For folks living in or travelling through China, a VPN (Virtual Private Network) has become a necessity if you want to leap over the Great Firewall and access sites like Facebook, Twitter and YouTube, to name but a few. While personal VPN providers like Witopia and 12vpn offer easy-to-set-up packages which you can install on your computer, many people will still intermittently experience slow or unstable connections (through no fault of the provider), which can dampen the experience.

I recently had a chat with the people from 12vpn about how users can optimize their computers to get the most out of their VPN connection, and I’ve compiled their advice, along with my own experiences, below. Some of this is quite technical but should be straightforward for anyone with moderate computer skills. Please feel free to add your own comments if you have any other recommendations.

N.b. in most cases this advice should be unnecessary but may be helpful for those wanting to squeeze a little extra juice out of their connection, or those experiencing abnormal network conditions.

Choosing The Fastest Gateway

VPN providers usually offer a number of gateways in different geographic locations which you can choose from (often in the US and Europe). Look at what you need: low latency or high throughput. While they often go hand in hand, this is not always the case.

  • Interactive applications like web browsing, gaming and voice over IP benefit most from low-latency connections and typically don’t need a lot of bandwidth.
    • Latency can be easily measured using the “ping” command, which is available in the Command Prompt in Windows or the Terminal on Mac OS X. Lower numbers are better (see screenshot below). Note that the latency increases along with the physical distance between you and the website. It’s normal for far away websites to have a higher latency than those close by.
  • Applications with little or no interaction, like watching videos, large downloads, etc., benefit more from high throughput.
    • Throughput is more difficult to measure. Really the only way is to simply try the website and see whether the video streams smoothly.

Common Mistakes

  • Measuring the “ping” to the VPN server itself: A VPN server which is closer by will have a lower ping time, but may not necessarily bring you “closer” to the website you’re trying to use. E.g. if you’re in Beijing, a Hong Kong VPN server may ping at 80 ms, while the US VPN server may ping at 200 ms. You may conclude the Hong Kong server will be faster for you. However, from the VPN server to the final website in the US, Hong Kong may need 180 ms, while the US server may only need 10 ms. The total ping time through Hong Kong would be 260 ms, through the US only 210 ms. It’s important you measure the actual websites you’re trying to use, not the VPN server itself (or a speed test website for that matter).
  • When considering throughput this becomes even more interesting. Throughput is influenced a lot by the load on specific internet connections, contracts between providers and other factors that aren’t always obvious. Sometimes (though not often) the further-away server can give you a higher throughput because it uses under-used or ‘cheaper’ routes to get from A to B.
  • Speed tests: They really tell you very little about the performance of websites. For illustration purposes you could try the iPlayer performance test on the BBC website. It measures the throughput for three different transmission methods, and the difference can sometimes be amazing. A high or low throughput on a speed test does not necessarily mean similar results when streaming video. Keep in mind that the purpose of many speed test websites is to promote their sponsors.

Last but not least: the internet is amazingly dynamic. Internet routes change daily to adapt to the increasing number of users, accommodate new websites, etc. What’s fast today may be slow tomorrow. Fortunately this also means that what was slow today may be faster tomorrow. Don’t hesitate to experiment or contact your VPN’s support dept.

Reducing Connection Time

When it comes to OpenVPN/Viscosity/Tunnelblick software clients, selecting a smaller authentication key size will help establish your connection faster. Not all VPNs allow you to select the authentication key size though. (12VPN will be transitioning from 4096-bit keys to 1024-bit keys to speed up the login process.) Note that this key size is different from the encryption key size, which is commonly 128- or 256-bit.

  • By default, OpenVPN will create a 128-bit encrypted data tunnel and a 256-bit encrypted control channel. On smaller devices (phones) this can slow things down significantly. Fortunately, most VPN providers allow you to override the encryption setting and lower the control channel to 128-bit, though that does require some OpenVPN knowledge (12VPN’s Android servers already do this automatically).
  • The config files of your VPN are likely to connect to a host name, e.g. server.vpn.com. You could speed things up a little by replacing this with the IP address of the server (which you can find by pinging the host name). A significant drawback, however, is that your connection will fail if the VPN provider changes the IP address.
  • Perhaps too obvious to mention, but faster Internet and a faster CPU will lower your connection time. It’s typically a bad idea to run the VPN on your router, as its CPU will have trouble encrypting at high throughputs, lowering your VPN speeds. Running it on your computer directly is the fastest option.
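To make the three client-side points above concrete (which key lengths the data and control channels negotiate, and whether `remote` points at a host name that must be resolved before every connect), here is a small checker for a client .ovpn file. It is an added example, not code from the original post, from 12vpn or from the OpenVPN project; the config it inspects is constructed, with a placeholder host name and a certificate body omitted. One caveat on the authentication key size discussed above: 1024-bit RSA has not been considered adequate for years, and 2048-bit is the usual minimum today, so a faster handshake is not a reason to go below that.

```python
"""Inspect a client .ovpn for the settings that affect connection time.

Added example: not the original post's code, nor 12vpn's or the OpenVPN
project's. SAMPLE_OVPN is constructed; the host name, port and ciphers are
placeholders chosen to exercise the checks.
"""
import ipaddress
import re

# Constructed client config (placeholders, not a real provider's file).
SAMPLE_OVPN = """\
client
dev tun
proto udp
# placeholder host name: a DNS lookup happens on every connect
remote server.vpn.example 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# data channel: 128-bit AES
cipher AES-128-CBC
auth SHA1
# control channel: 256-bit AES suite
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
verb 3
<ca>
-----BEGIN CERTIFICATE-----
(placeholder, certificate body omitted)
-----END CERTIFICATE-----
</ca>
"""

def parse_ovpn(text):
    """Return (directive, args) tuples, skipping comments and inline <ca>/<cert>/<key> blocks."""
    directives, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif not in_block:
            parts = line.split()
            directives.append((parts[0], parts[1:]))
    return directives

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def cipher_key_bits(name):
    """Key length implied by a cipher or TLS suite name, e.g. 'AES-128-CBC' -> 128."""
    m = re.search(r"(?:AES|CAMELLIA)[-_]?(128|192|256)", name.upper())
    if m:
        return int(m.group(1))
    if "BF-" in name.upper() or "BLOWFISH" in name.upper():
        return 128  # Blowfish as OpenVPN uses it: 128-bit key
    return None

def review_config(text):
    """Summarise the remote host, data-channel cipher and control-channel suites."""
    d = parse_ovpn(text)
    args_of = lambda name: [a for k, a in d if k == name]
    hosts = [a[0] for a in args_of("remote") if a]
    cipher = args_of("cipher")
    tls_cipher = args_of("tls-cipher")
    report = {
        "remote_by_hostname": [h for h in hosts if not _is_ip(h)],
        "data_cipher": cipher[0][0] if cipher else None,
        "data_key_bits": cipher_key_bits(cipher[0][0]) if cipher else None,
        "control_suites": tls_cipher[0][0].split(":") if tls_cipher else [],
    }
    bits = [cipher_key_bits(s) for s in report["control_suites"]]
    report["control_key_bits"] = max(b for b in bits if b) if any(bits) else None
    return report

def advice(report):
    """Turn the report into the post's recommendations, with their caveats."""
    notes = []
    for h in report["remote_by_hostname"]:
        notes.append(f"'remote {h}' needs a DNS lookup before each connect; pinning the IP "
                     "saves that step but fails if the provider re-addresses the server")
    if report["control_key_bits"] and report["control_key_bits"] > 128:
        notes.append("control channel uses a %d-bit suite; a 128-bit tls-cipher is lighter on "
                     "small devices but must be one the server also accepts" % report["control_key_bits"])
    return notes

if __name__ == "__main__":
    for note in advice(review_config(SAMPLE_OVPN)):
        print("-", note)
```

Run it against your own client file by replacing SAMPLE_OVPN with the file's contents. Both recommendations it prints carry the page's own caveats: a pinned IP breaks when the provider moves the server, and any `tls-cipher` or `cipher` change only works if the server side accepts the same setting.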

Maintaining a Stable Connection

  • Pick the VPN server with the least packet loss, preferably 0%. This can be measured using the MTR tool, which combines the functionality of the “traceroute” and “ping” programs in a single network diagnostic tool (available for Windows and Mac OS X).
  • Remove obstacles: software firewalls or cheap WiFi routers may prevent the VPN from going full-speed.
    • Even if your firewall is not blocking the VPN, it may still be spending CPU power on inspecting every single network packet. This does not necessarily increase the CPU load a lot, but will slow down the network flow. Make sure your firewall is properly configured to allow the VPN to flow unhindered.
    • A similar situation can occur on WiFi routers. Many WiFi routers will allow you to turn on/off stateful packet inspection (SPI). Unfortunately this function goes by many different names, sometimes “open” vs “secure”, or simply “firewall on” vs “firewall off”, etc. Some WiFi routers will grind the VPN to a halt after a few minutes of use, simply because they can’t keep up with SPI turned on. When in doubt, use a network cable to connect directly to the ADSL modem and see if that makes a difference.
  • Pick a good Internet provider:
    • In China it’s important to get yourself on China Telecom, China Unicom or China Mobile. Pretty much all other Chinese ISPs don’t have their own international gateways and cheap out on buying international bandwidth from China Telecom or Unicom.
    • Also, some ISPs (e.g. Shekou Cable) are known to intercept traffic and filter it through their own caching proxies, which causes all sorts of problems.
  • Sit in the right spot: WiFi connections may not be as stable as you perceive them to be. Unfortunately (or fortunately) WiFi instabilities are rarely noticed because they may only occur for 1 or 2 seconds. It becomes problematic when these interruptions occur exactly when the VPN performs its connection test and fails. This will cause the VPN to reset its connection which takes much more than 2 seconds and could even fail if another interruption occurs when it’s trying to re-connect. Again, try changing your position or using a cable temporarily to see if that improves things.
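The gateway-choosing advice earlier (measure the actual website through each gateway, not the VPN server itself) and the packet-loss advice in this section can be turned into one routine: run `mtr --report` against the same destination while connected through each gateway, then rank the gateways by the destination hop’s loss and average round-trip time. The script below does that parsing and ranking. It is an added example, not code from the original post or from 12vpn; the two reports are constructed samples in the format `mtr --report` prints, and the hop addresses are documentation ranges rather than real servers. Its figures mirror the Beijing example above: the Hong Kong gateway answers sooner but the end-to-end path to the US site is slower and lossier.

```python
"""Rank VPN gateways by packet loss and latency to the real destination.

Added example, not from the original post or from 12vpn. Parses output in
the format `mtr --report` prints and ranks gateways by the destination
hop's loss, then its average round-trip time. SAMPLE_REPORTS is constructed.
"""
import re

# In practice, while connected through each gateway, run
#   mtr --report --report-cycles 20 www.example.com
# and store each output under that gateway's name.
SAMPLE_REPORTS = {
    "hk-gateway": """\
HOST: laptop                      Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.168.1.1                0.0%    20    0.6   0.7   0.5   1.2   0.2
  2.|-- 10.8.0.1                   0.0%    20   78.9  81.3  77.1  95.4   4.1
  3.|-- 203.0.113.7              100.0%    20    0.0   0.0   0.0   0.0   0.0
  4.|-- www.example.com            5.0%    20  258.1 262.7 255.3 301.6  12.8
""",
    "us-gateway": """\
HOST: laptop                      Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.168.1.1                0.0%    20    0.6   0.7   0.5   1.2   0.2
  2.|-- 10.8.0.1                   0.0%    20  199.4 201.0 197.2 210.3   3.5
  3.|-- 198.51.100.3               0.0%    20  205.6 207.9 204.1 215.0   2.9
  4.|-- www.example.com            0.0%    20  209.3 211.2 208.0 219.7   3.1
""",
}

HOP_RE = re.compile(
    r"^\s*(?P<hop>\d+)\.\|--\s+(?P<host>\S+)\s+(?P<loss>[\d.]+)%\s+(?P<sent>\d+)"
    r"\s+(?P<last>[\d.]+)\s+(?P<avg>[\d.]+)\s+(?P<best>[\d.]+)\s+(?P<wrst>[\d.]+)"
    r"\s+(?P<stdev>[\d.]+)\s*$"
)

def parse_mtr_report(text):
    """Return one dict per hop line of an mtr --report text."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append({
                "hop": int(m["hop"]), "host": m["host"],
                "loss": float(m["loss"]), "sent": int(m["sent"]),
                "avg": float(m["avg"]), "wrst": float(m["wrst"]),
            })
    return hops

def destination(hops):
    """The last hop is the site you actually care about.

    Loss at an intermediate hop (even 100%) that does not carry through to
    the final hop is usually a router de-prioritising probes addressed to
    itself, not loss on the path, so only the final hop is scored.
    """
    return hops[-1] if hops else None

def rank_gateways(reports):
    """Gateway names sorted by destination loss, then destination average RTT."""
    scored = []
    for name, text in reports.items():
        dest = destination(parse_mtr_report(text))
        if dest is not None:
            scored.append((dest["loss"], dest["avg"], name))
    return [name for _, _, name in sorted(scored)]

def summary(reports):
    """One line per gateway, best first."""
    lines = []
    for name in rank_gateways(reports):
        d = destination(parse_mtr_report(reports[name]))
        lines.append(f"{name}: {d['loss']:.1f}% loss, {d['avg']:.1f} ms avg, "
                     f"{d['wrst']:.1f} ms worst to {d['host']}")
    return lines

if __name__ == "__main__":
    print("\n".join(summary(SAMPLE_REPORTS)))
```

Repeat the measurement at different times of day before settling on a gateway: as the post says, routes change, and a ranking taken once is only a snapshot.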

Tweaking Your Settings

  • With regards to DNS, don’t touch or change it: Things like OpenDNS or Google Public DNS break more than they fix. (This is why Google is proposing changes to the DNS system – so they can compensate for the things they’re breaking while continuing to use their service from which they gather data).
    • Content Distribution Networks like Akamai (which powers CNN, Hulu and tons of huge websites) as well as some of Google’s own services depend on the DNS system to determine your location and use it to connect you to the nearest/fastest servers. Using a 3rd-party DNS breaks this functionality.
    • For privacy reasons you may not want to send all your DNS requests to a 3rd party. Not only because you don’t want Google or OpenDNS to know what you’re up to, but also because DNS requests are sent unencrypted (at least as long as the VPN is turned off). Between your location in China and the OpenDNS server in US or elsewhere there will be a number of parties snooping on your DNS traffic. Using your local ISP’s DNS will limit exposure.
  • People in China sometimes suffer from DNS cache poisoning which causes traffic to be misdirected (i.e. blocked). Some important things to realize:
    • Using OpenDNS or Google Public DNS is no guarantee for avoiding DNS poisoning. It’s trivial to intercept and forge DNS packets.
    • If you start the VPN before you open your browser or IM programs, poisoning is unlikely to occur and easy to prevent.
    • Should it occur, then it’s not that hard to resolve – most VPN providers will have ready instructions.
    • Your VPN provider may have things in place to minimize DNS poisoning. Follow their instructions – not all VPN providers implement things in the same way.
  • Aside from changing the OpenVPN encryption as mentioned above there is not a lot you can tweak yourself. Most settings need to match the ones on the server to avoid problems. There are some memory buffers you can increase, but more is not always better.
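The DNS points above turn on what a resolver can and cannot verify about an answer. The script below is an added example, not code from the original post or from 12vpn: it builds an A query for a placeholder name and then validates two constructed replies, one that genuinely answers the query and one whose transaction ID does not match. Those are the checks a stub resolver performs before accepting an answer. They stop blind forgery but not an interceptor that sees the query (which is what the post means by forging being trivial), which is why the practical advice is to bring the VPN up before anything does a lookup. Addresses are documentation ranges, not real servers.

```python
"""Check that a DNS reply actually answers the query before using its address.

Added example, not from the original post or from 12vpn. Builds a query,
then validates constructed replies against it.
"""
import struct

def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels, terminated by 0."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(txid, name):
    # Header: id, flags (RD set), QDCOUNT=1, AN/NS/ARCOUNT=0;
    # question: name, QTYPE A (1), QCLASS IN (1).
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def build_a_reply(txid, name, addrs, ttl=300):
    """Constructed reply: QR/RD/RA set, question echoed, one A record per address."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    for a in addrs:
        # 0xC00C is a compression pointer to the name at offset 12 (the question).
        rdata = bytes(int(o) for o in a.split("."))
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return msg

def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer
            jumps += 1
            if jumps > 16:                     # guard against pointer loops
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def check_reply(query, reply):
    """Return (list_of_A_records, "ok") if reply answers query, else (None, reason)."""
    if len(reply) < 12:
        return None, "truncated header"
    qid = struct.unpack("!H", query[:2])[0]
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    if rid != qid:
        return None, "transaction ID mismatch"
    if not flags & 0x8000:
        return None, "not a response"
    if flags & 0x000F:
        return None, "rcode %d" % (flags & 0x000F)
    qname, qoff = decode_name(query, 12)
    rname, roff = decode_name(reply, 12)
    if qdcount != 1 or rname.lower() != qname.lower() or reply[roff:roff + 4] != query[qoff:qoff + 4]:
        return None, "question section does not match the query"
    off, addrs = roff + 4, []
    for _ in range(ancount):
        _, off = decode_name(reply, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        off += 10
        rdata, off = reply[off:off + rdlen], off + rdlen
        if (rtype, rclass, rdlen) == (1, 1, 4):
            addrs.append(".".join(str(b) for b in rdata))
    return addrs, "ok"

if __name__ == "__main__":
    q = build_query(0x1234, "www.example.invalid")
    print(check_reply(q, build_a_reply(0x1234, "www.example.invalid", ["192.0.2.10"])))
    print(check_reply(q, build_a_reply(0x1235, "www.example.invalid", ["203.0.113.5"])))
```

A real client also checks that the reply arrived from the server and port it sent the query to; that is socket-level and omitted here. Note what none of these checks can do: if the answer itself is wrong but well-formed and matched to the query, the client has no way to tell, which is the situation the post describes and the reason its mitigation is the tunnel rather than a different resolver.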

One tweak that 12vpn offers is to split VPN traffic from other traffic, reducing the use of your VPN connection. This means you can get away with a cheaper (Lite) account and also have local Chinese sites at their original speeds without routing through the US.

If you’d like to try 12vpn they have kindly offered to give Randomwire readers a 10% discount – enter the promotional code RANDOMWIRE when you sign-up to qualify.
