vpn interview questions

Top vpn frequently asked interview questions

Linux solution for VPN on-demand for iOS devices

According to Apple’s support article on VPN for iOS, only Cisco IPSec, Juniper Junos Pulse, and Cisco AnyConnect support the VPN on-demand feature. Are there any open-source implementation (‘free’ as in beer is more important here) of these that I could deploy on a Linux-based system with no special hardware?

Update: I already have a PPTP solution. I am specifically interested in the on-demand features of the other two.

Source: (StackOverflow)

OpenVPN low performance. Do I have MTU problems? Dumps inside

I have problems with an OpenVPN tunnel which does not reach line speed. The gateway is a Debian Jessy virtual server hosted at OVH. The client is either my freebsd 10.2 homeserver (Intel I3 Ivy Bridge) or my RaspberryPI2. I deactivated encryption and authentication. I have a 100mbit/s symmetrical FTTH connection but the tunnel only reaches a speed of 20-40mbit/s. Direct connection (without tunnel) always yields the 100mbit/s I expect. I tested the performance with iperf3. I first tried with my freebsd homeserver. I tried all the recommended settings about mssfix, fragment etc. Nothing helped.

Then I thought maybe it is my freebsd machine. So I installed a fresh raspbian Jessy on my RPI2 and did some more in depth testing:

First of all I removed all the MTU settings from the OpenVPN configs and let the path MTU handle things (hopefully). Since I have no firewall active on both machines it should work. These are my vpn configs:

port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0

user nobody
group nogroup
ifconfig-pool-persist ipp.txt
keepalive 10 120
push "redirect-gateway def1"
status openvpn-status.log
verb 3

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/vpn.theissen.io.crt
key /etc/openvpn/easy-rsa/keys/vpn.theissen.io.key
dh /etc/openvpn/easy-rsa/keys/dh4096.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher none
auth none
comp-lzo no

proto udp
dev tun12
remote xxx.io 1194
resolv-retry infinite
sndbuf 0
rcvbuf 0

user nobody
group nogroup
verb 3

pkcs12 /etc/openvpn/vpn.theissen.io/alex.p12
tls-auth /etc/openvpn/vpn.theissen.io/ta.key 1
ns-cert-type server
cipher none
auth none
comp-lzo no

First of all the test without the tunnel to show that the connection to the server is indeed almost 100mbit/s:

iperf3 -c vpn.theissen.io
Connecting to host vpn.theissen.io, port 5201
[  4] local port 34512 connected to port 5201
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec  10.8 MBytes  90.5 Mbits/sec    0    335 KBytes       
[  4]   1.00-2.00   sec  11.4 MBytes  95.7 Mbits/sec    0    335 KBytes       
[  4]   2.00-3.00   sec  11.1 MBytes  93.0 Mbits/sec    0    352 KBytes       
[  4]   3.00-4.00   sec  11.2 MBytes  94.0 Mbits/sec    0    369 KBytes       
[  4]   4.00-5.00   sec  11.5 MBytes  95.9 Mbits/sec    0    390 KBytes       
[  4]   5.00-6.00   sec  11.0 MBytes  92.5 Mbits/sec    0    390 KBytes       
[  4]   6.00-7.00   sec  11.4 MBytes  95.2 Mbits/sec    0    390 KBytes       
[  4]   7.00-8.00   sec  11.2 MBytes  94.3 Mbits/sec    0    390 KBytes       
[  4]   8.00-9.00   sec  11.1 MBytes  93.3 Mbits/sec    0    390 KBytes       
[  4]   9.00-10.00  sec  11.3 MBytes  95.1 Mbits/sec    0    390 KBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec   112 MBytes  93.9 Mbits/sec    0             sender
[  4]   0.00-10.00  sec   112 MBytes  93.5 Mbits/sec                  receiver

iperf Done.

The packets of this connection I dumped with tcpdump on the server. You can download them here (you have to extract to open them with wireshark): dumpraw.cap.xz

So this is how a "OK" dump looks like. Maximum frame size I spotted is 1514. Dump of iperf3 without tunnel

