logo for satelliteinsight.com
LEFT for satelliteinsight.com spacer

VPN via Satellite

How It Works and Options For Greater Efficiency

Find the information you need quickly with this search feature ~

VPNs and Satellite Networks

Can you run a VPN via satellite?

The simple answer is yes, but there is a "catch" you need to be aware of. The use of certain VPNs over satellite links can result in noticeable service slowdowns because of throughput limitations associated with latency.

However, this can often be overcome through the use of acceleration techniques. Here's some information regarding VPNs to help you better understand how they operate and what solutions are available to make them run more efficiently via satellite.

Some VPNs are more compatible for transmission via satellite than others because they can be accelerated without the need of external appliances.

For this reason, it's very important to know what kind of VPN (virtual private network) you intend to use over a satellite link.

The right type of VPN will save money, as well as, make your operation more efficient.

Types of VPNs

Many popular types of VPNs include IPSec (Internet Protocol Security), SSL (Secure Sockets Layer) also known as WebVPN, PPTP (Point-to-Point Tunneling Protocol), CITRIX (a type of SSL VPN), as well as, VPNs that incorporate PC/Laptop based software which runs on the computer itself, rather than using a separate VPN appliance for the whole site.

You need to know ...

that consumer-grade satellite services, such as those offered by WildBlue or HughesNet, for example, are generally not recommended for operating a VPN via satellite simply because they do not provide the technology to support this activity successfully. However...

you can run a VPN over a VSAT network that delivers business-grade satellite service, such as with iDirect satellite systems. This is because these systems employ TCP (transmission control protocol) and QoS (quality of service) technologies built-in to the satellite modem to pre-accelerate data traffic and maintain consistent service speed over the network.

This is precisely why I recommend using an iDirect system, if you intend to run a virtual private network over a satellite link.

Operating a VPN via Satellite

It takes a long time for the TCP ACKnowledgments to come back from the VPN server over a satellite network. This is mainly because of satellite latency which is about 1/2 second round trip, not counting any of the router, switch, gateway, and other devices which add normal latency in an Internet connection.

Because of the delayed ACK, the TCP thinks it is on a very slow or very congested link, and it won't ramp up to full speed, regardless of how much satellite bandwidth may be available. Under normal circumstances, one can expect only about 70-90 Kbps per TCP session while operating a VPN via satellite.

This translates into a very slow transmission. However, broadband satellite vendors incorporate various schemes to "speed-up" operations. Here's a look at four available options for operating a VPN via satellite.

VPN Service Options

Option# 1

Use an SSL-VPN or CITRIX. These VPNs don't encrypt or hide the TCP headers, only the data, so TCP Acceleration still works. This means the TCP Acceleration built into the iDirect modem alone can accelerate the VPN. If your corporate application can be satisfied with an SSL-VPN or CITRIX, this is a simple solution because it requires no external appliances,in addition to an iDirect satellite system.

It should be noted that ...
Many Fortune companies are switching away from IPSec to SSL-VPN as it's much easier to deploy over satellite WANs, and it does not require any external acceleration appliances which are rather expensive.

Option# 2

If you are using a VPN type other than SSL or CITRIX,
one solution to speed-up data transmission is to put a VPN appliance in the teleport, instead of at the remote site, for the VPN link back to headquarters. In this scenario, the NOC (network operations center) simply makes a VLAN (virtual local area network) connection from that site to the VPN appliance, for purpose of headquarters communication.

Traffic is encrypted from the teleport to the data center, but runs "in the clear" (not encrypted) from the remote site to the teleport over the satellite link. It's very difficult to intercept or alter data over this link due to the design of the iDirect solution. For transmission over the least secure portion of the link, which is the connection over the public Internet, data transmission is encrypted.

This arrangement insures faster VPN operation and that all iDirect-enabled satellite links are at least as secure as normal leased lines and Frame Relay circuits. Keep in mind, however, that it involves the added expense of purchasing a VPN appliance and renting rack space at the teleport.

