Home VPN – Consideration on bandwidth and IPSec overhead
I was considering implementing a VPN solution for accessing my home network, mostly for the NAS (Network Attached Storage) I’ve recently bought. Nowadays I reach it directly (via NAT) from my public IP (obviously I had to build some kind of filtering).
I have an ADSL connection with 5000 Kbit/s download and 300 Kbit/s upload. I’m going to focus on the upload part because it is my bottleneck.
Installing a VPN solution isn’t that difficult, but with limited bandwidth, what drawbacks will it bring?
Now considering an IPSec VPN solution using ESP in tunnel mode (the full IP packet is protected), IPSec will add a new IP header, an ESP header, an ESP trailer and an ESP ICV.
The overhead generated by IPSec is about 50-60 bytes per packet (depending on the authentication/encryption/hash used). For my calculation I’ll take 60 bytes of overhead as the reference.
Normally I can reach a packet upload rate of about 25 packets per second:
37.5 Kbytes (=300kbits) / 1.5 Kbyte (max IP packet size) = 25 packets/second
If IPSec is used, my packet rate will fall to:
37.5 Kbytes / 1.560 Kbyte (IP Packet + ESP overhead) = ~ 24 packets/second
Maybe it's easier to see it as a percentage. Estimating a packet size of 1500 bytes, this corresponds to a loss of 60 bytes, which is equal to 4% of bandwidth lost. Also to be considered is that the percentage varies with the IP packet size: as said before, 1500 bytes is the maximum size, but if, for example, the packets sent are just 1,000 bytes, the overhead is more marked, with bandwidth 6% lower than without the VPN.
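The same calculation as an added example (not part of the original post), worked per transform and per packet size, including the cipher-block padding that makes the ESP overhead vary. It assumes an IPv4 outer header, no NAT-T encapsulation, and ignores ADSL framing and fragmentation; the transform list and the function names are illustrative.

```python
from dataclasses import dataclass

OUTER_IPV4 = 20       # new outer IPv4 header, no options
ESP_HEADER = 8        # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER_MIN = 2   # pad length (1 byte) + next header (1 byte)


@dataclass(frozen=True)
class Transform:
    name: str
    iv: int      # per-packet IV carried in the ESP payload
    block: int   # alignment the padded payload must meet
    icv: int     # integrity check value (truncated MAC or GCM tag)


# Common transform pairs; sizes follow the ESP and algorithm specifications.
TRANSFORMS = [
    Transform("3DES-CBC + HMAC-SHA1-96", 8, 8, 12),
    Transform("AES-CBC + HMAC-SHA1-96", 16, 16, 12),
    Transform("AES-CBC + HMAC-SHA-256-128", 16, 16, 16),
    Transform("AES-GCM (16-byte ICV)", 8, 4, 16),
]


def esp_overhead(inner_len: int, t: Transform) -> int:
    """Bytes that tunnel-mode ESP adds to an inner IP packet of inner_len bytes."""
    # Inner packet plus the two trailer bytes is padded up to the block size.
    pad = -(inner_len + ESP_TRAILER_MIN) % t.block
    return OUTER_IPV4 + ESP_HEADER + t.iv + pad + ESP_TRAILER_MIN + t.icv


def goodput(link_bps: int, inner_len: int, t: Transform):
    """Return (packets/s, inner bytes/s, percent of the link spent on overhead)."""
    outer = inner_len + esp_overhead(inner_len, t)
    pps = (link_bps / 8) / outer
    return pps, pps * inner_len, 100 * (1 - inner_len / outer)


if __name__ == "__main__":
    uplink = 300_000  # the 300 Kbit/s upload from the post
    for t in TRANSFORMS:
        for size in (1500, 1000, 40):  # full-size, medium, bare TCP ACK
            pps, bps, loss = goodput(uplink, size, t)
            print(f"{t.name:28} {size:5d} B  +{esp_overhead(size, t):2d} B  "
                  f"{pps:6.1f} pkt/s  {loss:4.1f}% overhead")
```

Small packets such as bare TCP ACKs pay the same fixed headers as full-size ones, so their overhead percentage is far higher than the figures for 1500-byte packets.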
So, in conclusion, this will cost me a loss of about 1500 bytes per second; considering the protection that IPSec brings, I think it is a price worth paying (in fact, I had about 10k brute-force attacks on the NAS in less than a month!).