Now I ran the test over the tunnel:

iperf3 -c
Connecting to host, port 5201
[  4] local port 36388 connected to port 5201
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec  5.96 MBytes  50.0 Mbits/sec  127    133 KBytes       
[  4]   1.00-2.00   sec  5.19 MBytes  43.5 Mbits/sec    6    120 KBytes       
[  4]   2.00-3.00   sec  5.80 MBytes  48.7 Mbits/sec    0    151 KBytes       
[  4]   3.00-4.00   sec  4.27 MBytes  35.9 Mbits/sec   23   96.5 KBytes       
[  4]   4.00-5.00   sec  4.89 MBytes  41.0 Mbits/sec    0    129 KBytes       
[  4]   5.00-6.00   sec  6.11 MBytes  51.2 Mbits/sec   26    111 KBytes       
[  4]   6.00-7.00   sec  5.50 MBytes  46.1 Mbits/sec    0    143 KBytes       
[  4]   7.00-8.00   sec  5.25 MBytes  44.1 Mbits/sec   15    126 KBytes       
[  4]   8.00-9.00   sec  5.80 MBytes  48.7 Mbits/sec    0    158 KBytes       
[  4]   9.00-10.00  sec  3.97 MBytes  33.3 Mbits/sec   22    105 KBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec  52.7 MBytes  44.2 Mbits/sec  219             sender
[  4]   0.00-10.00  sec  52.3 MBytes  43.8 Mbits/sec                  receiver

iperf Done.

Whoops. Not so nice anymore. Especially this "Retr" column does not look so good. I assumed this is the tcp retransmit and there should be then something in the dump. We will see that it is not the case :/. CPU is not the bottleneck here because I deactivated enrcyption and authentication. CPU is at 20% at the server and 50% on the PI during the test.

This is how the OpenVPN traffic of the test looks like: OpenVPN traffic on physical interface

To me this looks okay. But I do not know what to look for. Please have a look at the dump with wireshark: dump_physical.cap.xz

The traffic on the tunnel interface looks good to me, too. It seems that he correctly lowered the frame size (to 1444 as it seems): iperf3 traffic on the tunnel interface

Here is the dump: dump_tunnel.cap.xz

To me this looks all fine but I really have no idea what to look for exactly. I really tested everything out with the OpenVPN settings. Maybe someone can tell me if the traffic looks okay.

What I expect as an answer

At least an explanation what is happening here and why it seems to be independent of the VPN software I use. Everything what I found on the internet was about MTU problems but that should be easily fixed by reducing the tunnel MTU or the other parameters of OpenVPN. For me this changes little. When you look at the dump you see that it reduces the tcp segment size and packets are not fragmented. There must be something else. I really like to know what.


I tested this with strongswan and even with softether. It's actually the same problem (comparable speed, no cpu bottleneck). I am really puzzled what is the problem here. I also tried another gateway (RaspberryPi2 on friends 100/100 home connection).

Update 2

I noticed that iperf3 reports tcp retransmits (retr) but there are no retransmits in the dump (Wireshark should highlight them). What is going on?

I even tried OpenVPN on my local Network (RaspberryPi2 to FreebsdServer). Even there I have a lot of retransmits (on LAN?!):

Connecting to host, port 5201
[  4] local port 46196 connected to port 5201
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec  9.19 MBytes  77.0 Mbits/sec    8    141 KBytes       
[  4]   1.00-2.00   sec  8.71 MBytes  73.1 Mbits/sec    3    130 KBytes       
[  4]   2.00-3.00   sec  8.59 MBytes  72.0 Mbits/sec    3    120 KBytes       
[  4]   3.00-4.00   sec  8.65 MBytes  72.5 Mbits/sec    4    108 KBytes       
[  4]   4.00-5.00   sec  8.65 MBytes  72.5 Mbits/sec    4   95.6 KBytes       
[  4]   5.00-6.00   sec  8.52 MBytes  71.5 Mbits/sec    2   80.5 KBytes       
[  4]   6.00-7.00   sec  8.83 MBytes  74.1 Mbits/sec    0    141 KBytes       
[  4]   7.00-8.00   sec  8.59 MBytes  72.0 Mbits/sec    7    106 KBytes       
[  4]   8.00-9.00   sec  8.71 MBytes  73.1 Mbits/sec    3   94.2 KBytes       
[  4]   9.00-10.00  sec  8.59 MBytes  72.0 Mbits/sec    3   79.2 KBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec  87.0 MBytes  73.0 Mbits/sec   37             sender
[  4]   0.00-10.00  sec  86.8 MBytes  72.8 Mbits/sec                  receiver

In reverse mode I have a really weird congestion window (wtf?):

