Abstract
A key feature of SSL VPN software is that it is inherently designed to transport payload data over either TCP or UDP tunnels. However, it is a common refrain not to use a TCP tunnel, due to the overhead associated with the protocol and the well-known performance problem caused by stacking one layer of TCP on top of another. Even so, in some restrictive network environments where UDP tunnelling may not work, TCP is the only option. With the increasing availability of reliable, high-speed networks and the introduction of new TCP congestion control algorithms, there is now an opportunity to revisit this problem. One such new congestion control algorithm is Google's Bottleneck Bandwidth and Round-trip Propagation Time (BBR). The algorithm has been reported to be superior in performance to older congestion control schemes. In this study, we investigate the use of BBR in SSL VPN and evaluate its performance in comparison to Cubic, the default Linux congestion control algorithm. Our findings showed that the use of BBR led to gains in VPN throughput for both TCP over UDP and TCP over TCP tunnelling. In the latter case, our study did not uncover the undesirable effects commonly associated with the stacking of TCP on top of TCP.
Cite
Chua, C. H., & Ng, S. C. (2022). SSL VPN over TCP and UDP Tunnels: Performance evaluation with different server-side congestion control. In ACM International Conference Proceeding Series (pp. 26–31). Association for Computing Machinery. https://doi.org/10.1145/3569507.3569511