linux-kernel.vger.kernel.org archive mirror
* [RFC 0/1] Introducing OpenVPN Data Channel Offload
From: Antonio Quartulli @ 2022-07-19  1:47 UTC
  To: netdev; +Cc: Antonio Quartulli, David Miller, Jakub Kicinski, linux-kernel

Hi all!

With this RFC I want to introduce OpenVPN Data Channel Offload (DCO), also
known as ovpn-dco.

The OpenVPN community has long been interested in moving the fast path
to kernel space. Ovpn-dco finally helps achieve this goal.

Ovpn-dco is essentially a device driver that allows creating a virtual
network interface to handle the OpenVPN data channel. Any traffic
entering the interface is encrypted, encapsulated and sent to the
appropriate destination.

Despite technically possible, ovpn-dco requires OpenVPN in userspace
to run along its side in order to be properly configured and maintained
during its life cycle.

The ovpn-dco interface can be created/destroyed via RTNL and then
configured via Netlink API.

Specifically OpenVPN in userspace will:
* create the ovpn-dco interface
* establish the connection with one or more peers
* perform TLS handshake and negotiate any protocol parameter
* configure the ovpn-dco interface with peer data (ip/port, keys, etc.)
* handle any subsequent control channel communication

I'd like to point out the control channel is fully handled in userspace.
The idea is to keep the ovpn-dco kernel module as simple as possible and
let userspace handle all the non-data (non-fast-path) features.

Please note that the userspace code required to drive an ovpn-dco
interface is currently under review and is still being merged to the
OpenVPN master branch. This code will be released with OpenVPN 2.6
(later this year).

If you want to test ovpn-dco, for the time being you need to switch to
the "dco" branch of the official repo hosted at
https://github.com/OpenVPN/openvpn (or at our GitLab mirror).

Note that OpenVPN3-Linux (https://github.com/OpenVPN/openvpn3-linux)
has already supported ovpn-dco for a while, but this software is client
only.

The ovpn-dco code that can be built as out-of-tree module is available
here https://github.com/OpenVPN/ovpn-dco (we try to keep some
compatibility with older kernels too).

In the past months I also created an OpenWRT feed in order to allow
developers to test ovpn-dco, available at
https://github.com/OpenVPN/openvpn-dev-openwrt

For more technical details please refer to the actual patch commit message.

Please note that the patch also touches a few files outside of the
ovpn-dco folder.
Specifically it adds a new macro named NLA_POLICY_MAX_LEN to net/netlink.h
and also adds a new constant named UDP_ENCAP_OVPNINUDP to linux/udp.h.

With this RFC I would love to get some feedback from the netdev and
kernel community in the attempt of reaching a status where ovpn-dco
could be merged upstream.

Any comment, concern, statement will be appreciated.

Thanks a lot!

Best Regards,

Antonio Quartulli
OpenVPN Inc.

---

Antonio Quartulli (1):
  net: introduce OpenVPN Data Channel Offload (ovpn-dco)

 MAINTAINERS                        |    8 +
 drivers/net/Kconfig                |   19 +
 drivers/net/Makefile               |    1 +
 drivers/net/ovpn-dco/Makefile      |   21 +
 drivers/net/ovpn-dco/addr.h        |   41 +
 drivers/net/ovpn-dco/bind.c        |   62 ++
 drivers/net/ovpn-dco/bind.h        |   67 ++
 drivers/net/ovpn-dco/crypto.c      |  154 ++++
 drivers/net/ovpn-dco/crypto.h      |  144 ++++
 drivers/net/ovpn-dco/crypto_aead.c |  369 +++++++++
 drivers/net/ovpn-dco/crypto_aead.h |   27 +
 drivers/net/ovpn-dco/main.c        |  281 +++++++
 drivers/net/ovpn-dco/main.h        |   39 +
 drivers/net/ovpn-dco/netlink.c     | 1132 ++++++++++++++++++++++++++++
 drivers/net/ovpn-dco/netlink.h     |   22 +
 drivers/net/ovpn-dco/ovpn.c        |  597 +++++++++++++++
 drivers/net/ovpn-dco/ovpn.h        |   43 ++
 drivers/net/ovpn-dco/ovpnstruct.h  |   59 ++
 drivers/net/ovpn-dco/peer.c        |  878 +++++++++++++++++++++
 drivers/net/ovpn-dco/peer.h        |  168 +++++
 drivers/net/ovpn-dco/pktid.c       |  127 ++++
 drivers/net/ovpn-dco/pktid.h       |  116 +++
 drivers/net/ovpn-dco/proto.h       |  101 +++
 drivers/net/ovpn-dco/rcu.h         |   21 +
 drivers/net/ovpn-dco/skb.h         |   54 ++
 drivers/net/ovpn-dco/sock.c        |  134 ++++
 drivers/net/ovpn-dco/sock.h        |   54 ++
 drivers/net/ovpn-dco/stats.c       |   20 +
 drivers/net/ovpn-dco/stats.h       |   67 ++
 drivers/net/ovpn-dco/tcp.c         |  324 ++++++++
 drivers/net/ovpn-dco/tcp.h         |   38 +
 drivers/net/ovpn-dco/udp.c         |  338 +++++++++
 drivers/net/ovpn-dco/udp.h         |   25 +
 include/net/netlink.h              |    1 +
 include/uapi/linux/ovpn_dco.h      |  265 +++++++
 include/uapi/linux/udp.h           |    1 +
 36 files changed, 5818 insertions(+)
 create mode 100644 drivers/net/ovpn-dco/Makefile
 create mode 100644 drivers/net/ovpn-dco/addr.h
 create mode 100644 drivers/net/ovpn-dco/bind.c
 create mode 100644 drivers/net/ovpn-dco/bind.h
 create mode 100644 drivers/net/ovpn-dco/crypto.c
 create mode 100644 drivers/net/ovpn-dco/crypto.h
 create mode 100644 drivers/net/ovpn-dco/crypto_aead.c
 create mode 100644 drivers/net/ovpn-dco/crypto_aead.h
 create mode 100644 drivers/net/ovpn-dco/main.c
 create mode 100644 drivers/net/ovpn-dco/main.h
 create mode 100644 drivers/net/ovpn-dco/netlink.c
 create mode 100644 drivers/net/ovpn-dco/netlink.h
 create mode 100644 drivers/net/ovpn-dco/ovpn.c
 create mode 100644 drivers/net/ovpn-dco/ovpn.h
 create mode 100644 drivers/net/ovpn-dco/ovpnstruct.h
 create mode 100644 drivers/net/ovpn-dco/peer.c
 create mode 100644 drivers/net/ovpn-dco/peer.h
 create mode 100644 drivers/net/ovpn-dco/pktid.c
 create mode 100644 drivers/net/ovpn-dco/pktid.h
 create mode 100644 drivers/net/ovpn-dco/proto.h
 create mode 100644 drivers/net/ovpn-dco/rcu.h
 create mode 100644 drivers/net/ovpn-dco/skb.h
 create mode 100644 drivers/net/ovpn-dco/sock.c
 create mode 100644 drivers/net/ovpn-dco/sock.h
 create mode 100644 drivers/net/ovpn-dco/stats.c
 create mode 100644 drivers/net/ovpn-dco/stats.h
 create mode 100644 drivers/net/ovpn-dco/tcp.c
 create mode 100644 drivers/net/ovpn-dco/tcp.h
 create mode 100644 drivers/net/ovpn-dco/udp.c
 create mode 100644 drivers/net/ovpn-dco/udp.h
 create mode 100644 include/uapi/linux/ovpn_dco.h

-- 
2.35.1

