mbox series

[RFC,0/1] Introducing OpenVPN Data Channel Offload

Message ID 20220719014704.21346-1-antonio@openvpn.net (mailing list archive)
Headers show
Series Introducing OpenVPN Data Channel Offload | expand

Message

Antonio Quartulli July 19, 2022, 1:47 a.m. UTC
Hi all!

With this RFC I want to introduce OpenVPN Data Channel Offload (DCO), also
known as ovpn-dco.

The OpenVPN community has since long been interested in moving the fast path
to kernel space. Ovpn-dco finally helps achieving this goal.

Ovpn-dco is essentialy a device driver that allows creating a virtual
network interface to handle the OpenVPN data channel. Any traffic
entering the interface is encrypted, encapsulated and sent to the
appropriate destination.

Despite technically possible, ovpn-dco requires OpenVPN in userspace
to run along its side in order to be properly configured and maintained
during its life cycle.

The ovpn-dco interface can be created/destroyed via RTNL and then
configured via Netlink API.

Specifically OpenVPN in userspace will:
* create the ovpn-dco interface
* establish the connection with one or more peers
* perform TLS handshake and negotiate any protocol parameter
* configure the ovpn-dco interface with peer data (ip/port, keys, etc.)
* handle any subsequent control channel communication

I'd like to point out the control channel is fully handles in userspace.
The idea is to keep the ovpn-dco kernel module as simple as possible and
let userspace handle all the non-data (non-fast-path) features.

Please note that the userspace code requires to driver an ovpn-dco
interface is currently under review and is still being merged to the
OpenVPN master branch. This code will be released with OpenVPN 2.6
(later this year).

If you want to test ovpn-dco, for the time being you need to switch to
the "dco" branch of the official repo hosted at
https://github.com/OpenVPN/openvpn (or at our GitLab mirror).

Note that OpenVPN3-Linux (https://github.com/OpenVPN/openvpn3-linux)
already supports ovpn-dco since a while, but this software is client
only.

The ovpn-dco code that can be built as out-of-tree module is available
here https://github.com/OpenVPN/ovpn-dco (we try to keep some
compatibility with older kernels too).

In the past months I also created an OpenWRT feed in order to allow
developers to test ovpn-dco, available at
https://github.com/OpenVPN/openvpn-dev-openwrt

For more technical details please refer to the actual patch commit message.

Please note that the patch touches also a few files outside of the
ovpn-dco folder.
Specifically it adds a new macro named NLA_POLICY_MAX_LEN to net/netlink.h
and also adds a new constant named UDP_ENCAP_OVPNINUDP to linux/udp.h.

With this RFC I would love to get some feedback from the netdev and
kernel community in the attempt of reaching a status where ovpn-dco
could be merged upstream.

Any comment, concern, statement will be appreciated.

Thanks a lot!

Best Regards,

Antonio Quartulli
OpenVPN Inc.

---

Antonio Quartulli (1):
  net: introduce OpenVPN Data Channel Offload (ovpn-dco)

 MAINTAINERS                        |    8 +
 drivers/net/Kconfig                |   19 +
 drivers/net/Makefile               |    1 +
 drivers/net/ovpn-dco/Makefile      |   21 +
 drivers/net/ovpn-dco/addr.h        |   41 +
 drivers/net/ovpn-dco/bind.c        |   62 ++
 drivers/net/ovpn-dco/bind.h        |   67 ++
 drivers/net/ovpn-dco/crypto.c      |  154 ++++
 drivers/net/ovpn-dco/crypto.h      |  144 ++++
 drivers/net/ovpn-dco/crypto_aead.c |  369 +++++++++
 drivers/net/ovpn-dco/crypto_aead.h |   27 +
 drivers/net/ovpn-dco/main.c        |  281 +++++++
 drivers/net/ovpn-dco/main.h        |   39 +
 drivers/net/ovpn-dco/netlink.c     | 1132 ++++++++++++++++++++++++++++
 drivers/net/ovpn-dco/netlink.h     |   22 +
 drivers/net/ovpn-dco/ovpn.c        |  597 +++++++++++++++
 drivers/net/ovpn-dco/ovpn.h        |   43 ++
 drivers/net/ovpn-dco/ovpnstruct.h  |   59 ++
 drivers/net/ovpn-dco/peer.c        |  878 +++++++++++++++++++++
 drivers/net/ovpn-dco/peer.h        |  168 +++++
 drivers/net/ovpn-dco/pktid.c       |  127 ++++
 drivers/net/ovpn-dco/pktid.h       |  116 +++
 drivers/net/ovpn-dco/proto.h       |  101 +++
 drivers/net/ovpn-dco/rcu.h         |   21 +
 drivers/net/ovpn-dco/skb.h         |   54 ++
 drivers/net/ovpn-dco/sock.c        |  134 ++++
 drivers/net/ovpn-dco/sock.h        |   54 ++
 drivers/net/ovpn-dco/stats.c       |   20 +
 drivers/net/ovpn-dco/stats.h       |   67 ++
 drivers/net/ovpn-dco/tcp.c         |  324 ++++++++
 drivers/net/ovpn-dco/tcp.h         |   38 +
 drivers/net/ovpn-dco/udp.c         |  338 +++++++++
 drivers/net/ovpn-dco/udp.h         |   25 +
 include/net/netlink.h              |    1 +
 include/uapi/linux/ovpn_dco.h      |  265 +++++++
 include/uapi/linux/udp.h           |    1 +
 36 files changed, 5818 insertions(+)
 create mode 100644 drivers/net/ovpn-dco/Makefile
 create mode 100644 drivers/net/ovpn-dco/addr.h
 create mode 100644 drivers/net/ovpn-dco/bind.c
 create mode 100644 drivers/net/ovpn-dco/bind.h
 create mode 100644 drivers/net/ovpn-dco/crypto.c
 create mode 100644 drivers/net/ovpn-dco/crypto.h
 create mode 100644 drivers/net/ovpn-dco/crypto_aead.c
 create mode 100644 drivers/net/ovpn-dco/crypto_aead.h
 create mode 100644 drivers/net/ovpn-dco/main.c
 create mode 100644 drivers/net/ovpn-dco/main.h
 create mode 100644 drivers/net/ovpn-dco/netlink.c
 create mode 100644 drivers/net/ovpn-dco/netlink.h
 create mode 100644 drivers/net/ovpn-dco/ovpn.c
 create mode 100644 drivers/net/ovpn-dco/ovpn.h
 create mode 100644 drivers/net/ovpn-dco/ovpnstruct.h
 create mode 100644 drivers/net/ovpn-dco/peer.c
 create mode 100644 drivers/net/ovpn-dco/peer.h
 create mode 100644 drivers/net/ovpn-dco/pktid.c
 create mode 100644 drivers/net/ovpn-dco/pktid.h
 create mode 100644 drivers/net/ovpn-dco/proto.h
 create mode 100644 drivers/net/ovpn-dco/rcu.h
 create mode 100644 drivers/net/ovpn-dco/skb.h
 create mode 100644 drivers/net/ovpn-dco/sock.c
 create mode 100644 drivers/net/ovpn-dco/sock.h
 create mode 100644 drivers/net/ovpn-dco/stats.c
 create mode 100644 drivers/net/ovpn-dco/stats.h
 create mode 100644 drivers/net/ovpn-dco/tcp.c
 create mode 100644 drivers/net/ovpn-dco/tcp.h
 create mode 100644 drivers/net/ovpn-dco/udp.c
 create mode 100644 drivers/net/ovpn-dco/udp.h
 create mode 100644 include/uapi/linux/ovpn_dco.h