Tweet
Originally posted by Nille_kungen
View Post
-
Yes. This should cut OpenVPN CPU usage dramatically. The parallel encryption should also allow lower clocks across all cores instead of pinning just one. Won't make much difference for casual web browsing, but if you're doing big transfers or watching video, I bet the reduction in battery usage will be easily measurable. -
Comparison to classic userspace OpenVPN is on the linked article: https://openvpn.net/blog/openvpn-data-channel-offload/Originally posted by birdie View Post
Quick summary:
Last edited by oibaf; 21 September 2021, 08:29 AM.Comment
-
It depends on whether the necessary functions are exposed and how old are the kernel versions they intend to support. They might also want to make sure it's always native code, while sometimes eBPF can be JITted and sometimes it will be interpreted by a VM, depending on configuration. Maybe they found it was a better trade off for them to just write a module.Originally posted by M@yeulC View PostComment
-
Correct me if I am wrong:
Wireguard is UDP only and only uses stream ciphers.
OpenVPN supports TCP and therefore TLS.
Same purpose but different approaches.
A kernel approach to process TLS traffic would be a good thing, (I would think) as it would handle the encrypt/decrypt more effectively.Comment
-
So, roughly eight times faster, nice. VPN providers must be extremely interested.Originally posted by oibaf View PostComment
-
Yet Firefox sucks so hard and it is regressing at such a fast pace it is ridiculous. If only OpenVPN could make WireGuard better; still leave a lot to be desired.Originally posted by bitman View PostComment
-
OpenVPN is usually UDP, there is also TCP mode to be used when, for example, only TCP ports 80/443 are permitted by the firewall.Originally posted by edwaleni View Post
The kernel module won't implement TLS, just the data channel, which is where the performance is needed.
TLS in OpenVPN is just used by the control channel and this won't be moved to the kernel.Comment
-
Since the kernel already supports handling TLS (not sure to what level tho), wouldn't it be a reasonable next step to take advantage of that support here?Originally posted by oibaf View PostComment
-
No, there is no point in doing that because, as just said, TLS is only used for the control connection that has a negligible amount of data passing through it.Originally posted by sinepgib View PostComment
Comment