Designing the next generation mobile VPN
Conventional VPNs are ill-suited for today’s mobile-centric world. They are power-hungry, rigid, fragile, and inefficient. They do not account for changes in network environments as you roam between Wi-Fi and cellular connections throughout the day, handle gaps in coverage, or even utilize all available internet connections.
We believe you shouldn’t have to compromise on speed when seeking security, or sacrifice performance to save battery life. So, we designed a cross-platform solution to seamlessly traverse networks, intelligently correct errors, and utilize all available connections for the best performance no matter where you are or what device you’re on.
Speedify is a new kind of VPN: built from the ground up with modern protocols designed to provide faster and more reliable connectivity across today’s heterogeneous wireless networks.
To demonstrate the benefits of our unique approach, we compared performance head to head with the latest version of OpenVPN, and the results were astounding:
- Encrypted downloads on mobile phones were up to 97% faster
- Downloads over an unreliable network with 1% packet loss were 188% faster
Additionally, only Speedify could utilize both Wi-Fi and Cellular connections to achieve speeds faster than the Wi-Fi connection alone or successfully failover to the other if one of the connections became unavailable.
What’s Wrong with Traditional VPNs?
A Virtual Private Network (VPN) is software that adds security and privacy to your network. VPNs can either be used by companies to give remote employees access to their internal private networks, or to protect users’ connections to the Internet. VPNs protect your privacy by encrypting all of your traffic so it cannot be spied on, and also by changing your IP address to that of the VPN server to make you harder to trace.
Traditional VPNs, like IPsec or OpenVPN, all work on the same principle: they first create an AES-encrypted socket to a VPN server, then take all Internet traffic from the client and encapsulate the packets inside that single secure socket. When the packets get to the server, they are decrypted, decapsulated, and put out on the Internet by the VPN server. Anyone trying to “listen in” on the connection only sees encrypted packets on their way to the VPN server. They cannot see the end destination, or what servers are being visited.
But this single socket design has big downsides. First of all, there’s no failover. If the internet connection that the socket was created on stops working, the client gets disconnected – even if there is another working connection available to the device. There is also no bonding, so even if you are connected to the internet via Wi-Fi and Cellular, the software picks just one and you’re stuck on that connection. There’s no way to harness the speed of both.
Nearly all VPNs use AES encryption to protect their data. This is a tried and true, standards-based encryption mechanism. But on many mobile processors* it’s both slow and a big battery drain.
*Some newer mobile processors are including AES hardware instructions that can help AES perform much better, but the majority of existing mobile devices do not have AES hardware support.
Speedify, a New Kind of VPN
Speedify has been designed from the ground up to be the ultimate VPN for wireless users and is built on the new Speedify protocol, which delivers unique connection bonding, fast encryption, and error correction. Speedify can combine any available internet connections such as Wi-Fi, Ethernet, Cable, DSL, 3G, 4G, and tethered smartphones into a single faster and more reliable connection.
For mobile users, Speedify uses both Wi-Fi and cellular connections at the same time, so if one of them disappears or disconnects, Speedify will instantly and seamlessly shift traffic to the other. It’s the definitive solution for smartphone users who grow tired of dropped Skype calls, spotty streaming, tortoise-like download speeds, and the constant worry about going over their data usage caps.
There are several core design features which deliver on this vision:
Many Parallel Sockets:
Speedify creates sockets on every internet connection on your device. This means that it can send some packets over one internet connection, and some over another connection, and they are reassembled on the server.
This lets Speedify do all sorts of things that regular VPNs can’t. If one internet connection goes down, it can smoothly transition to the other connection. Your apps won’t notice: sockets and downloads can be moved from one connection to another without breaking.
Fast (and Strong) Encryption for Mobile Processors:
Speedify offers encryption tailored to your device. On newer devices, Speedify uses AES since these have hardware AES engines. If your processor does not support AES acceleration, Speedify will use the ChaCha encryption algorithm to deliver fast, secure performance, which works even on older phones. Although ChaCha may be a funny name, it’s serious technology backed up by open standards.
Another key piece of our security puzzle is Datagram Transport Layer Security (DTLS), which is TLS (SSL) over UDP. This standards-based technology gives us the ability to handle error correction within Speedify (for increased performance in the face of unreliable connections or lost packets) while still providing the same level of security that protects HTTPS websites like Gmail and Facebook.
The encryption in Speedify is provided by DTLS (TLS over UDP) with the cipher suite TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256. This is implemented using Google’s BoringSSL library, which is a fork of OpenSSL.
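The device-dependent cipher choice described above, sketched as an added example (not Speedify's code). It assumes Linux/Android-style /proc/cpuinfo text as the source of CPU features; the AES-GCM suite name and all function names are assumptions, and only the ChaCha20 suite is named on this page.

```python
# Added example: pick an AEAD preference order from CPU feature flags.
import re

CHACHA = "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"  # suite named on the page
AES_GCM = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"       # assumed AES counterpart

# OpenSSL/BoringSSL cipher-string names for the two IANA suites above.
OPENSSL_NAME = {
    CHACHA: "ECDHE-ECDSA-CHACHA20-POLY1305",
    AES_GCM: "ECDHE-ECDSA-AES128-GCM-SHA256",
}

# Constructed /proc/cpuinfo excerpts (not captured from real devices).
ARM64_WITH_AES = "processor\t: 0\nFeatures\t: fp asimd evtstrm aes pmull sha1 sha2 crc32\n"
ARMV7_NO_AES = "processor\t: 0\nFeatures\t: half thumb fastmult vfp edsp neon vfpv4\n"
X86_VAES_ONLY = "processor\t: 0\nflags\t\t: fpu sse2 avx vaes\n"  # tests token matching


def cores_with_aes(cpuinfo):
    """One bool per core: does its 'flags' (x86) or 'Features' (ARM) line list 'aes'?"""
    result = []
    for line in cpuinfo.splitlines():
        m = re.match(r"(flags|Features)\s*:\s*(.*)$", line)
        if m:
            # Compare whole tokens so 'vaes' or 'aesni' never count as 'aes'.
            result.append("aes" in m.group(2).split())
    return result


def cipher_preference(cpuinfo):
    """Return IANA suite names, most preferred first."""
    per_core = cores_with_aes(cpuinfo)
    # No flag data, or any core without the flag, counts as "no acceleration".
    has_aes = bool(per_core) and all(per_core)
    return [AES_GCM, CHACHA] if has_aes else [CHACHA, AES_GCM]


def openssl_cipher_string(cpuinfo):
    """Colon-separated list in the form OpenSSL-style cipher strings use."""
    return ":".join(OPENSSL_NAME[s] for s in cipher_preference(cpuinfo))


if __name__ == "__main__":
    for name, sample in [("arm64", ARM64_WITH_AES), ("armv7", ARMV7_NO_AES)]:
        print(name, openssl_cipher_string(sample))
```

Both suites are AEAD constructions, so the preference order changes speed and battery cost, not whether packets are authenticated.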
Speedify automatically optimizes your network traffic for better performance. One important part of this is error correction that automatically detects and recovers lost packets, often before a TCP connection considers the packet lost. This prevents TCP connections from slowing down in the face of lost packets. On a lossy network, TCP connections can perform much better when running over Speedify.
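One way to recover a lost packet without waiting for a retransmission is XOR-parity forward error correction, shown here as an added example. The page does not say which scheme Speedify uses; the framing (2-byte length prefix, one parity packet per group) and all function names are assumptions for illustration.

```python
# Added example: single-loss recovery with one XOR parity packet per group.
import struct
from functools import reduce


def _frame(payload, width):
    """Length-prefix and zero-pad so every frame in a group has equal size."""
    return (struct.pack("!H", len(payload)) + payload).ljust(width, b"\0")


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def make_parity(group):
    """Sender side: XOR of all framed payloads in the group."""
    width = 2 + max(len(p) for p in group)
    return reduce(_xor, (_frame(p, width) for p in group))


def recover(received, parity, k):
    """Receiver side. `received` maps index -> payload for packets that arrived.

    Returns all k payloads in order, or None when more than one is missing
    (one parity packet can rebuild only one loss; the rest needs retransmission).
    """
    missing = [i for i in range(k) if i not in received]
    if len(missing) > 1:
        return None
    if missing:
        frames = [_frame(p, len(parity)) for p in received.values()]
        rebuilt = reduce(_xor, frames, parity)   # parity XOR survivors = lost frame
        (length,) = struct.unpack("!H", rebuilt[:2])
        received = {**received, missing[0]: rebuilt[2:2 + length]}
    return [received[i] for i in range(k)]


# Constructed sample group of three packets of different lengths.
GROUP = [b"GET /a", b"POST /longer-path", b"ack"]
PARITY = make_parity(GROUP)

if __name__ == "__main__":
    arrived = {0: GROUP[0], 2: GROUP[2]}         # packet 1 was dropped
    print(recover(arrived, PARITY, len(GROUP)))
```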
Head to Head Comparison
In our tests, we compared Speedify with an OpenVPN access server (v2.1.2), by installing both servers on the same Linode server in Newark, NJ. The OpenVPN server was using AES-128-GCM to take advantage of hardware acceleration on most devices. For performance testing, we used iPerf3.
For this test, each device was connected to a Wi-Fi connection and iPerf3 was used to test the speed of the Wi-Fi network without a VPN, with Speedify, and with OpenVPN.
The processing power of the device has a big impact on the top speed it can reach with encryption. With most of the devices, Speedify was significantly faster than OpenVPN. This is mostly because of the difference between Speedify’s ChaCha encryption vs OpenVPN’s AES cipher. With the iPad Air 2 on a fast 130Mbps Wi-Fi network, Speedify was 97% faster than OpenVPN. In some cases, with the iPhone 5 for example, OpenVPN outperformed Speedify.
Packet Loss Performance
To see how Speedify compares to OpenVPN under packet loss, we used network emulation to introduce varying amounts of packet loss into the network. The table below shows the results with the iPhone 6.
In short, packet loss is bad. Even 0.1% packet loss costs both OpenVPN and the bare network around 40% of performance. At 1% packet loss, they both lose over 75% of their speed.
Here you can see the benefits of Speedify’s error correcting techniques. Speedify is almost unaffected by 0.1% loss, and although 1% loss slows Speedify by 40%, it’s 188% faster than OpenVPN on the same network conditions.
To compare what happens during a connection failure, we started a 15-second iPerf test on an iPhone 6 and shut off the Wi-Fi around 6 seconds into the test. The table shows the speed of each test over the 30 seconds.
With no VPN running and with OpenVPN running, shutting off the Wi-Fi completely kills the test. Even though the phone has an active cellular connection, the iPerf socket breaks and we would have to restart the test to use the cellular connection. With Speedify running, there is a brief interruption in speed as Speedify detects that the Wi-Fi connection is gone and switches the traffic to the cellular connection. The stream continues over the cellular connection for the remainder of the 15 seconds.
A unique feature of Speedify is that it can bond together multiple Internet connections for higher speeds. A traditional VPN will only use one Internet connection at a time, limiting you to the speed of that connection.
Below are results of Speedify combining a 20Mbps Wi-Fi connection with the Cellular connection on different mobile devices. iPerf3 was used to run all tests.
| Device | Wi-Fi Download (Mbps) | Cellular Download (Mbps) | Speedify Download Wi-Fi + Cellular (Mbps) |
Speedify can efficiently bond multiple Internet connections for faster uploads and downloads.
In head to head tests against OpenVPN, Speedify demonstrated:
- Encrypted downloads on mobile phones can be 97% faster with Speedify
- Downloads with 1% packet loss – 188% faster with Speedify
- Failover performance – Only Speedify successfully completed
- Bonding performance – Speedify was able to utilize both the Wi-Fi and Cellular connections to achieve speeds faster than the Wi-Fi connection alone