Accepted connection from, port 46197
[  5] local port 5201 connected to port 46198
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  5]   0.00-1.00   sec  8.90 MBytes  74.7 Mbits/sec    3   1.48 GBytes       
[  5]   1.00-2.00   sec  8.45 MBytes  70.9 Mbits/sec    2   1.59 GBytes       
[  5]   2.00-3.00   sec  8.66 MBytes  72.7 Mbits/sec  518    214 MBytes       
[  5]   3.00-4.00   sec  7.96 MBytes  66.8 Mbits/sec   37    703 MBytes       
[  5]   4.00-5.00   sec  8.09 MBytes  67.9 Mbits/sec    0    719 MBytes       
[  5]   5.00-6.00   sec  8.04 MBytes  67.5 Mbits/sec    0    734 MBytes       
[  5]   6.00-7.00   sec  8.07 MBytes  67.7 Mbits/sec    1    703 MBytes       
[  5]   7.00-8.00   sec  8.07 MBytes  67.7 Mbits/sec    1    703 MBytes       
[  5]   8.00-9.00   sec  7.99 MBytes  67.1 Mbits/sec    2    693 MBytes       
[  5]   9.00-10.00  sec  8.06 MBytes  67.6 Mbits/sec    1    693 MBytes       
[  5]  10.00-10.09  sec   684 KBytes  64.5 Mbits/sec    0    695 MBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[  5]   0.00-10.09  sec  83.0 MBytes  69.0 Mbits/sec  565             sender
[  5]   0.00-10.09  sec  0.00 Bytes  0.00 bits/sec                  receiver

Update 3

Using iperf with udp results in ovh temporary blocking that port (they send me an email informing me about an attack) and massive packet loss:

Server listening on 1194
Accepted connection from, port 15906
[  5] local port 1194 connected to port 4355
[ ID] Interval           Transfer     Bandwidth       Jitter    Lost/Total Datagrams
[  5]   0.00-1.00   sec  2.89 MBytes  24.2 Mbits/sec  0.727 ms  1017/1387 (73%)  
iperf3: OUT OF ORDER - incoming packet = 1409 and received packet = 1470 AND SP = 5
iperf3: OUT OF ORDER - incoming packet = 1410 and received packet = 1471 AND SP = 5
iperf3: OUT OF ORDER - incoming packet = 1411 and received packet = 1472 AND SP = 5
iperf3: OUT OF ORDER - incoming packet = 1445 and received packet = 1473 AND SP = 5
iperf3: OUT OF ORDER - incoming packet = 1463 and received packet = 1473 AND SP = 5
[  5]   1.00-2.00   sec  3.29 MBytes  27.6 Mbits/sec  0.716 ms  1110/1526 (73%)  
[  5]   2.00-3.00   sec  3.30 MBytes  27.7 Mbits/sec  0.732 ms  1103/1526 (72%)  
[  5]   3.00-4.00   sec  3.27 MBytes  27.4 Mbits/sec  0.717 ms  1108/1526 (73%)  
[  5]   4.00-5.00   sec  1.56 MBytes  13.1 Mbits/sec  0.837 ms  546/746 (73%)  
[  5]   5.00-6.00   sec  0.00 Bytes  0.00 bits/sec  0.837 ms  0/0 (-nan%)  
[  5]   6.00-7.00   sec  0.00 Bytes  0.00 bits/sec  0.837 ms  0/0 (-nan%)  
[  5]   7.00-8.00   sec  0.00 Bytes  0.00 bits/sec  0.837 ms  0/0 (-nan%)  
[  5]   8.00-9.00   sec  0.00 Bytes  0.00 bits/sec  0.837 ms  0/0 (-nan%)  
[  5]   9.00-10.00  sec  0.00 Bytes  0.00 bits/sec  0.837 ms  0/0 (-nan%)  
[  5]  10.00-10.06  sec  0.00 Bytes  0.00 bits/sec  0.837 ms  0/0 (-nan%)  
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Jitter    Lost/Total Datagrams
[  5]   0.00-10.06  sec   118 MBytes  98.5 Mbits/sec  0.837 ms  4884/6711 (73%)  
[SUM]  0.0-10.1 sec  4884 datagrams received out-of-order

Source: (StackOverflow)

telnet counterpart for UDP

Is there anything that enables a "telnet-like" functionality for UDP? I know the difference between TCP and UDP, and why telnet itself won't work - but I'm wondering if there is something similar to the telnet client, from the end-user perspective. E.g. udp-telnet [ip] [sending-port] [receiving-port] which then prints out wether a packet made it back or not.

Having a tool like this would proove helpful for testing out firewall settings for OpenVPN which uses UDP connections.

Source: (StackOverflow)

Security of PPTP vs IPSec

Is PPTP or IPSEC VPN more secure than the other for 'dial in' VPN, if so, why?

