Is Microsoft’s New VPN Satellite Friendly?
Oct 22, 2022
Seeking to improve security and privacy, Microsoft recently announced a free built-in VPN (Virtual Private Network) for the popular Edge Browser. Users will be able to turn it on when they want to use it to encrypt their web traffic. This will prevent ISPs from collecting browser information users would prefer to keep private, such as health-related searches.
Another feature may have pros and cons. The new feature will let users hide their location, using a virtual IP address to browse the web. This would enable users, for example to access content blocked in certain countries, such as Hulu or Netflix. Hiding IP addresses however can be a problem with high latency communications networks such as satellite. Is this going to be a problem or limitation for Edge Secure Network?
The service has an interesting catch. Data use is limited to 1 GB per month. Users will have to sign into a Microsoft account, which will, ironically, track their usage! The platform is built on the Cloudflare-powered VPN. Cloudflare will collect support and diagnostic information, with the promise of permanently discarding that data every 25 hours. The product is still being developed and not yet available for early testing, but we hope someone will test it over satellite as soon as possible. Here’s why:
Cloudflare developed the platform. We don’t know for sure, but it seems likely it was built on their WARP platform, designed for mobile use. That would make sense, because the idea of an Edge VPN is to secure your traffic in public locations. Presumably, at the office, corporate VPN appliances are managing security. One of the features that WARP touts is hiding your IP address. Websites and third-party services often infer geolocation from your IP address, so WARP replaces your original IP address with one that consistently and accurately represents your approximate location. They do this to route you to the closest Cloudflare server, and to hide your IP address from applications attempting to gather it. However, this may have implications for performance.
The issue is described in our white paper, Understanding VPNs Over Broadband Satellite. In a nutshell, the problem is associated with how latency impacts the TCP protocol. This is a secure protocol used for browsing, email, file transfers and similar traffic that transports data. TCP ensures that data is delivered accurately or retransmitted until it is. This is not an issue for the UDP protocol typically used for voice and video. There is no sense in stopping voice or video to retransmit a corrupt packet, it keeps going, or “spray and pray” as the saying goes. The problem with satellite is that the latency is about 2/3 second for a round trip. Aside from a longer setup process, data transmission is significantly impacted, because the sending device stops transmitting after sending a small amount of data and waits for the remote to ACK or acknowledge it was received properly, before sending any more packets. Since it takes so long for the ACK to come back, the TCP protocol interprets this as a congested circuit. No matter how much bandwidth you have available, satellite latency may limit TCP traffic to as little as 100 kbps.
As described in the VPN article mentioned above, satellite vendors such as iDirect developed TCP Acceleration techniques that are inserted into the ACK process to speed up transmission, while keeping track of packets to make sure they are delivered properly, and retransmitting those that are corrupted when necessary. This works very well, enabling satellite to leverage any bandwidth available to transmit TCP traffic. However, when you insert the TCP traffic into some VPNs, such as IPSec and PPTP, the TCP Acceleration is disabled because the IP address is hidden, and you are back to having long ACK delays, which will slow the traffic down. SSL-VPNs used by most Remote Access solutions don’t hide the IP address and thus don’t have this issue. They encrypt the data, but the IP headers are left alone so TCP Acceleration can continue to work. Indications are that the new Edge Secure Network VPN, will suffer the same problem as IPSec and PPTP since it hides (and changes) the IP address.
We are reasonably confident that the WARP VPN is built on top of WireGuard another VPN developer. WireGuard securely encapsulates IP packets over UDP, and that means the TCP headers are not available to be accelerated by TCP Acceleration methods. That means the speed of any TCP traffic within the VPN is going to be significantly impacted. One thing that gives us confidence that this is an issue is a post in Reddit, in which an admin asks for performance tips using WireGuard over a satellite link. His user said he was getting about 1/30th of the performance over satellite for traffic over the VPN, versus without the VPN. One Reddit user summed up the situation well: “Either way, this is why the speed test is so slow with WireGuard… the satellite router cannot “see” that there’s a TCP stream inside the UDP one, and of course it can’t spoof anything since it’s encrypted. Thus, by the time the ACK comes back via WireGuard, the TCP inside the sender’s kernel has already decided that the connection is slow.”
If we’ve accurately described the product chain here, and haven’t overlooked or misinterpreted something, then there will likely be latency issues for this new VPN. Microsoft’s Edge Secure Network VPN is powered by Cloudflare and most probably is based on their WARP VPN, which in turn uses a WireGuard platform, if our information is correct. What this means is that the new browser VPN from Microsoft is not going to work well over satellite – at least, not any GEO satellite. It will probably work fine over a LEO satellite service such as Starlink because of the much lower latency.
Unfortunately, it’s unlikely that there are any workarounds. As our white paper about VPNs notes, there are pre-acceleration appliances you can put in front of VPN appliances such as IPSec or PPTP that hides the IP header information. These solutions accelerate or pre-accelerate the traffic before it goes into the VPN appliance, and often provide QoS because you can’t prioritize encrypted packets, so any prioritization must take place before the traffic is encrypted. In the case of this browser-based VPN, the VPN is running as client software on a workstation or device and will in all probability encounter the same issues that users have with IPSec client software VPNs. They can’t be pre-accelerated, and thus are not satellite friendly. They won’t be able to take advantage of all the bandwidth that might be available.
There was a product in the early 2000s called the Mentat SkyX Server that provided pre-acceleration in client software on the workstation, so VPNs like this could be pre-accelerated, but to the best of the author’s knowledge, there are no such solutions on the market today. Packeteer bought Mentat, and they were bought by Blue Coat and somewhere along the way, the SkyX product faded away. It started at $25,000, thus only made sense for corporations with a lot of remote or mobile workers. There are a lot more of these workers today than there were in the early 2000s. Perhaps Microsoft’s new VPN will help create demand for such a solution, or perhaps they will provide a mechanism to disable hiding the IP address?
We are interested in any additional information readers might have to support or debunk the idea that the new browser VPN may not work as expected over satellite. If our projections are correct, be prepared for users complaining about performance when using the new Microsoft Edge Secure browser VPN over satellite.