ooh, kernel space OpenVPN dataplane on netdev: https://lore.kernel.org/netdev/20241209-b4-ovpn-v14-0-ea243cf16417@openvpn.net/T/ The KEX/auth etc. stuff is still user space with this, vs wg being entirely kernel space. Unsure what to think about this; seems like a "well if wg can do it, why can't we".
hikhvar@norden.socia..
replied 09 Dec 2024 16:57 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/h6Lf25VHgjPHy3Tnyc
@benjojo Sounds like a sane approach. The KEX/Auth part in OpenVPN is much more complex than the single encryption algorithm in Wireguard. That approach will solve some problems we currently have, as the user space OpenVPN server will stop forwarding traffic if it gets stuck. Our auth plugin blocks sometimes and then impacts OpenVPN forwarding for all logged in users.
hikhvar@norden.socia..
replied 09 Dec 2024 16:59 +0000
in reply to: https://norden.social/users/hikhvar/statuses/113623920933787718
@benjojo what is more, to use more than a single core for OpenVPN, one must set up load balancing across multiple OpenVPN daemons on the same host, as OpenVPN is single threaded.
manawyrm@chaos.socia..
replied 09 Dec 2024 16:57 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/h6Lf25VHgjPHy3Tnyc
grawity@social.treeh..
replied 09 Dec 2024 18:23 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/h6Lf25VHgjPHy3Tnyc
@benjojo Since it uses TLS (among other things) for auth, it makes a lot of sense for that to remain in userspace (like how the TLS handshaking for NFS and NVMe-oF is in user-space as well). All-kernel all-static configuration is what makes WG really unsuitable for "user" VPNs...
dlatchx@fedi.tfnux.o..
replied 09 Dec 2024 18:39 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/h6Lf25VHgjPHy3Tnyc
@benjojo but wg only needs static key pairs, whereas openvpn has a more complex authentication system, where some methods are interactive (client-side) or require access to an external database (server-side)
equinox@chaos.social
replied 09 Dec 2024 22:16 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/h6Lf25VHgjPHy3Tnyc
@benjojo very curious to see how they ended up handling the P2MP peer selection. I talked to them at netdevconf in Portugal and recommended they look at how GRE/NHRP and app_solicit works, but no idea if that's viable for them. There's also lwt on routes, but then the routing system has to deal with it... (app_solicit would allow for a full separation, it's like ARP in that installing a route with a nexthop triggers MAC resolution automatically)