Re: OpenVPN 2.x with kernel acceleration

2022-02-04 Thread David Sommerseth

[bouncing this msg, as Antonio is not subscribed to this devel list]

Hi,

On 04/02/2022 15:35, David Sommerseth wrote:


On 04/02/2022 15:09, Neal Becker wrote:

Does this modified openvpn support all the same features/options as the
stable release version?


Almost.  I recommend to have a look at the README.dco.md [0]
documentation for details, as that lists the limitations quite nicely.

[0]



I would like to add that if you use an unsupported option, openvpn will
tell you about that with a warning and will fallback to non-DCO mode
(i.e. will just use tun as usual).


Cheers,

--
Antonio Quartulli
OpenVPN Inc.


signature.asc
Description: OpenPGP digital signature
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


Re: OpenVPN 2.x with kernel acceleration

2022-02-04 Thread David Sommerseth

On 04/02/2022 15:53, Vitaly Zaitsev via devel wrote:

On 04/02/2022 11:03, David Sommerseth wrote:

We plan to release OpenVPN 2.6 later this year, which will be DCO
capable.  This will be available in the existing Fedora repositories, as
well as Fedora Copr for releases (like EPEL 7 and 8) where we cannot
upgrade easily.


You should submit your Linux kernel patches upstream by this date, as
Fedora doesn't allow packaging of kernel modules.

We are going to do that.  But we want broader *testing* to iron out 
bugs and annoying issues first.


We know that the module works pretty well in our own environments (I'm 
using it on a daily basis with OpenVPN 3 Linux on the client side, 
running on RHEL-8.5).  But there are always some corner cases we might 
have overlooked which should be fixed first.


Once we have performed more testing and gotten more feedback from users, 
we will of course start the job of getting the ovpn-dco module into an 
upstream kernel.  That is the main goal for us.  But we take it step by 
step, to avoid wasting too much of kernel maintainers' time on nonsense 
issues.



--
kind regards,

David Sommerseth




Re: OpenVPN 2.x with kernel acceleration

2022-02-04 Thread David Sommerseth

On 04/02/2022 15:55, Fabio Valentini wrote:

On Fri, Feb 4, 2022 at 11:04 AM David Sommerseth  wrote:

OpenVPN 2.6 and the openvpn-dco Copr builds should also work even if
kmod-ovpn-dco is not available.  And we will provide and support the
kmod-ovpn-dco via the openvpn3 Copr repository until we can get it into
the far more common Fedora repositories.


Just FYI, packages for out-of-tree kernel modules are not allowed in
the main Fedora repositories:
https://docs.fedoraproject.org/en-US/packaging-guidelines/what-can-be-packaged/#_no_external_kernel_modules



We are well aware of that.  Currently, the ovpn-dco kernel module is
available via the dsommers/openvpn3 Fedora Copr repository, as indicated
in the initial mail (it is provided as a dkms enabled module).  For
testing purposes.

If the ovpn-dco kernel module is unavailable on a system, this DCO
enabled OpenVPN build will _fallback_ to tun automatically.

Once we have performed more testing and gotten more feedback from users,
we will of course start the job of getting the ovpn-dco module into the
upstream kernel.  That is the main goal.


--
kind regards,

David Sommerseth
OpenVPN Inc.




Re: OpenVPN 2.x with kernel acceleration

2022-02-04 Thread Fabio Valentini
On Fri, Feb 4, 2022 at 11:04 AM David Sommerseth  wrote:
> OpenVPN 2.6 and the openvpn-dco Copr builds should also work even if
> kmod-ovpn-dco is not available.  And we will provide and support the
> kmod-ovpn-dco via the openvpn3 Copr repository until we can get it into
> the far more common Fedora repositories.

Just FYI, packages for out-of-tree kernel modules are not allowed in
the main Fedora repositories:
https://docs.fedoraproject.org/en-US/packaging-guidelines/what-can-be-packaged/#_no_external_kernel_modules

Fabio


Re: OpenVPN 2.x with kernel acceleration

2022-02-04 Thread Vitaly Zaitsev via devel

On 04/02/2022 11:03, David Sommerseth wrote:

We plan to release OpenVPN 2.6 later this year, which will be DCO
capable.  This will be available in the existing Fedora repositories, as
well as Fedora Copr for releases (like EPEL 7 and 8) where we cannot
upgrade easily.


You should submit your Linux kernel patches upstream by this date, as 
Fedora doesn't allow packaging of kernel modules.


--
Sincerely,
  Vitaly Zaitsev (vit...@easycoding.org)


Re: OpenVPN 2.x with kernel acceleration

2022-02-04 Thread David Sommerseth


On 04/02/2022 15:09, Neal Becker wrote:

Does this modified openvpn support all the same features/options as the
stable release version?


Almost.  I recommend to have a look at the README.dco.md [0]
documentation for details, as that lists the limitations quite nicely.

[0]



--
kind regards,

David Sommerseth




Re: OpenVPN 2.x with kernel acceleration

2022-02-04 Thread Neal Becker
Does this modified openvpn support all the same features/options as the
stable release version?

Thanks,
Neal

On Fri, Feb 4, 2022 at 5:04 AM David Sommerseth  wrote:

> On 03/02/2022 05:52, Demi Marie Obenour wrote:
> > On 2/2/22 13:34, David Sommerseth wrote:
> >>
> >> Hi,
> >>
> >> An OpenVPN colleague of mine, Antonio Quartulli (on Cc), has been working
> >> on a kernel acceleration module for OpenVPN for quite some time.  We
> >> call this OpenVPN Data Channel Offload (DCO).  This moves the tunnelled
> >> network traffic to a new kernel module (ovpn-dco) and keeps only the
> >> control channel (authentication, VPN IP configuration, etc) in
> >> user-space.  This gives a noticeably improved performance.
> >
> > Do you plan to submit this kernel module to upstream Linux?  Fedora
> > does not ship out-of-tree kernel modules last I checked.
>
> Yes, we do plan for that.  But before we're ready to do so, we'd like to
> see broader testing of this module.  This comes in addition to having
> OpenVPN packages available with DCO support.
>
> We use Fedora Copr for the time being to make both kmod-ovpn-dco and
> OpenVPN builds with DCO support more easily available for more testers.
>
> These builds and repository are currently fully supported by the OpenVPN
> community, with the standard clause that these are development builds
> which may contain bugs and not necessarily be as stable as ordinary
> releases.
>
>
> Going forward ...
>
> We plan to release OpenVPN 2.6 later this year, which will be DCO
> capable.  This will be available in the existing Fedora repositories, as
> well as Fedora Copr for releases (like EPEL 7 and 8) where we cannot
> upgrade easily.
>
> As long as RHEL-9 is in Beta, we are considering to move to OpenVPN 2.6
> in the EPEL-9 repositories.  Depending on the community testing of the
> Copr repos announced now, we might also provide similar snapshots in
> default EPEL-9 repos instead of OpenVPN 2.5.z until OpenVPN 2.6 is
> officially released.
>
> Basically: If you want to see OpenVPN 2.6 in EPEL-9, please test our
> EPEL-9 builds in the openvpn-dco Copr repo and provide feedback ASAP.
> If we get confidence this works well, we will start preparing for
> pre-releases in EPEL-9 sooner than later.
>
>
> OpenVPN 2.6 and the openvpn-dco Copr builds should also work even if
> kmod-ovpn-dco is not available.  And we will provide and support the
> kmod-ovpn-dco via the openvpn3 Copr repository until we can get it into
> the far more common Fedora repositories.
>
>
> --
> kind regards,
>
> David Sommerseth
> OpenVPN Inc


-- 
*Those who don't understand recursion are doomed to repeat it*


Re: OpenVPN 2.x with kernel acceleration

2022-02-04 Thread David Sommerseth

On 03/02/2022 05:52, Demi Marie Obenour wrote:

On 2/2/22 13:34, David Sommerseth wrote:


Hi,

An OpenVPN colleague of mine, Antonio Quartulli (on Cc), has been working
on a kernel acceleration module for OpenVPN for quite some time.  We
call this OpenVPN Data Channel Offload (DCO).  This moves the tunnelled
network traffic to a new kernel module (ovpn-dco) and keeps only the
control channel (authentication, VPN IP configuration, etc) in
user-space.  This gives a noticeably improved performance.


Do you plan to submit this kernel module to upstream Linux?  Fedora
does not ship out-of-tree kernel modules last I checked.


Yes, we do plan for that.  But before we're ready to do so, we'd like to
see broader testing of this module.  This comes in addition to having
OpenVPN packages available with DCO support.

We use Fedora Copr for the time being to make both kmod-ovpn-dco and
OpenVPN builds with DCO support more easily available for more testers.

These builds and repository are currently fully supported by the OpenVPN
community, with the standard clause that these are development builds
which may contain bugs and not necessarily be as stable as ordinary
releases.


Going forward ...

We plan to release OpenVPN 2.6 later this year, which will be DCO
capable.  This will be available in the existing Fedora repositories, as
well as Fedora Copr for releases (like EPEL 7 and 8) where we cannot
upgrade easily.

As long as RHEL-9 is in Beta, we are considering to move to OpenVPN 2.6
in the EPEL-9 repositories.  Depending on the community testing of the
Copr repos announced now, we might also provide similar snapshots in
default EPEL-9 repos instead of OpenVPN 2.5.z until OpenVPN 2.6 is
officially released.

Basically: If you want to see OpenVPN 2.6 in EPEL-9, please test our
EPEL-9 builds in the openvpn-dco Copr repo and provide feedback ASAP.
If we get confidence this works well, we will start preparing for
pre-releases in EPEL-9 sooner than later.


OpenVPN 2.6 and the openvpn-dco Copr builds should also work even if
kmod-ovpn-dco is not available.  And we will provide and support the
kmod-ovpn-dco via the openvpn3 Copr repository until we can get it into
the far more common Fedora repositories.


--
kind regards,

David Sommerseth
OpenVPN Inc




Re: OpenVPN 2.x with kernel acceleration

2022-02-02 Thread Demi Marie Obenour
On 2/2/22 13:34, David Sommerseth wrote:
> 
> Hi,
> 
> An OpenVPN colleague of mine, Antonio Quartulli (on Cc), has been working
> on a kernel acceleration module for OpenVPN for quite some time.  We
> call this OpenVPN Data Channel Offload (DCO).  This moves the tunnelled
> network traffic to a new kernel module (ovpn-dco) and keeps only the
> control channel (authentication, VPN IP configuration, etc) in
> user-space.  This gives a noticeably improved performance.

Do you plan to submit this kernel module to upstream Linux?  Fedora
does not ship out-of-tree kernel modules last I checked.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)



OpenVPN 2.x with kernel acceleration

2022-02-02 Thread David Sommerseth


Hi,

An OpenVPN colleague of mine, Antonio Quartulli (on Cc), has been working
on a kernel acceleration module for OpenVPN for quite some time.  We
call this OpenVPN Data Channel Offload (DCO).  This moves the tunnelled
network traffic to a new kernel module (ovpn-dco) and keeps only the
control channel (authentication, VPN IP configuration, etc) in
user-space.  This gives a noticeably improved performance.

We have had that support available in the OpenVPN 3 Linux for quite some
time.  But that is currently a client-mode only implementation.  So
the real benefit of DCO has been limited when connecting to OpenVPN 2.x
servers.

In parallel with that, we have now reached a point where we also have
code ready for OpenVPN 2.x which can make use of DCO - also for the
server side.  This code is currently going through review among the
developers in the OpenVPN community.

But!  We have now a dedicated Fedora Copr repository available for those
willing to test this out.

  # yum copr enable dsommers/openvpn-dco
  # yum copr enable dsommers/openvpn3
  # yum install openvpn kmod-ovpn-dco

The ovpn-dco kernel module is tried first, and if that succeeds OpenVPN
2.x will now use that instead of tun.ko.  There is a new --disable-dco
option which will force not using DCO, which is useful when testing
performance.

One performance tip ... Ensure your tun-mtu is 1420 or slightly lower,
this is to avoid packet fragmentation which will reduce ability for
ovpn-dco to work optimally.  We are looking into ways to make the MTU
settings better by default, but we're not there yet.  This is the only
configuration change which might be needed.

Even though I've mentioned OpenVPN 2.x server mode explicitly here ...
It will also work with OpenVPN 2.x in client mode too.  If you also try
the OpenVPN 3 Linux to compare the performance, you should not really
notice much difference - as it's the same kernel module doing the heavy
lifting.

If you test this out, feel free to reach out on our OpenVPN developers
mailing list [0], on IRC [0] or to Antonio (Cc) who is overseeing the
DCO development.


[0]



--
kind regards,

David Sommerseth
OpenVPN Inc
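
As an added example (not part of the original post and not OpenVPN project code), this script checks the three conditions the announcement names: whether `disable-dco` is set, whether the ovpn-dco module is loaded (listed as `ovpn_dco` in `/proc/modules`), and whether `tun-mtu` is at most 1420. It assumes it is run while OpenVPN is up, treats 1500 as the MTU when `tun-mtu` is unset, and cannot see the fallback caused by unsupported options; the function names and sample data are constructed.

```shell
#!/bin/sh
# Added example (not OpenVPN project code): will this instance use ovpn-dco?

# Succeed if ovpn_dco is listed in a /proc/modules-style file ($1).
# The kernel reports module names with '-' replaced by '_'.
dco_module_loaded() {
    awk '$1 == "ovpn_dco" { found = 1 } END { exit !found }' "$1"
}

# Print the last value of directive $2 in OpenVPN config $1 ("set" for a
# bare flag). Simplified parser: strips '#' and ';' comments, no quoting.
config_value() {
    awk -v d="$2" '{ sub(/[#;].*/, "") }
        $1 == d { v = (NF > 1 ? $2 : "set") }
        END { if (v != "") print v }' "$1"
}

# Print a one-line verdict for config $1 and modules listing $2.
dco_report() {
    mtu=$(config_value "$1" tun-mtu)
    mtu=${mtu:-1500}                     # OpenVPN default when tun-mtu is unset
    case $mtu in *[!0-9]*) echo "unknown: tun-mtu '$mtu' is not a number"; return 1 ;; esac
    if [ -n "$(config_value "$1" disable-dco)" ]; then
        echo "tun: disable-dco is set"
    elif ! dco_module_loaded "$2"; then
        echo "tun: ovpn_dco is not loaded"
    elif [ "$mtu" -gt 1420 ]; then
        echo "dco: eligible, but tun-mtu $mtu is above 1420"
    else
        echo "dco: eligible, tun-mtu $mtu"
    fi
}

# Constructed sample inputs (not taken from a real host); prints their directory.
make_samples() {
    d=$(mktemp -d) || return 1
    printf 'dev tun\ntun-mtu 1400  # tuned\n' > "$d/tuned.conf"
    printf 'dev tun\n' > "$d/default.conf"
    printf 'dev tun\ndisable-dco\n' > "$d/off.conf"
    printf 'ovpn_dco 90112 0 - Live 0x0\n' > "$d/dco.modules"
    printf 'tun 61440 2 - Live 0x0\n' > "$d/tun.modules"
    echo "$d"
}

if [ "$#" -eq 2 ]; then
    dco_report "$1" "$2"                 # a config file and /proc/modules
else
    s=$(make_samples)
    for c in tuned default off; do dco_report "$s/$c.conf" "$s/dco.modules"; done
    dco_report "$s/tuned.conf" "$s/tun.modules"
    rm -rf "$s"
fi
```

Run with a config file and `/proc/modules` as arguments to check a live host; without arguments it reports on the constructed samples.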