Re: [Openvpn-devel] OpenVPN 3 Linux client - v11 beta released

2020-11-02 Thread Gert Doering
Hi,

On Mon, Nov 02, 2020 at 03:00:58PM +0100, David Sommerseth wrote:
> >   Then the imported configuration profile must get the DCO feature
> >   enabled:
> > 
> >   $ openvpn3 config-manage --show --name CFGNAME --dco true
> 
> So I managed to introduce a typo here, this config-manage operation
> should use --config instead of --name:
> 
> $ openvpn3 config-manage --show --name CFGNAME --dco true

Yeah, right.  The difference is quite obvious :-)

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de


signature.asc
Description: PGP signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] OpenVPN 3 Linux client - v11 beta released

2020-11-02 Thread David Sommerseth
On 02/11/2020 14:30, David Sommerseth wrote:
>   With the kernel module installed, the configuration file must be
>   imported:
> 
>   $ openvpn3 config-import --config CONFIG_FILENAME \
>                            --name CFGNAME \
>                            --persistent
> 
>   Then the imported configuration profile must get the DCO feature
>   enabled:
> 
>   $ openvpn3 config-manage --show --name CFGNAME --dco true

So I managed to introduce a typo here, this config-manage operation
should use --config instead of --name:

$ openvpn3 config-manage --show --name CFGNAME --dco true

Thanks to Lev for spotting this.  It is correct in the wiki page and
Fedora Copr repository page.


-- 
kind regards,

David Sommerseth
OpenVPN Inc
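
Added example, not part of the original e-mails or of the OpenVPN 3 Linux code: the release announcement in this thread limits ovpn-dco to Linux 5.4 or newer, UDP transport, IPv4 to the server and AES-GCM ciphers, so a profile can be checked against those limits before `--dco true` is set. The function name, the sample profile and the set of directives inspected (`proto`, `remote`, `cipher`, `data-ciphers`, `ncp-ciphers`) are assumptions of this example.

```python
import ipaddress
import re

def dco_preflight(profile_text, kernel_release):
    """List the reasons this profile/host falls outside the stated ovpn-dco limits."""
    findings = []
    m = re.match(r"(\d+)\.(\d+)", kernel_release)
    if not m or (int(m.group(1)), int(m.group(2))) < (5, 4):
        findings.append(f"kernel {kernel_release}: Linux 5.4 or newer is required")
    for raw in profile_text.splitlines():
        words = raw.split("#", 1)[0].split()
        # Skip blanks, ';' comments and inline-file tags such as <ca>.
        if not words or words[0].startswith((";", "<")):
            continue
        key, args = words[0], words[1:]
        protos, ciphers = [], []
        if key == "proto" and args:
            protos.append(args[0])
        elif key == "remote" and args:
            protos.extend(args[2:3])  # optional per-remote protocol
            try:
                if ipaddress.ip_address(args[0]).version == 6:
                    findings.append(f"remote {args[0]}: IPv6 to the server is not supported")
            except ValueError:
                pass  # hostname: address family is only known after resolution
        elif key in ("cipher", "data-ciphers", "ncp-ciphers") and args:
            ciphers = args[0].split(":")
        for p in protos:
            if p.lower().startswith("tcp"):
                findings.append(f"proto {p}: ovpn-dco requires UDP")
            elif p.endswith("6"):
                findings.append(f"proto {p}: IPv6 to the server is not supported")
        findings += [f"cipher {c}: only AES-GCM is supported" for c in ciphers
                     if not re.fullmatch(r"AES-(128|192|256)-GCM", c, re.IGNORECASE)]
    return findings

SAMPLE_PROFILE = """\
# constructed sample profile, not taken from the announcement
proto tcp
remote vpn.example.net 1194
remote 2001:db8::10 1194 udp
cipher AES-256-CBC
data-ciphers AES-256-GCM:AES-128-GCM
<ca>
</ca>
"""

if __name__ == "__main__":
    print("\n".join(dco_preflight(SAMPLE_PROFILE, "5.3.18")))
```

A profile that names no cipher or uses only hostnames produces no finding for those items; the negotiated cipher and resolved address family are only known once the session is up.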






[Openvpn-devel] OpenVPN 3 Linux client - v11 beta released

2020-11-02 Thread David Sommerseth
Hi,

The OpenVPN 3 Linux v11 beta is now released.

This is available in our git repositories [0] and URLs for source tarballs
are listed later in this e-mail.  We have pre-built binaries for the
following Linux distributions:

* Fedora 31, 32, 33 and Rawhide (via Fedora Copr: x86_64, aarch64, s390x)
* RHEL/CentOS 7 and 8   (via Fedora Copr: x86_64, aarch64)
* Debian 9 and 10   (amd64)
* Ubuntu 16.04, 18.04, 19.10 and 20.04 (amd64)

A quick-start guide for OpenVPN 3 Linux can be found here:




The highlights of this release include:

* Feature: OpenVPN Data Channel Off-load (DCO)

  This feature is currently a tech-preview feature.  It is not
  targeted for production usage in its current shape.  As this is
  still under heavy development, we currently only support the latest
  Fedora releases (Fedora 32 and newer) and Ubuntu 20.04.  This
  currently requires Linux kernel 5.4 and newer.

  This facilitates a brand new kernel module, ovpn-dco, where all the
  crypto operations related to the OpenVPN data channel happen directly
  inside the kernel.  The data channel operations are related to the
  tunnelled network traffic.  This has the advantage of being able to
  reduce the network packet processing overhead compared to the
  traditional tun devices.

  When using the tun interfaces with OpenVPN, the remote side sends
  encrypted network traffic to a UDP or TCP socket.  The Linux kernel
  forwards these packets from kernel space to the OpenVPN user space
  process, which decrypts the packet and extracts the unencrypted
  network traffic.  This unencrypted data is then passed to a tun
  interface, which sends the traffic back to the kernel space for
  further processing.

  The ovpn-dco module changes this packet route.  When the remote
  side sends data channel packets, the ovpn-dco kernel module will
  receive the packet and will have the encryption keys needed to
  decrypt the packet directly in the kernel space and then pass it
  directly to the virtual interface ovpn-dco manages.  If the OpenVPN
  packet from the remote side is a control channel packet, the ovpn-dco
  kernel module will pass this traffic up to the OpenVPN user space
  process.  Control channel packets are used to pass authentication
  credentials, configuration setup, data channel key exchanges, etc.

  To make use of this feature, the kmod-ovpn-dco kernel module must be
  installed on the system.  The OpenVPN 3 Linux project provides
  kmod-ovpn-dco packages for Fedora 32, 33 and Rawhide in addition
  to Ubuntu 20.04.

  On Fedora, with the openvpn3 Copr repository enabled:

  # yum install kmod-ovpn-dco

  On Ubuntu, with the openvpn3 apt repository configured:

  # apt install kmod-ovpn-dco

  With the kernel module installed, the configuration file must be
  imported:

  $ openvpn3 config-import --config CONFIG_FILENAME \
                           --name CFGNAME \
                           --persistent

  Then the imported configuration profile must get the DCO feature
  enabled:

  $ openvpn3 config-manage --show --name CFGNAME --dco true

  To preserve this setting through reboots, --persistent was added
  when importing the configuration file via 'openvpn3 config-import'.

  Now everything is ready and a VPN session can be started:

  $ openvpn3 session-start --config CFGNAME

  The ovpn-dco kernel module from the openvpn3 repositories has some
  limitations:

  - No TCP support
    ovpn-dco will require a UDP connection to the server.

  - No IPv6 support
    ovpn-dco does only support IPv4 for the connection
    to the remote server.

  - Limited data channel cipher support
    ovpn-dco only supports the AES-GCM ciphers.  Support for
    more ciphers will arrive later.

  - No interface statistics available
    The ovpn-dco module has not yet implemented traffic statistics.

  These limitations will be resolved in future releases.  A more
  comprehensive list of what ovpn-dco is working on and will support can
  be found in the ovpn-dco project.

  WARNING:
  The ovpn-dco kernel module is under heavy development.
  This means that the API used between the kernel space
  and OpenVPN user space processes may change.  Therefore
  the kernel module version must be the same which
  OpenVPN 3 Linux has been compiled against.  Once
  the API has become stable, this restriction will no
  longer be needed.

* Bugfix: OpenVPN 3 Linux configuration manager could crash
  If an imported persistent configuration file would contain syntax
  errors, the openvpn3-service-configmgr process could crash (SEGV).
  This has been improved and the configuration manager will now ignore
  incorrect or corrupted persistent configuration files.

* Bugfix: openvpn3 and openvpn3-admin could sometimes crash
  Occasionally on certain hosts, the 'openvpn3' and 'openvpn3-admin'
  tools could crash unexpectedly.