Is selective VPN routing worth it?

5,058

Solution 1

The overhead implicit in the more complex routing is absolutely negligible. It may amount to an extra percent, no more. There is more overhead involved in the encryption, which is furthermore taking place at both ends of the VPN (en/de-cryption). I cannot estimate the overall cost, timewise, of this routing decision, but it might be noticeable for a streaming service, as opposed to the occasional Web page perusing.

In this light, there are more arguments to consider. First, forcing your router to do the en/de-cryption for a streaming service means slowing down your whole LAN. A better choice would be to set up the same apparatus (i.e., VPN end tunnel), on a PC, and then route all Pandora requests through that pc. This way, both routing and en/de-cryption would slow down only the pc, not the whole LAN.

Also, it is not clear to me why you should wish to use a VPN to access Pandora (unless of course you live outside the US). VPNs are usually needed to maintain privacy, or to guarantee secure access to a remote LAN. Neither applies in your case. So, unless you live outside the US, my suggestion would be to avoid streaming through the VPN.

Edit:

If you wish to use another pc as your gateway only for Pandora routing, first set up the VPN from that pc. Then, on your router, add a specific route for Pandora through that pc. Most modern routers will have something like Advanced routing, where you can specify routes through a GUI. This is functionally equivalent to:

   sudo route add -host 11.22.33.44 gw 192.168.0.5

if 192.168.0.5 is the IP address of the pc acting as the VPN client.

On 192.168.0.5, issue the command:

   sudo iptables -t nat -A POSTROUTING -d PANDORA's_IP_address -j MASQUERADE

and allow IPv4 forwarding:

   sudo sysctl -w net.ipv4.ip_forward=1

and you are done. Piece of cake.

Caveat: when you do that, pinging Pandora from another pc (i.e., not the VPN client), will produce an output of this kind:

  From 192.168.0.1: icmp_seq=2 Redirect Host(New nexthop: 192.168.0.5)

That's not an error: it is just your router telling you that a faster way of reaching Pandora is via 192.168.0.5 directly, without passing through the router first. Nothing more. It is true you could do this, but doing it on your router means the same shortcut to Pandora is available to all pcs on your LAN. The only nuisance is the above warning, a small price to pay, I believe.

Solution 2

There is a very slight overhead when using a secure encrypted VPN tunnel, and it would be dependent on the specific VPN protocols used and the level of encryption that is set. For example, in L2TP/IPSEC, bandwidth overhead using AES is approximately 7.95%, and for low-bandwidth interactive traffic (such as an SSH session) this could almost double the amount of data transmitted during the session.

If your only purpose is to access restricted content from outside the USA, and the level of security doesn't matter, a PPTP connection is recommended, as it has relatively low overhead, making it faster than other VPN methods.

Mike McKay

Updated on September 18, 2022

Comments

  • Mike McKay
    Mike McKay over 1 year

    I want to setup routing tables on my RT-N66U router to selectively route traffic through a VPN. For instance, only Pandora requests would go via the VPN. I've found a way to do this with iptables:

    #!/bin/sh
    sleep 60
    PPTPSERVER=$(/usr/sbin/nvram get pptpd_client_srvip)
    PPTPGWY=$(/usr/sbin/nvram get wan_gateway)
    /sbin/route add -host $PPTPSERVER gw $PPTPGWY dev vlan2
    /sbin/route del default
    /sbin/route add default gw $PPTPGWY 
    /sbin/route add default dev ppp0 metric 100
    
    #Pandora
    /sbin/route add -net 208.85.0.0/16 dev ppp0 
    /sbin/route add -net 64.95.61.0/24 dev ppp0
    /sbin/route add -net 64.94.123.0/24 dev ppp0
    /sbin/route add -net 208.85.40.0/24 dev ppp0
    /sbin/route add -net 208.85.41.0/24 dev ppp0
    /sbin/route add -net 67.225.0.0/24 dev ppp0
    
    #iptables -t nat -A PREROUTING -p tcp --dport 1935 -j DROP
    #iptables -t nat -A PREROUTING -p udp --dport 1935 -j DROP
    
    iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
    

    source: http://www.pistonheads.com/gassing/topic.asp?t=968046

    But my question is, will the extra overhead required to route traffic cause my overall throughput to be lower than it would be by just using the VPN for everything?

    Is there a better strategy?

    • K. Pretorius
      K. Pretorius over 7 years
      I would like to follow the above approach, where should I add that "ip tables" text for it to work?
  • Mike McKay
    Mike McKay over 10 years
    Thanks that is very helpful. I am outside of the US. I could easily setup an OpenVPN client on another box with spare CPU. How would I then forward Pandora requests from the router to that box? I guess the gateway just becomes the IP address of the VPN'd machine.
  • MariusMatutiae
    MariusMatutiae over 10 years
    @MikeMcKay See my edit for the reply.
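As an added example (not from the question or from either answer), a small POSIX shell script that ties the two halves of this thread together. It applies the Pandora prefixes from the question's script to decide, for any destination, whether that route table sends a packet over ppp0 or the WAN default, and it prepares the gateway-PC commands from Solution 1's edit with input validation and an idempotent MASQUERADE insert. The prefixes are the ones in the question's script; 11.22.33.44 and 192.168.0.5 are the illustrative addresses Solution 1 uses; the file name selective-vpn.sh is hypothetical; DRY_RUN=1 (the default) prints the commands rather than executing them.

```shell
#!/bin/sh
# Added example (not from the question or either answer): decides which egress
# a destination gets under the question's route table, and prepares the
# gateway-PC commands from Solution 1's edit. DRY_RUN=1 (the default) prints
# commands instead of executing them; run as root with DRY_RUN=0 to apply.

# Prefixes the question's script routes over ppp0 (copied from that script).
PANDORA_NETS="208.85.0.0/16 64.95.61.0/24 64.94.123.0/24 208.85.40.0/24 208.85.41.0/24 67.225.0.0/24"
DRY_RUN=${DRY_RUN:-1}

# Accept only a dotted quad with octets 0-255; rejects placeholders such as
# PANDORA's_IP_address that would otherwise be handed straight to iptables.
ipv4_ok() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Dotted quad -> 32-bit integer, so prefixes can be compared under a mask.
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length -> netmask as an integer (0 for /0). 4294967295 is 0xFFFFFFFF.
mask_for() {
    [ "$1" -eq 0 ] && { echo 0; return; }
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# in_cidr DST NET/PLEN: true when DST lies inside the prefix.
in_cidr() {
    net=${2%/*}
    m=$(mask_for "${2#*/}")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$net") & m )) ]
}

# egress_for DST: "ppp0" if a Pandora prefix matches, else "wan". Anything not
# covered falls to the two default routes; "default gw $PPTPGWY" (metric 0)
# beats "default dev ppp0 metric 100", so non-Pandora traffic stays on the WAN.
egress_for() {
    for n in $PANDORA_NETS; do
        if in_cidr "$1" "$n"; then echo ppp0; return 0; fi
    done
    echo wan
}

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" -eq 1 ]; then echo "$*"; else "$@"; fi
}

# True when the MASQUERADE rule already exists (treated as absent in dry run).
rule_present() {
    [ "$DRY_RUN" -eq 1 ] && return 1
    iptables -t nat -C POSTROUTING -d "$1" -j MASQUERADE 2>/dev/null
}

# gateway_setup PANDORA_IP: the commands Solution 1 gives for the PC holding the
# VPN tunnel, with input validation and an idempotent rule insert. The table
# name must be lowercase: iptables rejects "-t NAT".
gateway_setup() {
    ipv4_ok "$1" || { echo "gateway_setup: '$1' is not an IPv4 address" >&2; return 1; }
    run sysctl -w net.ipv4.ip_forward=1
    rule_present "$1" || run iptables -t nat -A POSTROUTING -d "$1" -j MASQUERADE
}

# router_route_cmd PANDORA_IP GATEWAY_PC: the matching host route for the router
# (a GUI "Advanced routing" entry is equivalent).
router_route_cmd() {
    ipv4_ok "$1" && ipv4_ok "$2" || return 1
    echo "route add -host $1 gw $2"
}

# With an argument, configure this host as the gateway for that destination.
[ $# -eq 0 ] || gateway_setup "$@"
```

Source the file (`. ./selective-vpn.sh`) to use `egress_for` interactively, e.g. `egress_for 8.8.8.8` prints `wan` while `egress_for 208.85.40.12` prints `ppp0`; on a live host `ip route get <dst>` gives the kernel's own answer to the same question, which is the check to run after applying the question's script. `DRY_RUN=0 sh selective-vpn.sh 11.22.33.44`, run as root on the gateway PC, applies the sysctl and the nat rule; the `-C` probe means re-running it does not stack duplicate MASQUERADE rules.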