OpenVPN Optimization-Establishment of TLS handshake Control CHannel
An optimization of the OpenVPN data tunnel is in progress. After referring to the concept and idea of the "giant frame", I carefully considered the design and implementation of the TCP/IP protocol stack, so I come up with a possible error, but at least it is very practical in my scenario: although the upper-layer protocol sends data, it doesn't matter the data size. If it really needs to be split, it should be done by the lower layer.
OpenVPN protocol analysis I analyzed the OpenVPN protocol three years ago. At that time, almost no one analyzed the OpenVPN protocol, and my analysis was only due to interest and had no practical use. Looking at the messy code of OpenVPN, it was so painful to analyze the Protocol through packet capture. At that time, I had the urge to write the Wireshark plug-in of OpenVPN protocol, if it was not restricted by the Windows and Gnome/QT programming environments, I may have implemented it for a long time, and I don't like or turn to IDE. The old dream made me eager to use time quickly on the problem itself rather than anything else. Although the current programming tools and frameworks are almost all claiming to "Focus on your own logic without worrying about XXYYOO", I cannot see this, the high learning cost will offset your attention to the periphery. Raising a cow for a cup of milk is a silly idea.
This figure shows the ClienHello encapsulation,? No, but it is ClientHello. You can see the first few bytes of data: 16030100... If you see the SSL protocol or the SSL protocol cruelly broken, you will lose your temper. But why is this ClientHello not resolved in OpenVPN? Because it is segmented... Does ClientHello have to be segmented? Yes, too! The OpenVPN protocol header occupies some space. With ClientHello itself, we can see that the length of the OpenVPN data is 100, and the other part of it is in the Data Segment 29, so let's take a look at 29:
Indeed, CIDR Block 28 and CIDR Block 29 are merged into ClientHello. Is that true? Of course!
In this way, even if a 1000-byte SSL handshake message is sent, the reliable layer can split it into 10 UDP packets of over 100 bytes. After the data arrives at the peer end, each 100-byte UDP packet enters its ssl bio memory BIO, and the implementation of the SSL protocol is responsible for reorganizing data. "The article is" OpenVPN Protocol Resolution-handshake packet analysis ", and there was no reason for the effort.
The handshake performance under UDP can be seen from the packet capture analysis that an SSL handshake is going to interact with so many packets. Each packet must be confirmed on the Reliability layer, which will greatly affect the efficiency. Why not hand over the splitting process to the lower layer? The IP layer or network card will do better. Even if you do not do well, you do not have to work overtime to debug your programs and troubleshooting. For protocol stack faults, you only need to browse Maillist and update the driver...
Static void tls_init_control_channel_frame_parameters (const struct frame * data_channel_frame, struct frame * frame) {.../* set dynamic link MTU to minimum value * // WHY? WHY? How many times have the MTU at both ends be consistent! This is the most likely to be consistent! After all, the control channel is not set up and everything cannot be negotiated! Frame_set_mtu_dynamic (frame, 0, SET_MTU_TUN );}
PAYLOAD_SIZE_DYNAMIC (& multi-> opt. frame), which is the result set by frame_set_mtu_dynamic.
During the test, I transmitted big data through OpenVPN to calculate a performance value. For comparison, I disabled the OpenVPN process but did not remove the machine. Previously, the machine running OpenVPN only used forward, transmit the same big data. At this time, someone spoke, and there were more than one person. They had to remove two machines that were originally running OpenVPN and directly connect the testing machine to the network cable! Is this necessary? Is your data still expected to be able to fill the router? If the forwarding mechanism in Linux can make a distinction between your data, how many devices will be removed from the shelf in the world! Don't you know how many devices in the world are directly connected to a network cable in the real environment? Is the invention of a vro or vswitch an error?
Blind socket code writing dare to ask who can not read man, not google, not baidu ,... write a TCP socket server directly without using select/poll. If you can, try to write a select, then poll, and finally epoll... neither can I...