From patchwork Thu Aug 4 23:37:03 2022
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 2632
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Cc: Antonio Quartulli
Date: Fri, 5 Aug 2022 11:37:03 +0200
Message-Id: <20220805093703.27940-1-a@unstable.cc>
In-Reply-To: <20220805065844.15471-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH v3 15/25] dco: add documentation for ovpn-dco-linux
Signed-off-by: Antonio Quartulli Acked-By: Frank Lichtenheld --- Changes from v2: * more adjustments Changes from v1: * removed text about TCP drop (cannot reproduce at the moment) * clarified version requirements for p2p and client mode --- Changes.rst | 9 ++ README.dco.md | 122 ++++++++++++++++++++++++++ doc/man-sections/advanced-options.rst | 13 +++ doc/man-sections/server-options.rst | 6 ++ 4 files changed, 150 insertions(+) create mode 100644 README.dco.md diff --git a/Changes.rst b/Changes.rst index 67a23c79..275f8d64 100644 --- a/Changes.rst +++ b/Changes.rst @@ -79,6 +79,15 @@ Cookie based handshake for UDP server shake. The tls-crypt-v2 option allows controlling if older clients are accepted. +Data channel offloading with ovpn-dco + 2.6.0+ implements support for data-channel offloading where the data packets + are directly processed and forwarded in kernel space thanks to the ovpn-dco + kernel module. The userspace openvpn program acts purely as a control plane + application. Note that DCO will use DATA_V2 packets in P2P mode, therefore, + this implies that peers must be running 2.6.0+ in order to have P2P-NCP + which brings DATA_V2 packet support. + + Deprecated features ------------------- ``inetd`` has been removed diff --git a/README.dco.md b/README.dco.md new file mode 100644 index 00000000..702c5cf3 --- /dev/null +++ b/README.dco.md 
@@ -0,0 +1,122 @@ +OpenVPN data channel offload +============================ +2.6.0+ implements support for data-channel offloading where the data packets +are directly processed and forwarded in kernel space thanks to the ovpn-dco +kernel module. The userspace openvpn program acts purely as a control plane +application. + + +Overview of current release +--------------------------- +- See the "Limitations by design" and "Current limitations" sections for + features that are not and/or will not be supported by OpenVPN + ovpn-dco. + + +Getting started (Linux) +----------------------- +- Use a recent Linux kernel. Linux 5.4.0 and newer are known to work with + ovpn-dco. + +Get the ovpn-dco module from one these urls and build it: + +* https://gitlab.com/openvpn/ovpn-dco +* https://github.com/OpenVPN/ovpn-dco + +e.g. + + git clone https://github.com/OpenVPN/ovpn-dco + cd ovpn-dco + make + sudo make install + +If you want to report bugs please ensure to compile ovpn-dco with +`make DEBUG=1` and include any debug message being printed by the +kernel (you can view those messages with `dmesg`). + +Clone and build OpenVPN (or use OpenVPN 2.6+). For example: + + git clone https://github.com/openvpn/openvpn.git + cd openvpn + autoreconf -vi + ./configure --enable-dco + make + sudo make install # Or just run src/openvpn/openvpn + +When starting openvpn it will automatically detect DCO support and use the +kernel module. Add the option `--disable-dco` to disable data channel offload +support. If the configuration contains an option that is incompatible with +data channel offloading, OpenVPN will automatically disable DCO support and +warn the user. + +Should OpenVPN be configured to use a feature that is not supported by ovpn-dco +or should the ovpn-dco kernel module not be available on the system, you will +see a message like + + Note: Kernel support for ovpn-dco missing, disabling data channel offload. + +in your log. 
+ + +DCO and P2P mode +---------------- +DCO is also available when running OpenVPN in P2P mode without `--pull` / +`--client` option. P2P mode is useful for scenarios when the OpenVPN tunnel +should not interfere with overall routing and behave more like a "dumb" tunnel, +like GRE. + +However, DCO requires DATA_V2 to be enabled, which is available for P2P mode +only in OpenVPN 2.6 and later. + +OpenVPN prints a diagnostic message for the P2P NCP result when running in P2P +mode: + + P2P mode NCP negotiation result: TLS_export=1, DATA_v2=1, peer-id 9484735, cipher=AES-256-GCM + +Double check that you have `DATA_v2=1` in your output and a supported AEAD +cipher (AES-XXX-GCM or CHACHA20POLY1305). + + +Routing with ovpn-dco +--------------------- +The ovpn-dco kernel module implements a more transparent approach to +configuring routes to clients (aka "iroutes") and consults the main kernel +routing tables for forwarding decisions. + +- Each client has a VPN IPv4 and/or a VPN IPv6 assigned to it; +- additional IP ranges can be routed to a client by adding a route with + a client VPN IP as the gateway/nexthop (i.e. ip route add a.b.c.d/24 via + $VPNIP); +- due to the point above, there is no real need to add a companion `--route` for + each `--iroute` directive, unless you want to blackhole traffic when the + specific client is not connected; +- no internal routing is available. If you need truly internal routes, this can + be achieved either with filtering using `iptables` or using `ip rule`; +- client-to-client behaviour, as implemented in userspace, does not exist: + packets always reach the tunnel interface and are then re-routed to the + destination peer based on the system routing table. 
+ + +Limitations by design +---------------------- +- Layer 3 (dev tun) only; +- only the following AEAD ciphers are currently supported: Chacha20-Poly1305 + and AES-GCM-128/192/256; +- no support for compression or compression framing: + - see also the `--compress migrate` option to move to a setup without + compression; +- various features not implemented since they have better replacements: + - `--shaper`, use tc instead; + - packet manipulation, use nftables/iptables instead; +- OpenVPN 2.4.0 is the minimum version required for peers to connect: + - older versions are missing support for the AEAD ciphers; +- topology subnet is the only supported `--topology` for servers; +- iroute directives install routes on the host operating system, see also + Routing with ovpn-dco. + + +Current implementation limitations +------------------- +- `--persist-tun` not tested; +- IPv6 mapped IPv4 addresses need Linux 5.4.189+/5.10.110+/5.12+ to work; +- some incompatible options may not properly fallback to non-dco; +- no per client statistics. Only total statistics available on the interface. diff --git a/doc/man-sections/advanced-options.rst b/doc/man-sections/advanced-options.rst index 5157c561..d5a6b4f2 100644 --- a/doc/man-sections/advanced-options.rst +++ b/doc/man-sections/advanced-options.rst 
@@ -91,3 +91,16 @@ used when debugging or testing out special usage scenarios. *(Linux only)* Set the TX queue length on the TUN/TAP interface. Currently defaults to operating system default. +--disable-dco + Disables the opportunistic use of data channel offloading if available. + Without this option, OpenVPN will opportunistically use DCO mode if + the config options and the running kernel supports using DCO. + + Data channel offload currently requires data-ciphers to only contain + AEAD ciphers (AES-GCM and Chacha20-Poly1305) and Linux with the + ovpn-dco module. + + Note that some options have no effect or cannot be used when DCO mode + is enabled. + + On platforms that do not support DCO ``disable-dco`` has no effect. diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 04f4b4fb..54ea8b66 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -325,6 +325,12 @@ fast hardware. SSL/TLS authentication must be used in this mode. from the kernel to OpenVPN. Once in OpenVPN, the ``--iroute`` directive routes to the specific client. + However, when using DCO, the ``--iroute`` directive is usually enough + for DCO to fully configure the routing table. The extra ``--route`` + directive is required only if the expected behaviour is to route the + traffic for a specific network to the VPN interface also when the + responsible client is not connected (traffic will then be dropped). + This option must be specified either in a client instance config file using ``--client-config-dir`` or dynamically generated using a ``--client-connect`` script.
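Review bot: In the Changes.rst hunk, the closing sentence of the new "Data channel offloading with ovpn-dco" entry stacks two connectives ("therefore, this implies"); suggest "Note that DCO uses DATA_V2 packets in P2P mode, so peers must run 2.6.0+ to get P2P-NCP, which brings DATA_V2 packet support." The entry could also state the platform scope in one clause (the README heading says "Getting started (Linux)" and the advanced-options text says "Linux with the ovpn-dco module"), so a reader of the changelog alone is not left guessing whether the offload applies to other platforms.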
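Review bot: In the README.dco.md hunk, "Getting started (Linux)" has a typo, "Get the ovpn-dco module from one these urls" should read "one of these URLs", and "please ensure to compile" should be "please make sure to compile". The same section switches list markers mid-file ("- Use a recent Linux kernel" but "* https://gitlab.com/openvpn/ovpn-dco"); pick one marker for the whole README. The kernel requirement also reads inconsistently across sections: "Linux 5.4.0 and newer are known to work" up front, but "Current implementation limitations" says IPv6-mapped IPv4 addresses need "Linux 5.4.189+/5.10.110+/5.12+". Suggest a pointer from the Getting started bullet to that limitation so operators on an older 5.4 kernel know which feature is affected.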
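Review bot: Still in README.dco.md, the peer version statements in "Limitations by design" and "DCO and P2P mode" need reconciling: the first says "OpenVPN 2.4.0 is the minimum version required for peers to connect", the second says DATA_V2 is available for P2P "only in OpenVPN 2.6 and later". Since the cover note says v2 "clarified version requirements for p2p and client mode", suggest qualifying the 2.4.0 bullet as applying to client/server mode and adding "P2P mode requires 2.6+" next to it. Cipher naming is also spelled three ways ("CHACHA20POLY1305", "Chacha20-Poly1305", "AES-XXX-GCM" versus "AES-GCM-128/192/256"); one spelling, ideally the one users will see in the NCP log line, would help people match the diagnostic. In "Routing with ovpn-dco", the bullet "client-to-client behaviour, as implemented in userspace, does not exist" would be clearer if it spelled out the consequence: with DCO the host routing table and packet filter decide whether one client can reach another, so the `iptables` / `ip rule` advice from the "no internal routing" bullet is also how client-to-client reachability is restricted.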
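Review bot: In the advanced-options.rst hunk, "if the config options and the running kernel supports using DCO" has a subject/verb mismatch; "support" is needed. Option references should use the manpage's existing form with the leading dashes: ``--disable-dco`` rather than ``disable-dco`` in the last paragraph, and ``--data-ciphers`` rather than bare "data-ciphers" in the second (the server-options hunk already writes ``--iroute`` and ``--route`` that way). Since the text says OpenVPN falls back silently when "the config options and the running kernel" do not allow DCO, consider quoting the log line the README documents ("Note: Kernel support for ovpn-dco missing, disabling data channel offload.") so users can verify from the log whether offload is actually active.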
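Review bot: In the server-options.rst hunk, "to route the traffic for a specific network to the VPN interface also when the responsible client is not connected" reads more naturally as "even when the responsible client is not connected", and the parenthetical "(traffic will then be dropped)" matches the README's "blackhole traffic" wording; using the same term in both places makes it easier to find the related README bullet.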