[Sfw-team] [OpenIndiana Distribution - Feature #2623] (Rejected) Package and provide OpenVPN and tun/tap drivers manageable by dladm
illumos project
devnull at illumos.org
Wed Apr 18 15:00:54 UTC 2012
Issue #2623 has been updated by Bayard Bell.
Status changed from New to Rejected
Priority changed from Normal to Low
The scope of this issue is all over the place. We don't really do big RFEs, and this has a bunch of touch points in different gates. Slim this down to something a developer is likely to read and circulate it for discussion before putting it into a tracker. Start by talking to the networking list.
----------------------------------------
Feature #2623: Package and provide OpenVPN and tun/tap drivers manageable by dladm
https://www.illumos.org/issues/2623
Author: Jim Klimov
Status: Rejected
Priority: Low
Assignee: OI SFW
Category: SFW (Solaris Freeware)
Target version:
Difficulty: Medium
Tags: needs-triage
SHORT PITCH:
Many users have implemented the free OpenSSL-based VPN solution in their networks - OpenVPN servers and clients. This software is easily installable on small router boxes with Linux inside, on servers and PCs to connect into their networks from "the scary outside", as well as to unite several LANs (branch offices etc.) with a VPN over untrusted WANs, using an L3 routing or L2 bridging approach. In some ways this solution might be easier to use than GRE or PPTP based VPNs, and it is somewhat more "standardized" being a single-vendor's open product running on countless hardware and OS platforms ;)
Pre-packaged OpenVPN and TUN/TAP tunnel driver software can be downloaded from repositories like Blastwave, or they can be compiled from source by the user; however, having a standard solution in the OpenIndiana distribution out-of-the-box seems like a better solution, especially since there is some work to be done on OpenVPN and/or its drivers to make the solution not "just able to work", but also become more performant (think network tunnel driver changes) and more tightly integrated with the OS (think SMF).
Unfortunately, the solution does often perform poorly, with the most notable example being the use of CIFS/SMBfs over OpenVPN as compared to native VPN-less CIFS, rsync or scp (using same OpenSSL) between the same two hosts over the same WAN or even over same OpenVPN tunnels over this WAN.
However, there are vast performance differences between implementations and platforms (i.e. upload from the Windows OpenVPN client into the secured server behind an OpenSolaris OpenVPN router works a lot faster than downloads from that secured server over the same VPN), so it might be possible that changes in (or replacement of) the TUN/TAP drivers and/or updates to OpenVPN might solve the Solaris-side problems. Further detail will be posted below.
MORE DETAIL:
I will post further thoughts on this matter as an update to the RFE, because otherwise the whole flood of text is mailed on every update to the ticket ;)
EXPECTED DELIVERABLES:
I think this project is complex in research and integration, so it can be phased.
Phase 1 - Package the 3rd party software as-is, and include SMFization for OpenVPN instances:
* Check that current OpenVPN (http://openvpn.net/index.php/open-source/downloads.html) and TUN/TAP drivers for Solaris (http://www.whiteboard.ne.jp/~admin2/tuntap/) can be compiled for illumos/OpenIndiana by both SS12 and GCC3.4.3 or whatever compiler stacks are officially supported at that moment.
* Prepare the packages for 32/64-bit platforms - Compile TUN/TAP drivers, Bridge drivers, their management utilities; Compile OpenVPN software; Create SMF manifests and methods to manage OpenVPN instances; prepare packaging manifests; publish to repo.
At this moment the end-users can use OpenVPN in OpenIndiana at least as well as they can do with other sources of the package, it's integrated with SMF and it's available from the default repositories.
Now let's try to make it better.
Phase 2 - Research the (CIFS) performance problems with TUN/TAP drivers and OpenVPN as they are:
* determine whether TUN/TAP, OpenVPN or OpenSSL are at fault in CIFS-over-OpenVPN performance degradation
* see if something can be done in the default stack to improve (CIFS) performance
* see if existing OpenSolaris interfaces for IP tunneling (ClearView/CrossBow) can be used with OpenVPN, out-of-the-box or after some OpenVPN patching, or after some OpenSolaris patching, and if the resulting VPN performs better than TUN/TAP-based VPN ;)
The positive result includes that these tunnels should work correctly with TUN/TAP drivers on the other side of the tunnel.
* If any of the attempted solutions does indeed improve the VPN performance, work with upstream of the opensource projects to integrate the patches for everyone's benefit.
Phase 3 depends on results of Phase 2 research, and may involve some or all of the following:
* if TUN/TAP and bridge drivers are here to stay, as-is or improved by patching - integrate them tighter with OpenSolaris network management (dladm configuration, flow controls and bandwidth limits per-link, maybe add dtrace visibility, etc.)
* if OpenVPN can work with existing OpenSolaris IP tunnels, document how that can be done
* optionally, for the CIFS problem in particular, it might be possible to create a proxy service, which would somehow streamline the IP dialog within the VPN (so that its encryption is more optimal and fast) and "serve" the end-client on the other side, while the proxy would act as a client to (its local) CIFS server and interact with it at wire-speed.
At this point, if the project succeeds, the illumos OpenVPN tunnels work better and faster than original ones (after Phase 1), while keeping interoperability with TUN/TAP/bridge on the other side - either by improving TUN/TAP/bridge drivers for OpenSolaris and expanding their integration with illumos, or by using native OpenSolaris tunnels and improving OpenVPN to use them. Maybe different improvement solutions spring up and are implemented instead.
See also:
* illumos bug #277 (closed as "we don't plan to include VPNs yet").
* my unanswered (as of yet) question in the OpenVPN forums: https://forums.openvpn.net/topic9542.html
* http://www.c0t0d0s0.org/archives/4147-Solaris-Features-Service-Management-Facility-Part-4-Developing-for-SMF.html
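The Phase 1 deliverable "SMF manifests and methods to manage OpenVPN instances" can be illustrated with one manifest that defines a service with a separate instance per tunnel. This is an added example, not code from the issue, from OpenIndiana or from the OpenVPN project; the service FMRI svc:/network/openvpn, the config/file property and the path /etc/openvpn/server.conf are assumptions chosen for the example.

```xml
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!-- Added example manifest; service name, property names and paths are
     assumptions, not part of the issue or of any OpenIndiana package. -->
<service_bundle type="manifest" name="openvpn">
  <service name="network/openvpn" type="service" version="1">

    <!-- Local filesystems must be mounted (keys, certs, config live there)
         and the network must be up before a tunnel is started; restart the
         tunnel if the network milestone drops into maintenance. -->
    <dependency name="filesystem" grouping="require_all" restart_on="none" type="service">
      <service_fmri value="svc:/system/filesystem/local:default"/>
    </dependency>
    <dependency name="network" grouping="require_all" restart_on="error" type="service">
      <service_fmri value="svc:/milestone/network:default"/>
    </dependency>

    <!-- %{config/file} is expanded by svc.startd from the instance's own
         config property group, so every instance runs its own config file.
         The daemon lives in the method's process contract, which is what
         svc.startd tracks for a contract-duration service. -->
    <exec_method type="method" name="start"
        exec="/usr/sbin/openvpn --daemon --config %{config/file}"
        timeout_seconds="60"/>
    <exec_method type="method" name="stop" exec=":kill" timeout_seconds="60"/>

    <property_group name="startd" type="framework">
      <propval name="duration" type="astring" value="contract"/>
    </property_group>

    <!-- One instance per tunnel; shipped disabled so enabling a VPN
         endpoint is an explicit administrator action. -->
    <instance name="server" enabled="false">
      <property_group name="config" type="application">
        <propval name="file" type="astring" value="/etc/openvpn/server.conf"/>
      </property_group>
    </instance>

    <stability value="Unstable"/>
    <template>
      <common_name>
        <loctext xml:lang="C">OpenVPN tunnel daemon</loctext>
      </common_name>
    </template>
  </service>
</service_bundle>
```

With the manifest installed, an administrator would import it with svccfg import, enable the instance with svcadm enable svc:/network/openvpn:server, and inspect failures with svcs -x; a second tunnel is just another instance element with its own config/file value. Note that the method starts openvpn as root because it must open the TUN/TAP device and configure the interface; privilege reduction after setup is left to the user and group directives in the OpenVPN config file itself, which is the mechanism OpenVPN documents for this purpose.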