by
Etienne Liebetrau
When configuring a Site-to-Site VPN on your Sophos SG or Sopho XG, you are presented with an option to select either TCP or UDP as the transport protocol. The configuration page hints that UDP provides better performance, so I thought it would be interesting to test the SSL VPN performance over both UDP and TCP protocols and find out which one is faster!
Since everyone wants better performance, the choice for UDP seems obvious, but as you will discover, there are more factors to consider than just the protocol itself.
TCP is a connection orientated protocol. This means a three-way handshake needs to occur before packets are sent, and delivery is "guaranteed". That means that the server gets an acknowledgement when the sent packets have been received, and if the acknowledgement does not come through, the packets are re-sent. TCP is therefore preferred for data integrity.
UDP, on the other hand, is a connectionless protocol. This means packets are thrown out with no protocol level reliability. A packet is sent out but there is no acknowledgement of them being received. UDP is theoretically faster since it does not require 3-way handshakes and packet acknowledgement. UDP is useful for applications such as video streaming where dropping a packet here or there is an acceptable trade-off for the overall speed improvement. UDP is therefore preferred for speed if the application can handle error correction.
Unlike direct client-server communications, VPNs work by wrapping and encrypting the client-server packets with VPN headers or metadata. VPN traffic is therefore slightly 'bigger' than native traffic.
The VPN will take the traffic, TCP or UDP and wrap it in its own VPN protocol, which as you see above, has the option of being TCP or UDP. You could, therefore, have a HTTP session that uses TCP being wrapped in UDP packets being sent over the VPN.
In such a case, the VPN is not responsible for error correction. This is left to the web server and client.
If we flip this example around, imagine a protocol like DNS (UDP) being transmitted over a TCP SSL VPN. In this case, the VPN will take care of error correction.
Error correction needs to happen somewhere, the burden either lives with the VPN or with the application server and client.
SSL VPNs over TCP look identical to HTTPS web traffic. Firewalls and proxies therefore typically do not have an issue handling the traffic. Countries or regions that may block VPNs typically block IPSEC tunnels but not TCP SSL VPNs because it would break HTTPS and therefore most of the Internet.
SSL VPN over UDP still attempts to connect to the VPN server on port 443, but unlike HTTPS traffic that uses TCP as a transport protocol, it uses UDP. Some firewalls and proxies may flag this as suspicious and drop the traffic. It can also be seen as peer-to-peer traffic (which it actually is) and again be dropped.
So by now, it may seem that TCP is the preferred transport protocol as the VPN takes care of error correction, taking the load off the clients and TCP ensures a higher level of compatibility for more diverse environments. BUT – Sophos says UDP is faster and everyone likes faster, So let’s answer the last concern.
I am going to start off the section by saying that everyone's environment is different. This is purely a simple, indicative test along with the results.
If we place the two Windows boxes on the same subnet with no firewalls in between we get a throughput of 71,741,160 B/s so this is the absolute maximum.
If we place one of the servers behind a firewall and do the same test (without a VPN) we get an average throughput of **9,581,763 B/s ** This is a significant drop in performance. This is because firewall and IPS functions are being applied to the traffic, as well as an extra hop.
Placing both Windows servers behind their own firewall and establishing the VPN we get the following:
Protocol | Bytes Per Second | Average Time Taken |
---|---|---|
TCP | 8,257,675 B/s | 22.5 seconds |
UDP | 8,255,688 B/s | 22.5 seconds |
So in a fairly anti-climactic way, there is no noticeable difference. If anything, UDP proved very slightly slower on average. Having said that, the single fastest transfer of 8,390,679 B/s was achieved with UDP. The graph below indicates just how close it is over the course of the three runs per configuration.
During testing, I had a massive drop in performance when first connecting the VPN. This is because the traffic was now going through two IPS scans (one on each firewall). Since it is the IPS same engine on both sides, there is absolutely no benefit from doing this. Dropping the IPS on one side of the VPN got performance back up to where it is expected. I want to say HOG because Sophos uses Snort for the IPS functionality and its logo/mascot is a hog or pig :)
If you're concerned about your VPN or network performance, I recommend tweaking your IPS settings to improve performance, over worrying about TCP or UDP for your VPN protocol.
At this point in time, my recommendation is to stick with TCP as your SSL VPN transport. Bank the reliability and compatibility and pay more attention to your IPS configuration. Lastly, check your applications, and focus on optimising any internal web applications with technologies such as HTTP2 and dynamic gZip compression.
We would love to hear your feedback regarding Sophos VPN performance in the comments below.
Download our FREE 30-day trial, or schedule a demo and we'll show you how it works.
How to Configure Multiple Site-to-Site SSL VPNs with Sophos UTM
Setup a Sophos UTM SSL VPN In 7 Simple Steps!