Link to home
Get AccessLog in
Avatar of Ted Penner
Ted PennerFlag for United States of America

asked on

What would be a good choice of VPN for development engineers?

I have someone in Nigeria with extremely limited bandwidth and my objective is to connect him safely and permanently to a MariaDB database that we are hosting on an Amazon AWS server configuration. 

His bandwidth, though very poor, has been enough to Zoom. 

Also, his IP address seems to change way more frequently than mine, so we have to find a way around that also.

At this stage, we are guessing that the best method for me to allocate a U.S.-based IP address to him and assign that IP to his account on the database might be to go through a VPN service.

Determining whether this is the most affordable option and selecting which one to use is still unknown. 

Assistance in determining what choice to make here would be greatly appreciated. 

One such possibility according to him might be one called Proton VPN at but I am unclear as to whether this is the best choice. 

Assistance in making this choice as a potential solution to this problem would be greatly appreciated.

Avatar of David Johnson, CD
David Johnson, CD
Flag of Canada image

use the AWS Client VPN There may be things you have to setup on the AWS end.

ProtonVPN and other 3rd party vpn's are not the solution they will just add more latency. 

Providers like this will only hide his activity from his ISP and not give a consistent connection (IP address) to AWS.. it will be like coming from the general internet at large. 

Avatar of noci

Wireguard has quick setup, is easy in use can be configured to fit most use cases.  (complete internet over tunnel, point - point connection).

On mobile phones the over head is low..  and can help cross the CGNAT boundary.  (even for SIP etc,).

Avatar of Ted Penner


What is it that makes the AWS Client VPN and Wireguard different than "a 3rd party VPN that would just add more latency"?

What about BitDefender VPN that is available as an add-on to this free version of BitDefender? Would that also "just add more latency"?

The AWS Client VPN connects directly from the client computer to the AWS Client Server via an encrypted connection.

a vpn like PIA and others connect to the VPN server (i.e. PIA Servers) and goes over their internal network to the endpoint which then connects via the internet and unencrypted to AWS (in this situation)

What you are not looking for is a VPN that translates your exist address to one from a VPN supplier (NordVPN e.a.) Those provide a Wireguard, OpenVPN, SSL, IPSEC tunnel to some datacenter so the address you use on the Internet is NOT your home address  (aka IP address hiding networks).

These are not anonymizing networks as those companies need to provide wiretaps and address rental info when subpoena'd for it. 

You are looking for a Point to Point Private link. 

In such a link there are two parties: 1) You, 2) your connecting partner.  With a tunnel either between your two systems involved (very hard to do in case where is NAT involved).  Next best connect two networks on the router level  (intermediate, connect a system to a network).

options are: IPSEC (best integrated in IP, overhead in negotiation =IKE), Wireguard (is by definition point to point and at least uses UDP and doesn't reveal there is a tunnel endpoint), OpenVPN (UDP usable, has quite some overhead on negotiation), OpenVPN (TCP, usable in networks with very low loss), SSL based VPN (TCP, usable in a network with low loss).

TCP Tunnels are worse in case there is regular packet loss as that causes retransmits INSIDE the tunnel, where the outer tunnels needs to transfer MORE data including it's own retransmit). TCP based tunnels are worse off across DSL or mobile links.  They also require setup of TCP (3 packets) + SSL (4-8 packets) + tunnel setup (often DHCP like, 3-5 packets). OpenVPN UDP is slightly better  as it requires about 5-11 packets.

Due to its fast setup (3 packet exchange) of a link, Wireguard works very well on "lossy" networks like mobile & DSL.

As TCP & UDP tunnels are still depending on the behaviour of UDP & TCP layers there are arte facts, IPSEC is behaving according to all IP rules. IPSEC requires between 4-8 UDP packets to setup. 

When NAT is involved you NEED to keep alive a tunnel with artificial traffic say every 30-60 seconds to prevent firewalls from forgetting about an exiting session. Otherwise a new tunnel will need to be established after decay of a session.  (UDP timers are between 3 and 10 minutes, TCP timers mostly between 10-20 minutes, unless there is a reset  or final packet in the transfer, then about 0-30 seconds are left). 

In your case you have a connections with low bandwidth latency and poor loss characteristics the best choice is a network with quick setup requiring the least packets i would suggest Wireguard... available for all mobile equiment from stores like F-Droid, App store, Playstore, several modems support it as it doesn't require a lot of infrastructure (programs, libraries,...) to manage. Also available for Linux, BSD's, iOS, MacOS,  Windows.

I would consider OpenVPN or Wireguard; ultimately, the choice between OpenVPN and WireGuard depends on the specific needs and requirements of the developer's project. OpenVPN may be a better choice for projects that require a high degree of configuration ability and a wide range of platform support. WireGuard may be a better choice for projects prioritizing performance and security on resource-constrained devices.

Wireguard, in my opinion, has many misconceptions about it. It may be great for specific use cases, but it lacks significant functionality compared to OpenVPN (which is certainly by design but is often considered a complete replacement).

OpenVPN is an open-source protocol that has been around for over a decade and is supported by many platforms. It is highly configurable, making it a good choice for developers who need to fine-tune their VPN connection.

WireGuard is a newer protocol that is designed to be lightweight and fast. It is intended for resource-constrained devices, making it a good choice for developers working on embedded systems or mobile devices.

OpenVPN and WireGuard are both popular VPN protocols. Still, they have some key differences: OpenVPN uses a combination of SSL/TLS and OpenSSL libraries to encrypt data and establish a secure connection. It also has more features than WireGuard, like the possibility to use multiple tunnels and a more complex authentication process.

WireGuard uses the Noise Protocol Framework to encrypt data and establish a secure connection, considered more modern and safe than OpenVPN's method. WireGuard's codebase is also significantly smaller than OpenVPN's, making it easier to audit and maintain.

User generated imageSource:
My developer says that to use Wireguard means that he would have to connect to my computer to make things work

If I choose to use the AWS VPN client, then what would be the cost and what are the configuration changes I need to make at the AWS end?

Does the AWS VPN client assign me a public static IP address or does it just allow access to AWS servers irrespective of the IP involved?

Does the AWS VPN client assign me a public static IP address or does it just allow access to AWS servers irrespective of the IP involved? 

it just connects your pc to aws servers securely 

There is no cost for using aws vpn offerings.

Based on the details of the discussion thus far, we have selected to use the AWS VPN client from here

What do we do next specifically to get it working?
Avatar of David Johnson, CD
David Johnson, CD
Flag of Canada image

Link to home
This content is only available to members.
To access this content, you must be a member of Experts Exchange.
Get Access