OpenVPN UDP or TCP ?

 

 

OpenVPN is a very versatile protocol designed from the ground up to be as flexible and open as possible.

 

Standard OpenVPN configuration uses UDP protocol over port 1194 assigned by IANA. However, nothing prevents you to configure it to use TCP instead and virtually any port number you like.

 

What are the advantages and inconvenients of each implementation?

 

Classic config (UDP, 1194) is a bit faster due to the fact it uses UDP instead of TCP. On the other hand, UDP doesn not insure data integrity nor error correction. In certain cases and difficult conditions it can lead to multiple resends effectively slowing down the connection apparent speed.

 

So why not use TCP instead? Exactly for the same reasons ... the other way around!

 

TCP natively handles error correction and data integrity but has a bigger overhead. Moreover, TCP within TCP encapsulation results sometimes in strange behavior and sometimes more CPU demand.

 

So, why offer a TCP mode?

 

You have basically two main advantages:

 

- More safety margin in case of difficult connections

- Capability of masking the VPN traffic under a well known and innocent protocol, like HTTPS for example.

 

In theis case, using TCp along with port 443 (which is the standard HTTPS port) makes the VPN session virtually undetectable, even through proxies.

 

In a nutshell, alwyas use the standard UDP configuration anytime it's possible and revert to more hidden protocols when the need arises.

 

Never forget network security is a job in itself, not a hobby and can seldom be improvised.

 

© 2009 - 2011 NeXTGenVPN