OpenVPN taps into CIPE's kernel driver
"James Yonan" <jim,AT,yonan,DOT,net>
Wed, 23 Jul 2003 16:01:52 -0000
I'm happy to announce that OpenVPN has been ported to Windows using the
CIPE-Win32 kernel driver as a TAP device driver.
I've been a lurker on this list for a while, so I'm aware of how much work has
gone into developing, testing, and stabilizing the kernel driver -- thanks to
all the developers and testers for making this kernel driver happen! It is
really one-of-a-kind in terms of providing open source virtual networking
capabilities for Windows, and I was able to easily communicate with the TAP
driver on Linux using it.
For those of you unfamiliar with OpenVPN, it is an effort to create a highly
modular and portable VPN in user-space. OpenVPN offloads most of the crypto
functions to the OpenSSL library, and uses generic TUN or TAP devices to
accomplish virtual networking. The code focuses on attaining extreme
portability with a single code base that now runs on Linux, *BSD, Solaris, Mac
OS X, and both 32 and 64-bit processor architectures. The security model is
fairly advanced, and has attempted to draw from the IPSec effort but with the
goal of providing a portable, user-space solution. Protection against active
attacks includes HMAC authentication, sliding-window replay protection, and
SSL/TLS support. Both UDP and TCP are supported for the tunnel transport
layer, though UDP is obviously preferred for tunneling IP.
Basically what I did is decouple the TAP driver from the CIPE-Win32 package
and add a couple of new features: (a) random MAC generation to allow for
Ethernet bridging with a low probability of MAC collisions, and (b) the ability
to lock the TAP adapter, so that no more than one user-space
process can open it at once. Both of these options are enabled by #ifdef and
are off by default -- eventually they will be implemented as IOCTLs.
While my work has essentially created a new fork of the CIPE-Win32 kernel
driver (See the OpenVPN CVS on sourceforge for the code), I am hoping that the
CIPE-Win32 developer community will be amenable to some restructuring of the
driver .inf files, naming conventions, and distribution packaging that would
decouple and modularize the driver so that it could be installed and used in a
standalone fashion by other userspace apps that want to open TAP devices.
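The announcement above lists HMAC authentication and sliding-window replay protection as OpenVPN's defences against active attacks. The following is an added example, not code from the original post or from OpenVPN, showing how those two checks fit together on the receive path: the HMAC is verified first, and only an authenticated packet is allowed to update the replay window. The packet layout (HMAC-SHA1 tag, then a 32-bit packet id, then payload), the window size, and the key are all assumptions made for illustration; OpenVPN's actual wire format and window logic differ.

```python
"""Added example (not OpenVPN's code): HMAC-authenticated packets plus a
sliding-window replay filter. Layout and sizes are assumptions for this
demo; OpenVPN's real packet format is different."""
import hashlib
import hmac
import struct

MAC_LEN = 20                  # HMAC-SHA1 tag length (assumption)
HDR = struct.Struct(">I")     # 32-bit big-endian packet id (assumption)


def seal(key: bytes, packet_id: int, payload: bytes) -> bytes:
    """Build id || payload and prepend an HMAC over both."""
    body = HDR.pack(packet_id) + payload
    tag = hmac.new(key, body, hashlib.sha1).digest()
    return tag + body


class ReplayWindow:
    """Anti-replay window in the style of IPsec: a bitmap covering the
    last `size` packet ids, ending at the highest id accepted so far."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0      # highest packet id accepted (0 = nothing yet)
        self.bitmap = 0   # bit i set => id (top - i) already seen

    def check_and_update(self, pid: int) -> bool:
        if pid == 0:
            return False                      # id 0 reserved as "unset"
        if pid > self.top:                    # new high-water mark
            shift = pid - self.top            # slide the window forward
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.top = pid
            return True
        offset = self.top - pid
        if offset >= self.size:
            return False                      # too old to track: reject
        if self.bitmap & (1 << offset):
            return False                      # already seen: replay
        self.bitmap |= 1 << offset            # late but new: accept
        return True


class Receiver:
    def __init__(self, key: bytes, window: int = 64):
        self.key = key
        self.window = ReplayWindow(window)

    def open(self, packet: bytes):
        """Return the payload, or None if the packet is rejected.
        The HMAC is checked before the replay window is consulted, so an
        attacker cannot advance or poison the window with forged ids."""
        if len(packet) < MAC_LEN + HDR.size:
            return None
        tag, body = packet[:MAC_LEN], packet[MAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return None
        (pid,) = HDR.unpack_from(body)
        if not self.window.check_and_update(pid):
            return None
        return body[HDR.size:]


def demo() -> bool:
    """Constructed traffic: fresh, reordered, replayed, tampered, wrong key."""
    key = b"constructed-demo-key"   # constructed for the demo only
    rx = Receiver(key)
    p1, p2, p3 = (seal(key, i, b"pkt%d" % i) for i in (1, 2, 3))
    return all([
        rx.open(p1) == b"pkt1",                       # fresh
        rx.open(p3) == b"pkt3",                       # reordered, still new
        rx.open(p2) == b"pkt2",                       # late but inside window
        rx.open(p2) is None,                          # replay: rejected
        rx.open(p3[:-1] + b"\x00") is None,           # tampered: HMAC fails
        rx.open(seal(b"wrong-key", 4, b"x")) is None, # wrong key: HMAC fails
    ])


if __name__ == "__main__":
    print("all checks behaved as expected:", demo())
```

The order of the two checks is the security-relevant point: verifying the HMAC first means the replay window only ever records ids from packets the peer actually sent, so a forger cannot push the window forward and cause genuine late packets to be dropped.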