Porting OpenVpn Client only
Moderators: TinCanTech
-
- OpenVPN User
- Posts: 22
- Joined: Mon Nov 07, 2011 3:11 pm
Porting OpenVpn Client only
Hello,
I am trying to port OpenVPN to an embedded platform that has never run OpenVPN before.
Now, this OS has no support for TUN/TAP, so my question is whether this is a must for a client-only configuration?
Also, for implementing TUN, does anyone have an effort estimate for such an implementation?
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Porting OpenVpn Client only
the client and server code are part of the same package - I wouldn't bother trying to separate them.
Porting a tun/tap adapter to another OS is a different matter - that might be a lot of work. You're talking about a kernel level network driver - they can be VERY tricky.
-
- OpenVPN User
- Posts: 22
- Joined: Mon Nov 07, 2011 3:11 pm
Re: Porting OpenVpn Client only
Thanks janjust!
I need this driver; I can even make do with TUN only, assuming I can easily access Layer 3 in my module.
The module is running OSE166 (operating system) with the LWIP stack.
Can you please explain which capabilities I need from the platform being ported to with regard to the TUN needs?
I need to know whether this is doable, and a time estimate; I need some requirements to start with.
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Porting OpenVpn Client only
you'd need to talk to the OS supplier (ENEA?): it's impossible to tell how hard it will be to port a kernel-level network driver to a new OS; the fact that they're using LWIP does not say much - it just means the OS can do TCP/IP (which you do need, of course).
-
- OpenVPN User
- Posts: 22
- Joined: Mon Nov 07, 2011 3:11 pm
Re: Porting OpenVpn Client only
I am probably missing something.
Why is this considered kernel level?
TUN requires changes at the IP layer, and the IP stack is fully accessible.
What is required from the OS? Is there a list of dependencies for a platform to be able to port this?
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Porting OpenVpn Client only
That's more or less the way OpenVPN works: OpenVPN uses a virtual network interface known as a tun (or tap) driver; the OS should regard this interface as a "regular" network interface, so that packets can be routed to and from this interface. The 'tun' interface must accept these packets and must forward them to the OpenVPN process, which will deal with the actual contents.
When OpenVPN receives data from the other end of the VPN tunnel it will decode the data and will forward the reconstructed packet out onto the virtual interface.
-
- OpenVPN User
- Posts: 22
- Joined: Mon Nov 07, 2011 3:11 pm
Re: Porting OpenVpn Client only
I understand.
So, why can't I sit at the IP layer, performing the tunneling there (of course, with some virtual device, which I will define myself only, but not within the OS)? The IP layer, in my case, is not part of the OS.
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Porting OpenVpn Client only
in theory, you could, of course, but it will increase the porting effort quite a bit. OpenVPN is built on the basis of a virtual network interface AND on a GNU-like environment - if those are not present then porting OpenVPN to your OS will take up a lot of time.
-
- OpenVPN User
- Posts: 22
- Joined: Mon Nov 07, 2011 3:11 pm
Re: Porting OpenVpn Client only
I understand.
I am trying to get the protocol picture, to understand from a high level how it works.
When OpenVPN gets the data from the other end (from the IP), how does it know that this data belongs to the virtual device? Is this by analyzing the packet itself (which would indicate the virtual IP it is being sent from)?
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Porting OpenVpn Client only
openvpn decodes the data coming from the remote endpoint and will inject the resulting packet into the virtual network interface; whether the i/f decides to drop it or forward it is left to the i/f itself.
there are some sanity checks before a packet is sent to the virtual network i/f but openvpn more or less trusts its remote VPN endpoints.
-
- OpenVPN User
- Posts: 22
- Joined: Mon Nov 07, 2011 3:11 pm
Re: Porting OpenVpn Client only
Thanks!
Is there anywhere I can look at the TUN requirements?
I need to know what is required from a TUN device. Is it a standard?
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Porting OpenVpn Client only
it's OS dependent:
- in Linux it's included in the kernel
- on MacOS and Solaris there's an addon package
- for Windows OpenVPN supplies a TAP-Win32 adapter (source code included in the openvpn tarball).
-
- OpenVPN User
- Posts: 22
- Joined: Mon Nov 07, 2011 3:11 pm
Re: Porting OpenVpn Client only
So, how does OpenVPN use the tun device, in terms of flow?
I mean, who writes/reads to/from the tun, and what is done with the data read from the tun?
Also, if my understanding is correct, tun is some sort of an IP pipe, where data can be sent between entities in user space by reading/writing to the specified pipe. It is up to the application what is done with the info read. Is that right?
What is the expected behavior when you link a tun device to an IP device? Data received on the IP (from the server, assuming we are running at the client) is forwarded to the tun? Data received on the tun is forwarded to the IP?
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
-
- OpenVPN User
- Posts: 22
- Joined: Mon Nov 07, 2011 3:11 pm
Re: Porting OpenVpn Client only
Well, everywhere there is a piece of information but never all the information in one place.
I kind of figured out what is required to implement a tun device; I see no issue, as I have full access to the IP layer.
Are there any other dependencies I should be aware of?
The HW we use is pretty weak, less than ARM7; this is a real-time environment, and the OS is very minimal (however, we do have a mini SSL component and a TCP/UDP stack)...
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
-
- OpenVPN User
- Posts: 22
- Joined: Mon Nov 07, 2011 3:11 pm
Re: Porting OpenVpn Client only
Going a bit forward: the source code has a conditional compilation flag called USE_CRYPTO.
Is this mandatory for VPN? What crypto is being used when SSL/TLS is in place as well?
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Porting OpenVpn Client only
the USE_CRYPTO flag is needed for all practical purposes; I would be surprised if openvpn actually even compiles when this flag is not set.
-
- OpenVPN User
- Posts: 22
- Joined: Mon Nov 07, 2011 3:11 pm
Re: Porting OpenVpn Client only
Do you happen to know if anyone has tried porting OpenVPN to MatrixSSL instead of OpenSSL?
I see the VPN relies closely on OpenSSL, and it requires a lot of work to rip this out.
Has anyone ever replaced OpenSSL with any other SSL implementation?
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Porting OpenVpn Client only
there is a major effort underway to make openvpn less dependent on the SSL implementation. This will be included in the upcoming 2.3 release, in which PolarSSL will also be supported. You can find the latest source code in the openvpn git hub. You'd better talk to the developers on the #openvpn-devel freenode channel about this.