;192.168.1.127&lt;/code&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Subnet 3&lt;/strong&gt;: &lt;code&gt;192.168.1.128/26&lt;/code&gt;. This provides a total of 64 IPs from range &lt;code&gt;192.168.1.128&lt;/code&gt; to &lt;code&gt;192.168.1.191&lt;/code&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Subnet 4&lt;/strong&gt;: &lt;code&gt;192.168.1.192/26&lt;/code&gt;. This provides a total of 64 IPs from range &lt;code&gt;192.168.1.192&lt;/code&gt; to &lt;code&gt;192.168.1.255&lt;/code&gt;.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;




&lt;h2&gt;
  
  
  Importance of Subnetting
&lt;/h2&gt;

&lt;p&gt;Some of the benefits of dividing a network into subnetworks include:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Efficient Use of IP Addresses&lt;/strong&gt;: Subnetting allows the administrator to allocate only the necessary number of IPs required for that subnet, preventing waste.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Improved Security&lt;/strong&gt;: Subnetting reduces security risks by limiting access between subnets, unlike a flat network, which broadcasts packets and resources to every single host on the network.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Enhanced Performance&lt;/strong&gt;: Each subnet runs faster because of the reduced broadcasting traffic burden. For example, it is easier to broadcast a packet to 10 hosts in a subnetwork than to 200 hosts in an undivided, flat network.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Simplifies Network Management&lt;/strong&gt;: By dividing networks into subnetworks, the workflow on a topology becomes clearer, making it easier to manage, detect problems, and reduce downtime. When one network goes down, the others can still function properly.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Privacy&lt;/strong&gt;: Subnetting limits visibility between subnets by isolating sensitive traffic from the general network. For example, the HR department does not need to see the data that travels within the Admin department.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;




&lt;h2&gt;
  
  
  A Real-World Application of Subnetting
&lt;/h2&gt;

&lt;p&gt;Your company has been assigned the IP network: &lt;code&gt;192.168.1.0/24&lt;/code&gt;. As the Network Admin, you are tasked with dividing this network to serve four different departments in your company:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Admin&lt;/strong&gt; (50 hosts)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;HR&lt;/strong&gt; (25 hosts)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Staff&lt;/strong&gt; (30 hosts)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Guest&lt;/strong&gt; (14 hosts)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Each subnet must accommodate the required number of hosts. The formula for calculating how many hosts are available to a network is:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Hosts Available = 2^h - 2
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Where:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;h is the number of host bits in the IP address.&lt;/li&gt;
&lt;li&gt;2 is subtracted because the network address and the broadcast address are reserved and cannot be used.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  &lt;u&gt;Finding the Number of Host Bits (h)&lt;/u&gt;
&lt;/h3&gt;

&lt;p&gt;Let's use the &lt;strong&gt;Admin&lt;/strong&gt; subnet as an example. Remember, the &lt;strong&gt;Admin&lt;/strong&gt; subnet needs 50 hosts.&lt;/p&gt;

&lt;p&gt;To find h for this subnet, find the smallest power of 2 that can accommodate the required number of hosts (50) in the subnet using this formula:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;2^h ≥ Required Hosts + 2
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Number of host bits (h) =&amp;gt; 2^h ≥ 50 + 2
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;After solving, h will equal &lt;code&gt;6&lt;/code&gt; (approximately 5.7, which rounds up to 6).&lt;/p&gt;

&lt;p&gt;We can solve for the total number of hosts that will be available to the subnet:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Hosts Available =&amp;gt; 2^6 - 2 = 62
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The &lt;strong&gt;subnet mask&lt;/strong&gt; for this subnet will be: &lt;strong&gt;32 - 6&lt;/strong&gt;, where 32 is the number of bits in an IP address and 6 is the number of host bits (h). This will give us a subnet mask of &lt;code&gt;/26&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Allocating the Admin Subnet&lt;/p&gt;

&lt;p&gt;From the example above, we can now set the &lt;strong&gt;Admin&lt;/strong&gt; Subnet as follows:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;- Department: Admin
- Number of host bits(h): 6
- Hosts Needed: 50
- Hosts Available: 62
- Subnet mask: `/26` or `255.255.255.192`
- Network Address: `192.168.1.0`
- Broadcast Address: `192.168.1.63`
- Usable IP Range: `192.168.1.1` to `192.168.1.62`
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;Using this example, allocate the subnet for the HR, Staff, and Guest subnets. If you get stuck anywhere, feel free to reach out to me or leave a comment.&lt;/p&gt;

