Poor Performance with Poptop (pptpd)

Discussion in 'Linux Networking' started by Gabriel Michael, Sep 22, 2003.

  1. Hello,

    I'm running Poptop (hereafter pptpd) on my Red Hat 9 box to serve out
    PPTP VPN connections to multiple Win2000/XP clients. The purpose is so
    that I can run hlds (Half-Life Dedicated Server) as a LAN server, and
    allow others in my dorm to connect to it (we all have public IPs, so
    the VPN is required). The entire setup works correctly now; however, I
    am experiencing very poor performance for the VPN clients (ping > 1000
    ms in Half-Life in some cases). I thought this might be due to the
    PPTP encryption, so I disabled it (this is client-side configuration
    in Windows), but the performance is still poor. We are on a 10 Mbps
    LAN, and my box is a P-III 600, 384 MB RAM, and the external ethernet
    card is a 3Com 10/100. The box is not overloaded, nor are there just
    too many VPN connections; I've tested it with a single connection, and
    had high pings. I'd like to stick with using pptpd, because the
    client-side configuration is very easy. Is the pptpd daemon just not
    able to handle this, or are there other tweaks I can try? Any
    suggestions will be appreciated.

    Thanks,

    Gabe
     
    Gabriel Michael, Sep 22, 2003
    #1

  2. Gabriel Michael

    Paul Catley Guest

    Hello,

    I ran your message through Babelfish (Portuguese to English) in an effort to
    understand it, and it came up with this:

    ===========
    I'm running Poptop (to hereafter pptpd) on my Red Hat 9 box you serves out PPTP
    VPN connections you multiple Win2000/XP clients. The purpose is so that I can
    run hlds (Half-Life Dedicated Server) a LAN server, and allow others in my dorm
    you connect you it (we all have public IPs, so the VPN is required). The entire
    setup works correctly now; to however, I am experiencing very poor performance
    will be the VPN clients (ping > 1000 ms in Half-Life in adds marries). I
    thought this might be due you the PPTP encryption, so I disabled it (this is
    client-side configuration in Windows), but the poor performance is still. We
    ploughs on the 10 Mbps LAN, and my box is P-iii 600, 384 MB RAM, and the
    eXternal ethernet card is 3Com 10/100. The box is not overloaded, nor ploughs
    there just too many VPN connections; I've tested it with single connection, and
    had high pings. I'd like you stick with using pptpd, because the client-side
    configuration is very easy. Is the pptpd daemon just not able you handle this,
    or ploughs there to other tweaks I can try? Any suggestions will be
    appreciated.
    ===========

    Hmm, it seems it was in English after all, except for the ploughs. I'm none the
    wiser I'm afraid (and neither are you, sorry).
     
    Paul Catley, Sep 23, 2003
    #2

  3. *cough...JACKASS...cough*
     
    Steven C (Doktersteve), Sep 23, 2003
    #3
  4. [PPTP on RH9 for Windows Clients]
    Whether you need a VPN or not has nothing to do with
    the public IPs. It depends on the networking capabilities
    of the game and your network structure. If all the IPs are
    located in the same LAN network you won't need a VPN.

    Check the IP addresses and netmasks, the IP addresses
    should be from the same network range and the netmasks
    should be equal. Of course you could also check with
    tracert/traceroute. If you are on the same network, only
    the final destination answers, otherwise you get an answer
    from each intermediate router in addition.

    Do you also experience packet loss (i.e. did all pings get an
    answer back or not)? Use the ping command for this.

    If you have a packet filter running (on either end) disable
    it for a short test.

    Issue the ifconfig command; do you see suspiciously high error
    counters in the output?

    What response times do you get when you ping the _public_ IP
    addresses, or how is the performance w/o pptp of the network?

    Fire up ethereal on both sides of the VPN and have them
    listen on the ethernet and the pptp interface simultaneously.
    This should enable you to detect where the most time is wasted.
    You should also get an idea how much traffic hits your box.

    See above. If you are all connected to the _same_ LAN network
    without any intermediate router, you don't need a VPN.

    CIPE and OpenVPN would be an alternative if your problem
    is indeed caused by Poptop. They are easier to set up than
    IPSec stuff, also. ;-)


    Ciao, Horst
     
    Horst Knobloch, Sep 23, 2003
    #4
  5. Gabriel Michael

    Neil Jones Guest

    Nope, that was just plain funny.

    Reposting the entire message just to add your three word analysis,
    however, seems to me to be a lot closer to Jackass level than the
    original reply.

    Maybe you're just missing the olden days of posting with your
    friends....

    ___
    Neil
    AKA HighVis
    "Looooooooooooooozzzzzzaaaaaaaaaasssssssssss
    Bye, and Plonk, Plonk, Plonk...."
    - the amazing Chris Jacobs, fleetingly of AGHL
     
    Neil Jones, Sep 23, 2003
    #5
  6. Didn't your mother ever tell you, "If you don't have anything nice to
    say, don't say anything at all?" If you need clarification, ask for
    it; otherwise, don't waste my time. Newsgroups are based around
    individuals posting helpful replies, not insults.

    Gabe
     
    Gabriel Michael, Sep 23, 2003
    #6
  7. So, I have taken it upon myself to further explain my predicament, in
    order to not provide ammunition for those who feel the need to browse
    newsgroups and post useless, time-wasting replies from machines with
    poor firewalls.

    My box has two physical ethernet cards, eth0 and eth1. eth0 is the
    external card, with a public IP. eth1 is the internal card, with a
    private IP of 172.16.0.1. When one does `hlds [options] +sv_lan 1
    -nomaster`, hlds binds to this private IP. In order to allow other
    players to join the LAN game, I have installed pptpd to serve out PPTP
    VPN connections (using the GRE protocol, this is a Microsoft thing).
    The reason I chose pptpd is because the client connections are very
    easy to set up. When someone establishes a VPN to my public IP,
    ifconfig shows it as a PPP connection, with client IPs ranging from
    192.168.1.2-254 (the server is always 192.168.1.1). With proper
    forwarding in iptables, these clients simply go to their Half-Life
    console, type `connect 172.16.0.1`, and are able to connect to the
    game; however, they have very high pings, bad enough to discourage
    them from playing. Of course, when I join locally from 172.16.0.175 to
    172.16.0.1, my pings range from 6 - 15 ms.

    Is the poor performance due to pptpd? Are there tweaks or
    configuration to pptpd or the system in general (or for those in
    alt.games.half-life, hlds) that will improve the performance?

    Thanks,

    Gabe
     
    Gabriel Michael, Sep 23, 2003
    #7
  8. I thought Paul's post more of a self deprecating riff on his lack of
    knowledge of things techy, to be honest.
     
    Charles McKey, Sep 23, 2003
    #8
  9. Uh-oh.
    I'm in the wrong room.

    --
    Thad
    "You are so clueless that if you dressed in a clue skin, doused yourself
    in clue musk, and did the clue dance in the middle of a field of horny
    clues at the height of clue mating season, you still would not have a
    clue." -Guy Macon
     
    Spyder Barques, Sep 23, 2003
    #9
  10. Gabriel Michael

    Neil Jones Guest

    You're not from round these parts, are you? Still, the auto sig-catcher
    needed the workout....

    :::auto sig-catcher on:::

    Ker-chingggg!!!

    :::auto sig-catcher off:::

    Cheers

    ___
    Neil
    AKA HighVis
    "Newsgroups are based around individuals posting helpful replies, not
    insults" - Gabriel Michael
     
    Neil Jones, Sep 23, 2003
    #10
  11. Gabriel Michael

    Paul Catley Guest

    Ahh, at least somebody understood my intent :)
     
    Paul Catley, Sep 23, 2003
    #11
  12. Gabriel Michael

    Paul Catley Guest

    No insult intended. I guess I was just overawed that there was barely a word of
    your post that I understood (which is my fault, not yours). I probably didn't
    need to comment on this fact, but I confess, I was just doodling with the
    keyboard for my own amusement and maybe some others who know me. I did
    apologise for not being helpful at the end. To be honest, I couldn't even tell
    if your post was on or off topic (though I did spot the words "Half-Life" in
    there). It's pathetic, I know.
     
    Paul Catley, Sep 23, 2003
    #12
  13. Gabriel Michael

    Paul Catley Guest

    Hmm, I wonder if that's some kind of threat. What's a "firewall"?
     
    Paul Catley, Sep 23, 2003
    #13
  14. Well, to put it shortly
    If you are to build two houses side by side, the wall between those two
    houses needs to be built in such a way that it'll prevent the fire from spreading
    from one house to the other - called a firewall

    - Peter
     
    Peter Lykkegaard, Sep 23, 2003
    #14
  15. Gabriel Michael

    Paul Catley Guest


    Ahh, they have those in planes to separate the engine (may catch fire) from the
    passengers (prefer not to). I see where you're going: I obviously need a lot
    more Rockwool in my PC. Thanks!
     
    Paul Catley, Sep 23, 2003
    #15
  16. First of all, apologies to Paul. Sorry, I misread the intent of your
    message. The last few drawn-out technical discussions I've had have
    degenerated into flame wars each time between purported repliers, and
    I wanted to avoid that this time. No harm done.

    And now on to more Portuguese ;-)

    The topology of the network is a LAN, in the sense that there are no
    intermediate routers between myself and the other individuals in my
    dorm; however, Half-Life won't allow people to join directly on the
    public IP when a LAN game is being run - it spits out some error about
    requiring a Class C IP address (which isn't exactly truthful, either,
    since it works with Class B, and I assume Class A). But regardless,
    there are people in other dorms who do have intermediate routers, and
    so the VPN is required for them as well.
    No packet loss at all.
    I shut down iptables on the server, and the pings dropped by about
    15-20 ms.
    There are no errors whatsoever.
    I get pings < 1 ms from a machine that is four hops away.
    Ah, this is interesting. I ran tethereal on ppp0 and eth1, and
    filtered the results to display only the GRE and UDP protocols.
    Examining the "Time delta from previous packet" on GRE packets gives
    an average of about a 40 ms turnaround. The turnaround for UDP is
    mostly less than 1 ms, but sometimes goes up to around 40 ms... which,
    combined, gives 80 ms, plus a few more from the firewall (which isn't
    so bad, but other people have much higher pings), which is about what
    I was getting when I tested this VPN. So I'm guessing it is pptpd
    that's adding those extra 40 ms? I'm no expert at using ethereal, is
    this a valid conclusion?
    Yeah, IPSec is definitely overkill for this type of thing, and
    difficult for clients (and me!) to set up.
     
    Gabriel Michael, Sep 23, 2003
    #16
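
One way to break the GRE and UDP time deltas discussed in the post above down by stage, as an added example that is not part of the original thread: it groups each gap to the previous packet by which protocol came before and after, so tunnel-side and game-side delays are reported separately. The capture lines are constructed, and the one-line summary layout, the 198.51.100.x public addresses and the UDP ports are assumptions.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed sample, not a real capture. Assumed layout per line: frame number,
# seconds since capture start, source, "->", destination, protocol, info.
# 198.51.100.x stands in for the public addresses of server (.10) and client (.20).
SAMPLE = """\
  1   0.000000 198.51.100.20 -> 198.51.100.10 GRE Encapsulated PPP
  2   0.000400 192.168.1.2 -> 172.16.0.1 UDP Source port: 27005  Destination port: 27015
  3   0.000900 172.16.0.1 -> 192.168.1.2 UDP Source port: 27015  Destination port: 27005
  4   0.040100 198.51.100.10 -> 198.51.100.20 GRE Encapsulated PPP
  5   0.050000 198.51.100.20 -> 198.51.100.10 GRE Encapsulated PPP
  6   0.050500 192.168.1.2 -> 172.16.0.1 UDP Source port: 27005  Destination port: 27015
  7   0.051200 172.16.0.1 -> 192.168.1.2 UDP Source port: 27015  Destination port: 27005
  8   0.091000 198.51.100.10 -> 198.51.100.20 GRE Encapsulated PPP
"""

LINE = re.compile(r"^\s*\d+\s+(\d+)\.(\d+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)")

def parse(text):
    """Return (time_in_microseconds, src, dst, proto) for each summary line."""
    packets = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip headers, blank lines, anything unparseable
        secs, frac, src, dst, proto = m.groups()
        # Integer microseconds avoid floating-point noise in the subtraction.
        usec = int(secs) * 1_000_000 + int(frac.ljust(6, "0")[:6])
        packets.append((usec, src, dst, proto))
    return packets

def transition_gaps(packets, protocols=("GRE", "UDP")):
    """Group the gap to the previous packet by (previous proto, this proto)."""
    kept = [p for p in packets if p[3] in protocols]
    gaps = defaultdict(list)
    for prev, cur in zip(kept, kept[1:]):
        gaps[(prev[3], cur[3])].append(cur[0] - prev[0])
    return dict(gaps)

def mean_gaps_ms(gaps):
    """Mean gap per transition, in milliseconds."""
    return {k: mean(v) / 1000 for k, v in gaps.items()}

if __name__ == "__main__":
    for (a, b), ms in sorted(mean_gaps_ms(transition_gaps(parse(SAMPLE))).items()):
        print(f"{a:>3} -> {b:<3} {ms:7.2f} ms")
```

On a real capture the pairing is only a heuristic, since game traffic is not strictly request and reply; it is most useful with a single client connected.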
  17. Gabriel Michael

    Paul Catley Guest

    Apologies unnecessary, I *was* being a jackass :) Welcome to AGHL, btw.

    :D
     
    Paul Catley, Sep 23, 2003
    #17
  18. Gabriel Michael

    Ben Cottrell Guest

    Half-life LAN games only work if the clients are on Class C IP
    addresses... so this may be why he needs VPN

    --
    Ben Cottrell AKA Bench


    "Computer games don't affect kids; I mean if Pac-Man affected us as
    kids, we'd all be running around in darkened rooms, munching magic pills
    and listening to repetitive electronic music." - Kristian Wilson,
    Nintendo, Inc, 1989
     
    Ben Cottrell, Sep 23, 2003
    #18
  19. Ah! Well, in the spirit of being helpful, allow me to introduce you to
    this:

    http://dictionary.reference.com/search?q=humor

    Note that it takes some experience to correctly identify this quality when
    you encounter it. Paul will likely post something later that's not a joke,
    and you can compare the two. ;-)
     
    John Twernbold, Sep 24, 2003
    #19
  20. Yep, but a nice one :)

    - Peter
     
    Peter Lykkegaard, Sep 24, 2003
    #20
