Hi,

On Tue, Jun 11, 2019 at 05:55:43PM -0400, Selva Nair wrote:
> A quick comment:
> 
> IMO, we should use the interactive service to open the pipe and pass
> the handle to OpenVPN.exe. This avoids allowing arbitrary users to
> access the pipe or requiring users to start OpenVPN as admin which is
> not a safe practice. As the service only starts a well-defined
> executable present at a location read from HKLM\... and can pass a
> duplicated handle targeted for the process, such an approach looks
> safe to me. And, it should be fairly easy to implement.

Agree.  This is the first thought I had when I heard about "you must
have privileges to access wintun" - just use our existing privilege
handling mechanism.  I have no idea how to actually *do* that (= pass
a handle to wintun over our service pipe), but I'm all willing to 
review and test :-)

[..]
> Lev:
> > A comment about performance. According to my measurements,
> > openvpn2 with Wintun is 27% faster in comparison to tap-windows6, but
> > I think we (openvpn) can go even faster with Wintun. WSASend, which
> > we use to send data to the link, allows multiple send buffers. We do
> > not use this functionality since with tap-windows6 we process packets
> > one by one. In my tests Wintun read returns about 100 IP packets
> > and I think that decreasing the number of WSASend calls by a factor of
> > 100 would give us a noticeable performance boost.

I wonder if we couldn't do this with tap-windows6 as well - read/write
multiple packets at once.  The driver should handle this - from what
I saw when reading patches "all is done using NBL lists"...

Steffan had some code to do multiple packets on the socket side
(sendmmsg()).

Not sure what is missing in OpenVPN 2.x to do multi-packet read/write,
not sure if there is anything missing in the tap6-driver.

What does OpenVPN 3 do on Windows?

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
