Frequently Asked Questions

Does VpnCloud run under Windows or MacOS? Does it have mobile apps?

Currently not. Right now, VpnCloud runs on Linux only. Windows, MacOS and BSD are planned though.

Working with virtual networks and system services is very OS specific, so supporting other platforms is not trivial.

If you have experience with one of these platforms and want to help, please contact me.

Does VpnCloud support nodes behind NAT gateways?

Yes, VpnCloud has support for NATed peers. In general connecting to nodes behind a NAT gateway is complicated, as the NAT makes it impossible to initiate a connection from the Internet. This makes it especially hard to connect two nodes that are both behind NAT gateways. VpnCloud tries its best to map a port on the NAT gateway to make the node reachable from the Internet (only the VpnCloud port) and behave like a regular node.

VpnCloud can connect nodes behind NAT gateways using hole punching if those nodes know each others addresses. If there is at least one other regular node in the network, it will help those nodes exchange their addresses and connect to each other. VpnCloud also supports publishing and retrieving beacons containing encrypted node addresses that can help in the case where there is no other way to exchange addresses.

In any case, connecting nodes behind NAT gateways is a fragile process and it might take up to a minute for the node to connect. You can help the nodes by using unique ports for nodes that are behind the same NAT.

Does VpnCloud encrypt its traffic?

Yes, VpnCloud encrypts all traffic using AES-128, AES-256 or CHACHA20 (whichever is the fastest for the connection) and uses Curve25519 elliptic keys to authenticate hosts during connection setup.

You can, however, explicitly allow unencrypted connections in the configuration of a node. If unencrypted connections are enabled for two nodes, they will communicate without encryption after the initial encrypted handshake.

Please see the Cryptography in VpnCloud writeup for more information.

How does VpnCloud compare to Tinc?

Tinc is a great VPN software that I used in a project for quite some time. However, I was not happy with some of its properties, so I developed VpnCloud. The main differences between Tinc and VpnCloud are:

• Tinc uses RSA key pairs, which requires you to exchange public keys between all peers. This is complicated if you just want a VPN quickly and it becomes a nightmare if you want to setup 200+ nodes (like in my project).
• The performance of Tinc is pretty ok for a VPN but VpnCloud is much faster.
• Tinc does not scale well. In a network with 200+ nodes, the nodes are very much busy with keeping up the connectivity and only have limited resources for payload.
• In Tinc you have to explicitly specify which nodes should connect to which other nodes while VpnCloud automatically connects to all nodes it can find.
• Tinc supports routing traffic between nodes that are not connected directly through other nodes.
• Tinc works on Linux, BSD, MacOS, and Windows and even has mobile Apps while VpnCloud (currently) only works on Linux.

What happens when I increase the MTU above 1400?

Setting the MTU higher than the physical medium causes IP to fragment each inner packet into several outer packets and reassemble them at the receiving side. This has the advantage that VpnCloud has to process less packets and therefore uses less CPU (most of it will be memcpy) and has less context switches. It will also save some bytes on the wire as less bytes are used for VpnCloud headers and UDP headers and only a small additional IP fragmentation header is added.

The downside is that if one of the outer packets gets lost on the wire, the whole inner packet is lost. If your MTU is 40 times higher than normal, 40 outer packets will be sent for one inner packet. So your packet loss rate will be about 40 times higher than normal (e.g. 4.1% instead of 0.1%). It will also influence your delay distribution negatively.

If the delay distribution and the loss ratio matters to you, this is a bad idea. If your line is pretty good and you just care about throughput, I think it makes sense to increase the MTU.

For 10 Gbps interfaces, the default MTU is already 9000, so VpnCloud should run at a MTU of 8900.

(Full thread in issue #2)

Does VpnCloud support IP multicast?

VpnCloud has no special support for multicast and I did not test any multicast scenarios. So this is all theoretical:

• If you use a TAP device, IP multicast should be mapped to ethernet broadcast and just work (although being a little bit inefficient)
• If you use a TUN device with the default router mode IP multicast packets should be dropped as no node claims the IP multicast region.
• If you use a TUN device with the learning switch mode, the multicast packets should be broadcast and multicast should just work (although being a little bit inefficient)

Other VPN software either does not implement multicast (like VpnCloud currently) or cheats by broadcasting it. Proper multicast support is somewhat complicated as several control protocols for IPv4 and IPv6 have to be implemented.

(Full thread in issue #12)

What does "non-native forwarding mode" mean?

There are two device types TUN and TAP and the only difference between them is that TUN transports IP packets and TAP transports Ethernet frames which wrap the contained IP packets.

All the rest is about how VpnCloud decides where packets/frames should be sent to. In routed mode, each node claims one or more address regions by prefix and all the nodes match against those prefixes. In switch mode, nodes learn addresses by looking at the source addresses and broadcast for unknown addresses. Routed mode is native to TUN devices and switched mode is native to TAP devices but there is no reason not to use switched mode for TUN devices.

Also see Device types explained: TUN vs. TAP.

(Full thread in issue #12)

How much overhead do VpnCloud headers add?

VpnCloud has an 8-byte header containing the key id and the nonce used for encryption. Additionally, a 16 byte checksum is appended to the message. Inside the encrypted message, there is a single byte to distinguish the message type. As VpnCloud packets are transported over UDP, you have to add the UDP header (8 bytes), an IP header (20 bytes for IPv4 and 40 bytes for IPv6) and an Ethernet header (14 bytes) for TAP devices.

So the total overhead is:

• 73 bytes
• plus 14 bytes for TAP devices

Can I run multiple VPNs on one computer using VpnCloud?

Yes, this is possible. While VpnCloud has no built-in support for running multiple networks in parallel, you can still run multiple instances of VpnCloud in parallel. The instances just need different names and different UDP ports on the host. VpnCloud will automatically choose different network interface names for different instances.