</description>
      <category>networking</category>
      <category>cybersecurity</category>
      <category>tutorial</category>
      <category>linux</category>
    </item>
    <item>
      <title>Decoding IP Addresses: Mastering Subnet Mask and CIDR Notation</title>
      <dc:creator>daniel💻</dc:creator>
      <pubDate>Fri, 20 Dec 2024 20:37:32 +0000</pubDate>
      <link>https://dev.to/daniel_idoko/decoding-ip-addresses-mastering-subnet-mask-and-cidr-notation-2241</link>
      <guid>https://dev.to/daniel_idoko/decoding-ip-addresses-mastering-subnet-mask-and-cidr-notation-2241</guid>
      <description>&lt;h2&gt;
  
  
  What is an IP Address
&lt;/h2&gt;

&lt;p&gt;In networking, IP addresses serve a straightforward purpose: &lt;strong&gt;Identification&lt;/strong&gt;. They are how IoT (Internet of Things) devices locate each other, whether on a private network or the public internet.&lt;/p&gt;

&lt;p&gt;In this article, I will break down the structure of an IP address and how to identify the Network and Host portions of an IP address. I will also show you an easy way to calculate the CIDR (Classless Inter-Domain Routing) notation.&lt;/p&gt;

&lt;p&gt;Even though IPv6 is in widespread use today, I will be using IPv4 for the examples in this article. The concepts are still the same, the only difference is that IPv6 has more bits.&lt;/p&gt;


&lt;h2&gt;
  
  
  IP Address Structure
&lt;/h2&gt;

&lt;p&gt;A typical IPv4 address consists of 32 bits divided into 4 segments using dots (e.g., &lt;code&gt;11000000.10101000.00000001.00000001&lt;/code&gt;). For better human readability, each 8-bit segment (one byte) is written as a decimal value between 0 and 255 (e.g., &lt;code&gt;192.168.1.1&lt;/code&gt;). Each segment cannot exceed 255 because the total number of unique combinations of 8 bits is 256 (including 0).&lt;/p&gt;

&lt;p&gt;The 32 bits of an IPv4 address are divided into two parts: the &lt;strong&gt;Network portion&lt;/strong&gt; and the &lt;strong&gt;Host portion&lt;/strong&gt;.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;The &lt;strong&gt;Network portion&lt;/strong&gt; defines the specific network or sub-network that the address identifies. It is the same for every host on the network.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;The &lt;strong&gt;Host portion&lt;/strong&gt; defines a node on that network, which identifies the device on the network. It is unique for every host on the network.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Your next question might be: which part of the address is the Network, and which part is the Host? Well, computers also need an answer to this question, and that's where the &lt;strong&gt;subnet mask&lt;/strong&gt; comes in.&lt;/p&gt;

&lt;p&gt; &lt;/p&gt;

&lt;h2&gt;
  
  
  Subnet Mask
&lt;/h2&gt;

&lt;h3&gt;
  
  
  &lt;u&gt;Inherent Classes (Classful Addressing)&lt;/u&gt;
&lt;/h3&gt;

&lt;p&gt;In the past, IP addresses used &lt;strong&gt;inherent classes&lt;/strong&gt; to determine which bytes of the address represent the network and which represent the host. The class is defined by the first few bits of the leftmost byte. Depending on the class (A, B, C, D, or E), the computer determines how to divide the address into network and host portions.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjhezoitliz1jofhr8nu2.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjhezoitliz1jofhr8nu2.png" alt="Classful Addressing Table" width="750" height="245"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Today, IP addresses are defined with an explicit &lt;strong&gt;subnet mask&lt;/strong&gt; (e.g., &lt;code&gt;255.255.255.0&lt;/code&gt;) that identifies the network portion. With subnets, the boundary between Network and Host can fall between bits, not just between bytes as seen in classful addressing.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;u&gt;Key Characteristics of Subnet IP Addresses&lt;/u&gt;
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;1s correspond to the network portion, and the 0s correspond to the host portion. When &lt;code&gt;255&lt;/code&gt; is converted to binary, the result is 8 bits (&lt;code&gt;11111111&lt;/code&gt;). This means the entire byte is part of the network portion.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;The 1s must be left-most and contiguous. You cannot have a byte that looks like &lt;code&gt;10101010&lt;/code&gt;; only something like &lt;code&gt;11110000&lt;/code&gt; is valid.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;At least eight bits must be allocated to the network portion.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;At least two bits must be allocated to the host portion.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Note that if no subnet is defined for an IP address, the computer will use the class method by default.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;u&gt;How to Identify the Host and Network Portion with Subnet Mask&lt;/u&gt;
&lt;/h3&gt;

