Hacker News new | past | comments | ask | show | jobs | submit login

Time for shameless plug, but I hope someone will find my experience useful.

I tried wide variety of VPN solutions, including Wireguard, IKEv2, OpenVPN, L2TP/IPsec, PPTP. Eventually I came to conclusion: I don't need VPN at all with all it's packet-level machinery, I just need fast encrypted proxy for browser and IM to forward my TCP connections securely.

And in practical terms, even Wireguard is not fastest substitution for proxy because packet loss on last mile (roughly) causes delays comparable to RTT between client and destination server versus proxy where retransmit on last mile packet loss occurs only between proxy server and client (it's also true for OpenVPN in TCP mode, but it has much more serious downsides caused by packet encapsulation inside stream protocol). Despite that fact Wireguard and other packet-level tunnels have higher theoretical throughput (from server point of view), simple TCP-to-TCP connection forwarding often gains higher practical speeds and more durable if such TCP-forwarding do not depend on state of underlying tunnel. So I decided: forward each TCP connection in separate encrypted connection will be just fine.

There already exist software which allows to wrap SOCKS in TLS or SSH (for example stunnel or haproxy for TLS case and OpenSSH for SSH case), but TLS handshake delay for each connection kills speed benefits for typical browsing scenario. Dynamic port forwarding via SOCKS proxy built-in into OpenSSH client has another drawback: all forwarded connections multiplexed into single one and in real networks with packet loss it makes high speeds unapproachable.

For these reasons I decided to re-implement both stunnel and OpenSSH client for connection forwarding purposes.

Here it is: https://github.com/Snawoot/ptw - TCP-to-TLS wrapper, which keeps pool of established TLS connections in order to cancel TLS handshake delay. May serve as transparent proxy on Linux router (sends haproxy PROXY-protocol v1/v2 in connection prologue) or serve as wrapper for plain SOCKS/HTTP/whatever proxy.

And second one: https://github.com/Snawoot/rsp - Rapid SSH Proxy, faster [1] replacement to `ssh -ND`. It also uses connection pooling, and, unlike default OpenSSH client, maps TCP connections one-to-one to SSH connections. You don't need any setup on server side: working SSH server should be already enough.

And this is how I quit hating. Now I don't need to turn proxy on/off, because it doesn't imposes performance penalty. In SpeedTest I achieve almost full connection speed (mine is 100Mbps) with ptw or rsp (versus 50Mbps with wireguard).

[1] - https://github.com/Snawoot/rsp#performance

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact