What's the most efficient way to route traffic from a remote gateway?

Originally I was going to ask what would be the most efficient tunneling protocol, but I have directly attached public+static IP addresses on both sides, and encryption, while nice to have, really doesn’t make that much of a difference since this is all considered WAN-side traffic.[1]


  1. With the small caveat that it is traffic crossing into/out of the US, thus subject to scrutiny.

Definitely WireGuard!

Oh man, I didn’t mean to post it, I wasn’t done. I went to draw a little something in another app as a visual aid:

…and I guess I pushed the wrong button or something (this thing has shortcuts, the forum web app)

But since it’s out there already,

The other method I had in mind was just simply NATing it. Out in the open. Still think WireGuard is the fastest/best?

I just switched back to an old provider, it’s gotten significantly more popular since the last time I used it. It’s a more attractive target now.

Both ends are running VyOS, the cloud side was quickly decimated as soon as it was online by the relentless traffic coming at it, the SSH connection to it kept breaking down. I had to use the provider’s built-in firewall feature to limit traffic to just that coming from my own static address and only then SSH stabilized.

It didn’t have, and still doesn’t have, any firewall rules in it or much else in it, but that’s how it’s going to work in the end, just forwarding everything good and bad, back and forth, no questions asked.

In the past, when only one of the addresses was static and was on PPPoE, I didn’t have that many choices, except for WireGuard and OpenVPN (IKEv2 and ZeroTier were buggy.)

Now I have static addresses and the full standard 1500-byte MTU available, and I’d like to make the most out of it. More than anything, though, I’d like to stay clear of MSS adjustments, since I learned the hard way that email servers will do what they :face_with_symbols_on_mouth: want to do regardless of careful network-wide MSS settings, hence why I’m considering ZeroTier and its alleged MTU of 2800.

Another way, or should I say ways, I thought to go about it were by forcefully routing the traffic with (1) NAT, or (2) a very long static route, or (3) VyOS’ built-in forward proxy outbound and DNAT for inbound. I’m not even sure if I’m done. But I’m a little too excited and I might be forgetting/ignoring some serious aspect or compromise I’d need to make with each option.

Off the top of my head, the fact that traffic crosses into, and out of, the US.

Advice is very welcome.

Thanks!

Quick note about ZeroTier’s MTU of 2800. It is a bit of a lie. Not that they’re telling a lie with it being 2800, but in the technological sense. They handle fragmentation/reassembly in userspace instead of where it normally is handled, at the kernel level (or NIC with some offloads).

This gives the illusion that you’re avoiding fragmentation, but you’re still actually fragmenting, which can lead to performance issues that could be hard to troubleshoot. It also ignores DF being set in the packets it receives, which could lead to fragmentation attacks. If using ZeroTier, you still want to plan for proper MSS at both the host and network levels.

Example:

This is between 2 ZT hosts with an actual MTU of 1500 and should not succeed:

```
l0crian@R86S:~$ ping 10.244.100.25 size 2500 do-not-fragment count 1
PING 10.244.100.25 (10.244.100.25) 2500(2528) bytes of data.
2508 bytes from 10.244.100.25: icmp_seq=1 ttl=64 time=78.9 ms

--- 10.244.100.25 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 78.882/78.882/78.882/0.000 ms
```
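Two things in this thread are easy to get wrong in a hurry: the MSS budget a tunnel actually leaves you (the MSS remark in the original question), and whether an overlay is really honouring DF (the point made in this reply). The following is an added example, my own code and not from the poster, VyOS, WireGuard or ZeroTier. It computes the WireGuard MSS clamp for a 1500-byte link from the protocol's published header sizes, and parses do-not-fragment ping output like the transcript above to flag the case where a packet larger than the underlay MTU is answered anyway. The first transcript is the one from the post; the second ("message too long") is constructed to show the DF-honoured case, and the `none` overhead entry is my own label for a plain underlay with no tunnel budget.

```python
import re

# Encapsulation overhead in bytes on top of the inner IP packet.
# WireGuard data packets: outer IPv4 (20) or IPv6 (40) + UDP (8)
# + WireGuard header (4 type + 4 receiver index + 8 counter + 16 auth tag = 32).
TUNNEL_OVERHEAD = {
    "wireguard-ipv4": 20 + 8 + 32,   # 60 bytes
    "wireguard-ipv6": 40 + 8 + 32,   # 80 bytes
    "none": 0,                       # assumption: plain underlay, no tunnel budget
}

IP_HDR = 20     # IPv4 header without options
TCP_HDR = 20    # TCP header without options
ICMP_HDR = 8    # ICMP echo header


def tunnel_mtu(link_mtu: int, tunnel: str) -> int:
    """Largest inner packet that fits in one underlay frame without fragmenting."""
    return link_mtu - TUNNEL_OVERHEAD[tunnel]


def tcp_mss(link_mtu: int, tunnel: str) -> int:
    """MSS clamp so a full-size IPv4 TCP segment never exceeds the tunnel MTU."""
    return tunnel_mtu(link_mtu, tunnel) - IP_HDR - TCP_HDR


# iputils-style ping output: "PING host (addr) 2500(2528) bytes of data."
PING_HDR = re.compile(r"PING \S+ \(\S+\) (\d+)\((\d+)\) bytes of data")
PING_REPLY = re.compile(r"^(\d+) bytes from ", re.M)
PING_FRAG = re.compile(r"(?i)frag needed|message too long|needs to be fragmented")


def df_probe_verdict(ping_output: str, link_mtu: int) -> dict:
    """Classify a single do-not-fragment ping against the known underlay MTU.

    df_ignored: a reply came back although the on-wire size exceeds link_mtu,
                so something in the path (e.g. a userspace overlay) is silently
                fragmenting and reassembling regardless of DF.
    df_honored: the sender or a hop reported that fragmentation was needed.
    fits:       the packet fit the link and was answered; nothing learned.
    no_reply:   no reply and no error; a PMTU black hole or an unrelated outage.
    """
    m = PING_HDR.search(ping_output)
    if not m:
        raise ValueError("no PING header line found")
    payload, on_wire = int(m.group(1)), int(m.group(2))
    got_reply = PING_REPLY.search(ping_output) is not None
    frag_error = PING_FRAG.search(ping_output) is not None

    if frag_error:
        verdict = "df_honored"
    elif got_reply and on_wire > link_mtu:
        verdict = "df_ignored"
    elif got_reply:
        verdict = "fits"
    else:
        verdict = "no_reply"

    return {
        "payload": payload,
        "on_wire": on_wire,
        "expected_on_wire": payload + ICMP_HDR + IP_HDR,
        "link_mtu": link_mtu,
        "verdict": verdict,
    }


# Transcript from the post above: a 2500-byte DF ping between two ZeroTier
# hosts on a 1500-byte underlay that was answered anyway.
ZT_TRANSCRIPT = """\
PING 10.244.100.25 (10.244.100.25) 2500(2528) bytes of data.
2508 bytes from 10.244.100.25: icmp_seq=1 ttl=64 time=78.9 ms

--- 10.244.100.25 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 78.882/78.882/78.882/0.000 ms
"""

# Constructed transcript: what the same probe looks like when DF is honoured.
HONORED_TRANSCRIPT = """\
PING 10.244.100.25 (10.244.100.25) 2500(2528) bytes of data.
ping: local error: message too long, mtu=1500

--- 10.244.100.25 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
"""

if __name__ == "__main__":
    for name in ("wireguard-ipv4", "wireguard-ipv6"):
        print(f"{name}: tunnel MTU {tunnel_mtu(1500, name)}, clamp MSS to {tcp_mss(1500, name)}")
    print("ZeroTier probe:", df_probe_verdict(ZT_TRANSCRIPT, 1500)["verdict"])
    print("DF-honoured probe:", df_probe_verdict(HONORED_TRANSCRIPT, 1500)["verdict"])
```

The `df_ignored` result is the one to treat as a finding: it means the advertised MTU is not a path MTU at all, and the MSS clamp still has to be sized to the real underlay (1500 minus whatever the overlay adds), exactly as the reply above recommends.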

Yeah,

I kind of thought that it was just a little too suspicious it was twice an MTU of 1400, which seems more appropriate for a protocol with that much functionality in it, but for my own sake I wanted to believe, “okay, maybe it plays with timings… sum’n like that, and it makes it work.” If I needed to keep a ouija board and a black dead cat around so be it, but it’s for the better I quit it before getting invested.

Thanks for the tip. I’m writing these down because I forget and recycle the stupid way too often. It’s not a perfect solution because I also forget what I named them :joy: but at least they’re searchable in one place and I do transcribe ‘em in my own words so something sticks.
