when an 'iperf' packet is sent to the VPN server IP address, the packet enters the kernel's 'tun0' device. The packet is then forwarded to the userspace OpenVPN process, where the headers are stripped. The packet is encrypted and signed using OpenSSL calls. The encryption and signing algorithms can be configured using the '--cipher' and '--auth' options.
The resulting packet is then fragmented into pieces according to the '--fragment' and --mssfix' options. Afterwards, the encrypted packet is sent out over the regular network to the OpenVPN server. On the server, the process is reversed. First, the packet is reassembled, then decrypted and finally sent out the 'tun0' interface.
The given example shows the packetflow between two machines.
Let`s say we have routed client -> server -> client
The server has two ports: client -> (eth0 -> server -> eth1) -> client
My question is, how would the packetflow look like internally in the server?
Thanks.
Re: The packetflow
Posted: Sat Apr 23, 2016 1:43 pm
by Traffic
Pippin wrote:The server has two ports: client -> (eth0 -> server -> eth1) -> client
It depends .. are both clients using the same openvpn server instance ?
Re: The packetflow
Posted: Sat Apr 23, 2016 7:19 pm
by Pippin
Yes, they are using the same instance.
I`m doing some throughput testing on my new self build pfSense router and want to understand the results I'm getting.
So, packets are flowing through the server, from client to client, routed, not internal client-to-client.
I can imagine in a client server client flow the server has maybe double encrypt/decrypt/fragment task.
So I'm curious how the packets flow and how that affects performance.
There are two more things I want to test:
Client -> Server
Client -> Server -> LAN-client
Thank you.
Re: The packetflow
Posted: Sat Apr 23, 2016 9:35 pm
by Traffic
Pippin wrote:Yes, they are using the same instance.
I`m doing some throughput testing on my new self build pfSense router and want to understand the results I'm getting. So, packets are flowing through the server, from client to client, routed, not internal client-to-client.
Pippin wrote:I can imagine in a client server client flow the server has maybe double encrypt/decrypt/fragment task.
So I'm curious how the packets flow and how that affects performance.
I am not sure of the details maybe ask the mailing list ..
Yes, I was thinking something similar. One small correction, there are two interfaces.
*internet* -> NIC.device1 -> reassemble/decrypt(1) -> tun.device -> (routing)
tun.device -> encrypt/frag/mmsfix -> NIC.device2 -> *internet*
When I have enough time I will also test your suggestion, client-to-client, I guess througput will drop but it`s a guess, I have no good understanding of the packet flow and want to "mess around" first