&lt;p&gt;If an IP address has a subnet of &lt;code&gt;255.255.255.0&lt;/code&gt;, it means the first three bytes are part of the network portion, while the last byte is the host portion. 255 represents 1 byte (8 bits), or &lt;code&gt;11111111&lt;/code&gt; in binary; it identifies the network portion(s) of an IP address.&lt;br&gt;
If the IP address &lt;code&gt;192.168.1.1&lt;/code&gt; has a subnet of &lt;code&gt;255.255.0.0&lt;/code&gt;, it means &lt;code&gt;192.168&lt;/code&gt; is part of the network portion, while &lt;code&gt;.1.1&lt;/code&gt; is part of the host portion.&lt;/p&gt;

&lt;p&gt; &lt;/p&gt;

&lt;h2&gt;
  
  
  CIDR (Classless Inter-Domain Routing)
&lt;/h2&gt;

&lt;p&gt;As mentioned earlier, the boundary between the network and host can fall between bits. This will result in bytes that are neither 255 nor 0, but in between (the combination of 1s and 0s in binary). CIDR notation is commonly used in this situation. In CIDR notation, the subnet mask is written as &lt;code&gt;/XX&lt;/code&gt;, where XX is the number of bits in the network portion.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;u&gt;Example of CIDR (Classless Inter-Domain Routing) notation&lt;/u&gt;
&lt;/h3&gt;

&lt;p&gt;&lt;code&gt;192.168.1.0/27&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;The subnet mask &lt;code&gt;/27&lt;/code&gt; means the first 27 bits are the network portion, i.e., the subnet mask in binary is:&lt;br&gt;
&lt;code&gt;11111111.11111111.11111111.11100000&lt;/code&gt;, which, with each byte converted to decimal, is &lt;code&gt;255.255.255.224&lt;/code&gt;.&lt;br&gt;
As usual, the 1s are the network portion while the 0s are the host portion.&lt;/p&gt;

</description>
      <category>tutorial</category>
      <category>networking</category>
      <category>systemadministration</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>TCP/IP Networking Model</title>
      <dc:creator>daniel💻</dc:creator>
      <pubDate>Fri, 27 Sep 2024 21:54:28 +0000</pubDate>
      <link>https://dev.to/daniel_idoko/tcpip-networking-model-bc3</link>
      <guid>https://dev.to/daniel_idoko/tcpip-networking-model-bc3</guid>
      <description>&lt;h2&gt;
  
  
  Introduction
&lt;/h2&gt;

&lt;p&gt;The TCP/IP network model is referred to as a network suite. It is referred to as a suite because it consists of different networking protocols working together to transmit data packets from &lt;code&gt;host A&lt;/code&gt; to &lt;code&gt;host B&lt;/code&gt; and ensure a reliable connection between networks. These protocols are arranged in a &lt;em&gt;hierarchy&lt;/em&gt; or &lt;em&gt;stack&lt;/em&gt;, where the higher-level protocols make use of the protocols beneath them. TCP/IP is the backbone protocol on which the Internet runs and a core protocol for computer networking in general.&lt;/p&gt;







&lt;h2&gt;
  