Source: (StackOverflow)

What's the protocol-level difference between IPSec and "Cisco IPSec"?

Most VPN clients distinguish between IPSec and "Cisco IPSec." For example, (Apple's) iOS treats them as essentially separate things.

But I can't find any explanation of what the protocol-level differences are. They may be minor, but there definitely appear to be differences.

Can someone shed light on this? Even just a pointer to a detailed explanation would help a great deal. Thanks!

Source: (StackOverflow)

Can you recommend a good intro to iptables? [closed]

I have to setup a firewall on a Linux server (all my previous experience is with Windows). My rules are meant to be pretty simple - forbid all, allow some ports with all, allow some ports for specific IP subnets, while the network is small but complex (each host has IPs in at least 2 192.168... nets, everyone can interconnect many different ways). I think using iptables wrappers can overcomplicate the system logically introducing many unnecessary entities and it would be better to keep it simple and use iptables directly.

Can you recommend a good quick intro on how to write iptables rules?

Source: (StackOverflow)

Windows SSH Tunnel Manager

What application do you use on windows to create SSH tunnels

On Linux I use gSTM, and on OSX I have used STM, but I am not able to find any similar free tools on windows.

I don't want to use putty, or plink for these tunnels, because, I am looking for something that will sit in the tray starting stopping tunnels can easily be done by right-clicking. Ideally the configuration will be stored in a text file or something so I can automate the install of the app, keys, and tunnel configuration on a computer using a script.

Free is proffered, but please post information about any good windows SSH tunnel manager.

Source: (StackOverflow)

How to resolve a "driver failure" error in the Cisco VPN client connecting from a Windows 7 client

I have recently upgraded my laptop from Windows Vista SP1 to Windows 7 Professional.

After the upgrade, if I try to use the Cisco VPN client to connect to a network, I get this message:

Secure VPN Connection terminated locally by the Client.
Reason 440: Driver Failure.

Prior to the upgrade, I was able to connect with no problems.

The version of the client I am using is

Source: (StackOverflow)

OpenVPN and DNS. How to?

I'm using OpenVPN to set up a VPN to connect my laptop at home to my workplace LAN. I want to be able to refer my workplace computers by their name and not by their IP but I can't.

This is my situation:

Workplace LAN:

  • Address space:
  • Router address:

Home LAN:

  • Address space:
  • Router address:


  • Address space:
  • OpenVPN server address:

All machines are running Microsoft Windows.

At my workplace, the PC running as the OpenVPN server is (and in the VPN), and its machine name is workplaceserver.

At my workplace the name workplaceserver is resolved to address, but in the vpn client the name workplaceserver can't be resolved, I want it to be resolved to How should I configure OpenVPN in order to achieve that?

Source: (StackOverflow)

What is TLS and how does it compare to SSL?

Is TLS the "new" version of SSL? What features does it add, or security issues does it address?

Can anything that supports SSL support TLS? What would be involved in making the switch? Is the switch worth it?

Why is it that emails are sent over "Opportunistic TLS" and VPN's often called SSL VPN? Is there a difference in the technology, perhaps creating room for a "TLS VPN" product line ?

Source: (StackOverflow)

Is the Windows VPN secure?

I have used a few VPN solutions over the years. Most are hard to set up, slow to connect and/or rather ill-behaved (replacing system drivers, disrupting each other etc).

One solution I have never used earlier is the one built into Windows. This is mostly because the infrastructure guys always refuse to use it because they claim it's 'not secure'.

Now I have finally had the chance to use it (on Windows 7), and wow, it's a breeze! Easy to set up, well-behaved, it connects almost instantly, automatically authenticates with my logged-in credentials, and integrates excellently with the UI. I have to say, unless it really isn't secure, I'll be happy if I never have to use another VPN product ever again.

I gather the Windows VPN used to rely on PPTP, which is not considered secure. But in Windows 7/2008, it supports L2TP/IPSec, SSTP and IKEv2, and authenticates with EAP or CHAP/CHAPv2. That seems pretty up-to-date to me.

But I'm just a lowly developer. Can someone in the know give me the lowdown on this?

Source: (StackOverflow)

Windows Advanced Firewall: What does "Edge Traversal" mean?

this should be a really simple one:

In Advanced Windows Firewall on Windows Server 2008+, Properties > Advanced, what does "Edge Traversal" mean?

