Changes between Version 3 and Version 4 of DataChannelOffload


Ignore:
Timestamp:
01/15/22 16:19:36 (2 years ago)
Author:
Antonio Quartulli
Comment:

--

Legend:

Unmodified
Added
Removed
Modified

  • DataChannelOffload

    v3 v4  
    11= OpenVPN Data Channel Offload (aka OVPN-DCO)
    2 
    32== Intro
    4 
    5 The expression ''Data Channel Offload'' refers to any technique implemented with the goal of moving the processing of data packets from the userspace program to a separate entity.
     3The expression ''Data Channel Offload'' refers to any technique implemented with the goal of moving the processing of data packets from the OpenVPN userspace program to a separate entity.
    64
    75Given that OpenVPN spends a considerable amount of time passing data packets back and forth from kernel-land to user-land, where decryption and re-routing happens, it was decided to offload the data processing directly to the kernel.
    8 As direct consequence, data packets are not required to leave the kernelspace anymore, thus boosting the performance of ongoing VPN connections.
     6As direct consequence, data packets are not required to leave the kernelspace anymore, thus boosting the performance of active VPN connections.
    97
    108=== Before DCO
    11 
    129The picture below depicts how data packets flow on a generic OpenVPN server:
    1310
     
    2421
    2522=== Introducing DCO
     23To overcome the limitations described in the section above we have developed ''ovpn-dco'', a Linux kernel module designed to work back-to-back with the OpenVPN userspace software.
     24When a VPN connection is established, being it on a client, on a server or on a p2p instance, the userspace process will first perform the usual handshake and will then pass the data channel parameters to ovpn-dco, so that it can take over from there. At this point, data packets are all handled in kernelspace and are never sent up to the userspace process.
    2625
     26The picture below helps to visualize the difference with to the basic scenario shown above:
    2727
     28{image here}
     29
     30Context switch is therefore reduced to the minimum and packet processing can take advantage of the kernel concurrency model.
     31The two main OpenVPN functions, crypto and routing, are implemented using the kernel provided API.
     32For what concerns routing, the system routing table is directly used to understand if packets have to re-routed directly to another peer (i.e. client-to-client mode), without the need to ask the userspace process.
     33
     34OpenVPN in userspace is still in charge of handling the control channel, where all the complex and less throughput-critical operations take place. This is considered an advantage as it allowed to keep the complexity of the ovpn-dco kernel module to the minimum and thus reduce the attack surface.
     35
     36=== DCO on Windows
     37A similar kernel module has also been developed for Windows, namely ''ovpn-dco-win''.
     38It is a device driver implemented in kernelspace that substitutes all previous drivers used by OpenVPN (i.e.