Re: [PATCH net-next v2 00/22] Introducing OpenVPN Data Channel Offload

[Sergey Ryazanov <ryazanov.s.a@gmail.com>]

Hello Antonio,

On 04.03.2024 17:08, Antonio Quartulli wrote:
> Hi all!
> 
> After the comments received last month, I reworked the large patch that
> I have previously sent and I came up with this patchset hoping to make
> the review process more human and less cumbersome.
> 
> Some features are stricly intertwined with each other, therefore I
> couldn't split everything up to the very last grain of salt, but I did
> my best to create a reasonable set of features that add up on top of
> each other.
> 
> I don't expect the kernel module to work between intermediate
> patches, therefore it is important that all patches are applied if you
> want to see something meaningful happening.
> 
> 
> The following is just the introductory text from v1. It's a useful
> summary of what this new kernel module represents.
> 
> As an intereting note, an earlier version of this kernel module is already
> being used by quite some OpenVPN users out there claiming important
> improvements in terms of performance. By merging the ovpn kernel module
> upstream we were hoping to extend cooperation beyond the mere OpenVPN
> community.
> 
> ===================================================================
> 
> `ovpn` is essentialy a device driver that allows creating a virtual
> network interface to handle the OpenVPN data channel. Any traffic
> entering the interface is encrypted, encapsulated and sent to the
> appropriate destination.
> 
> `ovpn` requires OpenVPN in userspace
> to run along its side in order to be properly configured and maintained
> during its life cycle.
> 
> The `ovpn` interface can be created/destroyed and then
> configured via Netlink API.
> 
> Specifically OpenVPN in userspace will:
> * create the `ovpn` interface
> * establish the connection with one or more peers
> * perform TLS handshake and negotiate any protocol parameter
> * configure the `ovpn` interface with peer data (ip/port, keys, etc.)
> * handle any subsequent control channel communication
> 
> I'd like to point out the control channel is fully handles in userspace.
> The idea is to keep the `ovpn` kernel module as simple as possible and
> let userspace handle all the non-data (non-fast-path) features.
> 
> NOTE: some of you may already know `ovpn-dco` the out-of-tree predecessor
> of `ovpn`. However, be aware that the two are not API compatible and
> therefore OpenVPN 2.6 will not work with this new `ovpn` module.
> More adjustments are required.
> 
> If you want to test the `ovpn` kernel module, for the time being you can
> use the testing tool `ovpn-cli` available here:
> https://github.com/OpenVPN/ovpn-dco/tree/master/tests
> 
> The `ovpn` code can also be built as out-of-tree module and its code is
> available here https://github.com/OpenVPN/ovpn-dco (currently in the dev
> branch).
> 
> For more technical details please refer to the actual patches.
> 
> Any comment, concern or statement will be appreciated!
> Thanks a lot!!

Thank you for preparing this series. I briefly check it and now it looks 
much more promising!

I will do my best to do a careful review in a reasonable time, but 
please expected a delay in a few weeks :( It still a considerable amount 
of code for checking, despite it's well arrangement.

--
Sergey