OVH - Hetzner tunneling

FlorinMarian Member, Host Rep

Hello!

I'm opening an old topic, but one that is still of interest both to me and to some of my clients who want to use IP addresses from one provider to another.

In today's example, we are talking about an OVH Game server that has 1Gbps Up/Down and at the other end a Hetzner server that also has 1GBps guaranteed.

I tried different tunneling technologies (GRE, GRETAP, IPIP) but during the benchmarks I am not at all satisfied with the results, the bandwidth being reduced by 25-30 times compared to the same tests run directly on the servers.

Knowing that in the past there were some problems caused by the OVH Game protection, I made the tunnels including IPv6 and I used IPv4 over them, but the result was the same.

  • MTU was set to 1462 on the VM hosted at Hetzner using OVH IP addresses
  • The latency between servers is only 3-4ms

Any ideas what I may have missed?

Thank you!

Comments

  • yoursunny Member, IPv6 Advocate

    @FlorinMarian said:
    Any ideas what I may have missed?

    Push-ups to please OVH gods.
    Boatload of money to please Hetzner gods.
    Dark fiber to please RIPE gods.

  • Neoon Community Contributor, Veteran

    UDP is limited anyway on Game, to like 50Mbit.

    TCP, my guess is OVH doesn't want to be used as a cheap DDoS scrubbing service.
    So they limit the speed of these tunnels.

    I mean the point of a gameserver is to game, you don't need high throughput for that.
    Except you downloading stuff, which is likely over TCP anyway and OVH can tell it's legit HTTP I guess, so they don't throttle it.

    You likely have to pull a China and trick OVH into thinking it's HTTP traffic.

  • Have you tried WireGuard? At least on 250mbit SYS it has no problem running at full speed

  • jmgcaguicla Member
    edited December 2022

    @Neoon said:
    UDP is limited anyway on Game, to like 50Mbit.

    TCP, my guess is OVH doesn't want to be used as a cheap DDoS scrubbing service.
    So they limit the speed of these tunnels.

    I mean the point of a gameserver is to game, you don't need high throughput for that.
    Except you downloading stuff, which is likely over TCP anyway and OVH can tell it's legit HTTP I guess, so they don't throttle it.

    You likely have to pull a China and trick OVH into thinking it's HTTP traffic.

    It's GRE/IPIP though so they can't immediately tell outright using the proto num, you think they peek through encapsulation and shape traffic based on that as well?

    Granted it just literally wraps the underlying IP packet it shouldn't take that much muscle to inspect, still seems wasteful if that's the case.

  • Neoon Community Contributor, Veteran

    @jmgcaguicla said:

    @Neoon said:
    UDP is limited anyway on Game, to like 50Mbit.

    TCP, my guess is OVH doesn't want to be used as a cheap DDoS scrubbing service.
    So they limit the speed of these tunnels.

    I mean the point of a gameserver is to game, you don't need high throughput for that.
    Except you downloading stuff, which is likely over TCP anyway and OVH can tell it's legit HTTP I guess, so they don't throttle it.

    You likely have to pull a China and trick OVH into thinking it's HTTP traffic.

    It's GRE/IPIP though, you think they peek through and shape traffic based on that as well?

    Granted it just literally wraps the underlying IP packet it shouldn't take that much muscle to inspect, still seems wasteful though.

    They do DPI anyway, since OVH added DDoS filtering in 2013, so why not also classify the protocol and cut people off that try to do that.

    According to OVH, Game is even filtered at Rack level in addition to DC filtering, so your shit is essentially filtered twice.

  • @Neoon said:
    They do DPI anyway, since OVH added DDoS filtering in 2013, so why not also classify the protocol and cut people off that try to do that.

    That's what I was missing; yeah that makes sense, should only be little extra work on top of "actual" DPI if they're doing DPI anyway.
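
The point raised in the thread, that GRE and IPIP only wrap the inner IP packet so a classifier needs very little work to read the inner protocol, shown as an added example (not code from any poster, and not a description of how OVH's filtering works). It handles an IPv4 outer header only; the sample packets and the `ip4` helper are constructed for illustration.

```python
import struct

GRE, IPIP = 47, 4          # IANA protocol numbers carried in the outer IPv4 header
NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def ipv4_header(pkt, off):
    """Return (protocol, header_length) of the IPv4 header at offset off."""
    if len(pkt) < off + 20 or pkt[off] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (pkt[off] & 0x0F) * 4
    if ihl < 20 or len(pkt) < off + ihl:
        raise ValueError("bad IHL")
    return pkt[off + 9], ihl

def gre_payload_offset(pkt, off):
    """Skip a GRE header (RFC 2784/2890); return (ethertype, payload offset)."""
    if len(pkt) < off + 4:
        raise ValueError("truncated GRE")
    flags, ethertype = struct.unpack_from("!HH", pkt, off)
    size = 4
    if flags & 0x8000: size += 4   # checksum + reserved
    if flags & 0x2000: size += 4   # key
    if flags & 0x1000: size += 4   # sequence number
    return ethertype, off + size

def classify(pkt):
    """Return (tunnel_type, inner_protocol_name) for a raw IPv4 packet."""
    proto, ihl = ipv4_header(pkt, 0)
    if proto == IPIP:
        tunnel, inner = "ipip", ihl
    elif proto == GRE:
        ethertype, inner = gre_payload_offset(pkt, ihl)
        if ethertype != 0x0800:      # e.g. 0x6558 for GRETAP (Ethernet inside GRE)
            return "gre", "non-ipv4"
        tunnel = "gre"
    else:
        return "none", NAMES.get(proto, str(proto))
    inner_proto, _ = ipv4_header(pkt, inner)
    return tunnel, NAMES.get(inner_proto, str(inner_proto))

def ip4(proto, payload=b""):
    """Constructed minimal IPv4 header (documentation addresses, zero checksum)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])) + payload

# Constructed samples: TCP inside GRE (key present), UDP inside IPIP
GRE_TCP = ip4(GRE, struct.pack("!HHI", 0x2000, 0x0800, 7) + ip4(6))
IPIP_UDP = ip4(IPIP, ip4(17))
```

Reaching the inner protocol costs two fixed-offset reads plus a few flag checks, which is the "little extra work" the replies above describe.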
