
OpenVPN 2.6 Beta Brings Data Channel Offload Kernel Acceleration, OpenSSL 3.0 Support


  • OpenVPN 2.6 Beta Brings Data Channel Offload Kernel Acceleration, OpenSSL 3.0 Support

    Phoronix: OpenVPN 2.6 Beta Brings Data Channel Offload Kernel Acceleration, OpenSSL 3.0 Support

    The first beta of OpenVPN 2.6 is now available and it's a big one for those using this cross-platform, virtual private network (VPN) system...


  • #2
    And why is this something the kernel needs to support and not go in a lib? Significantly less context switching or something?

    EDIT: nvm, I found the older article that says exactly this:


    Curious though... Shouldn't modules be in the kernel if they serve more than 1 potential client? I see this as benefiting only OpenVPN, or perhaps others could use it too?
    Last edited by smirky; 07 December 2022, 04:30 PM.



    • #3
      Note that beginning with OpenVPN 2.7, the ability to connect to an unencrypted OpenVPN server will be removed. This has a significant issue: Azilink works by creating an unencrypted OpenVPN server on a phone, which can then be reached by port forwarding over ADB for USB tethering that is almost impossible for carriers to block without so many false positives they lose too many compliant, non-tethering customers. Note that there would be no security advantage to TLS in this case unless you are up against someone able to read RF off the USB line, or who has malware already installed in the phone to intercept this traffic. Latter case is unlikely as this is an unusual mode of tethering.

      It is a lot easier to make Azilink work than deal with customer service when a carrier advertises tethering but it does not actually work by default. Azilink is FOSS and available on Github, not proprietary trialware crap that barely works without payment and activation. Also you don't have to root your phone, a process often involving the equivalent of a factory reset and having to set it up from scratch all over again.

      This is the deprecation message you get using OpenVPN 2.5 dev versions with Azilink:

      2022-12-08 04:35:03 DEPRECATION: No tls-client or tls-server option in configuration detected. OpenVPN 2.7 will remove the functionality to run a VPN without TLS. See the examples section in the manual page for examples of a similar quick setup with peer-fingerprint.

      Unless the devs who just picked up supporting Azilink after 10 years with no maintenance (but no breakage) reconfigure everything to use TLS and in so doing increase the CPU load on the phone, its use will require installing an older version of OpenVPN once 2.7 is being offered by your distro or 2.8 is released and offered by most distros. Eventually that might require a local build of OpenVPN. The user cannot switch OpenVPN over to encrypting the USB traffic; the Azilink devs would have to do that.

      Not removing that code, just keeping it deprecated would be appreciated by Azilink users, especially those with de jure or de facto "device only" cell phone plans and no wired Internet access. The cellular company bosses can kiss my ass on this one: I would love to see mesh networking put them out of business for good.

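The peer-fingerprint quick setup that the deprecation message above points to, as an added example (it is not from this thread, from Azilink, or from the OpenVPN manual itself): it assumes the openssl CLI is installed, and the server address and port are placeholders to be replaced with the real endpoint.

```shell
#!/bin/sh
# Added example: minimal peer-fingerprint TLS setup replacing a tls-less
# OpenVPN server. Each side gets a self-signed EC certificate and pins the
# other side's SHA-256 fingerprint; no CA is involved. Assumes openssl CLI.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Self-signed EC certificate per peer (small key, cheap handshake).
gen_peer() {            # gen_peer <name>  -> $WORK/<name>.key, $WORK/<name>.crt
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
  openssl req -x509 -new -key "$WORK/$1.key" -days 3650 \
    -subj "/CN=$1" -out "$WORK/$1.crt" 2>/dev/null
}

# SHA-256 fingerprint in the colon-separated form --peer-fingerprint expects.
fingerprint() {         # fingerprint <cert-file>
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# The server trusts only the listed client fingerprints (one line per client).
server_conf() {         # server_conf <client-fingerprint>...
  printf 'server 10.8.0.0 255.255.255.0\ndev tun\ncert server.crt\nkey server.key\ndh none\n'
  for fp in "$@"; do printf 'peer-fingerprint %s\n' "$fp"; done
}

# The client pins the server certificate instead of verifying a CA chain.
client_conf() {         # client_conf <server-host> <server-fingerprint>
  printf 'client\ndev tun\nremote %s 1194\ncert client.crt\nkey client.key\npeer-fingerprint %s\n' "$1" "$2"
}

# Generates both key pairs and writes server.conf and client.conf into $WORK.
build_configs() {
  gen_peer server
  gen_peer client
  server_conf "$(fingerprint "$WORK/client.crt")" > "$WORK/server.conf"
  client_conf "SERVER_HOST_PLACEHOLDER" "$(fingerprint "$WORK/server.crt")" > "$WORK/client.conf"
  echo "$WORK"
}
```

Copy server.crt/server.key beside server.conf and client.crt/client.key beside client.conf; replacing a certificate on either side means updating the pinned fingerprint on the other.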


      • #4
        Originally posted by smirky:
        And why is this something the kernel needs to support and not go in a lib? Significantly less context switching or something?

        Curious though... Shouldn't modules be in the kernel if they serve more than 1 potential client? I see this as benefiting only OpenVPN, or perhaps others could use it too?
        doesn't wireguard have one client? doesn't IPsec? (but it, at least, is a standard). /s.

        In any case, the DCO module (we authored the FreeBSD one) can be used to make your own VPN. We've done one (using the Noise framework, rather than TLS).
