Re: [Openvpn-devel] Viscosity patch to TAP driver (was: Summary of the community meeting) 2018)

2018-04-12 Thread Gert Doering
Hi Eric,

On Thu, Mar 22, 2018 at 02:25:56PM +1100, Eric Thorpe wrote:
> One of the Viscosity developers here. The TAP driver used by Viscosity 
> is based on the OpenVPN TAP-Windows driver. We're surprised to hear of 
> any performance differences, as the changes we've made are very minimal.
> 
> Besides a name and version number change, the only other modification is 
> a change to the reported network adapter speed, which has Windows report 
> the driver as 1000 Mbit instead of 100 Mbit.
> 
> This change was made not because of any actual performance gains, but 
> because of user reports that certain firewall or AV software tries to 
> QoS the adapter based on its reported adapter speed, which is of course 
> a problem if the VPN connection is capable of more than 100 Mbit.
> 
> Please find a patch file of the changes attached.

I think it would make sense for us to merge that patch - for two reasons,
one is "the change could indeed help performance in high-bandwidth
situations", and the more important one is "another patch to tap-windows6
is forthcoming, and that way we can keep the version numbers aligned
so people can know what is inside".

Do you have the patch in git?  If yes, could you please do the commit
with "-s" (so the signed-off-by: line is added) and send it as regular
git commit (git-send-email)?  Alternatively a PR against tap-windows6
on github should do as well.

Thanks in advance,

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] Viscosity patch to TAP driver (was: Summary of the community meeting) 2018)

2018-04-12 Thread Selva Nair
Hi,

On Thu, Apr 12, 2018 at 4:26 AM, Gert Doering  wrote:

> Hi Eric,
>
> On Thu, Mar 22, 2018 at 02:25:56PM +1100, Eric Thorpe wrote:
> > One of the Viscosity developers here. The TAP driver used by Viscosity
> > is based on the OpenVPN TAP-Windows driver. We're surprised to hear of
> > any performance differences, as the changes we've made are very minimal.
> >
> > Besides a name and version number change, the only other modification is
> > a change to the reported network adapter speed, which has Windows report
> > the driver as 1000 Mbit instead of 100 Mbit.
> >
> > This change was made not because of any actual performance gains, but
> > because of user reports that certain firewall or AV software tries to
> > QoS the adapter based on its reported adapter speed, which is of course
> > a problem if the VPN connection is capable of more than 100 Mbit.
> >
> > Please find a patch file of the changes attached.
>
> I think it would make sense for us to merge that patch - for two reasons,
> one is "the change could indeed help performance in high-bandwidth
> situations", and the more important one is "another patch to tap-windows6
> is forthcoming, and that way we can keep the version numbers aligned
> so people can know what is inside".
>

One can get > 100 Mbits/s from the stock TAP driver, so that parameter does
not appear to affect the actual "speed". With 100Mbit setting, Windows will
classify the device as fast ethernet for heuristics like choosing the
default metric. But now we do have code for setting a custom metric isn't
it? Or is it only used when --block-outside-dns is in use?

Or am I mistaken -- does this setting really affect the max throughput?

Selva


Re: [Openvpn-devel] Viscosity patch to TAP driver (was: Summary of the community meeting) 2018)

2018-04-12 Thread Gert Doering
Hi,

On Thu, Apr 12, 2018 at 10:27:08AM -0400, Selva Nair wrote:
> > > This change was made not because of any actual performance gains, but
> > > because of user reports that certain firewall or AV software tries to
> > > QoS the adapter based on its reported adapter speed, which is of course
> > > a problem if the VPN connection is capable of more than 100 Mbit.
[..]
> Or am I mistaken -- does this setting really affect the max throughput?

Not normally, but when certain 'helpful' software is around...

gert


Re: [Openvpn-devel] Viscosity patch to TAP driver (was: Summary of the community meeting) 2018)

2018-04-12 Thread Selva Nair
Hi,

On Thu, Apr 12, 2018 at 10:50 AM, Gert Doering  wrote:

> Hi,
>
> On Thu, Apr 12, 2018 at 10:27:08AM -0400, Selva Nair wrote:
> > > > This change was made not because of any actual performance gains, but
> > > > because of user reports that certain firewall or AV software tries to
> > > > QoS the adapter based on its reported adapter speed, which is of
> course
> > > > a problem if the VPN connection is capable of more than 100 Mbit.
> [..]
> > Or am I mistaken -- does this setting really affect the max throughput?
>
> Not normally, but when certain 'helpful' software is around...
>

Aha, my bad for not reading carefully.

Thanks,

Selva


[Openvpn-devel] [PATCH v2] Add Interactive Service developer documentation

2018-04-12 Thread Simon Rozman
The OpenVPN Interactive Service documentation from
https://community.openvpn.net/openvpn/wiki/OpenVPNInteractiveService was
upgraded with a description of the client-service communication flow,
service registry configuration, and non-default instance installation.
---
 doc/Makefile.am   |   2 +-
 doc/interactive-service-notes.txt | 316 ++
 2 files changed, 317 insertions(+), 1 deletion(-)
 create mode 100644 doc/interactive-service-notes.txt

diff --git a/doc/Makefile.am b/doc/Makefile.am
index cd1bcfdf..4e307c4b 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -17,6 +17,7 @@ CLEANFILES = openvpn.8.html
 SUBDIRS = doxygen

 dist_doc_DATA = \
+   interactive-service-notes.txt \
management-notes.txt

 dist_noinst_DATA = \
@@ -30,4 +31,3 @@ openvpn.8.html: $(srcdir)/openvpn.8
 else
 dist_man_MANS = openvpn.8
 endif
-
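Review bot: this second hunk only deletes the trailing blank line at the end of doc/Makefile.am and has nothing to do with adding interactive-service-notes.txt; either drop it from this patch or mention the whitespace cleanup in the commit message so the change set stays focused on the documentation.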
diff --git a/doc/interactive-service-notes.txt 
b/doc/interactive-service-notes.txt
new file mode 100644
index ..9b3b8f6c
--- /dev/null
+++ b/doc/interactive-service-notes.txt
@@ -0,0 +1,316 @@
+=
+OpenVPN Interactive Service Notes
+=
+
+
+Introduction
+
+
+OpenVPN Interactive Service, also known as "iservice" or
+"OpenVPNServiceInteractive", is a Windows system service which allows
+unprivileged users to do certain privileged operations required by OpenVPN, 
such
+as adding routes. This removes the need to always run OpenVPN as administrator,
+which was the case for a long time, and continues to be the case for OpenVPN
+2.3.x.
+
+The 2.4.x release and git "master" versions of OpenVPN contain the Interactive
+Service code and OpenVPN-GUI is setup to use it by default. Starting from
+version 2.4.0, OpenVPN-GUI is expected to be started as user (do not 
right-click
+and "run as administrator" or do not set the shortcut to run as administrator).
+This ensures that OpenVPN and the GUI run with limited privileges.
+
+
+How It Works
+
+
+Here is a brief explanation of how the Interactive Service works, based on
+`Gert's email`_ to openvpn-devel mailing list. The example user, *joe*, is not
+an administrator, and does not have any other extra privileges.
+
+- OpenVPN-GUI runs as a *joe*
+- Interactive Service runs as a local Windows service with maximum privileges
+- OpenVPN-GUI connects to the Interactive Service and asks it "run openvpn.exe
+  with the following arguments, using the *joe*'s credentials" - Windows can do
+  this - pass credentials across a pipe, which you can't fake
+- Interactive Service forks openvpn.exe, and runs this as the user *joe*, and
+  keeps a "service pipe" between Interactive Service and openvpn.exe
+- If openvpn.exe wants to do ipconfig/route/dns stuff, it sends these as
+  requests over the service pipe to the Interactive Service, which will then
+  execute them (and clean up should openvpn.exe crash)
+- ``--up`` scripts are run by openvpn.exe itself, which is already running as
+  *joe*, all privileges are nicely in place
+- Scripts run by the GUI will run as user *joe*, so that automated tasks like
+  mapping of drives work as expected
+
+This also avoids the use of scripts for privilege escalation to admin (as was
+possible by running an ``--up`` script from openvpn.exe which is run as admin).
+
+
+Client-Service Communication
+
+
+Connecting
+--
+
+The client (OpenVPN GUI) and the Interactive Service communicate using a named
+message pipe. By default, the service provides the ``\\.\pipe\openvpn\service``
+named pipe.
+
+The client connects to the pipe for read/write and sets the pipe state to the
+``PIPE_READMODE_MESSAGE``::
+
+   HANDLE pipe = CreateFile(_T(".\\pipe\\openvpn\\service"),
+   GENERIC_READ | GENERIC_WRITE,
+   0,
+   NULL,
+   OPEN_EXISTING,
+   FILE_FLAG_OVERLAPPED,
+   NULL);
+
+   if (pipe == INVALID_HANDLE_VALUE)
+   {
+   // Error
+   }
+
+   DWORD dwMode = PIPE_READMODE_MESSAGE;
+   if (!SetNamedPipeHandleState(pipe, , NULL, NULL)
+   {
+   // Error
+   }
+
+
+openvpn.exe Startup
+---
+
+After the client is connected to the service, the client must send a startup
+message to have the service start the openvpn.exe process. The startup message
+is comprised of three UTF-16 strings delimited by U zero characters::
+
+   startupmsg = workingdir WZERO openvpnoptions WZERO stdin WZERO
+
+   workingdir = WSTRING
+   openvpnoptions = WSTRING
+   stdin  = WSTRING
+
+   WSTRING= *WCHAR
+   WCHAR  = %x0001-
+   WZERO  = %x
+
+``workingdir``
+   Represents the folder openvpn.exe process should be started in.
+
+``openvpnoptions``
+   String contains ``--config`` and other OpenVPN command line options, without
+   the ``argv[0]`` executable name ("openvpn" or "openvpn.exe"). When there is
+   only one option specified, the ``--config`` option is assumed and 
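Review bot: the CreateFile example in the "Connecting" section does not match the pipe name the text documents. The prose says the service provides ``\\.\pipe\openvpn\service``, but the call passes ``_T(".\\pipe\\openvpn\\service")``, which lacks the leading ``\\\\`` (two escaped backslashes in a C literal) and therefore names a relative path rather than the local named pipe; it should read ``_T("\\\\.\\pipe\\openvpn\\service")``. In the same snippet, ``if (!SetNamedPipeHandleState(pipe, , NULL, NULL)`` is missing its second argument (``&dwMode``, the address of the mode variable declared on the line above) and the closing parenthesis of the ``if`` condition, so the example does not compile as shown. In the startup message grammar, ``WCHAR = %x0001-`` and ``WZERO = %x`` are cut off, and "delimited by U zero characters" should name the code point; please spell out the complete ranges so a client author can implement the framing without reading the service source. Minor wording: "OpenVPN-GUI runs as a *joe*" has a stray article, and "is setup to use it" should be "is set up to use it".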

[Openvpn-devel] [PATCH] Add Interactive Service developer documentation

2018-04-12 Thread Simon Rozman
The OpenVPN Interactive Service documentation from
https://community.openvpn.net/openvpn/wiki/OpenVPNInteractiveService was
upgraded with a description of the client-service communication flow,
service registry configuration, and non-default instance installation.
---
 doc/interactive-service-notes.txt | 316 ++
 1 file changed, 316 insertions(+)
 create mode 100644 doc/interactive-service-notes.txt

diff --git a/doc/interactive-service-notes.txt 
b/doc/interactive-service-notes.txt
new file mode 100644
index ..9b3b8f6c
--- /dev/null
+++ b/doc/interactive-service-notes.txt
@@ -0,0 +1,316 @@
+=
+OpenVPN Interactive Service Notes
+=
+
+
+Introduction
+
+
+OpenVPN Interactive Service, also known as "iservice" or
+"OpenVPNServiceInteractive", is a Windows system service which allows
+unprivileged users to do certain privileged operations required by OpenVPN, 
such
+as adding routes. This removes the need to always run OpenVPN as administrator,
+which was the case for a long time, and continues to be the case for OpenVPN
+2.3.x.
+
+The 2.4.x release and git "master" versions of OpenVPN contain the Interactive
+Service code and OpenVPN-GUI is setup to use it by default. Starting from
+version 2.4.0, OpenVPN-GUI is expected to be started as user (do not 
right-click
+and "run as administrator" or do not set the shortcut to run as administrator).
+This ensures that OpenVPN and the GUI run with limited privileges.
+
+
+How It Works
+
+
+Here is a brief explanation of how the Interactive Service works, based on
+`Gert's email`_ to openvpn-devel mailing list. The example user, *joe*, is not
+an administrator, and does not have any other extra privileges.
+
+- OpenVPN-GUI runs as a *joe*
+- Interactive Service runs as a local Windows service with maximum privileges
+- OpenVPN-GUI connects to the Interactive Service and asks it "run openvpn.exe
+  with the following arguments, using the *joe*'s credentials" - Windows can do
+  this - pass credentials across a pipe, which you can't fake
+- Interactive Service forks openvpn.exe, and runs this as the user *joe*, and
+  keeps a "service pipe" between Interactive Service and openvpn.exe
+- If openvpn.exe wants to do ipconfig/route/dns stuff, it sends these as
+  requests over the service pipe to the Interactive Service, which will then
+  execute them (and clean up should openvpn.exe crash)
+- ``--up`` scripts are run by openvpn.exe itself, which is already running as
+  *joe*, all privileges are nicely in place
+- Scripts run by the GUI will run as user *joe*, so that automated tasks like
+  mapping of drives work as expected
+
+This also avoids the use of scripts for privilege escalation to admin (as was
+possible by running an ``--up`` script from openvpn.exe which is run as admin).
+
+
+Client-Service Communication
+
+
+Connecting
+--
+
+The client (OpenVPN GUI) and the Interactive Service communicate using a named
+message pipe. By default, the service provides the ``\\.\pipe\openvpn\service``
+named pipe.
+
+The client connects to the pipe for read/write and sets the pipe state to the
+``PIPE_READMODE_MESSAGE``::
+
+   HANDLE pipe = CreateFile(_T(".\\pipe\\openvpn\\service"),
+   GENERIC_READ | GENERIC_WRITE,
+   0,
+   NULL,
+   OPEN_EXISTING,
+   FILE_FLAG_OVERLAPPED,
+   NULL);
+
+   if (pipe == INVALID_HANDLE_VALUE)
+   {
+   // Error
+   }
+
+   DWORD dwMode = PIPE_READMODE_MESSAGE;
+   if (!SetNamedPipeHandleState(pipe, , NULL, NULL)
+   {
+   // Error
+   }
+
+
+openvpn.exe Startup
+---
+
+After the client is connected to the service, the client must send a startup
+message to have the service start the openvpn.exe process. The startup message
+is comprised of three UTF-16 strings delimited by U zero characters::
+
+   startupmsg = workingdir WZERO openvpnoptions WZERO stdin WZERO
+
+   workingdir = WSTRING
+   openvpnoptions = WSTRING
+   stdin  = WSTRING
+
+   WSTRING= *WCHAR
+   WCHAR  = %x0001-
+   WZERO  = %x
+
+``workingdir``
+   Represents the folder openvpn.exe process should be started in.
+
+``openvpnoptions``
+   String contains ``--config`` and other OpenVPN command line options, without
+   the ``argv[0]`` executable name ("openvpn" or "openvpn.exe"). When there is
+   only one option specified, the ``--config`` option is assumed and the option
+   is the configuration filename.
+
+   Please, note that the interactive service validates the options (e.g. 
OpenVPN
+   config file must reside in one of the approved folders, or the invoking user
+   must be a member of local Administrators group, or a member of the
+   "OpenVPN Administrators" group).
+
+``stdin``
+   The content of the ``stdin`` string is sent to the openvpn.exe process to 
its
+   stdin stream after it starts.
+
+   
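Review bot: the ``openvpnoptions`` validation paragraph says the config file "must reside in one of the approved folders" but neither names them nor says where they are configured; since the commit message promises a section on service registry configuration, cross-reference the registry value that defines the allowed config directory here, otherwise a client author cannot tell why a startup message was rejected. It would also help to state what the service sends back when validation fails, so the client can distinguish a rejected request from a pipe error. Under ``stdin``, "is sent to the openvpn.exe process to its stdin stream" should read "is written to the stdin stream of the openvpn.exe process".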

Re: [Openvpn-devel] Viscosity patch to TAP driver

2018-04-12 Thread Eric Thorpe

Hi Gert,

PR #47 has been submitted to tap-windows6 on github.

Regards,
Eric

--
Eric Thorpe
SparkLabs Developer
https://www.sparklabs.com
https://twitter.com/sparklabs
supp...@sparklabs.com

On 12/04/2018 6:26 PM, Gert Doering wrote:
> Hi Eric,
>
> On Thu, Mar 22, 2018 at 02:25:56PM +1100, Eric Thorpe wrote:
>> One of the Viscosity developers here. The TAP driver used by Viscosity
>> is based on the OpenVPN TAP-Windows driver. We're surprised to hear of
>> any performance differences, as the changes we've made are very minimal.
>>
>> Besides a name and version number change, the only other modification is
>> a change to the reported network adapter speed, which has Windows report
>> the driver as 1000 Mbit instead of 100 Mbit.
>>
>> This change was made not because of any actual performance gains, but
>> because of user reports that certain firewall or AV software tries to
>> QoS the adapter based on its reported adapter speed, which is of course
>> a problem if the VPN connection is capable of more than 100 Mbit.
>>
>> Please find a patch file of the changes attached.
>
> I think it would make sense for us to merge that patch - for two reasons,
> one is "the change could indeed help performance in high-bandwidth
> situations", and the more important one is "another patch to tap-windows6
> is forthcoming, and that way we can keep the version numbers aligned
> so people can know what is inside".
>
> Do you have the patch in git?  If yes, could you please do the commit
> with "-s" (so the signed-off-by: line is added) and send it as regular
> git commit (git-send-email)?  Alternatively a PR against tap-windows6
> on github should do as well.
>
> Thanks in advance,
>
> gert






Re: [Openvpn-devel] [PATCH] Add Interactive Service developer documentation

2018-04-12 Thread Selva Nair
Hi,

On Thu, Apr 12, 2018 at 2:48 PM, Simon Rozman  wrote:

Moving up the most important part:

> Hi,
> I'm back. :)
>

Welcome back!


> I took the short Interactive Service introduction found at
> https://community.openvpn.net/openvpn/wiki/OpenVPNInteractiveService and
> extended it with my experience while developing the eduVPN client.
> This document is not up to the RFC standards nor it intends to be.
> It's written using reStructuredText markup as suggested by Iliya, but
> keeping
> the filename and ".txt" extension as suggested by Samuli.
> I suggest replacing the
> https://community.openvpn.net/openvpn/wiki/OpenVPNInteractiveService wiki
> page


+1 to that and to keep it up to date.


> with this document analogous to the Management Interface Notes document
> published online at
> https://openvpn.net/index.php/open-source/documentation/misc
> ellaneous/79-management-interface.html.


This one too occasionally needs to be kept in sync with the source.

> Your comments are welcome.


Thanks for writing this up. Some minor comments below:

> The OpenVPN Interactive Service documentation from
> https://community.openvpn.net/openvpn/wiki/OpenVPNInteractiveService was
> upgraded with a description of the client-service communication flow,
> service registry configuration, and non-default instance installation.
> ---
>  doc/interactive-service-notes.txt | 316 ++
> 
>  1 file changed, 316 insertions(+)
>  create mode 100644 doc/interactive-service-notes.txt
>
> diff --git a/doc/interactive-service-notes.txt
> b/doc/interactive-service-notes.txt
> new file mode 100644
> index ..9b3b8f6c
> --- /dev/null
> +++ b/doc/interactive-service-notes.txt
> @@ -0,0 +1,316 @@
> +=
> +OpenVPN Interactive Service Notes
> +=
> +
> +
> +Introduction
> +
> +
> +OpenVPN Interactive Service, also known as "iservice" or
> +"OpenVPNServiceInteractive", is a Windows system service which allows
> +unprivileged users to do certain privileged operations required by
> OpenVPN, such
> +as adding routes. This removes the need to always run OpenVPN as
> administrator,
> +which was the case for a long time, and continues to be the case for
> OpenVPN
> +2.3.x.
> +
> +The 2.4.x release and git "master" versions of OpenVPN contain the
> Interactive
> +Service code and OpenVPN-GUI is setup to use it by default. Starting from
> +version 2.4.0, OpenVPN-GUI is expected to be started as user (do not
> right-click
> +and "run as administrator" or do not set the shortcut to run as
> administrator).
> +This ensures that OpenVPN and the GUI run with limited privileges.
> +
> +
> +How It Works
> +
> +
> +Here is a brief explanation of how the Interactive Service works, based on
> +`Gert's email`_ to openvpn-devel mailing list. The example user, *joe*,
> is not
> +an administrator, and does not have any other extra privileges.
> +
> +- OpenVPN-GUI runs as a *joe*
> +- Interactive Service runs as a local Windows service with maximum
> privileges
> +- OpenVPN-GUI connects to the Interactive Service and asks it "run
> openvpn.exe
> +  with the following arguments, using the *joe*'s credentials" - Windows
> can do
> +  this - pass credentials across a pipe, which you can't fake
> +- Interactive Service forks openvpn.exe, and runs this as the user *joe*,
> and
> +  keeps a "service pipe" between Interactive Service and openvpn.exe
> +- If openvpn.exe wants to do ipconfig/route/dns stuff, it sends these as
> +  requests over the service pipe to the Interactive Service, which will
> then
> +  execute them (and clean up should openvpn.exe crash)
> +- ``--up`` scripts are run by openvpn.exe itself, which is already
> running as
> +  *joe*, all privileges are nicely in place
> +- Scripts run by the GUI will run as user *joe*, so that automated tasks
> like
> +  mapping of drives work as expected

+
> +This also avoids the use of scripts for privilege escalation to admin (as
> was
> +possible by running an ``--up`` script from openvpn.exe which is run as
> admin).

+
>

Considering the more formal style used below, the above paragraph could be
rewritten too. IMO, it's not necessary to preserve the "original" description
of "How it works". Just saying..


> +
> +Client-Service Communication
> +
> +
> +Connecting
> +--
> +
> +The client (OpenVPN GUI) and the Interactive Service communicate using a
> named
> +message pipe. By default, the service provides the
> ``\\.\pipe\openvpn\service``
> +named pipe.
> +
> +The client connects to the pipe for read/write and sets the pipe state to
> the
>

state to the --> state to


> +``PIPE_READMODE_MESSAGE``::
> +
> +   HANDLE pipe = CreateFile(_T(".\\pipe\\openvpn\\service"),
> +   GENERIC_READ | GENERIC_WRITE,
> +   0,
> +   NULL,
> +   OPEN_EXISTING,
> +   FILE_FLAG_OVERLAPPED,
> +   NULL);
> +
> +   if (pipe == 
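Review bot: the connection snippet opens the pipe with ``FILE_FLAG_OVERLAPPED`` but the surrounding text never says that every later ReadFile/WriteFile on that handle must then pass a valid OVERLAPPED structure (a NULL lpOverlapped on an overlapped handle is documented by Microsoft as unreliable); either state that requirement next to the snippet or open the handle without the flag for the minimal example. The snippet also never closes the handle on the error path that follows a successful CreateFile; a CloseHandle(pipe) in the SetNamedPipeHandleState error branch would keep the example leak-free.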

Re: [Openvpn-devel] Viscosity patch to TAP driver

2018-04-12 Thread Antonio Quartulli


On 13/04/18 04:22, Jan Just Keijser wrote:
> Hi,
> 
> On 12/04/18 16:50, Gert Doering wrote:
>> Hi,
>>
>> On Thu, Apr 12, 2018 at 10:27:08AM -0400, Selva Nair wrote:
>>>> This change was made not because of any actual performance gains, but
>>>> because of user reports that certain firewall or AV software tries to
>>>> QoS the adapter based on its reported adapter speed, which is of
>>>> course
>>>> a problem if the VPN connection is capable of more than 100 Mbit.
>> [..]
>>> Or am I mistaken -- does this setting really affect the max throughput?
>> Not normally, but when certain 'helpful' software is around...
>>
>>
> as a side note: there is one thing to keep in mind when changing this:
> Windows calculates its automatic routing metrics based on the adapter
> speed. So if we increase the speed then there are scenarios possible
> where the tun adapter route will take precedence over a lan route : in
> most cases that is what a user would want, but there are (rare)
> scenarios where that could have nasty side effects (including the
> "biting your own tail" problem)

Can't we come up with a reasonable default that works for 99.9% of the
users (i.e. 1Gbps) and allow experts to tweak that? Or tweak the metric
(I think this is already possible, given what Selva said)?


Cheers,



-- 
Antonio Quartulli


