Re: [Openvpn-devel] OpenVPN multi instancing

2004-03-05 Thread James Yonan
Matthias Andree  said:

> On Sun, 29 Feb 2004, Christian Daniel wrote:
> 
> > Hello everybody!
> > 
> > For a student research project I'm trying to add multi instance capability
> > to OpenVPN. The basic idea is to rip the main openvpn()-function apart, put
> > all variables in a struct and then have only one select()-call for all open
> > tunnels at once.
> 
> Oh. You're in for plentiful fun with the various select()
> "features"^Wbugs across the various operating system kernels.
> 
> Better check out poll() and epoll() where available. These happen to
> (usually) be more scalable as the number of fds increases.

Luckily, UDP scales up fairly well without hitting up against the limitations
of select() since a single UDP socket can be used to communicate with an
unlimited number of clients.  TCP will be harder to scale with select()
because every incoming client will need its own socket.

I don't see how poll() is that much of an improvement over select() because it
still requires that you scan all the FDs to see which ones require service.

epoll() looks like a real improvement, and has obviously been designed with
scalability in mind.

It's too bad that poll and epoll move the timeout from microsecond to
millisecond resolution, as that makes things like traffic shaping harder to
implement.

James
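
The point made in the message above, shown as an added example (not code from the thread or from OpenVPN): a single UDP socket serves every peer, so the select() set stays at one descriptor, and the timeout is given in microseconds. The function name serve_many_peers, the loopback traffic, and telling peers apart by source port are assumptions of this sketch.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAX_PEERS 64

/* Sends one datagram from each of n_clients loopback sockets to a single
 * server socket and returns how many distinct peers the server saw. */
int serve_many_peers(int n_clients)
{
    struct sockaddr_in srv = {0}, from;
    socklen_t len = sizeof(srv);
    in_port_t seen[MAX_PEERS];
    int clients[MAX_PEERS], n_seen = 0, i;
    char buf[64];

    if (n_clients > MAX_PEERS) return -1;
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    srv.sin_family = AF_INET;
    srv.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* port 0: kernel picks one */
    if (s < 0 || bind(s, (struct sockaddr *)&srv, len) < 0 ||
        getsockname(s, (struct sockaddr *)&srv, &len) < 0) return -1;

    for (i = 0; i < n_clients; i++) {               /* constructed test traffic */
        clients[i] = socket(AF_INET, SOCK_DGRAM, 0);
        sendto(clients[i], "hello", 5, 0, (struct sockaddr *)&srv, sizeof(srv));
    }
    for (;;) {
        fd_set rd;
        struct timeval tv = { 0, 250000 };          /* 250000 us; poll() takes ms */
        FD_ZERO(&rd);
        FD_SET(s, &rd);                             /* the set never grows */
        if (select(s + 1, &rd, NULL, NULL, &tv) <= 0) break;  /* idle or error */
        len = sizeof(from);
        if (recvfrom(s, buf, sizeof(buf), 0, (struct sockaddr *)&from, &len) < 0) break;
        for (i = 0; i < n_seen && seen[i] != from.sin_port; i++) ;
        if (i == n_seen && n_seen < MAX_PEERS)
            seen[n_seen++] = from.sin_port;         /* new peer, same fd */
    }
    for (i = 0; i < n_clients; i++) close(clients[i]);
    close(s);
    return n_seen;
}
```

A TCP server handling the same peers would hold one accepted socket per client, so its descriptor set would grow with the client count.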




Re: [Openvpn-devel] OpenVPN multi instancing

2004-03-02 Thread James Yonan
Christian Lademann  said:

> Hello, James hello, Christian,
> 
> is it also going to be supported in 2.0 to have multiple tun/tap interfaces
> but only a single TCP-port on the server side waiting for incoming
> connections?

The ultimate goal is to have all connection options open in either
point-to-point or point-to-multipoint mode.  The initial 2.0 beta will
specialize in serving multiple clients on a single UDP port, single tun/tap
interface, and single config file.

Actually if you want single TCP-port, one tun/tap interface per client, that
sounds like the inetd-based forking server model which is already functional
(in a limited sense) in the 1.6 beta series.  The limitation is that you use
SSL/TLS + bridging.  See the FAQ for more info.

James




Re: [Openvpn-devel] OpenVPN multi instancing

2004-03-02 Thread James Yonan
Matthias Andree  said:

> On Mon, 01 Mar 2004, James Yonan wrote:
> 
> > Christian Daniel  said:
> > 
> > > Hello everybody!
> > > 
> > > For a student research project I'm trying to add multi instance
> > > capability to OpenVPN. The basic idea is to rip the main
> > > openvpn()-function apart, put all variables in a struct and then have
> > > only one select()-call for all open tunnels at once.
> > 
> > It's already been done :)
> > 
> > See the BETA20 branch in the CVS.
> 
> Is there a document that mentions the development tags so the daring
> know what to check out? Or a mailing list I should subscribe to?

It's not too complicated.  The HEAD branch is stable, or a beta series which
is leading to a stable release, i.e. 1.6-betaX.  The BETA20 branch at this
point mostly contains a lot of refactorization.  All the stuff that used to be
on the stack in the openvpn() function is now kept in a struct context.
openvpn.c and the main() function are clean and minimalistic once again.

Every major or beta release gets a tag that is constructed from the version
number.  When I do a cvs commit I use this simple script:

cvs commit -m "version $OPENVPN_VER" && cvs tag `echo openvpn-$OPENVPN_VER |
tr . -`

where $OPENVPN_VER is something like "1.6-beta7" or "1.5.0".

> May I suggest to post the pointer to the document or add one to
> openvpn.sourceforge.net?

There's not a lot of people actually working on the code right now, so it's
easier to just ask questions on the list or search the archives.

James




Re: [Openvpn-devel] OpenVPN multi instancing

2004-03-02 Thread Christian Lademann
Hello, James hello, Christian,

is it also going to be supported in 2.0 to have multiple tun/tap interfaces
but only a single TCP-port on the server side waiting for incoming connections?

Regards,

Christian Lademann



Re: [Openvpn-devel] OpenVPN multi instancing

2004-03-02 Thread Matthias Andree
On Mon, 01 Mar 2004, James Yonan wrote:

> Christian Daniel  said:
> 
> > Hello everybody!
> > 
> > For a student research project I'm trying to add multi instance capability
> > to OpenVPN. The basic idea is to rip the main openvpn()-function apart, put
> > all variables in a struct and then have only one select()-call for all open
> > tunnels at once.
> 
> It's already been done :)
> 
> See the BETA20 branch in the CVS.

Is there a document that mentions the development tags so the daring
know what to check out? Or a mailing list I should subscribe to?

May I suggest to post the pointer to the document or add one to
openvpn.sourceforge.net?

Thanks. (It's incredible how much room for improvement OpenVPN still
has, while having been stable and production-ready for so long already.)

-- 
Matthias Andree

Encrypt your mail: my GnuPG key ID is 0x052E7D95



Re: [Openvpn-devel] OpenVPN multi instancing

2004-03-02 Thread Matthias Andree
On Sun, 29 Feb 2004, Christian Daniel wrote:

> Hello everybody!
> 
> For a student research project I'm trying to add multi instance capability to 
> OpenVPN. The basic idea is to rip the main openvpn()-function apart, put all 
> variables in a struct and then have only one select()-call for all open 
> tunnels at once.

Oh. You're in for plentiful fun with the various select()
"features"^Wbugs across the various operating system kernels.

Better check out poll() and epoll() where available. These happen to
(usually) be more scalable as the number of fds increases.

> Each tunnel should have its own tun/tap-device open - the Linux kernel has
> no problem to cope with so many interfaces... I don't think that it's a good
> idea to create only one tun-device and then have some kind of internal
> routing-engine...

It cannot work. The interfaces have distinct addresses and netmasks, for
some kind of internal routing-engine, you'd have to re-implement the
stack on top of raw sockets. Not easy, not portable, not desirable.

> - how to handle the garbage collection? Is it really necessary or is the code 
> leak-free?

go figure as a side project, going to fill your thesis or
homework or whatever other paper or PDF you're going to turn in. :-)

-- 
Matthias Andree

Encrypt your mail: my GnuPG key ID is 0x052E7D95



Re: [Openvpn-devel] OpenVPN multi instancing

2004-03-01 Thread Jon Nelson
On Mon, 1 Mar 2004, James Yonan wrote:

> One virtual interface per tunnel is supported now and will be supported going
> forward.

^ That's the part I needed to hear. Thanks!

--
Life's short and hard, kind of like a bodybuilding elf.

Jon Nelson