Re: [OpenIndiana-discuss] about tuntap
sorry to butt in, but how does this differ from the tuntap made by Maxim Krasnyansky that's in the SFE?

Jon

On 21 February 2013 19:24, Gordon Ross gordon.w.r...@gmail.com wrote:
> On Thu, Feb 21, 2013 at 1:40 PM, Maurizio Boriani bau...@yahoo.it wrote:
> > Hi all,
> > in openindiana 151a7, the tuntap driver is:
> > http://www.whiteboard.ne.jp/~admin2/tuntap/
> > or it has its own?
> >
> > thanks,
> > baux
>
> I have a userland style build for tuntap and openvpn here:
> https://bitbucket.org/gwr/userland-openvpn
> Works for me.
>
> --
> Gordon Ross g...@nexenta.com
> Nexenta Systems, Inc. www.nexenta.com
> Enterprise class storage for everyone

___
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] about tuntap
On 2013-02-22 13:21, Jonathan Adams wrote:
> sorry to butt in, but how does this differ from the tuntap made by Maxim Krasnyansky that's in the SFE?

(Moderately informed FUD follows)

I believe that the original tuntap by Maxim Krasnyansky was made primarily for BSD/Linux, and needed some developer love to work under Solaris.
http://vtun.sourceforge.net/tun/faq.html
http://vtun.info

One project of Solarisizing the tuntap was Kazuyoshi's work:
http://www.whiteboard.ne.jp/~admin2/tuntap/

He also made (and ultimately RTI'd) some tweaks for OpenVPN. Last summer he also Improved throughput performance by increasing q_hiwat of read side stream head queue which boosted my TCP IO's (like CIFS over OpenVPN) by about 5-7 times, and this is the build version supposedly present in the repository.

Now, I don't really know now which code is in which repo, but they both come from same roots; it may also be possible that the original project borrowed some improvements from this branch.

I haven't used Maxim's tuntap with Solaris at all, so can't comment on it more.

HTH,
//Jim
Re: [OpenIndiana-discuss] about tuntap
I know it's not totally relevant, but do you know how significant the difference is between our iptun/vnic/bridges and tun/tap
would it ever be possible to configure OpenVPN to work with a pure Illumos/Solaris 11 interface?

We use static IP tun interfaces here between our known sites, and OpenVPN to connect laptops for users at their home addresses (and over wifi dongles that might change address) ... Windows (yuk!), Linux, and 1 Solaris/Illumos laptop (fool that I am) ... the easiest by far is the Linux (Ubuntu) Laptops which have OpenVPN in their network-manager.

Jon

On 22 February 2013 12:35, Jim Klimov jimkli...@cos.ru wrote:
> On 2013-02-22 13:21, Jonathan Adams wrote:
> > sorry to butt in, but how does this differ from the tuntap made by Maxim Krasnyansky that's in the SFE?
>
> (Moderately informed FUD follows)
>
> I believe that the original tuntap by Maxim Krasnyansky was made primarily for BSD/Linux, and needed some developer love to work under Solaris.
> http://vtun.sourceforge.net/tun/faq.html
> http://vtun.info
>
> One project of Solarisizing the tuntap was Kazuyoshi's work:
> http://www.whiteboard.ne.jp/~admin2/tuntap/
>
> He also made (and ultimately RTI'd) some tweaks for OpenVPN. Last summer he also Improved throughput performance by increasing q_hiwat of read side stream head queue which boosted my TCP IO's (like CIFS over OpenVPN) by about 5-7 times, and this is the build version supposedly present in the repository.
>
> Now, I don't really know now which code is in which repo, but they both come from same roots; it may also be possible that the original project borrowed some improvements from this branch.
>
> I haven't used Maxim's tuntap with Solaris at all, so can't comment on it more.
>
> HTH,
> //Jim
Re: [OpenIndiana-discuss] about tuntap
On 2013-02-22 13:58, Jonathan Adams wrote:
> I know it's not totally relevant, but do you know how significant the difference is between our iptun/vnic/bridges and tun/tap
> would it ever be possible to configure OpenVPN to work with a pure Illumos/Solaris 11 interface?

