TCP over TCP is a bad idea (2000)

86 points, by Deeg9rie9usi, 7 months ago

6 comments

aarmenaa, 7 months ago
I've just spent the last month learning exactly why I definitely do want a TCP over TCP VPN. The short answer is almost every cloud vendor assumes you're doing TCP, and they've taken the "unreliable" part of UDP to heart. It is practically impossible to run any modern VPN on most cloud providers anymore.

Over the last month, I've been attempting to set up a fast Wireguard VPN tunnel between AWS and OVH. AWS killed all internet access on the instance with zero warning and sent us an email indicating that they suspected the instance was compromised and being used as part of a DDOS attack. OVH randomly performs "DDOS mitigation" anytime the tunnel is under any load. In both cases we were able to talk to someone and have the issue addressed, but I wanna stress: this is one stream between two IPs -- there's *nothing* that makes this anything close to looking like a DDOS. Even after getting everything properly blessed, OVH drops all UDP traffic over 1 Gbps. It took them a month of back-and-forth troubleshooting to tell us this.

The really terrible part is "TCP over TCP is bad" is now so prevalent there's basically no good VPN options for it if you need it. Wireguard won't do it directly, but there's hacks involving udp2raw. I tried it, and wasn't able to achieve more than 100 Mbps. OpenVPN can do it, but is single-threaded and won't reasonably do more than 1 Gbps without hardware acceleration, which didn't appear to work on EC2 instances. strongSwan cannot be configured to do unencapsulated ESP anymore -- they removed the option -- so it's UDP encapsulated only. Their reasoning is UDP is necessary for NAT traversal, and of course everybody needs that. It's also thread-per-SA so also not fast. The only solution I've found that can do something not UDP is Libreswan, which can still do unencapsulated ESP (IP Protocol 50) if you ask nicely. It's also thread-per-SA, but I've managed to wring 2 - 3 Gbps out of a single core after tinkering with the configuration.

For the love of all that's good in the world, just add performant TCP support to Wireguard. I do not care about what happens in non-optimal conditions.

/rant
Reply #41950486 not loaded
Reply #41950878 not loaded
Reply #41950834 not loaded
Reply #41956890 not loaded
Reply #41955849 not loaded
Reply #41951052 not loaded
Reply #41953533 not loaded
Reply #41950460 not loaded
Reply #41955531 not loaded
dang, 7 months ago
Related:

Why TCP over TCP is a bad idea (2001) - https://news.ycombinator.com/item?id=25080693 - Nov 2020 (68 comments)

Why TCP Over TCP Is a Bad Idea (2001) - https://news.ycombinator.com/item?id=9281954 - March 2015 (43 comments)

Why TCP Over TCP Is A Bad Idea - https://news.ycombinator.com/item?id=2409090 - April 2011 (26 comments)
cma, 7 months ago
If you are in a situation where you have to anyway, you can use multiple TCP sockets and round robin them (with Nagle off) such that you are always sending just one packet over each. You'll get overhead and some unneeded acks, but no front of line blocking of the second layer of TCP mechanics going on.
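A minimal illustration of the round-robin approach in the comment above, written for this page as an added example (it is not code from the thread or from any VPN project). It spreads sequence- and length-prefixed messages across several loopback TCP connections with TCP_NODELAY set (Nagle off), and the receiver reads all connections concurrently and reassembles the messages in order. The framing format, function names, and sample payloads are this example's own assumptions.

```python
import selectors
import socket
import struct
import threading
import time

# Frame header: 32-bit sequence number, 16-bit payload length (network byte order).
HEADER = struct.Struct("!IH")


def frame(seq: int, payload: bytes) -> bytes:
    """Prefix a payload with its sequence number and length so the receiver can reorder it."""
    return HEADER.pack(seq, len(payload)) + payload


def send_round_robin(host: str, port: int, messages: list, n_conns: int) -> None:
    """Open n_conns TCP connections with Nagle disabled and spread messages across them."""
    socks = []
    for _ in range(n_conns):
        s = socket.create_connection((host, port))
        # TCP_NODELAY turns Nagle off: each sendall() below leaves immediately
        # instead of waiting to be coalesced with the next one.
        s.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
        socks.append(s)
    for seq, payload in enumerate(messages):
        # Message seq goes on connection seq % n_conns, so consecutive messages
        # never queue behind each other on the same connection.
        socks[seq % n_conns].sendall(frame(seq, payload))
    for s in socks:
        s.close()


def receive_reassembled(listener: socket.socket, n_conns: int, expected: int,
                        timeout: float = 5.0) -> list:
    """Accept n_conns connections, read frames from all of them, return payloads in sequence order."""
    sel = selectors.DefaultSelector()
    pending = {}  # connection -> bytes not yet parsed into a complete frame
    for _ in range(n_conns):
        conn, _ = listener.accept()
        conn.setblocking(False)
        pending[conn] = b""
        sel.register(conn, selectors.EVENT_READ)

    frames = {}  # seq -> payload (the reorder buffer)
    deadline = time.monotonic() + timeout
    while len(frames) < expected and time.monotonic() < deadline:
        for key, _ in sel.select(timeout=0.1):
            conn = key.fileobj
            data = conn.recv(65536)
            if not data:  # peer closed this connection
                sel.unregister(conn)
                conn.close()
                del pending[conn]
                continue
            buf = pending[conn] + data
            # Parse every complete frame currently buffered on this connection.
            while len(buf) >= HEADER.size:
                seq, length = HEADER.unpack_from(buf)
                if len(buf) < HEADER.size + length:
                    break
                frames[seq] = buf[HEADER.size:HEADER.size + length]
                buf = buf[HEADER.size + length:]
            pending[conn] = buf
    for conn in list(pending):
        sel.unregister(conn)
        conn.close()
    sel.close()
    if len(frames) < expected:
        raise RuntimeError(f"only {len(frames)} of {expected} frames arrived before timeout")
    return [frames[i] for i in range(expected)]


def demo(n_conns: int = 4, n_msgs: int = 24) -> list:
    """Run sender and receiver over loopback; return the payloads the receiver reassembled."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    listener.listen(n_conns)
    port = listener.getsockname()[1]

    # Constructed sample payloads standing in for tunnelled packets.
    messages = [f"inner packet {i}".encode() for i in range(n_msgs)]
    result = []
    receiver = threading.Thread(
        target=lambda: result.extend(receive_reassembled(listener, n_conns, n_msgs)))
    receiver.start()
    send_round_robin("127.0.0.1", port, messages, n_conns)
    receiver.join(timeout=10)
    listener.close()
    return result


if __name__ == "__main__":
    for payload in demo():
        print(payload.decode())
```

Each message is a separate send on its own connection, so a retransmission stalling one connection delays only every n_conns-th frame rather than the whole stream, which is the point of the comment. The costs it mentions are visible too: every connection carries its own ACK traffic, and the receiver needs a reorder buffer that grows while one connection lags behind the others. Keep each message below the path MTU if the "one packet per connection" property is to hold on the wire.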
some_furry, 7 months ago
Yes, but what about IPv6 over Amazon S3?

https://xeiaso.net/blog/anything-message-queue/
Reply #41951885 not loaded
Svip, 7 months ago
I notice that the earliest version of this post[0] is dated 1999, whilst the latest version is modified in 2001 (see the main link). Which year would be appropriate to mark it on HN? 1999? 2001?

[0] https://web.archive.org/web/20000310230940/http://sites.inka.de/~W1011/devel/tcp-tcp.html
Reply #41949695 not loaded
Reply #41949200 not loaded
01HNNWZ0MV43FF, 7 months ago
Port forwarding doesn't count, right?
Reply #41950015 not loaded
Reply #41950939 not loaded