Improving SSL VPN performance with DTLS
Networks are increasingly faster, mainly because access to the medium is faster than ever, with up to 100 Gigabit Ethernet available today. Protocols are improving too, as we saw with Multipath TCP or with moving the Web from TCP to UDP, but today I would like to highlight how to improve the performance of VPNs (Virtual Private Networks). I have already written about VPN security, overlay technologies like PBB, SPB or VXLAN, and Metro Ethernet services such as E-Line VPWS and E-LAN VPLS, but I have never written about the performance of dial-up VPNs for remote users and how to improve it.
Building an SSL VPN over TCP is not a good idea in the first place. TCP was designed to run over unreliable or slow links, where its segment retransmission and window-based flow control are useful. However, if we set up an SSL VPN over TCP and then send TCP traffic through it, we are encapsulating TCP inside TCP, and performance can be poor: the inner and the outer TCP connections keep independent retransmission timers, so when the outer connection slows down or retransmits, the timers of the inner connection expire as well and it retransmits too. A single lost packet therefore turns into retransmissions at both layers, and the effective throughput of the tunnel collapses (the so-called TCP meltdown).
[Figure: SSL VPN over TCP with TLS - stack]
How can we improve SSL VPN performance? Since TCP over TCP is a bad idea, we can carry the tunnel over UDP and use the DTLS protocol for security. Traffic is protected much as in a traditional SSL VPN with TLS, but this time DTLS provides the communications security and UDP the transport. As a result, the lower layer does not deal with segment retransmission or flow control at all: those tasks are left to the TCP connections riding inside the tunnel. DTLS only retransmits its own handshake messages; for data records it carries an explicit epoch and sequence number in every record, so it can detect replayed or out-of-order datagrams by itself without ever requesting a retransmission or re-ordering anything. Consequently the throughput and performance of the SSL VPN are much better.
[Figure: SSL VPN over UDP with DTLS - stack]
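To make the previous paragraph concrete, here is an added example (not code from the original post, and not related to any Fortinet implementation) showing what DTLS adds on top of UDP so that it can do without TCP's ordering: the 13-byte record header with its epoch and 48-bit sequence number, and the anti-replay sliding window from RFC 6347 section 4.1.2.6. The datagrams are constructed in the script, with placeholder payloads and no encryption, so it runs offline; they are not taken from the capture shown later in the post.

```python
import struct

# DTLS record header (RFC 6347, section 4.1):
#   type(1) version(2) epoch(2) sequence(6) length(2) = 13 bytes.
# A TLS record over TCP carries only type(1) version(2) length(2): it needs no
# sequence number on the wire because TCP already delivers bytes in order.
DTLS_HEADER = struct.Struct("!BHH6sH")
DTLS_1_2 = 0xFEFD                 # wire version bytes of DTLS 1.2
CONTENT_APPLICATION_DATA = 23


def build_record(epoch, seq, payload, content_type=CONTENT_APPLICATION_DATA):
    """Serialise one unencrypted DTLS record (enough to exercise the header)."""
    if not 0 <= seq < 1 << 48:
        raise ValueError("sequence number must fit in 48 bits")
    return DTLS_HEADER.pack(content_type, DTLS_1_2, epoch,
                            seq.to_bytes(6, "big"), len(payload)) + payload


def parse_record(datagram):
    """Return (content_type, epoch, seq, payload); reject malformed datagrams."""
    if len(datagram) < DTLS_HEADER.size:
        raise ValueError("datagram shorter than a DTLS record header")
    ctype, version, epoch, seq6, length = DTLS_HEADER.unpack_from(datagram)
    if version != DTLS_1_2:
        raise ValueError(f"unexpected record version 0x{version:04x}")
    body = datagram[DTLS_HEADER.size:DTLS_HEADER.size + length]
    if len(body) != length:
        raise ValueError("record body truncated")
    return ctype, epoch, int.from_bytes(seq6, "big"), body


class ReplayWindow:
    """Sliding anti-replay window (RFC 6347 section 4.1.2.6), one per epoch.

    Bit i of `bitmap` records whether sequence number (top - i) was seen.
    """
    def __init__(self, size=64):
        self.size = size
        self.top = -1       # highest sequence number accepted so far
        self.bitmap = 0

    def accept(self, seq):
        if seq > self.top:                      # new high-water mark: slide window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:                 # older than the window: drop
            return False
        if (self.bitmap >> offset) & 1:         # already seen: replay, drop
            return False
        self.bitmap |= 1 << offset              # late but genuine: accept once
        return True


def receive(datagrams, window_size=64):
    """Feed datagrams in arrival order; return a (seq, verdict) per datagram.

    Note what the receiver does NOT do: it never asks for a retransmission of
    dropped or missing records. That is left to the TCP connection inside the
    tunnel, which is exactly why tunnelling over UDP avoids TCP-over-TCP.
    """
    window = ReplayWindow(window_size)
    verdicts = []
    for datagram in datagrams:
        _, _, seq, _ = parse_record(datagram)
        verdicts.append((seq, "ok" if window.accept(seq) else "dropped"))
    return verdicts


# Constructed arrival order (not from a real capture): 1 arrives after 2
# (reordered), 2 arrives a second time (replay), 70 jumps ahead, 3 is stale.
SAMPLE_DATAGRAMS = [build_record(1, seq, b"payload") for seq in (0, 2, 1, 2, 70, 3)]

if __name__ == "__main__":
    for seq, verdict in receive(SAMPLE_DATAGRAMS):
        print(f"epoch 1 seq {seq:3d}: {verdict}")
```

The reordered record 1 is accepted, the duplicate 2 and the stale 3 are silently dropped, and nothing is retransmitted at this layer; a real implementation additionally verifies the record MAC before touching the window, so that forged sequence numbers cannot slide it forward.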
FortiOS 5.4 and the new FortiOS 5.6 already support SSL VPN over UDP with DTLS to improve SSL VPN performance. To configure it, we need to run the following commands from the CLI, which turn on the dtls-tunnel option of the SSL VPN settings.
[Figure: Using DTLS to improve SSL VPN performance]
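The commands in the screenshot cannot be recovered from the page text, so the FortiOS CLI syntax is added here as a reconstruction from the FortiOS 5.x CLI reference, not copied from the post; check it against the reference for your own release:

```text
config vpn ssl settings
    set dtls-tunnel enable
end

show full-configuration vpn ssl settings | grep dtls
```

The final command is there to confirm the change: a plain `show` only prints values that differ from the defaults, so `show full-configuration` is the reliable way to see what dtls-tunnel is actually set to.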
Once we have enabled dtls-tunnel, the FortiGate listens on the SSL VPN port over UDP as well as over TCP, as its local-in policy shows.
[Figure: Local In Policy of FortiGate]
However, we will also have to configure FortiClient to use DTLS, because it only uses TCP by default. To use DTLS tunnels from FortiClient, we have to download a backup of the FortiClient configuration, change the parameter preferred_dtls_tunnel to 1, and upload the modified configuration back into FortiClient. Once this is done, FortiClient will first try to connect to the SSL VPN using UDP with DTLS and, if that fails (for instance because a firewall on the path drops UDP to the SSL VPN port), it falls back to TCP with TLS, so remote users keep connectivity either way but only get the performance gain when the UDP path is open.
[Figure: FortiClient Configuration]
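The edit to the exported backup is a one-line change, but doing it by hand in a large XML file is error prone. The script below is an added example (mine, not Fortinet's and not part of the original post): it flips preferred_dtls_tunnel to 1 and reports whether anything changed. The embedded XML is a constructed stand-in for a FortiClient backup; only the preferred_dtls_tunnel element name comes from the post, the enclosing element names are assumptions, which is why the code locates the element by name rather than by a fixed path.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed stand-in for a FortiClient backup (real exports are far larger;
# element names other than preferred_dtls_tunnel are assumed, not verified).
SAMPLE_BACKUP = """<?xml version="1.0" encoding="UTF-8"?>
<forticlient_configuration>
  <vpn>
    <sslvpn>
      <options>
        <preferred_dtls_tunnel>0</preferred_dtls_tunnel>
      </options>
    </sslvpn>
  </vpn>
</forticlient_configuration>
"""

TAG = "preferred_dtls_tunnel"


def _parse(xml_data):
    """Accept str or bytes; feed bytes to the parser so the XML declaration is honoured."""
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")
    return ET.fromstring(xml_data)


def preferred_dtls(xml_data):
    """Return the current preferred_dtls_tunnel value, or None if the element is absent."""
    node = _parse(xml_data).find(".//" + TAG)
    return None if node is None else (node.text or "").strip()


def set_preferred_dtls(xml_data, enable=True):
    """Return (new_xml, changed) with every preferred_dtls_tunnel set to 1 (or 0)."""
    root = _parse(xml_data)
    wanted = "1" if enable else "0"
    nodes = list(root.iter(TAG))
    if not nodes:
        raise ValueError(f"<{TAG}> not found; is this really a FortiClient backup?")
    changed = False
    for node in nodes:
        if (node.text or "").strip() != wanted:
            node.text = wanted
            changed = True
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} backup.conf patched.conf")
    with open(sys.argv[1], "rb") as f:
        new_xml, changed = set_preferred_dtls(f.read())
    with open(sys.argv[2], "w", encoding="utf-8") as f:
        f.write('<?xml version="1.0" encoding="UTF-8"?>\n' + new_xml + "\n")
    print("updated" if changed else "already set", "- now restore", sys.argv[2], "in FortiClient")
```

Run it against the exported backup, then import the patched file with FortiClient's restore function; if the script reports that the element is missing, the export is not in the plain XML form this example expects, and the file should be inspected before anything is restored.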
Next, we can see a traffic capture of the SSL VPN using TCP with TLS.
[Figure: SSL VPN over TCP with TLS]
We can also see a traffic capture of the SSL VPN using UDP with DTLS, which offers better performance for remote users.
[Figure: SSL VPN over UDP with DTLS]
Regards my friends. I hope you have enjoyed this how-to and that you are planning to migrate your SSL VPN to DTLS.
Excellent! It helped me with some VPN client connections because of this coronavirus thing... we are going to be deploying DTLS! Thanks!
Excellent information, thanks.