I Googled it, of course, and was unable to come up with a concrete answer, and I was especially shocked to see the following on Thomas Schinder's blog:

The Edge traversal option is an interesting one, because it’s not documented very well. Here’s what the Help file says:

“Edge traversal This indicates whether edge traversal is enabled (Yes) or disabled (No). When edge traversal is enabled, the application, service, or port to which the rule applies is globally addressable and accessible from outside a network address translation (NAT) or edge device.”

What do you think this might mean? We can make services available across a NAT device by using port forwarding on the NAT device in front of the server. Could this have something to do with IPsec? Could it have something to do with NAT-T? Could it be that the Help file writer for this feature didn’t know either, and made something up that represented a tautology?

I don’t know what this does, but if I find out, I’ll make sure to include this information in my blog.

I appreciate his honesty, but if this guy doesn't know, who does?!

We're having difficulty connecting to a VPN as soon the machine is on the other side of a router, and I was wondering if this might help? So I'm pretty keen to hear a proper description of what "Edge Traversal" does!

Source: (StackOverflow)

How to connect to a Juniper VPN from Linux

The Windows users have a new client "Juniper Pulse" to connect to the Juniper VPN server.

On Linux, what VPN client do we have to connect to that Juniper VPN, with maximum compatibility?

Please mention the necessary parameters that have to be provided.

Source: (StackOverflow)

When would you use MPLS?

After having just spent months setting up a fairly complex VPN, I'm beginning to look at alternatives for the future. Some of my network providers use MPLS to connect to us, and I suppose it works fairly well. I know many ATM (automated teller machine) networks use MPLS, which I suppose it a vote of confidence for its security properties.

http://en.wikipedia.org/wiki/MPLS%5FVPN is rather succinct:

"MPLS VPN is a family of methods for harnessing the power of Multiprotocol Label Switching (MPLS) to create Virtual Private Networks (VPNs). MPLS is well suited to the task as it provides traffic isolation and differentiation without substantial overhead.[citation needed]

Layer 3 MPLS VPN

A layer 3 MPLS VPN, also known as L3VPN, combines enhanced BGP signaling, MPLS traffic isolation and router support for VRFs (Virtual Routing/Forwarding) to create an IP based VPN. Compared to other types of VPN such as IPSec VPN or ATM, MPLS L3VPN is more cost efficient and can provide more services to customers."

My question is : how cumbersome / expensive is it to set up an MPLS network? Is it the kind of thing where you can buy the hardware and DIY, or do you really need to go to a service provider? I can get "managed" VPN's for $100/month right now (which I have no idea if this is good or bad), my five partner IPSEC "hairpin" topology thereby costs me 6,000 a year. Would that be better invested in MPLS?

Source: (StackOverflow)

How to start setting up a VPN server for smart phone clients?

I have a Ubuntu Lucid Lynx VM which I've been tinkering with. I want to set up a VPN and I am happy to learn how to do it on my own but the vastness of options makes my head spin, so I'm just looking for pointers.

Factors I want considered for my setup

  • Each user needs personal authentication (not one password for all)
  • I want know what OS the client is using (android / iphone other)
  • I want to track how much bandwidth is being used by each individual
  • Although security is important, it's mainly for bypassing China's great firewall (reach facebook / twitter) so I'm not trying to protect pentagon files. Security is good, as long as it doesn't involve hours of complicated configurations.
  • Prevent the same user from using multiple devices to access vpn at the same time
  • Any sugggestions?

So my questions are:

  • What protocol should i use to be compatible with Android (say 1.6+) and iPhones?
  • What administrative software should I use (free preferably but willing to invest a little)?
  • What guides / tutorials can you recommend that are a little bit less confusing than this?


16 IPSec VPN Tunnels
8 L2TP VPN Tunnels (Dial-in: 4, Dial-out: 4)
8 PPTP VPN Tunnels (Dial-in: 4, Dial-out: 4)

  • Embedded IPSec & PPTP client/server
  • IKE key management
  • DES, 3DES and AES encryption for IPSec
  • Embedded powerful 3DES accelerator
  • MPPE Encryption for PPTP
  • L2TP within IPSec
  • L2TP/PPTP/IPSec pass-through


  • L2TP / IPSec
  • MSChapV2 Password
  • RSA SecurID
  • CRYPTOCard
  • PPTP
  • MSChapV2 Password
  • RSA SecurID
  • CRYPTOCard
  • Cisco IPSec VPN
  • Password
  • RSA SecurID
  • CRYPTOCard
  • Certificate


  • I'll be sure to add a bounty after the 2 day period, hope this question can help other people who would like to create a similar setup.
  • The title of this question is not that great, feel free to edit
  • I don't need all answers answered any pointers would help :)

Source: (StackOverflow)