Re: [Openvpn-users] OpenVPN architecture questions

2015-11-30 Thread Jan Just Keijser
Gert Doering wrote:
> Hi,
>
> On Mon, Nov 30, 2015 at 09:54:32PM +1300, Jason Haar wrote:
>   
>> eg, if there's no UDP error checking built into openvpn, then shouldn't
>> DNS lookups (ie udp inside a udp openvpn tunnel) fail a lot? Or is the
>> Internet generally so reliable that it doesn't matter? (eg 1% packet
>> loss on Internet leads to 1% packet loss inside openvpn tunnel?)
>> 
>
> This is how it is: if you have packet loss outside, you have packet loss
> inside the tunnel as well - for good reason, OpenVPN does not add a 
> reliability layer here, because we have one: TCP.
>
> If a DNS query gets lost, DNS knows how to retransmit - and this is how
> layering is supposed to work.
>
> Imagine doing real-time audio over OpenVPN.  If a packet gets lost, you
> hear a bit of noise, but then the stream goes on.  If the lower layers
> do retransmission, the stream will stop until the missing packet has been
> retransmitted, and then you're out of sync... what now?
>
>   
I agree with both you and Steffan but there *is* an interesting tidbit 
in the OpenVPN manual page:


  In this sense, it could be argued that TCP tunnel transport is preferred
  when tunneling non-IP or UDP application protocols which might be
  vulnerable to a message deletion or reordering attack which falls within
  the normal operational parameters of IP networks.

  So I would make the statement that one should never tunnel a non-IP
  protocol or UDP application protocol over UDP, if the protocol might be
  vulnerable to a message deletion or reordering attack that falls within
  the normal operating parameters of what is to be expected from the
  physical IP layer.  The problem is easily fixed by simply using TCP as
  the VPN transport layer.

(in the section --replay-window)

In general, however, one should run OpenVPN over UDP wherever possible, 
as a TCP-over-TCP penalty is far worse than a UDP-over-UDP 
penalty/reordering attack.

JM2CW,

JJK


--
Go from Idea to Many App Stores Faster with Intel(R) XDK
Give your users amazing mobile app experiences with Intel(R) XDK.
Use one codebase in this all-in-one HTML5 development environment.
Design, debug & build mobile apps & 2D/3D high-impact games for multiple OSs.
http://pubads.g.doubleclick.net/gampad/clk?id=254741551&iu=/4140
___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
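The man page passage quoted above is about what a packet-id replay window can and cannot catch. The following is an added illustration, not OpenVPN's own code and not part of any post in this thread: a simplified Python model of the sliding window that --replay-window configures (64 entries, matching OpenVPN's default window size; the real implementation also tracks time and differs in detail). It shows that replays and packets older than the window are dropped, while a packet reordered or deliberately delayed within the window is accepted and a deleted packet is never noticed, which is exactly why the man page says a UDP application protocol that cannot tolerate such behaviour belongs over TCP transport. The class, function and scenario names are the example's own.

```python
"""Sliding replay window for a UDP data channel (added illustration).

Each data packet carries a monotonically increasing packet id.  The
receiver keeps the highest id accepted so far plus a bitmap covering the
`size` ids just below it.  Rules:

  * id newer than anything seen      -> accept, slide the window up
  * id inside the window, not seen   -> accept (late/reordered packet)
  * id inside the window, seen       -> reject (replay)
  * id below the window              -> reject (too old to check)

Deletion of a packet is never detected and reordering inside the window
is tolerated: both look like ordinary IP behaviour, which is the man
page's point about tunnelling UDP application protocols over UDP.
"""


class ReplayWindow:
    def __init__(self, size=64):          # 64 mirrors OpenVPN's default window
        if not 1 <= size <= 4096:
            raise ValueError("window size out of range")
        self.size = size
        self.top = 0       # highest packet id accepted (0 = nothing yet)
        self.bitmap = 0    # bit i set  <=>  id (top - i) has been accepted

    def check_and_update(self, pid):
        """Return True and record pid if acceptable, else False (drop it)."""
        if pid <= 0:
            return False                       # id 0 is treated as invalid
        if pid > self.top:                     # newer than anything seen
            shift = pid - self.top
            if shift >= self.size:
                self.bitmap = 1                # whole old window falls off
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = pid
            return True
        offset = self.top - pid
        if offset >= self.size:
            return False                       # older than the window: drop
        mask = 1 << offset
        if self.bitmap & mask:
            return False                       # already seen: replay
        self.bitmap |= mask                    # late but genuine: accept
        return True


def deliver(window, ids):
    """Feed packet ids in arrival order; return the ids the receiver accepts."""
    return [pid for pid in ids if window.check_and_update(pid)]


def scenarios():
    """Constructed arrival sequences (not captured traffic):
    an honest but reordering path, a replaying attacker, an attacker
    delaying one packet inside the window, and one delaying it past it."""
    honest = deliver(ReplayWindow(), [1, 2, 4, 5, 3, 6])
    replay = deliver(ReplayWindow(), [1, 2, 3, 2, 3, 1, 4])
    # Packet 2 withheld until 60 has been seen: still inside the 64 window,
    # so it is accepted.  The window cannot tell this from normal reordering.
    within_window = deliver(ReplayWindow(), [1] + list(range(3, 61)) + [2])
    # Packet 2 withheld until 70 has been seen: now older than the window.
    delayed = deliver(ReplayWindow(), [1] + list(range(3, 71)) + [2])
    return {"honest": honest, "replay": replay,
            "within_window": within_window, "delayed": delayed}


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(name, accepted)
```

Note that the "delayed" case is rejected only because the attacker waited too long; nothing in the window protects the application from the "within_window" case or from a silently deleted packet. Those are the cases the application protocol itself, or a TCP transport, has to handle.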


Re: [Openvpn-users] OpenVPN architecture questions

2015-11-30 Thread Steffan Karger
On Mon, Nov 30, 2015 at 9:54 AM, Jason Haar wrote:
> On 29/11/15 22:56, Steffan Karger wrote:
>> OpenVPN makes a distinction between control traffic (key/config
>> exchange, etc) and data traffic (actual vpn network packets).  For
>> control packets, OpenVPN has a reliability layer that ACKs packets,
>> retransmits, etc.  For data packets, OpenVPN does not do any of that.
>> (But, when you're using TCP mode, TCP does that, ofc.)
> ...Then why does it work so well over UDP?
>
> I almost exclusively use openvpn over UDP and I would have thought the
> lack of error checking on the data channel would hurt, so why doesn't it?
>
> eg, if there's no UDP error checking built into openvpn, then shouldn't
> DNS lookups (ie udp inside a udp openvpn tunnel) fail a lot? Or is the
> Internet generally so reliable that it doesn't matter? (eg 1% packet
> loss on Internet leads to 1% packet loss inside openvpn tunnel?)

You're tunnelling IP over UDP.  IP assumes no reliable transport.
Either you run a protocol over IP that provides the reliability (e.g.
TCP), or you design your application such that it does not assume
reliable transport (e.g. DNS).  DNS over UDP-OpenVPN over Internet
will experience (almost) the same packet loss, out-of-order
transmissions and whatnot behaviour as UDP-over-Internet on the same
route would.

Because the assumptions IP makes on the underlying transport are
similar to the behaviour of UDP tunnelling, UDP tunnelling generally
works well.  TCP tunnelling however can cause problems with
TCP-over-TCP, because the two layers of reliability features can cause
strange interactions.

So yes, 1% packet loss on the underlying transport will cause 1%
packet loss on your UDP-OpenVPN tunnel. And that's (generally) a good
thing ;)

-Steffan

(Disclaimer: I'm really not a networking expert, so I might not use
the correct terms, be imprecise or even incorrect.  Please correct me
if that is the case.)



Re: [Openvpn-users] OpenVPN architecture questions

2015-11-30 Thread Gert Doering
Hi,

On Mon, Nov 30, 2015 at 09:54:32PM +1300, Jason Haar wrote:
> eg, if there's no UDP error checking built into openvpn, then shouldn't
> DNS lookups (ie udp inside a udp openvpn tunnel) fail a lot? Or is the
> Internet generally so reliable that it doesn't matter? (eg 1% packet
> loss on Internet leads to 1% packet loss inside openvpn tunnel?)

This is how it is: if you have packet loss outside, you have packet loss
inside the tunnel as well - for good reason, OpenVPN does not add a 
reliability layer here, because we have one: TCP.

If a DNS query gets lost, DNS knows how to retransmit - and this is how
layering is supposed to work.

Imagine doing real-time audio over OpenVPN.  If a packet gets lost, you
hear a bit of noise, but then the stream goes on.  If the lower layers
do retransmission, the stream will stop until the missing packet has been
retransmitted, and then you're out of sync... what now?

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de


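Steffan's point that a UDP tunnel passes the path's loss through unchanged, and Gert's point that a retransmitting lower layer hurts a real-time stream more than the loss does, can be made concrete with a small model. This is an added illustration written for this page, not code from OpenVPN or from either poster. Its assumptions: independent (Bernoulli) packet loss on the path, a resolver that retries a fixed number of times, 20 ms audio frames, an 80 ms RTT, and a deliberately simplified reliable tunnel in which every lost frame stalls in-order delivery for one RTT and a strict real-time player cannot catch up afterwards. All inputs are constructed.

```python
"""Loss propagation and head-of-line blocking (added illustration).

Models, with constructed inputs:
  * a UDP tunnel passes the underlying path's loss through 1:1;
  * UDP DNS inside the tunnel copes because the resolver retries;
  * a real-time stream over a tunnel that retransmits (TCP-like) trades a
    short glitch for a growing playout delay.
"""
import random


def lossy_path(packets, loss, rng):
    """Underlying Internet path: each packet is dropped independently
    with probability `loss` (assumed Bernoulli loss)."""
    return [p for p in packets if rng.random() >= loss]


def udp_tunnel(inner_packets, loss, rng):
    """UDP data channel: no ACKs, no retransmits, so the encapsulated
    packets see exactly the path's loss, no more and no less."""
    return lossy_path(inner_packets, loss, rng)


def dns_success_probability(loss, retries):
    """UDP DNS inside the tunnel: the lookup fails only if the original
    query and every retry are lost; the application supplies reliability."""
    return 1.0 - loss ** (retries + 1)


def realtime_over_udp_tunnel(frames, lost):
    """Lost frames are a short glitch; everything else plays on time."""
    played = [f for f in frames if f not in lost]
    return {"glitches": len(lost), "max_extra_delay_ms": 0, "played": played}


def realtime_over_reliable_tunnel(frames, lost, rtt_ms):
    """Tunnel retransmits and delivers in order (TCP-like).  Simplified:
    each lost frame stalls the receiver for one RTT, and a strict
    real-time player cannot play faster than real time afterwards, so
    the extra delay accumulates (the stream is 'out of sync')."""
    extra = worst = 0
    for f in frames:
        if f in lost:
            extra += rtt_ms            # wait for the retransmission
        worst = max(worst, extra)
    return {"glitches": 0, "max_extra_delay_ms": worst, "played": list(frames)}


def demo(loss=0.01, n=100_000, rtt_ms=80, seed=1):
    """Run all three models on constructed traffic and return the figures."""
    rng = random.Random(seed)
    inside = udp_tunnel(range(n), loss, rng)
    frames = list(range(500))                   # 10 s of 20 ms audio frames
    lost = {f for f in frames if rng.random() < loss}
    return {
        "outer_loss": loss,
        "inside_loss": 1 - len(inside) / n,
        "dns_ok_with_2_retries": dns_success_probability(loss, 2),
        "udp": realtime_over_udp_tunnel(frames, lost),
        "reliable": realtime_over_reliable_tunnel(frames, lost, rtt_ms),
    }


if __name__ == "__main__":
    d = demo()
    print("loss outside %.3f, inside %.3f" % (d["outer_loss"], d["inside_loss"]))
    print("DNS success with 2 retries: %.6f" % d["dns_ok_with_2_retries"])
    print("audio over UDP tunnel: %d glitches, %d ms extra delay"
          % (d["udp"]["glitches"], d["udp"]["max_extra_delay_ms"]))
    print("audio over reliable tunnel: %d glitches, %d ms extra delay"
          % (d["reliable"]["glitches"], d["reliable"]["max_extra_delay_ms"]))
```

The real TCP-over-TCP interaction is worse than this model, because the inner TCP's own timers and congestion control also react to the outer layer's stalls; the model only shows the part Gert describes, namely that reliability at the wrong layer turns a 1% glitch rate into delay the application cannot shed.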


Re: [Openvpn-users] OpenVPN architecture questions

2015-11-30 Thread Jason Haar
On 29/11/15 22:56, Steffan Karger wrote:
> OpenVPN makes a distinction between control traffic (key/config
> exchange, etc) and data traffic (actual vpn network packets).  For
> control packets, OpenVPN has a reliability layer that ACKs packets,
> retransmits, etc.  For data packets, OpenVPN does not do any of that.
> (But, when you're using TCP mode, TCP does that, ofc.)
...Then why does it work so well over UDP?

I almost exclusively use openvpn over UDP and I would have thought the
lack of error checking on the data channel would hurt, so why doesn't it?

eg, if there's no UDP error checking built into openvpn, then shouldn't
DNS lookups (ie udp inside a udp openvpn tunnel) fail a lot? Or is the
Internet generally so reliable that it doesn't matter? (eg 1% packet
loss on Internet leads to 1% packet loss inside openvpn tunnel?)

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




Re: [Openvpn-users] OpenVPN architecture questions

2015-11-30 Thread Steffan Karger
Hi Leroy,

On Mon, Nov 30, 2015 at 5:21 AM, Leroy Tennison wrote:
> Thank you for your reply, I appreciate it (and the technical
> distinctions concerning reliability).  Do you have a pointer to a source
> for additional information about what is retained in OpenVPN's "state"?
> I don't mind doing the reading if I just knew where to look (even a
> well-labeled C struct would be fine, I just don't know how extensive the
> source code is).

I'm afraid there isn't a clear piece of documentation describing the
internal state.  However, 'struct context' in openvpn.h should give
you a good starting point when you start digging in the code:
https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/openvpn.h#L508

What we do have, and what might help you, is looking at the generated
doxygen documentation.  Either run 'doxygen
doc/doxygen/openvpn.doxyfile' from the source root, or look at the
doxygen I regularly generate for git-master:
https://delft.syzzer.nl/openvpn-doxygen/  (no guarantees on this one,
if it breaks it might take me a while to notice and/or fix).

-Steffan
