
OpenVPN Hackathon 2019

Recap from the OpenVPN Hackathon 2019

by Julie McLelland

OpenVPN’s open source community wrapped up its annual hackathon on November 10th in Trento, Italy. In attendance were ten software developers who are all members of the OpenVPN community. “The goal of the Hackathon is to get the open source guys together, and discuss current topics, and then execute on them,” Johan Draaisma, Product Manager at OpenVPN, explained. Because open source participation is voluntary, and most people have a full-time job and a family, there usually isn’t much time to collaborate at the same time throughout the year. The hackathon provides a place for that connection. As Draaisma explains, “a hackathon is a great way to dedicate time to furthering the open source OpenVPN project and achieve items that may have been overlooked.”

Accomplishments

The team had a very productive 48 hours, including completing an important code review with the community. They moved forward on implementing Wintun support, which the community is working on to get ready for the OpenVPN 2.5 release. They also consulted the community on key usage for our commercial products, worked on improving IPv6 support, and are continuously working on increasing security. Most notably, they informed the community of the plans for open sourcing a kernel acceleration module.

Kernel Acceleration Module Explained

The kernel is one of the first things to start up when you power on your computer, whether it’s running Windows, Linux, or macOS. It is a highly efficient base layer upon which everything else operates. The more layers a program has to pass through, the slower it will run.

The kernel space is the closest to the actual hardware that your computer uses, and it operates the fastest with any hardware-operated action, like video or transferring files to a hard disk. The layers start at the bottom with hardware, then the kernel space, followed by the user space. Finally, on top are the programs that you actually use. The higher up the layers you go, the further you are from the hardware.

The disadvantage of this approach is that things like sending network packets for VPN purposes aren't very efficient when done at the top layers. The plan is to have the OpenVPN module accepted into the Linux kernel, meaning that this module will be available on modern Linux distributions.

“So the best way to accelerate speed is to process them in the kernel, which is essentially what we’re doing,” Draaisma explains. “We're taking it from a slow and simplistic approach to an approach that is built into the operating system itself. We're moving from a model where we're just an application to a model where we're really part of the operating system.”

In some testing that was done at the Hackathon, the team saw results of between 1.5 and 1.8 Gbps with a Windows client using Wintun and the OpenVPN 3 test client, and around 4 Gbps with Linux using a kernel acceleration module. They used Private Tunnel's OpenVPN 3 enhancements to achieve this result, enhancements that they want to make available to the open source community.

The team expects to open source their kernel module in Q1 of 2020 and afterwards work on merging it into the kernel mainline.

More About OpenVPN Open Source Community

OpenVPN is the name of the open source project started by our co-founder, James Yonan. The OpenVPN protocol has established itself as a de facto standard in the open source networking space, with over 60 million downloads. OpenVPN is entirely a community-supported OSS project which uses the GPL license. The project has many developers and contributors from OpenVPN Inc. and from the broader OpenVPN community. In addition, there are numerous projects that extend or are otherwise related to OpenVPN.

 