AFAIK, no or not soon.

* Similar request 2 years ago:
http://mail.opensolaris.org/pipermail/crossbow-discuss/2010-March/002379.html

From that thread:
  That driver (tuntap) is IP-over-SSL, and is not a Generic Lan Driver (GLDv3) device. The iptun driver is merely IP-in-IP, but it does present as a GLDv3 device, so it can be flow-sliced, virtualized, or anything else you want. You can then use ipsecconf(1M) to set up tunnel-mode IPsec on a particular IP-in-IP device.

My post on OpenVPN forum remains unanswered for a year, except that is how Kazuyoshi informed me of his updated tuntap half a year ago ;-)

* https://forums.openvpn.net/topic9542.html

Overall, I don't think it is impossible to wrap tuntap into something that looks like GLDv3 for management purposes, but it might be tricky.

In particular, on an OpenVPN server which processes dozens of VPN IP addresses, there is just one tap device per protocol (one UDP and one TCP server for us). Separation of incoming bytes into per-client streams is AFAIK done by OpenVPN, if I haven't forgotten (I haven't refreshed that knowledge for a couple of years now).

The driver is Solarisey enough for routing and IPFilter (firewall and NAT rules) to work with the individual addresses at least as long as they leave the box via some other interface. I don't think we tried to filter or route between VPN clients themselves.

> We use static IP tun interfaces here between our known sites, and OpenVPN to connect laptops for users at their home addresses (and over wifi dongles that might change address) ... Windows (yuk!), Linux, and 1 Solaris/Illumos laptop (fool that I am) ... the easiest by far is the Linux (Ubuntu) Laptops which have OpenVPN in their network-manager.
>
> Jon
>
> On 22 February 2013 12:35, Jim Klimov jimkli...@cos.ru wrote:
> > On 2013-02-22 13:21, Jonathan Adams wrote:
> > > sorry to butt in, but how does this differ from the tuntap made by Maxim Krasnyansky that's in the SFE?
> >
> > (Moderately informed FUD follows)
> >
> > I believe that the original tuntap by Maxim Krasnyansky was made primarily for BSD/Linux, and needed some developer love to work under Solaris.
> > http://vtun.sourceforge.net/tun/faq.html
> > http://vtun.info
> >
> > One project of Solarisizing the tuntap was Kazuyoshi's work:
> > http://www.whiteboard.ne.jp/~admin2/tuntap/
> >
> > He also made (and ultimately RTI'd) some tweaks for OpenVPN. Last summer he also Improved throughput performance by increasing q_hiwat of read side stream head queue which boosted my TCP IO's (like CIFS over OpenVPN) by about 5-7 times, and this is the build version supposedly present in the repository.
> >
> > Now, I don't really know now which code is in which repo, but they both come from same roots; it may also be possible that the original project borrowed some improvements from this branch.
> >
> > I haven't used Maxim's tuntap with Solaris at all, so can't comment on it more.
> >
> > HTH,
> > //Jim

--
Климов Евгений / Jim Klimov
технический директор / CTO
ЗАО ЦОС и ВТ / JSC COSHT
+7-903-7705859 (cellular) mailto:jimkli...@cos.ru
CC:ad...@cos.ru,jimkli...@gmail.com
() ascii ribbon campaign - against html mail
/\ - against microsoft attachments
Re: [OpenIndiana-discuss] about tuntap
On 2013-02-22 13:58, Jonathan Adams wrote:
> I know it's not totally relevant, but do you know how significant the difference is between our iptun/vnic/bridges and tun/tap
> would it ever be possible to configure OpenVPN to work with a pure Illumos/Solaris 11 interface?

