Mayrand on How to Avoid VPN Hairpinning

VPN Hairpinning and Streaming Video

In today’s blog, we’re talking about VPN, streaming video and how to avoid VPN hairpinning. Today’s streaming solutions—which mostly sit in the cloud—used over VPN can put a massive strain on your network. Add the fact that demand for enterprise streaming video is at an all-time high, and you have a recipe for network congestion.


VPN + Streaming Video = Network Congestion

With the mad dash to accommodate employees working from home, your virtual private network (VPN) solution may be in overdrive. And if VPN is an important part of your overall security strategy, your network might be struggling to keep up.

Although working from home offers health and safety benefits, it’s raised many questions around the safety of corporate data. Whenever you make corporate resources available to people not working on the corporate network, you put your company at risk.

One option to minimize risk is to deploy a VPN. Virtual private networks have long been the go-to for remote security, and their use is on the rise. According to an OpenVPN study, 68% of employees say their company expanded VPN usage as a direct result of COVID-19, and 29% say their organization started using a VPN for the first time.

But the increasing number of cloud-based solutions makes using VPN a little more complex. Add streaming video to the mix, and you have a recipe for disaster. All of a sudden, your network slows, and so does every other business application. So, what’s happening?

We sat down with Ramp’s Director of Partner Enablement and Solutions Architect Gil Mayrand to learn more.

Q. What happens to your network when you stream video over VPN?

With so many people working from home, using VPN has become a way of life for many. Before we go too deep into streaming video over VPN, let’s first talk about a few basics.  

As the name implies, a VPN creates a private network for employees using the public internet to access corporate resources when they’re not in the office. With VPN, users securely access tools, applications and other resources housed behind the corporate firewall. It does this by creating an encrypted tunnel to transfer data between users and your local network.  

There are many benefits to VPN. First and foremost is security. The encryption and anonymity that a VPN provides protects the users’ online activities as well as the information and data they’re accessing. In addition, VPN keeps browsing history, IP address, location info, and data you send/receive hidden from potential hackers.

But with so many people working from home, a lot of information is being pushed through the VPN. This can create a bottleneck at the VPN and slow things down. You might be asking why.

Well, a lot is going on when you use cloud-based applications with VPN. First, the user request—or traffic—comes through the VPN and back out to the public internet to the cloud-based resource. Then it comes back through the firewall and out to the user through VPN. Essentially, the traffic is doubled. This is called VPN hairpinning.

VPN Hairpinning

Now imagine if you’re streaming video using VPN. Many of the leading streaming solutions are delivered in the cloud. Take Microsoft Stream for example. When a user presses play to watch a Microsoft live event, the request is sent through the VPN, across the corporate network out to the internet, then back through the corporate network and VPN to the viewer. So, what was once approximately 3.5 Mbps is now taking up 7 Mbps of bandwidth. Multiply that by hundreds or thousands of users, and now your network, corporate internet connections and VPN become congested.

Q. How can you avoid VPN hairpinning when it comes to enterprise streaming video?

You have three options. You can buy more bandwidth, split tunnel the streams, or deploy a caching eCDN.

Buy more bandwidth

First, let’s immediately disqualify buying more bandwidth as a solution for VPN hairpinning. Since working from home is temporary for most workers, it’ll be hard to prove ROI (return on investment) for buying more bandwidth. Although you can probably quantify you need more bandwidth today, it might be hard to justify needing the same amount when employees return to the office.

Split tunneling

Split tunneling is another way to avoid VPN hairpinning, but it introduces risk. If you’re not familiar with split tunneling, it allows you to route certain traffic through the VPN while routing other traffic, your streaming video for example, through a separate tunnel on the open network.

Chances are, most of your video content is proprietary in some way. So, if your viewers are going directly to the streaming platform in the cloud versus through VPN, your streams—and your content—are at risk.

The biggest risk is the accidental disclosure of information that you intended to be secure, because now, it is accessible via the internet. You lose layers of security and privacy because the streams themselves bypass your corporate controls on internet security. Without VPN, the bad guys can intercept your company meetings, employee trainings, and the like.   

Video caching

Although split tunneling is an option, it’s not the best option. I’d like to offer up a creative solution to avoid dreaded VPN hairpinning. Instead, deploy a video caching solution. Caching is an effective way to store data—like video—so requests for that same data can be distributed faster and with minimal delay.

You can liken it to video we watch every day over the internet, like Netflix or Disney+, which is delivered using a traditional content delivery network or CDN. You’re probably already familiar with the Akamai, AWS and Azures of the world. These CDNs deliver video to viewers closest to them.

You can use the same concept to build a similar environment using caches inside of your network to deliver video from points inside of the firewall. Here’s how it works.

When the first viewer requests a video, the cache retrieves it from the source and stores a local copy. So, only the caches would request videos directly from your streaming platform in the cloud (i.e. Microsoft Stream). Then, when another viewer wants to watch a video, they get it from the cache, which resides behind your firewall.  

As a result, video streams are not passing in and out of your network twice. You’re no longer doubling the bandwidth to stream one video. No more VPN hairpinning.  And here’s the best part. You will not only realize ROI now, but also later when employees return to the office and access your videos while on the corporate network.
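The following is an added example, not part of the interview and not Ramp's code: a small model of the traffic crossing the corporate internet link for one event, with and without a cache behind the firewall. The 2-second segment size, the viewer counts and every name in it are assumptions chosen for illustration; only the roughly 3.5 Mbps stream rate comes from the text above.

```python
from dataclasses import dataclass, field

SEGMENT_MBIT = 7.0  # assumption: one 2-second segment of a ~3.5 Mbps stream

@dataclass
class SegmentCache:
    """Cache behind the firewall: each segment is fetched from the cloud once."""
    store: set = field(default_factory=set)
    origin_fetches: int = 0

    def get(self, segment_id):
        if segment_id not in self.store:   # miss: one trip to the cloud origin
            self.store.add(segment_id)
            self.origin_fetches += 1
        return segment_id                  # hit, or just filled: served locally

def internet_link_mbit(remote_viewers, office_viewers, segments, use_cache):
    """Megabits crossing the corporate internet link for one event.

    inbound  = cloud platform -> corporate network
    outbound = corporate network -> remote viewer, inside the VPN tunnel
    """
    cache = SegmentCache()
    inbound = outbound = 0.0
    for seg in range(segments):
        for viewer in range(remote_viewers + office_viewers):
            if use_cache:
                before = cache.origin_fetches
                cache.get(seg)
                inbound += SEGMENT_MBIT * (cache.origin_fetches - before)
            else:
                inbound += SEGMENT_MBIT    # every viewer pulls a separate copy
            if viewer < remote_viewers:
                outbound += SEGMENT_MBIT   # copy sent back out over the VPN
    return {"inbound": inbound, "outbound": outbound, "total": inbound + outbound}

def compare(remote_viewers, office_viewers, segments):
    """Return (no-cache load, cached load, fraction of link traffic saved)."""
    hairpin = internet_link_mbit(remote_viewers, office_viewers, segments, False)
    cached = internet_link_mbit(remote_viewers, office_viewers, segments, True)
    return hairpin, cached, 1 - cached["total"] / hairpin["total"]

if __name__ == "__main__":
    # Constructed scenarios: 200 viewers, 30 segments (one minute of video).
    print("all remote:", compare(200, 0, 30))
    print("all office:", compare(0, 200, 30))
```

In this model the cache removes the per-viewer download from the cloud in both scenarios; remote viewers still receive their own copy through the VPN, so the all-remote saving on the internet link is close to half, while the all-office saving is far larger.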

Q. What is Ramp OmniCache and how does it optimize streaming video?

Let’s flip the switch and focus on the benefits of Ramp OmniCache when employees are working in your offices. OmniCache is Ramp’s intelligent video caching eCDN (enterprise content delivery network). We developed it to specifically store and distribute live and recorded video from any streaming platform.

You start by installing OmniCache software on virtual or physical servers in key locations around your network. You basically create a mesh network with your caches, set up redundancy and a few other variables like bitrates for different subnets. With a little extra work, you can fine-tune it to get an optimal experience—whether employees are working from home or from the office.

Then when the first viewer requests a video, the cache retrieves it from your video source and stores a local copy. When another viewer in the same location requests the video, they receive it from the local cache—saving the distance and number of times the video needs to travel across your network. We estimate this saves 95% or more of the bandwidth needed to stream video.

Q. How can OmniCache optimize video for employees who are not working in the office?

You’d take a similar approach to optimize video delivery for employees who are working from home. You’ll deploy Ramp OmniCache, and the VPN will use it to deliver video to viewers. When an employee requests a video, the OmniCache will retrieve a copy from the streaming source, store it, and serve it to everyone making the same request. As a result, you avoid the duplicate traffic that comes with VPN hairpinning.


Unlike other caching solutions, OmniCache works with both HTTP and HTTPS delivery. Normally HTTPS isn’t cacheable, but the patented technology powering OmniCache enables the delivery of a video payload inside an encrypted packet that is then wrapped in plain HTTP, meaning the payload remains secure, while making the content cacheable.

It’s also vendor neutral, so it works with virtually any streaming platform, including Microsoft Stream and Teams, Brightcove, Intrado and Kaltura.

Ramp OmniCache has a ton of other features, including self-healing properties to provide stability and resiliency. You can also pre-position videos at the caches, which helps you avoid spikes in bandwidth usage.

Our centralized management system, Ramp Altimeter, allows you to configure, manage and visually monitor your entire eCDN deployment. And did I mention OmniCache doesn’t require client software or plugins? We’ve made this as easy as possible for you.  

If you want to learn more about the benefits of OmniCache, you can read our solution brief. I am also more than willing to talk about it in detail and explain how an eCDN would benefit your network—regardless of whether people are working from home or from the office.

Q. Why would you choose a solution like Ramp OmniCache over a regular caching solution?

Our customers and prospects actually ask us that very question a lot. Many of our potential customers tell us they’re using a WAN accelerator like Riverbed, F5 or Blue Coat, and ask if they are sufficient to transport video across the enterprise network.

Well, OmniCache is a lot different than those solutions. It is specifically designed for video. Video data is larger and contains a lot more data than your average text or graphic file. So, if you have a cache that is meant to cache all things internet, such as JPEG files, small text files or HTML files, it won’t be as efficient at storing and distributing large video files.

Because WAN accelerators are meant to cache all types of files, their blocks are usually smaller. This means they need to stripe the video data across more blocks, which causes more reads and writes and a longer caching time. You lose a ton of efficiency.

Ramp built OmniCache specifically to distribute streaming video on corporate networks. It caches the content in larger blocks, which means fewer reads and writes to the memory for each video. The result is your streaming videos—whether live or on demand—load faster and use less bandwidth. In turn, you improve your viewers’ quality of experience with less buffering and jitter.
