
Is the RT-N66U capable of playback (.WAV) over VPN

jvamos

Occasional Visitor
Hello,

I am trying to give users access to sounds via VPN. The bitrate and size of these sounds are rather large and the format has to be preserved. I was using SMB at home locally but found that using the RT-N66U as an OpenVPN server (with a SuSE Raid SMB server) was not really getting the performance I need. I am wondering if I should open up to new protocols or need to move to more capable VPN server hardware. I know NFS is pretty good for file transfers. AFP is also an option.

I have a single core machine at 2.3GHz with dual NICs I could make into a new firewall/VPN server. That is for another thread though.

Is VPN just not a viable solution? Would an SSH tunnel to the shared disk be better?
 
...what's your uplink bandwidth?....IMHO the RT66U should be good for at least 20mbps via VPN and up to 100mbps without.

An alternative could be to host the SMB Server in the DMZ...maybe use owncloud or similar as frontend and give users access rights...using https will put less strain on the ASUS than using VPN.
However, make sure your uplink is not the limit.
 
It's not the uplink

Thanks Ford!

The only issue is the server also does some FTP serving via HTTPS. Does the DMZ leave the computer open to attacks? It sounds like it's no-man's land.
The reason for avoiding HTTPS is that I need to actually mount the volume for the software to see it and create a database.

Definitely not seeing the 20mbps though, more like 1mbps. Could it be the overhead of SMB? Possibly my server settings?

I'm on a good synchronous connection though.
 
My ISP line is 50 Mbps download and 33 Mbps upload. Under "ideal" conditions (no other activities) the speed test through the tunnel on my RT-N66U with OpenVPN server shows up to 14-15 Mbps with 256 bit AES encryption. According to Merlin's tests (search the forum) the speed could reach 22-25 Mbps with 128 bit AES encryption.

My opinion is that if the router CPU is not very busy with other heavy tasks you should be able to stream WAV through the VPN tunnel. Try to stop any other "heavy load" services and test again. The other possible reason for slow streaming could be the Samba implementation.

If you post the CPU load during your experiments here, it will be valuable info for diagnosing the problem.

You may also overclock your router by 10%. See THIS THREAD
 
CPU Load

Thanks netware!

The load is only ever reaching 26% on the processor while receiving about 120kb/s of data. I haven't seen any spikes that would warrant the slow speeds. QoS is disabled and really no fancy services are enabled.

I will look at the encryption settings. But something else must be wrong here. I am using a mac to connect.
 
yes, a DMZ will expose the host to the world..you must configure the host to handle the security issues involved in this.
When running something like owncloud, each user will get a username+passwd and only ports for http/https need to be open.

1 mbit is definitely too low....are your users actually downloading the files or are they playing them from/via the share?
FTP would be much more efficient to use for providing downloadable files.
For playing, I'd suggest to use/offer DLNA/UpnP service but using this over VPN could be a challenge.
 
Thanks netware!

The load is only ever reaching 26% on the processor while receiving about 120kb/s of data. I haven't seen any spikes that would warrant the slow speeds. QoS is disabled and really no fancy services are enabled.

I will look at the encryption settings. But something else must be wrong here. I am using a mac to connect.

It seems to be a problem with SMB. Where is your Samba share - on the USB disk attached to the router itself or on some other device in your network? If the share is on some other device, how do users mount the share - directly, or is the share network mounted to the router and users then mount it?

Try to search the forum for Samba related issues - there were some issues reported by other users, but I never experienced them.
 
It is a network attached machine that you have to connect to through VPN. It's a local connection that I am trying to bring to those working abroad. I will look into Samba connections.
 
It is a network attached machine that you have to connect to through VPN. It's a local connection that I am trying to bring to those working abroad. I will look into Samba connections.

So this is almost the same configuration as mine. I have Seagate Blackarmor NAS 220 in my home network and had not experienced any problems to listen music when playing files from its Samba share through VPN using Windows or Linux clients. Unfortunately I have no experience with Mac clients. As you can see in my signature I am using TAP interface, so connecting through VPN is virtually equivalent to the client wired in my home network. I will bet that the suspect is samba implementation.
 
TAP vs. TUN

Going to test again in TAP mode. I guess I got so excited once I had a connection in TUN mode I forgot to test the other option.

Is TAP the generally agreed upon preferred method?
 
Is TAP the generally agreed upon preferred method?
There is no agreed upon method. You should choose the method that provides the service you want.

https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
http://openvpn.net/index.php/open-source/documentation/howto.html#vpntype

Determining whether to use a routed or bridged VPN

See FAQ for an overview of Routing vs. Ethernet Bridging. See also the OpenVPN Ethernet Bridging page for more notes and details on bridging.

Overall, routing is probably a better choice for most people, as it is more efficient and easier to set up (as far as the OpenVPN configuration itself) than bridging. Routing also provides a greater ability to selectively control access rights on a client-specific basis.

I would recommend using routing unless you need a specific feature which requires bridging, such as:
◾the VPN needs to be able to handle non-IP protocols such as IPX,
◾you are running applications over the VPN which rely on network broadcasts (such as LAN games), or
◾you would like to allow browsing of Windows file shares across the VPN without setting up a Samba or WINS server.
In your case it sounds like you want bridging (TAP)
 
Going to test again in TAP mode. I guess I got so excited once I had a connection in TUN mode I forgot to test the other option.

Is TAP the generally agreed upon preferred method?

As ColinTaylor already said above there is no agreed upon method. Personally I prefer TAP because it is much easier to set up. Here I would like to note that I disagree with the following statement taken from Open VPN site and quoted by ColinTaylor.

Overall, routing is probably a better choice for most people, as it is more efficient and easier to set up
Yes, routing is more efficient as it encapsulates less payload (IP packet) while bridging encapsulates more payload (Ethernet frame). But my opinion is that bridging is easier to set up and understand as a philosophy. You should just think of it as a second LAN card attached to your client device, which is directly wired to your home LAN. Bridging also allows you to use any services provided within your home LAN without thinking about network protocols. I have been using bridging (TAP) since April 2013 and I am very, very satisfied. The only issue you should think about is the potential conflict between network addresses of your home LAN and your client LAN. For example if both LANs have address range 192.168.1.1-254 you will be in trouble. As I am a "road warrior" and use my VPN very often from public networks (hotels, airports, cafes, etc.) I decided to create my home LAN with an "unusual" address range like 192.168.88.1-254 as the probability of being in such a public LAN is very low. You should avoid using for your home LAN addresses with a third byte which is less than 10 (i.e. 192.168.1.x, 192.168.2.x, etc.) The best way is for your third byte to be greater than 50 (i.e. 192.168.51.x). This will significantly reduce the probability of a conflict between LAN addresses.

And last advice - do read carefully the links provided by ColinTaylor above.
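
The address-conflict check described in the post above, as an added Python example that is not part of the original thread. The networks in `OBSERVED` and the function names are constructed for illustration; the last case in the usage shows that a wide prefix on the client side (a /16) still covers an "unusual" /24.

```python
import ipaddress

def overlaps(home_lan, client_networks):
    """Client-side networks whose address range intersects the home LAN."""
    home = ipaddress.ip_network(home_lan)
    hits = []
    for cidr in client_networks:
        # strict=False accepts an interface address such as 192.168.2.17/24
        net = ipaddress.ip_network(cidr, strict=False)
        if net.overlaps(home):
            hits.append(str(net))
    return hits

def shadowed_hosts(home_hosts, client_networks):
    """Home-LAN hosts whose address also lies inside a network the client
    is directly attached to, so traffic for them may stay on the local LAN
    instead of entering the VPN tunnel."""
    nets = [ipaddress.ip_network(c, strict=False) for c in client_networks]
    return [h for h in home_hosts
            if any(ipaddress.ip_address(h) in n for n in nets)]

def pick_home_lan(candidates, observed_client_networks):
    """First candidate home subnet that overlaps none of the observed networks."""
    for cand in candidates:
        if not overlaps(cand, observed_client_networks):
            return cand
    return None

# Constructed sample: networks a travelling client was attached to.
OBSERVED = ["192.168.1.0/24", "192.168.0.0/24", "10.0.0.0/8", "192.168.2.17/24"]

if __name__ == "__main__":
    print(overlaps("192.168.1.0/24", OBSERVED))
    print(overlaps("192.168.88.0/24", OBSERVED))
    print(shadowed_hosts(["192.168.1.10", "192.168.88.10"], OBSERVED))
    print(pick_home_lan(["192.168.1.0/24", "192.168.2.0/24",
                         "192.168.88.0/24"], OBSERVED))
    # A client network with a short prefix still collides with the home /24.
    print(overlaps("192.168.88.0/24", ["192.168.0.0/16"]))
```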
 
Hi netware5,

If you have different subnets on either end of the VPN wouldn't that stop broadcast traffic from one network to the other, which is the main reason for using TAP over TUN in this case? (I have never tried this myself so I'd be interested to know)

EDIT: Actually, thinking about it, I don't suppose it would as logically there is no "router" in between to drop the packets. Maybe.
 
Hi netware5,

If you have different subnets on either end of the VPN wouldn't that stop broadcast traffic from one network to the other, which is the main reason for using TAP over TUN in this case? (I have never tried this myself so I'd be interested to know)

EDIT: Actually, thinking about it, I don't suppose it would as logically there is no "router" in between to drop the packets. Maybe.

Let me explain the real situation. My office LAN is 10.x.x.x, my home LAN is 192.168.x.x. When I establish the bridge my office PC obtains a virtual second LAN adapter. The first (original) adapter is connected to 10.x.x.x and second (TAP) adapter is connected to 192.168.x.x. I think that broadcast traffic is directed by the office PC OS (Windows XP) to both LANs but each traffic to its "own" LAN. So definitely I am able to access both LANs' resources. I had not experienced any problems in accessing both LANs' services simultaneously. More than one year ago when I started this configuration I made some experiments. I tried to "see" my home LAN PC from another (not mine) office PC residing in office LAN. No success. It was very important for me because of security reasons - I didn't like the possibility that my colleagues may "see" my home LAN during my OpenVPN sessions. I never tested the opposite case - to "see" my office LAN from my home LAN during the OpenVPN session created from my office PC to my home router. The explained situation is the same when I am tunneling all traffic through the tunnel. In first case (not redirecting the internet traffic) the home LAN traffic is going through the TAP adapter while the office traffic and internet traffic are going through the original LAN adapter to other office LAN devices and to the office router (which stays as default gateway). In second case (redirecting the internet traffic) the home LAN traffic and internet traffic are going through the TAP adapter (the home router internal LAN interface became default gateway) while the office traffic is going through the original LAN adapter to other office LAN devices. In both cases I never experienced any problems in accessing both LANs' services simultaneously.

P.S. Probably it is possible to "see" my home LAN from any office PC during the OpenVPN session but it should be done by changing the configuration of my office PC to become a "real" bridge. I never tried because I am not interested and have no time for that. :)
 