Dual-Session VPN Performance Monitoring
- How to configure two network monitoring sessions to monitor the VPN performance.
What you are going to learn:
A very common monitoring scenario is VPN performance monitoring. The objective of this monitoring scenario is to verify if the network performance is impacted by the VPN or not. In this article, you will learn how to configure VPN monitoring in the Obkio App to monitor VPN performance. The article refers to two Monitoring Agents called HQ, located at the company headquarters, and Remote, located either at a remote office or on a remote user's laptop.
The Remote agent has its own Internet connection, and a VPN tunnel is established to connect to the headquarters network. The VPN can be configured on the remote office's firewall or as a VPN client on the remote user's laptop; either setup works.
Two Network Monitoring Sessions are required to be able to pinpoint if the VPN is affecting the network performance. One session will be configured inside the VPN and one session outside the VPN. Both sessions should use the same network path on the Internet. The only difference is that one session will go through the VPN (which will include encryption and decryption) and the other one will only go through the headquarters' firewall NAT.
With this dual-session monitoring, if both sessions are impacted by a Network Issue, the degradation is common to both sessions, so it's not related to the VPN itself. It can be the Internet connection at either location (or in between) or it might come from the network devices at either location. The Network Device Monitoring feature can help pinpoint if the issue is related to the network devices or not. The Traceroutes feature can help pinpoint network path issues.
Before we configure the network monitoring sessions, let's go through the Agent Modes and Agent Network configurations for both agents.
The HQ agent mode must be configured as Private Internet Server because one of the sessions will go through the public Internet. On the firewall (or router) facing the HQ agent, port forwarding is required to forward the monitoring traffic from the Internet to the agent. Default network monitoring ports to forward are 23999/TCP and 23999/UDP. Learn more on the Firewall Configurations.
The Remote agent mode should be configured as Client Only because it is the agent that will initiate the connection to the HQ agent. If for some reason the Remote agent mode is different, adjust the Client Selection Preference to make sure the Remote agent is the client. Learn more on the Network Monitoring Role Selection.
Finally, to be able to configure a network monitoring session inside the VPN, both agents must be in the same Agent Network. By being in the same network, both agents will communicate with private IP addresses by default.
To create the two network monitoring sessions, two Network Monitoring Templates must be configured. The first one will go inside the VPN and is probably the one that is already in place if you have a working setup. There is no specific configuration to use the VPN because both agents are in the same network which will cause them to use their private IP addresses. When configuring the template, one agent must go in one list and the second agent in the second list.
The second template will create a monitoring session that will go outside the VPN. It is identical to the first template with one exception: the IP Selection advanced parameter. Instead of the default setting, the IP Selection must be set to Public IPv4. This setting will override the Agent Network and the Remote agent will initiate the connection to the public IP of the HQ agent, so the VPN should not be used.
If the VPN installs a default route that causes all the network traffic of the Remote agent to go through the VPN, this dual-session configuration might not work. You must make sure that the Remote agent uses the Internet to communicate with the public IP of the HQ agent and not the VPN tunnel.
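
One way to check the routing caveat above on the Remote agent, as an added example that is not part of the Obkio documentation or product. It assumes a Linux host with iproute2; the HQ public IP `203.0.113.10`, the VPN interface name `tun0` and the sample route lines are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Obkio code): confirm that traffic from the Remote agent
# to the HQ agent's public IP leaves through the Internet-facing interface
# and not through the VPN tunnel interface.
# Usage (assumed values): sh check_route.sh 203.0.113.10 tun0

# Print the egress interface that follows "dev" in `ip route get` output.
egress_dev() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "dev") { print $(i + 1); exit }
    }'
}

# Return 0 if the route leaves via an interface other than the VPN one,
# 1 if it uses the VPN interface, 2 if no interface could be parsed.
outside_vpn() {
    dev=$(egress_dev "$1")
    [ -n "$dev" ] || return 2
    [ "$dev" != "$2" ]
}

# Constructed samples of `ip -4 route get 203.0.113.10` output.
SAMPLE_DIRECT='203.0.113.10 via 192.168.1.1 dev eth0 src 192.168.1.50 uid 1000'
SAMPLE_TUNNEL='203.0.113.10 dev tun0 src 10.8.0.6 uid 1000'

# Live check: ask the kernel which route it would pick for the HQ public IP.
check_live() {
    out=$(ip -4 route get "$1") || return 2
    outside_vpn "$out" "$2"
}

# Run the live check only when both arguments are supplied.
if [ "$#" -eq 2 ]; then
    if check_live "$1" "$2"; then
        echo "OK: $1 is reached outside the VPN interface $2"
    else
        echo "WARNING: $1 is routed through $2 or the route could not be read"
    fi
fi
```

If the warning appears, the outside-VPN session is being carried by the tunnel and both sessions measure the same path.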