If you’ve ever had to connect to a corporate network while working remotely, chances are you are familiar with the concept of Virtual Private Networks (VPNs). VPNs establish a secure connection from your device to another part of the network, adding a layer of security and privacy around your online activity. VPNs are an indispensable part of enterprise networks but tend to add a layer of complexity to network monitoring and troubleshooting. In today’s blog post we analyse the implications of VPNs on end-user experience and how to monitor VPN-oriented networks.
How VPNs work
VPNs provide an encrypted and authenticated communication channel, or tunnel, between two endpoints on the Internet. How the tunnel is authenticated and encrypted depends on the underlying VPN technology, such as Point-to-Point Tunneling Protocol (PPTP) or Layer 2 Tunneling Protocol/IPSec (L2TP/IPSec). VPNs can also combine standalone encryption and authentication techniques. For example, OpenVPN, one of the popular VPN services, uses OpenSSL, TLS and HMAC for encryption, and certificate-based or username/password-based techniques for authentication. The choice of VPN technology depends on various factors like speed, security, operating system compatibility, etc.
VPNs also come in two distinct flavors, depending on how the tunnel is established and the entities at each end of the tunnel. Site-to-site VPNs connect two networks, for example a branch office and a datacenter, and use a VPN gateway. The VPN gateway manages the authentication and encryption and requires no instrumentation on end devices. Remote access VPNs connect standalone individual hosts like desktops and laptops to a network. The end hosts need additional VPN client software to connect to the VPN; most operating systems come with native VPN clients. Figure 1 below shows the difference between site-to-site and remote access VPNs. Today’s blog post will focus only on remote access, or client-side, VPN connections.
Why do we rely on VPNs?
With more and more users connecting from remote locations and unsecured Wi-Fi hotspots, enterprises recommend using VPNs to prevent a data breach. By its very nature, a VPN disguises the IP address of the device on one end of the tunnel by “virtually” connecting it to the network on the other end of the tunnel, masking the real location of the end user. For this reason, VPNs are also used to circumvent political or government censorship imposed on the Internet. One of the most famous examples involves using VPNs to bypass the Great Firewall of China, which recently resulted in China banning VPN services.
Although VPNs provide an additional layer of security, troubleshooting performance issues can be challenging. VPNs can obscure the network path, increase network latency and directly impact application performance. Monitoring the network path through a VPN tunnel, analyzing the loss and latency at the VPN server and correlating the impact to end-user experience is not the focus of traditional monitoring tools. If you can’t see it, you can’t manage it!
With Endpoint Agent you can understand and visualise the impact of client-based VPN connections on end-user performance. Endpoint Agents are browser plugins deployed on end-user laptops and desktops to record user sessions directly from browser-based activity. If a VPN is identified, Endpoint Agents track the performance of the VPN server or concentrator, correlating it to the application performance and underlying network behavior. You can quickly identify if the performance of the remote user is influenced by VPN behavior or an ISP outage.
How VPNs Impact Performance
VPNs introduce an additional leg to the path taken by data packets and can sometimes have a negative impact on network latency. The increased latency can possibly affect application performance.
When remote employees are unable to access a critical application, it can have serious impact to the business and employee productivity. Performance impact to the end-user can manifest itself in various ways from sluggish page loads to non-persistent connections. In the following section we draw a correlation between end user experience and VPN performance. Let’s take a look at three scenarios.
Increased Network Latency
With VPN-based connections, an increase in page load times can be an indication of increased network latency. Latency is the average round trip time from the user to the application, webpage or VPN server and is a representation of distance between them.
If inserting a VPN service increases the latency in accessing a webpage, you might want to take a look at the path traversed by packets. Consider the following example. While accessing Salesforce from my laptop in San Francisco through a VPN service, I noticed that the network latency (Figure 2) was substantially higher (402ms) than the average baseline of 50ms.
The first step in troubleshooting the high latency led me to the Network View (Figure 3) to visualize the path taken from my laptop in San Francisco to the Salesforce NA38 instance located in Phoenix, Arizona. What becomes immediately obvious is that the VPN server I was connected to was located in Romania, causing packets to travel halfway around the world to reach the destination. No wonder it was taking 402ms to reach Salesforce!
Sometimes, a misconfiguration or connecting to the wrong VPN server can result in packets taking unoptimized routes. Visualizing the network within the VPN tunnel and the Internet helps zero in on issues that are sometimes hard to detect.
Elevated Packet Loss
Elevated packet loss at the VPN server can have an adverse impact on application availability. The data collected by Endpoint Agent visually represents packet loss in all network segments, including the nodes in the VPN tunnel, along with VPN loss and latency for every session. This data becomes very powerful when correlated with the Page Success Rate metrics at the application level. Reporting regularly on parameters like Page Success Rate and VPN server loss can draw out patterns and correlation. Notice how the spike in VPN loss correlates to a dip in Page Success Metrics in Figure 4.
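The two checks described in the latency and packet-loss scenarios above, flagging a VPN server whose round-trip time blows past the baseline and measuring how tightly VPN loss tracks Page Success Rate, can be scripted over per-session records. The example below is added here and is not Endpoint Agent code; the session samples, the 3x-baseline alert factor and the server names are constructed assumptions.

```python
"""Correlate VPN-tunnel health with end-user page success (added example)."""
import math
from dataclasses import dataclass


@dataclass
class Sample:
    """One monitoring interval: constructed sample data, not Endpoint Agent output."""
    vpn_server: str
    vpn_latency_ms: float
    vpn_loss_pct: float
    page_success_pct: float


BASELINE_LATENCY_MS = 50.0  # the 50 ms baseline quoted in the post
LATENCY_FACTOR = 3.0        # assumed alert threshold: 3x the baseline

SAMPLES = [  # constructed to mirror the post's scenario (local server vs. distant one)
    Sample("vpn-sf", 48.0, 0.0, 100.0),
    Sample("vpn-sf", 52.0, 0.5, 99.0),
    Sample("vpn-ro", 402.0, 0.0, 97.0),
    Sample("vpn-ro", 395.0, 8.0, 70.0),
    Sample("vpn-ro", 410.0, 12.0, 55.0),
    Sample("vpn-sf", 49.0, 1.0, 98.0),
]


def high_latency_servers(samples, baseline=BASELINE_LATENCY_MS, factor=LATENCY_FACTOR):
    """VPN servers whose latency exceeds factor x baseline (the 402 ms vs 50 ms case)."""
    return sorted({s.vpn_server for s in samples if s.vpn_latency_ms > factor * baseline})


def pearson(xs, ys):
    """Pearson correlation coefficient; returns 0.0 when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy) if sx and sy else 0.0


def loss_vs_success(samples):
    """Correlate VPN loss with Page Success Rate; a strongly negative value means
    loss spikes line up with dips in page success (the pattern in Figure 4)."""
    return pearson([s.vpn_loss_pct for s in samples],
                   [s.page_success_pct for s in samples])


if __name__ == "__main__":
    print("high-latency VPN servers:", high_latency_servers(SAMPLES))
    print("VPN loss vs page success correlation: %.2f" % loss_vs_success(SAMPLES))
```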
Loss of Internet Connection
Have you ever run into a situation where connecting to a VPN shuts down access to public domains? This can arise from a simple misconfiguration within the VPN service or from rules configured by enterprises to restrict access while on VPN. Either way, it can be extremely frustrating and challenging for the user and the IT staff troubleshooting this issue.
A few days back this is exactly what I bumped into while connecting to a VPN service in Romania. I lost all connectivity to the external world and was unable to access Salesforce, Okta and Google Drive. Looking through individual user-sessions from Endpoint Agent data (Figure 5), I gathered that this was because of a DNS-related issue.
As all traffic from my laptop was being routed through the VPN tunnel, the DNS name servers configured within the VPN service were tasked with the IP address resolution. However, the VPN DNS servers, both primary and secondary (Figure 6), were unable to resolve these domains. The DNS servers supplied by the VPN were having issues, which effectively blocked all online activity.
The DNS issue was also validated from the network level view (Figure 7).
Monitoring Your VPN Services
There is no doubt that VPNs are essential to maintain the security and privacy of data. In a world where Work-From-Home and Bring-Your-Own-Network initiatives are gaining traction, VPNs are bound to become a quintessential part of the Internet-centric enterprise. When adopting and adapting to these new trends, keep network visibility top of mind. Curious to see how your current VPN service is performing and affecting application performance? Get started with a free trial.