Option# 3

You can pre-accelerate the TCP sessions. If you must have end-to-end encryption all the way to the remote site, and you want full performance, then iDirect has an appliance that sits between the LAN (local area network) and the VPN appliance, and it pre-accelerates the VPN and provides QoS (quality of service). Satellite providers can give you cost info and service details for this device which must be located at the remote site and headquarters.

Option# 4

Live with slow VPN operating speed of about 70-90 Kbps per session. Depending on what kind of data this is (such as email or file transfers) it may not matter. But, if it's web-enabled applications, service will be slow.


If the VPN we're discussing here is PC/Laptop based software that runs on the computer itself, rather than using a VPN appliance for the whole site, then there is really nothing that can be done to pre-accelerate the traffic. There's no solution that will do the pre-acceleration internally on the PC itself. The VPN will work, but performance will be limited to approximately 100 Kbps or less per session.

It's possible to use up all of a larger circuit with multiple TCP sessions, each doing about 100 Kbps. However, even if additional bandwidth is momentarily available, an unaccelerated device will not be able to take advantage. The extra bandwidth is essentially wasted at that moment in time if no other non-VPN devices are utilizing it.

VPN Suggestion

If you haven't already decided on a particular type VPN to use via satellite, you may want to consider an SSL-VPN or CITRIX solution - OPTION# 1. Depending upon your budget and service requirements, this option may offer the best solution because it's simple, the data transmitted over this network is encrypted for greater privacy, and the operation is accelerated.

Important VPN Consideration

If some heavy traffic is anticipated over your VPN via satellite, then you would need more CIR (committed information rate) - dedicated bandwidth or more BIR (burstable information rate) - shared bandwidth to support this network. A VPN is basically a tunnel for any traffic. The term VPN itself provides little information on what kind of traffic is going to be in the VPN tunnel.

Sometimes it's just some web-based enterprise applications that can be classified as web browsing, but it could well be a huge database sync. If this is the case, then you should consider faster bandwidth speeds.

If you're not sure how much bandwidth speed you will need, be sure to tell your satellite provider how much traffic you anticipate will be on the VPN, inbound and outbound, each working day. They can help you determine how much bandwidth speed would be appropriate.

Provider Recommendations

Want to know more about available solutions for VPN use over iDirect satellite networks? Get detailed service information from the following providers. Their advice is Free, the service is very dependable, and I highly recommend them!

for VPN via satellite - worldwide, contact BusinessCom

Contact BusinessCom

iDirect Infiniti systems
VPN via satellite worldwide!

for VPN via satellite in the Asia/Pacific Region, contact Oceanic Broadband

(serving Asia, Australia, New Zealand, and islands of the Pacific Ocean) -

Contact Oceanic Broadband

Asia/Pacific VPN Service
iDirect satellite links

Business-grade VSat communications services, including dedicated SCPC and shared bandwidth connectivity solutions via satellite, anywhere in the Western Hemisphere - North, South, Central Americas, the Caribbean or anywhere in the world, contact me for complete details and pricing information.

return to iDirect satellite systems page

#1 Identity Theft Protection

Subscribe to my Satellite Blog,
and learn about some great communications and entertainment products.

You 'll know about the latest services and sales offers
as soon as they are updated on this site!

International broadband satellite services are also available in ~

Africa   •  Asia  •  Australia/ New Zealand/ Pacific Islands

  •  Canada/ North America  •  Caribbean  •  Central America/Mexico

•  Europe  •  Middle East  •  South America  •  USA

Home Page

Page Top



Copyright © 2002-2015 SatelliteInsight.com

All material presented on this site is for informational/educational purposes only. It is not intended as professional advice nor as a substitute for any individual's responsibility to read and understand all provider terms and conditions.

All trademarks, whether or not identified, are acknowledged to be the property of their respective owners.