Giving it a bit more thought for a more definite answer: it is two-fold :)

On one hand, I don't think OpenVPN can use iptun/vnic interfaces, nor that it should begin to do so - in interests of interoperability (that is, same tuntap is available on many platforms, IPSec also - but the standards and implementations are often so different and quirky that it is quite complicated to make two random vendors' devices and programs actually communicate).

On another hand, it might be possible to make a GLDv3 interface type which implements its networking over tuntap (possibly, along with all or much of OpenVPN - including the per-client cyphering with OpenSSL) and use that with dladm/flowadm/etc.
Re: [OpenIndiana-discuss] about tuntap
Okay, with that in mind, I take it that we should be looking to migrate to the tuntap by Kazuyoshi Aizawa, since this is being actively maintained (Maxim Krasnyansky's driver was last updated in 2001)

are there any significant disadvantages in doing this?

I currently have system/network/tuntap (sfe) version 1.3.0-0.151.1.7 installed, via the repositories, would I need to compile OpenVPN and the tuntap software manually by myself (and de-install the packages?)

Jon

On 22 February 2013 13:27, Jim Klimov jimkli...@cos.ru wrote:
> On 2013-02-22 13:58, Jonathan Adams wrote:
> > I know it's not totally relevant, but do you know how significant the difference is between our iptun/vnic/bridges and tun/tap
> > would it ever be possible to configure OpenVPN to work with a pure Illumos/Solaris 11 interface?
>
> Giving it a bit more thought for a more definite answer: it is two-fold :)
>
> On one hand, I don't think OpenVPN can use iptun/vnic interfaces, nor that it should begin to do so - in interests of interoperability (that is, same tuntap is available on many platforms, IPSec also - but the standards and implementations are often so different and quirky that it is quite complicated to make two random vendors' devices and programs actually communicate).
>
> On another hand, it might be possible to make a GLDv3 interface type which implements its networking over tuntap (possibly, along with all or much of OpenVPN - including the per-client cyphering with OpenSSL) and use that with dladm/flowadm/etc.
Re: [OpenIndiana-discuss] about tuntap
SFE is using http://www.whiteboard.ne.jp/~admin2/tuntap/ as the source

Milan

On 22.02.2013 14:21, Jonathan Adams wrote:
> sorry to butt in, but how does this differ from the tuntap made by Maxim Krasnyansky that's in the SFE?
>
> Jon
>
> On 21 February 2013 19:24, Gordon Ross gordon.w.r...@gmail.com wrote:
> > On Thu, Feb 21, 2013 at 1:40 PM, Maurizio Boriani bau...@yahoo.it wrote:
> > > Hi all,
> > > in openindiana 151a7, the tuntap driver is:
> > > http://www.whiteboard.ne.jp/~admin2/tuntap/
> > > or it has its own?
> > >
> > > thanks,
> > > baux
> >
> > I have a userland style build for tuntap and openvpn here:
> > https://bitbucket.org/gwr/userland-openvpn
> > Works for me.
> >
> > --
> > Gordon Ross g...@nexenta.com
> > Nexenta Systems, Inc. www.nexenta.com
> > Enterprise class storage for everyone
[OpenIndiana-discuss] about tuntap
Hi all,
in openindiana 151a7, the tuntap driver is:
http://www.whiteboard.ne.jp/~admin2/tuntap/
or it has its own?

thanks,
baux
Re: [OpenIndiana-discuss] about tuntap
On Thu, Feb 21, 2013 at 1:40 PM, Maurizio Boriani bau...@yahoo.it wrote:
> Hi all,
> in openindiana 151a7, the tuntap driver is:
> http://www.whiteboard.ne.jp/~admin2/tuntap/
> or it has its own?
>
> thanks,
> baux

I have a userland style build for tuntap and openvpn here:
https://bitbucket.org/gwr/userland-openvpn
Works for me.

--
Gordon Ross g...@nexenta.com
Nexenta Systems, Inc. www.nexenta.com
Enterprise class storage for everyone