Changes between Version 6 and Version 7 of DataChannelOffload


Timestamp:
01/16/22 20:57:34 (2 years ago)
Author:
Antonio Quartulli
Comment:

--

  • DataChannelOffload

    v6 v7  
    3030Context switch is therefore reduced to the minimum and packet processing can take advantage of the kernel concurrency model.
    3131The two main OpenVPN functions, crypto and routing, are implemented using the kernel provided API.
    32 For what concerns routing, the system routing table is directly used to understand if packets have to re-routed directly to another peer (i.e. client-to-client mode), without the need to ask the userspace process.
     32For what concerns routing, the system routing table is directly used to understand if packets have to be re-routed directly to another peer (i.e. client-to-client mode), without the need to ask the userspace process at all.
    3333
    34 OpenVPN in userspace is still in charge of handling the control channel, where all the complex and less throughput-critical operations take place. This is considered an advantage as it allowed to keep the complexity of the ovpn-dco kernel module to the minimum and thus reduce the attack surface.
     34OpenVPN in userspace is still in charge of handling the control channel, where all the complex and less throughput-critical operations take place. This is considered an advantage as it allowed to keep the complexity of the ovpn-dco kernel module to the minimum and thus reduce the attack surface. This means that the TLS handshake, data channel key (re-)negotiations and parameters exchange is still performed in userspace.
    3535
    3636Please note that **OpenVPN 2.6 or greater** is required in order to use ovpn-dco.
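Review bot: in new line 34 the added sentence pairs a plural subject with a singular verb and is attached to the wrong clause. "This means that the TLS handshake ... is still performed in userspace" follows the attack-surface sentence, so "This" reads as a consequence of the reduced attack surface rather than of userspace keeping the control channel. Suggest moving it directly after the first sentence of the paragraph and writing "the TLS handshake, data channel key (re-)negotiation and parameter exchange are still performed in userspace". While the line is being touched, "it allowed to keep the complexity" could become "it keeps the complexity", and in new line 32 the trailing "at all" adds nothing after "without the need to ask the userspace process".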
     
    4040=== DCO on Windows
    4141A kernel module has also been developed for Windows, namely ''ovpn-dco-win''.
    42 It is a device driver implemented in kernelspace that substitutes all previous drivers used by OpenVPN (i.e. tap-windows6, wintun, etc..). Differently from the other drivers, ovpn-dco-win uses the Windows Kernel API to also implement crypto operations, thus allowing to process data packets entirely in kernelspace, similarly to ovpn-dco for Linux.
     42It is a device driver implemented in kernelspace that substitutes all previous drivers used by OpenVPN (i.e. tap-windows6, wintun, etc..). Differently from the other drivers, ovpn-dco-win uses the Windows Kernel API to also implement crypto operations, thus allowing the driver to process data packets entirely in kernelspace, similarly to ovpn-dco for Linux.
    4343The main limitation of ovpn-dco-win is that it only supports client/p2p mode, while server mode is not available. This decision was made due to the fact that there is less and less demand for running OpenVPN server on Windows.
    4444
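Review bot: new line 42 fixes "thus allowing to process" but leaves "(i.e. tap-windows6, wintun, etc..)" untouched, which combines "i.e." with an open-ended list and ends in a doubled full stop; "e.g. tap-windows6, wintun" says the same without either problem. "substitutes all previous drivers" would read more clearly as "replaces all previous drivers". The sentence also says crypto is done through "the Windows Kernel API" without naming the interface; since this paragraph is where a reader learns what runs in kernelspace, naming it here would help anyone reviewing the driver's exposure.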