Endstille wrote: ↑Wed Feb 24, 2021 10:29 pm
as far as I understand it, it's just the connection-oriented nature of TCP, correct?
Yep.
Endstille wrote: ↑Wed Feb 24, 2021 10:29 pm
then the authorization is initialized but the client can't verify his nature (since he doesn't have the dh parameters etc.) so he's kicked out.
Not sure I understand you ..
How openvpn verifies a client has nothing to do with the TCP layer, which is the discussion here.
Endstille wrote: ↑Wed Feb 24, 2021 10:29 pm
In some way, that is a comforting thing to know but in another way it's still a connection and i'm not tech savvy enough feel comfortable about that/to know what can be done with that connection
You have nothing to fear.
The Linux kernel is Open source and peer reviewed. And then it has to provide the internet at large a working system. And that system is tested daily by gazillions of network transactions. It's quite good at it ..
If you are concerned then the simple answer is to use UDP. It is unlikely that TCP is giving you any real benefit and that is why UDP is the default.
Endstille wrote: ↑Wed Feb 24, 2021 11:10 pm
Would it be an option to implement the error handling and flow control functions of TCP (sequence nr, ack number, window size, checksum, etc...) in the OpenVPN software so that UDP can be used with the same reliability as TCP?
Openvpn does this for you as it stands. Although, not in the way you are thinking.
Endstille wrote: ↑Wed Feb 24, 2021 11:10 pm
This would make it possible to dodge a special implementation of the SYN/SYNACK/ACK process and the server would also not aknowledge
that it is running a service on the used port.
I suggested exactly this on the mailing list but, again, not as you describe.
Changing TCP protocol to support TCP Fast Open allows for data to be sent in the SYN packet.
TCP already allows data in the SYN packet but it has never been used by the internet at large.
Allowing data in a SYN packet is largely banned by firewalls because it is deemed to be an attack of some sort.
However, TFO began back in 2010 (or earlier) and by now firewalls are probably more likely to have a knob to twiddle to allow this traffic.
TFO still requires the initial three-way-handshake to complete at least once.
As I understand it, the of cookie of a TFO SYN-COOKIE packet is still only handled by the kernel (i think).
My idea was to take that a step further and pass the cookie data directly and immediately to the application and for the kernel to wait for the application to respond. That is miles outside the scope of TFO but it was TFO that spawned the idea.
Endstille wrote: ↑Thu Feb 25, 2021 12:05 am
Does this also mean that any TCP based protocol (e.g. SMB shares) can pass along an UDP tunnel and still ''be fine'' if packets are received out of order?
Of course. The internet would be out-of-business if it were not so ..
Endstille wrote: ↑Thu Feb 25, 2021 12:05 am
TCP Meltdown occurs when you stack one transmission protocol on top of another, like what happens when an OpenVPN TCP tunnel is transporting TCP traffic inside it
It is exactly like Feedback when you put an electric guitar to close to the speakers