Discussion:
[strongSwan-dev] TAP-Windows6 driver integration
Noel Kuntze
2016-09-29 23:03:10 UTC
Hello list,

I implemented support for the TAP-Windows6 driver, which is used by openvpn to support
Windows.
I developed it on top of commit 1dabd0fb1cfdb5b3381d45a39a7cb134651b72a9.

The diff attached to this email contains the following:
* support to manage IPs with kernel-iph on top of Martin Willi's branch win-vip.
  It contains changes to honor charon.install_virtual_ip and charon.install_virtual_ip_on.
* changes to kernel-libipsec and libipsec to work on Windows correctly
  handle_plain is implemented with asynchronous IO on top of WaitForMultipleObjects() and events.
* support to open and configure TAP devices on Windows in libstrongswan
* IPv4 and IPv6 support

My changes are under the MIT-X11 license where required. The repo "strongswan" on my Github account[1]
contains all the required changes.

The performance of the driver is limited to 60 Mbit/s. The TAP-Windows6 driver is known to be quite slow,
so I do not think that is an issue that can be fixed by changes to my code. You might reach higher speeds
if you use a faster test environment than me.
My test environment is a host with the Intel(R) Core(TM) i7-3820 CPU with four cores at 3.60 GHz.
Windows ran in a VirtualBox VM with 3 cores. The test was performed using iperf3 over a tunnel with 60 seconds.
The server was on the VM host. The client was on the VM guest.
In my test, about 90% of the CPU was maxed out.

To make use of the TAP-Windows6 driver, it needs to be patched with the changes that can be found in the
fork on my Github account[2]. It implements an option to disable the ARP source check in the ARP
handling code of the driver. The patch is already known by OpenVPN Tech, which developed and maintains the driver, and should be applied in the next months.
It is tracked under #721 on the openvpn bug tracker[3]. The TAP-Windows6 support that I implemented does
not work without it. It theoretically could, but that requires that the driver handles ARP requests for all
IP addresses that the Windows host tries to reach over it and fills up the neighbor table.

Please take a look at it and tell me what is required to get this merged into the master branch of strongSwan.

[1] https://github.com/Thermi/strongswan
[2] https://github.com/Thermi/tap-windows6
[3] https://community.openvpn.net/openvpn/ticket/721
--
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Emanuil Hristov
2016-11-17 11:21:45 UTC
Hello,
could you please binaries (as possible with charon-cmd) and tun/tap driver.
I really want to test it.

Cheers,
Noel Kuntze
2016-11-19 01:34:58 UTC
Post by Emanuil Hristov
Hello,
could you please binaries (as possible with charon-cmd) and tun/tap driver.
I really want to test it.
AFAIK, charon-cmd is not supported on Windows. Only charon-svc is.
I put that topic on my TODO, but I don't know when I'll get around to doing it.
I collected performance data as part of my bachelor thesis. It's available
in German in a Github repo[1]. The data is displayed and discussed in the thesis.

Contains
- throughput data [2]
- CPU load and memory usage in a guest (The test client was a VBox VM) [3]
- CPU load on the host [4]


[1] https://github.com/Thermi/bachelorarbeit/tree/master/Bachelorarbeit
[2] https://github.com/Thermi/bachelorarbeit/blob/master/Bachelorarbeit/iperf_server_normalized.txt
[3] https://github.com/Thermi/bachelorarbeit/blob/master/Bachelorarbeit/benchmark_guest.txt
[4] https://github.com/Thermi/bachelorarbeit/blob/master/Bachelorarbeit/benchmark_data.txt
--
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Noel Kuntze
2016-11-21 23:36:13 UTC
Emanuil Hristov
2016-11-23 11:25:46 UTC
Hello Noel,
thanks for the binaries.
I will test them later this week and report back performance numbers and
success stories :)

It's really good to have portable strongSwan.

Cheers,
Post by Noel Kuntze
I provide complete binaries and the driver over at an HTTP server[1] that I control.
I have not tested this build. If you cannot install the driver, hit me up.
The driver must be installed using devcon.exe. You also require a working OpenSSL library
for the crypto. Both can be gotten from OpenVPN for Windows. Just install it.
"devcon.exe" is at "C:\Program Files\TAP-Window\bin\tapinstall.exe". It is called "tapinstall.exe",
instead of "devcon.exe". The files in "tap-driver.tar.gz" must all be in the same directory.

"C:\Program Files\TAP-Window\bin\tapinstall.exe" install <path to OemVista.inf> tap0901
"C:\Program Files\TAP-Window\bin\tapinstall.exe" remove tap0901

I do not know of a way to delete a device manually using the command line. But I think you can
do it using the device manager.

Put all the libs and binaries into a single directory. Create a directory "swanctl" in that directory
and store the swanctl configuration and required files in the appropriate subdirectory, as indicated
by the wiki[2].
Run `charon-svc.exe` as Administrator using cmd.exe (or powershell). You might also run it as a service.
After that, load the swanctl style configuration using the `swanctl.exe` binary in a second window.
Then initiate and control as usual. Allow all network access for `charon-svc.exe`.
If you want to load a configuration using `strongswan.conf`, then put that
file into the same directory as `charon-svc.exe`.

[1] https://thermi.strangled.net/~thermi/strongswan-win32-tap/
[2] https://wiki.strongswan.org/projects/strongswan/wiki/SwanctlDirectory
--
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Noel Kuntze
2016-11-23 14:55:36 UTC
Hello Emanuil,
I will test them later this week and report back performance numbers and success stories :)
It's really good to have portable strongSwan.
It is important that you keep the restrictions and the use case in mind. This implementation is only useful
as initiator for a roadwarrior style VPN. For site-to-site or as a responder, you need to (or should) use
the kernel-wfp plugin.
--
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658