  
  Definition of Terms
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;TCP - Transmission Control Protocol&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;TCP is a &lt;em&gt;connection-oriented&lt;/em&gt; protocol that provides reliable data transfer, error detection and correction, segmentation, and reassembly. It operates at the Transport Layer of the TCP/IP Network Model and is a core protocol in the Internet protocol suite. TCP is often compared to &lt;a href="https://www.cloudflare.com/learning/ddos/glossary/user-datagram-protocol-udp/#:~:text=The%20User%20Datagram%20Protocol%2C%20or,connection%20before%20data%20is%20transferred." rel="noopener noreferrer"&gt;UDP (User Datagram Protocol)&lt;/a&gt;, but TCP is generally preferred in networks requiring high reliability due to its robust error-handling mechanisms.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;IP - Internet Protocol&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;You've definitely heard the term "IP address" before. The Internet Protocol is a core protocol for transmitting data packets because it handles the tasks of &lt;em&gt;addressing and routing packets&lt;/em&gt;. Every host must have an IP address through which packets can be addressed to it and every device with an IP address is considered a host. There are currently two standard versions of the Internet Protocol: IPv4 and IPv6.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Packets&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The term "packets" is used in various places in this article. It simply refers to small units of data. When transmitting data, large data sets are broken down into packets to meet the &lt;em&gt;Maximum Transfer Unit (MTU)&lt;/em&gt; of a particular network. Each packet is framed with a &lt;em&gt;header&lt;/em&gt;, which consists of its addressing information such as its source IP address and destination IP address.&lt;/p&gt;







&lt;h2&gt;
  
  
  A Practical Look at the TCP/IP Networking Model
&lt;/h2&gt;

&lt;p&gt;In this section, we'll take a brief look at a computer network in action to better understand the role of the TCP/IP network model.&lt;/p&gt;

&lt;p&gt;Assuming you have two laptops and need to transfer some files from &lt;code&gt;Laptop A&lt;/code&gt; to &lt;code&gt;Laptop B&lt;/code&gt;, you'll be presented with a couple of options (both wired and wireless). Let's assume you choose an Ethernet cable for the transfer. Modern systems have streamlined the data transfer process, making much of it opaque to the user. In this section, we'll delve deeper into the process of your files traveling from &lt;code&gt;Laptop A&lt;/code&gt; to &lt;code&gt;Laptop B&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;After plugging each end of the Ethernet cable into both laptops, the next step is to assign each laptop an IP address within the same network range. For example, &lt;code&gt;Laptop A&lt;/code&gt; could be assigned &lt;code&gt;10.10.10.1&lt;/code&gt;, while &lt;code&gt;Laptop B&lt;/code&gt; would be assigned &lt;code&gt;10.10.10.2&lt;/code&gt;. This creates a private IP address range through which both laptops can transfer data addressed to each other's IP addresses. Each laptop automatically learns the other's IP address via an &lt;a href="https://en.wikipedia.org/wiki/Address_Resolution_Protocol" rel="noopener noreferrer"&gt;ARP (Address Resolution Protocol)&lt;/a&gt; request, and a connection is then established.&lt;/p&gt;

&lt;p&gt;When you transfer files from &lt;code&gt;Laptop A&lt;/code&gt;, addressed to &lt;code&gt;Laptop B&lt;/code&gt;'s IP address, the data passes through a series of &lt;em&gt;TCP network layers&lt;/em&gt; to reach its destination. Let's delve into these layers and see their role in data transmission.&lt;/p&gt;







&lt;h2&gt;
  
  
  The TCP/IP Network Layers
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffnsfi01vdsu7mi0rhpa8.JPG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffnsfi01vdsu7mi0rhpa8.JPG" alt="Image description" width="800" height="441"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The TCP/IP network model conventionally consists of four (4) distinct layers: &lt;code&gt;Application layer&lt;/code&gt;, &lt;code&gt;Transport layer&lt;/code&gt;, &lt;code&gt;Network layer&lt;/code&gt;, and &lt;code&gt;Link layer&lt;/code&gt;. This model is a simplified version of the &lt;strong&gt;OSI (Open Systems Interconnection) model&lt;/strong&gt;, which has seven (7) layers: &lt;code&gt;Application layer&lt;/code&gt;, &lt;code&gt;Presentation layer&lt;/code&gt;, &lt;code&gt;Session layer&lt;/code&gt;, &lt;code&gt;Transport layer&lt;/code&gt;, &lt;code&gt;Network layer&lt;/code&gt;, &lt;code&gt;Data link layer&lt;/code&gt;, and &lt;code&gt;Physical layer&lt;/code&gt;. The TCP/IP model combines some layers of the OSI model for simplicity. Let's explore the four layers of the TCP/IP model:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;1. Link Layer&lt;/strong&gt;&lt;br&gt;
This layer is also known as the Network Interface Layer or Network Access Layer. It's responsible for framing and transmitting data bits over a physical medium. This can be transmitted wirelessly via electromagnetic waves or physically via wired signals. Examples of physical components include cables, optical fibers, radio waves, etc. In our practical example from the previous section &amp;lt; &lt;strong&gt;Practical Look at the TCP/IP Networking Model&lt;/strong&gt; &amp;gt;, this would be the Ethernet cable used to connect the two computers.&lt;/p&gt;

