Re: [Openvpn-devel] Many to one TCP question

2004-04-27 Thread James Yonan
Lonnie Cumberland  said:

> Thanks for replying to my posting on this matter as I am still trying to 
> get clear understanding as to the advantages/disadvantages of using 
> TCP/UDP protocols.
> 
> My guess is that most things are done via TCP over the Internet and I 
> seem to remember that there are supposed to be many problems with trying 
> to use UDP over the Internet because of firewalls, bridges and the like, 
> or something like that.
> 
> Also, is it true that you cannot bridge with UDP connections for road 
> warriors with Windows (OpenVPN) machines wishing to connect to Linux 
> (OpenVPN) machines and servers?

No, you should have no trouble bridging with UDP.

> I could be totally off base here, but if UDP protos would work then I 
> could go along that route instead for my project which needs to also 
> scale to a (potentially maybe) very large number of road warriors.

In general UDP is much more scalable when dealing with a large number of
connections.

James




Re: [Openvpn-devel] Many to one TCP question

2004-04-27 Thread Mike Auty

Hi,
	I have never found any problems using UDP as the tunnel mechanism over 
the internet.  I was under the impression that UDP packets were less 
likely to be blocked at the firewall than TCP, since historically it has 
been underutilized.  These days with streaming video/media where speed 
is more important than reliability, UDP is really beginning to be used a 
lot and so I would have said the difficulties in using UDP through 
firewalls are equal to using TCP.
	The advantages of using UDP to tunnel data are that it reflects the 
underlying physical layer very well, whereas TCP has reliability 
controls built in.  These monitor the speed of connections, include 
timeouts in case of lag and various other mechanisms to maintain a 
connection.  Unfortunately if you then tunnel TCP on top of TCP, these 
mechanisms can interact poorly and produce very poor results.  At least 
that's what I recall reading somewhere (after a quick dig it turns out the 
page was part of the CIPE project which was also based on the tun/tap 
virtual adaptor system, see 
http://sites.inka.de/sites/bigred/devel/tcp-tcp.html).
	Anyway, personally I would always use UDP, I currently have a LAN 
bridged with a many to one UDP openvpn (linux) server, all the various 
openvpn (windows and linux) clients can interact with the LAN clients as 
if they were all on the LAN (and vice versa).  I would definitely 
recommend this for road warrior solutions.  Hope this helps...

Mike  5:)



Re: [Openvpn-devel] Windows and Shaper

2004-04-27 Thread Derek Burdick
Here is the function.  Don't forget to #DEFINE HAVE_GETTIMEOFDAY in
config-win32.h.  Let me know what you think.

Derek Burdick
- Original Message - 
From: "James Yonan" 
To: "Derek Burdick" ;

Sent: Tuesday, April 27, 2004 12:48 PM
Subject: Re: [Openvpn-devel] Windows and Shaper


> Derek Burdick  said:
>
> > I was browsing the online CVS repository and noticed the
> > config-win32.h.in says that HAVE_GETTIMEOFDAY is specified in misc.c.  When
> > I look in misc.c, I don't see the file.  Is the latest version just not
> > checked in?  I also implemented a gettimeofday for windows.  It is based on
> > QueryPerformanceCounter. If you are interested in this version let me know.
> > If somebody knows the correct status of gettimeofday for the cvs code, I
> > would appreciate an update.
>
> Derek,
>
> Yes, I'd like to see your gettimeofday for Windows that uses
> QueryPerformanceCounter.  OpenVPN 2.0 will have a gettimeofday function for
> Windows so that --shaper and --mode server can be supported.
>
> James


windows-gtod.diff
Description: Binary data


Re: [Openvpn-devel] Many to one TCP question

2004-04-27 Thread Lonnie Cumberland
Thanks for replying to my posting on this matter as I am still trying to 
get clear understanding as to the advantages/disadvantages of using 
TCP/UDP protocols.


My guess is that most things are done via TCP over the Internet and I 
seem to remember that there are supposed to be many problems with trying 
to use UDP over the Internet because of firewalls, bridges and the like, 
or something like that.


Also, is it true that you cannot bridge with UDP connections for road 
warriors with Windows (OpenVPN) machines wishing to connect to Linux 
(OpenVPN) machines and servers?


I could be totally off base here, but if UDP protos would work then I 
could go along that route instead for my project which needs to also 
scale to a (potentially maybe) very large number of road warriors.


Cheers,
Lonnie

James Yonan wrote:

> Lonnie Cumberland  said:
>
> > Hello All,
> >
> > Well, I've been away from the list for a little while and was wondering 
> > if someone could please bring me up to speed on the development of the 
> > "Many-to-One" TCP progress?
> >
> > It is my understanding that in the OpenVPN 2.0 (early) Beta, that UDP 
> > connections can be established in a many to one TAP/TUN interface, but 
> > how about the TCP side?
>
> TCP support for multiple-clients going through a single tun/tap interface is
> probably not going to be here for a while unless someone sponsors the work. 
> The problem is that it's difficult to scale, because TCP connections require
> one socket per client, while UDP connections can use a single socket to talk
> to any number of clients.  Most OSes lack an efficient API for waiting on the
> status of a large number of sockets.  The one notable exception is Linux 2.6
> which has the epoll API.  Most application developers get around this
> limitation by using multiple threads or processes, where each thread/process
> waits on a single socket.  But then you have the inefficiency of a large
> number of threads/processes and the interprocess communication overhead
> entailed by that.
>
> James

Re: [Openvpn-devel] Many to one TCP question

2004-04-27 Thread James Yonan
Lonnie Cumberland  said:

> Hello All,
> 
> Well, I've been away from the list for a little while and was wondering 
> if someone could please bring me up to speed on the development of the 
> "Many-to-One" TCP progress?
> 
> It is my understanding that in the OpenVPN 2.0 (early) Beta, that UDP 
> connections can be established in a many to one TAP/TUN interface, but 
> how about the TCP side?

TCP support for multiple-clients going through a single tun/tap interface is
probably not going to be here for a while unless someone sponsors the work. 
The problem is that it's difficult to scale, because TCP connections require
one socket per client, while UDP connections can use a single socket to talk
to any number of clients.  Most OSes lack an efficient API for waiting on the
status of a large number of sockets.  The one notable exception is Linux 2.6
which has the epoll API.  Most application developers get around this
limitation by using multiple threads or processes, where each thread/process
waits on a single socket.  But then you have the inefficiency of a large
number of threads/processes and the interprocess communication overhead
entailed by that.

James
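
Added example, not part of the original message and not OpenVPN's own code: the single-socket UDP model described above, run on loopback with constructed client traffic. The function name `udp_distinct_peers` and the `MAX_PEERS` limit are assumptions made for illustration; a TCP server would instead hold one `accept()`ed descriptor per client.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

#define MAX_PEERS 64   /* illustrative limit, not an OpenVPN constant */

/* Open nclients UDP sockets on loopback (constructed test traffic), have each
 * send one datagram, and serve them all from ONE server socket. Returns the
 * number of distinct peers told apart by source address, or -1 on error.
 * The source address only selects a session: it is spoofable and
 * authenticates nothing, so a real server must still verify each packet. */
int udp_distinct_peers(int nclients)
{
    struct sockaddr_in srv = {0}, from, peers[MAX_PEERS];
    struct timeval tv = {1, 0};                     /* never block forever */
    socklen_t len = sizeof srv;
    int c[MAX_PEERS], opened = 0, npeers = 0, i, j;
    char buf[16];

    if (nclients < 1 || nclients > MAX_PEERS) return -1;
    int s = socket(AF_INET, SOCK_DGRAM, 0);         /* the only server fd */
    if (s < 0) return -1;
    srv.sin_family = AF_INET;
    srv.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* port 0: kernel picks */
    setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    if (bind(s, (struct sockaddr *)&srv, sizeof srv) < 0 ||
        getsockname(s, (struct sockaddr *)&srv, &len) < 0) { close(s); return -1; }

    for (; opened < nclients; opened++) {
        if ((c[opened] = socket(AF_INET, SOCK_DGRAM, 0)) < 0) break;
        sendto(c[opened], "hello", 5, 0, (struct sockaddr *)&srv, sizeof srv);
    }
    for (i = 0; i < opened; i++) {
        len = sizeof from;
        if (recvfrom(s, buf, sizeof buf, 0, (struct sockaddr *)&from, &len) < 0) break;
        for (j = 0; j < npeers; j++)                /* demultiplex on (address, port) */
            if (peers[j].sin_port == from.sin_port &&
                peers[j].sin_addr.s_addr == from.sin_addr.s_addr) break;
        if (j == npeers) peers[npeers++] = from;
        sendto(s, buf, 5, 0, (struct sockaddr *)&from, len);  /* reply on the same fd */
    }
    for (i = 0; i < opened; i++) close(c[i]);
    close(s);
    return opened == nclients ? npeers : -1;
}

int main(void)
{
    printf("distinct peers on one socket: %d\n", udp_distinct_peers(32));
    return 0;
}
```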




Re: [Openvpn-devel] Windows and Shaper

2004-04-27 Thread James Yonan
Derek Burdick  said:

> I was browsing the online CVS repository and noticed the
> config-win32.h.in says that HAVE_GETTIMEOFDAY is specified in misc.c.  When
> I look in misc.c, I don't see the file.  Is the latest version just not
> checked in?  I also implemented a gettimeofday for windows.  It is based on
> QueryPerformanceCounter. If you are interested in this version let me know.
> If somebody knows the correct status of gettimeofday for the cvs code, I
> would appreciate an update.

Derek,

Yes, I'd like to see your gettimeofday for Windows that uses
QueryPerformanceCounter.  OpenVPN 2.0 will have a gettimeofday function for
Windows so that --shaper and --mode server can be supported.

James




[Openvpn-devel] Bridging Question

2004-04-27 Thread Lonnie Cumberland

Hello All,

I was looking over the OpenVPN site documentation on the Mini-Bridging 
HOWTO and came up with a question.


It appears that on each side of the VPN that the hubs are allowing got 
masked IP on the range of 192.189.0.0/24.


Since each side is allowing the same range of IP's, doesn't this 
particular set up require that no two machines have the same IP even 
though they are on different sides of the bridge?


I would think that an IP conflict would occur if that were to happen, right?

Thanks,
Lonnie





[Openvpn-devel] Find programmer to develop manage function

2004-04-27 Thread JackyChen
Dear All,

Our company is looking for a programmer to implement an 
OpenVPN Server/Client user-friendly manager interface,
like CA key integration DB, Key manager, 
OpenVPN Server/Client configuration UI, etc.

If you are interested, please contact me.


Jacky








Re: [Openvpn-devel] Many to one TCP question

2004-04-27 Thread lonnie
Thanks for the reply to my email on this matter.

In reading over the information on the site, I can see what you are talking 
about and also about the memory consumption because of the many instances, 
one for each user.

In the early Beta 2.0 release notes, it talks about UDP in a "many-to-one" 
design which I assume means only one instance per user. 

I was wondering if this would soon be available for the TCP side of the house 
as well as it seems to be more valuable for road warrior connections over the 
Internet and can easily tunnel through firewalls, although I could be wrong on 
this.

Thanks again,
Lonnie

- Original Message -
From: Stephan Scholz
To:  Lonnie Cumberland 
Cc:   Openvpn-devel@lists.sourceforge.net
Sent: Tue, 27 Apr 2004 16:12:32 +0200
Subject: Re: [Openvpn-devel] Many to one TCP question

Hi Lonnie,

this could already be done with 1.6 by some tweaks and using inetd.
I have tried it and it worked fine.
Disadvantage: one OpenVPN process per user is created -> memory consumption.

In the FAQ on the openvpn homepage, there is a short howto:
"How can I implement OpenVPN as a classic, forking TCP server
which can service multiple clients over a single TCP port?"

Stephan

> Hello All,
> 
> Well, I've been away from the list for a little while and was wondering 
> if someone could please bring me up to speed on the development of the 
> "Many-to-One" TCP progress?
> 
> It is my understanding that in the OpenVPN 2.0 (early) Beta, that UDP 
> connections can be established in a many to one TAP/TUN interface, but 
> how about the TCP side?
> 
> I am hoping to get a project under way as soon as this has been 
> implemented.
> 
> Thanks All,
> Lonnie
> ___
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel



Re: [Openvpn-devel] Many to one TCP question

2004-04-27 Thread Stephan Scholz

Hi Lonnie,

this could already be done with 1.6 by some tweaks and using inetd.
I have tried it and it worked fine.
Disadvantage: one OpenVPN process per user is created -> memory consumption.

In the FAQ on the openvpn homepage, there is a short howto:
"How can I implement OpenVPN as a classic, forking TCP server
which can service multiple clients over a single TCP port?"

Stephan


> Hello All,
> 
> Well, I've been away from the list for a little while and was wondering 
> if someone could please bring me up to speed on the development of the 
> "Many-to-One" TCP progress?
> 
> It is my understanding that in the OpenVPN 2.0 (early) Beta, that UDP 
> connections can be established in a many to one TAP/TUN interface, but 
> how about the TCP side?
> 
> I am hoping to get a project under way as soon as this has been 
> implemented.
> 
> Thanks All,
> Lonnie



