The article "Why TCP Over TCP Is A Bad Idea" is very useful for explaining
why VPNs perform better when using UDP-based transport (DTLS or ESP) rather
than TCP-based transport (TLS), but unfortunately the original site is no
longer available.
Replace it with a link to the Internet Archive's Wayback Machine, specifically
https://web.archive.org/web/20230228035749/http://sites.inka.de/~W1011/devel/tcp-tcp.html
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
but is preferred when correctly supported by the server and network
for performance reasons. (TCP performs poorly and unreliably over
TCP-based tunnels; see
-.IR http://sites.inka.de/~W1011/devel/tcp-tcp.html .)
+.IR https://web.archive.org/web/20230228035749/https://sites.inka.de/~W1011/devel/tcp-tcp.html .)
.SH OPTIONS
.TAG opt-config
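Review bot: The inner URL on the added .IR line is "https://sites.inka.de/~W1011/devel/tcp-tcp.html", but the commit message cites the capture as ".../20230228035749/http://sites.inka.de/~W1011/devel/tcp-tcp.html" and the link being removed was plain http. Please use the same inner URL in the commit message and in the replacement lines (this one and the HTML ones that follow), so that both point at the same capture.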
information are passed back and forth in the headers of that
<tt>CONNECT</tt> request.</p>
-<p>Since <a href="http://sites.inka.de/~W1011/devel/tcp-tcp.html">TCP
+<p>Since <a href="https://web.archive.org/web/20230228035749/https://sites.inka.de/~W1011/devel/tcp-tcp.html">TCP
over TCP is very suboptimal</a>, the VPN also attempts to use UDP
datagrams, and will only <em>actually</em> pass traffic over the HTTPS
connection if that fails. The UDP connectivity is done using Datagram
openconnect --protocol=f5 big-ip.example.com
</pre></p>
-<p>Since <a href="http://sites.inka.de/~W1011/devel/tcp-tcp.html">TCP over
+<p>Since <a href="https://web.archive.org/web/20230228035749/https://sites.inka.de/~W1011/devel/tcp-tcp.html">TCP over
TCP is very suboptimal</a>, OpenConnect tries to always use PPP-over-DTLS,
and will only fall over to the PPP-over-TLS tunnel if that fails, or if
disabled via the <tt>--no-dtls</tt> argument.</p>
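Review bot: The context line "and will only fall over to the PPP-over-TLS tunnel if that fails" in this paragraph looks like it should read "fall back" (or "fail over"). Since the paragraph is being touched anyway, consider fixing the wording here and in the two later paragraphs that repeat the same phrase.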
openconnect --protocol=fortinet fortigate.example.com
</pre></p>
-<p>Since <a href="http://sites.inka.de/~W1011/devel/tcp-tcp.html">TCP over
+<p>Since <a href="https://web.archive.org/web/20230228035749/https://sites.inka.de/~W1011/devel/tcp-tcp.html">TCP over
TCP is very suboptimal</a>, OpenConnect tries to always use PPP-over-DTLS,
and will only fall over to the PPP-over-TLS tunnel if that fails, or if
disabled via the <tt>--no-dtls</tt> argument.</p>
ESP</a> tunnel.</li>
</ol>
-<p>Since <a href="http://sites.inka.de/~W1011/devel/tcp-tcp.html">TCP over
+<p>Since <a href="https://web.archive.org/web/20230228035749/https://sites.inka.de/~W1011/devel/tcp-tcp.html">TCP over
TCP is very suboptimal</a>, OpenConnect tries to always use ESP-over-UDP,
and will only fall over to the HTTPS tunnel if that fails, or if disabled
via the <tt>--no-dtls</tt> argument.</p>
<p>Modern VPN protocols almost always support a UDP-based transport
for tunneled packets, e.g. DTLS for the Cisco AnyConnect protocol, or
ESP for the GlobalProtect protocol. This is because <a
-href="http://sites.inka.de/~W1011/devel/tcp-tcp.html">TCP over TCP is
+href="https://web.archive.org/web/20230228035749/https://sites.inka.de/~W1011/devel/tcp-tcp.html">TCP over TCP is
very suboptimal</a> in terms of performance. However, most VPN
protocols also support TLS/SSL for connection initiation and as a
fallback, due to its universal availability even in highly filtered or
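Review bot: The same archive URL is now hard-coded in this paragraph, in the man page and in four other HTML paragraphs in this patch, so the next change of link means six more edits. This paragraph already gives the general reason for preferring UDP transport; consider keeping the external link here (and in the man page) and having the protocol-specific paragraphs link to this explanation instead.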