&lt;p&gt;Framing and transmission are handled by two separate components of the Link layer:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Link Layer Control - Handles framing the packets&lt;/li&gt;
&lt;li&gt;Media Access Control - Handles transmitting the packet to physical components.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;2. Network or Internet Layer&lt;/strong&gt;&lt;br&gt;
This layer consists of protocols responsible for the logical transmission of data over a network. Examples of these protocols include: Internet Protocol (IP), Internet Control Message Protocol (ICMP), and Address Resolution Protocol (ARP). Each of these protocols plays a specific role in transmitting data.&lt;/p&gt;

&lt;p&gt;In our practical example from the previous section &amp;lt; &lt;strong&gt;Practical Look at the TCP/IP Networking Model&lt;/strong&gt; &amp;gt;, we assigned different but similar IP addresses to each laptop. The similarity (10.10.10.x) indicates that they belong to the same subnet. As &lt;code&gt;Laptop A&lt;/code&gt; transmits a data packet to &lt;code&gt;Laptop B&lt;/code&gt;, the packet will be framed in &lt;code&gt;Laptop A&lt;/code&gt;'s Link Layer Control. The frame will contain &lt;code&gt;Laptop B&lt;/code&gt;'s IP address as the destination.&lt;/p&gt;

&lt;p&gt;If there were more than two laptops connected to the network, communication would be impossible without IP addresses. IP addresses are essential for each laptop to know how to send files to others within the network.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;3. Transport Layer&lt;/strong&gt;&lt;br&gt;
This layer consists of protocols that provide reliable data transfer from one host in a network to the endpoint or receiving host of the network. It is concerned with end-to-end communication. TCP, UDP, and SCTP (Stream Control Transmission Protocol) are examples of Transport layer protocols.&lt;/p&gt;

&lt;p&gt;End-to-end communication means sender-to-receiver communication. In our practical example from the previous section &amp;lt; &lt;strong&gt;Practical Look at the TCP/IP Networking Model&lt;/strong&gt; &amp;gt;, we looked at a very simple network topology involving only two devices. In the Internet or a more complex network topology, data does not always travel directly from one host to another. It usually hops through a series of routes before reaching its destination host.&lt;/p&gt;

&lt;p&gt;Communication between one route and the next route is referred to as &lt;em&gt;hop-to-hop&lt;/em&gt; communication while the overall communication between the source host and destination host is the &lt;em&gt;end-to-end&lt;/em&gt; communication.&lt;/p&gt;

&lt;p&gt;As packets travel through these complex topologies, they are always aware of their next hop through a Layer 2 header using a &lt;em&gt;MAC (Media Access Control)&lt;/em&gt; address and their destination host through a Layer 3 header using an IP address. Every IoT device is assigned a unique MAC address at the time of manufacture.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;4. Application Layer&lt;/strong&gt;&lt;br&gt;
This layer combines the Session and Presentation layers from the OSI model. The Application layer consists of protocols that work directly with the end user's applications, providing various network services to these applications. Some Application layer protocols include SSH (Secure Shell), FTP (File Transfer Protocol), HTTP (Hypertext Transfer Protocol), DNS (Domain Name System), SNMP (Simple Network Management Protocol), and many more.&lt;/p&gt;







&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;In this exploration of the TCP/IP Network Model, we've delved into the fundamental layers and protocols that underpin modern computer networking.&lt;/p&gt;

&lt;p&gt;We've examined how data flows through the network, starting at the Application layer and traversing the Transport, Network, and Link layers. We've also explored the roles of key protocols like TCP, IP, and ARP in ensuring reliable and efficient communication.&lt;/p&gt;

&lt;p&gt;By understanding the TCP/IP model, you gain a deeper appreciation for the complex processes involved in modern computer networking. This knowledge can be valuable for troubleshooting network issues, designing network architectures, and staying informed about emerging networking technologies.&lt;/p&gt;

</description>
      <category>networking</category>
      <category>tutorial</category>
      <category>cybersecurity</category>
      <category>backend</category>
    </item>
  </channel>
</rss>
