Changes between Version 6 and Version 7 of DataChannelOffload
- Timestamp: 01/16/22 20:57:34 (2 years ago)
DataChannelOffload
v6 v7 30 30 Context switch is therefore reduced to the minimum and packet processing can take advantage of the kernel concurrency model. 31 31 The two main OpenVPN functions, crypto and routing, are implemented using the kernel provided API. 32 For what concerns routing, the system routing table is directly used to understand if packets have to re-routed directly to another peer (i.e. client-to-client mode), without the need to ask the userspace process.32 For what concerns routing, the system routing table is directly used to understand if packets have to be re-routed directly to another peer (i.e. client-to-client mode), without the need to ask the userspace process at all. 33 33 34 OpenVPN in userspace is still in charge of handling the control channel, where all the complex and less throughput-critical operations take place. This is considered an advantage as it allowed to keep the complexity of the ovpn-dco kernel module to the minimum and thus reduce the attack surface. 34 OpenVPN in userspace is still in charge of handling the control channel, where all the complex and less throughput-critical operations take place. This is considered an advantage as it allowed to keep the complexity of the ovpn-dco kernel module to the minimum and thus reduce the attack surface. This means that the TLS handshake, data channel key (re-)negotiations and parameters exchange is still performed in userspace. 35 35 36 36 Please note that **OpenVPN 2.6 or greater** is required in order to use ovpn-dco. … … 40 40 === DCO on Windows 41 41 A kernel module has also been developed for Windows, namely ''ovpn-dco-win''. 42 It is a device driver implemented in kernelspace that substitutes all previous drivers used by OpenVPN (i.e. tap-windows6, wintun, etc..). 
Differently from the other drivers, ovpn-dco-win uses the Windows Kernel API to also implement crypto operations, thus allowing t o process data packets entirely in kernelspace, similarly to ovpn-dco for Linux.42 It is a device driver implemented in kernelspace that substitutes all previous drivers used by OpenVPN (i.e. tap-windows6, wintun, etc..). Differently from the other drivers, ovpn-dco-win uses the Windows Kernel API to also implement crypto operations, thus allowing the driver to process data packets entirely in kernelspace, similarly to ovpn-dco for Linux. 43 43 The main limitation of ovpn-dco-win is that it only supports client/p2p mode, while server mode is not available. This decision was made due to the fact that there is less and less demand for running OpenVPN server on Windows. 44 44
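Review bot: The sentence added to new line 34 has a compound subject with a singular verb ("the TLS handshake, data channel key (re-)negotiations and parameters exchange is still performed in userspace"); suggest "are still performed" and "parameter exchange". Since this sentence is what backs the attack-surface claim just before it, it would also read better placed directly after "where all the complex and less throughput-critical operations take place", so the list of userspace duties comes before the conclusion drawn from it.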
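Review bot: New line 42 fixes "allowing t o process" but keeps "(i.e. tap-windows6, wintun, etc..)" unchanged, which still has a doubled period and pairs "i.e." with "etc."; since the list is open-ended, suggest "(e.g. tap-windows6, wintun)". While the line is being touched, "Differently from the other drivers" could become "Unlike the other drivers".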