[strongSwan-dev] TAP-Windows6 driver integration

Noel Kuntze noel at familie-kuntze.de
Fri Sep 30 01:03:10 CEST 2016

Hello list,

I implemented support for the TAP-Windows6 driver, which is used by openvpn to support
I developed it on top of commit 1dabd0fb1cfdb5b3381d45a39a7cb134651b72a9.

The diff attached to this email contains the following:
* support to manage IPs with kernel-iph on top of Martin Willi's branch win-vip.
  It contains changes to honor charon.install_virtual_ip and charon.install_virtual_ip_on.
* changes to kernel-libipsec and libipsec to work on Windows correctly.
  handle_plain is implemented with asynchronous IO on top of WaitForMultipleObjects() and events.
* support to open and configure TAP devices on Windows in libstrongswan
* IPv4 and IPv6 support

My changes are under the MIT-X11 license where required. The repo "strongswan" on my GitHub account[1]
contains all the required changes.

The performance of the driver is limited to 60 Mbit/s. The TAP-Windows6 driver is known to be quite slow,
so I do not think that is an issue that can be fixed by changes to my code. You might reach higher speeds
if you use a faster test environment than me.
My test environment is a host with the Intel(R) Core(TM) i7-3820 CPU with four cores at 3.60 GHz.
Windows ran in a VirtualBox VM with 3 cores. The test was performed using iperf3 over a tunnel for 60 seconds.
The server was on the VM host. The client was on the VM guest.
In my test, about 90% of the CPU was maxed out.

To make use of the TAP-Windows6 driver, it needs to be patched with the changes that can be found in the
fork on my GitHub account[2]. It implements an option to disable the ARP source check in the ARP
handling code of the driver. The patch is already known by OpenVPN Tech, which developed and maintains the driver, and should be applied in the next months.
It is tracked under #721 on the openvpn bug tracker[3]. The TAP-Windows6 support that I implemented does
not work without it. It theoretically could, but that requires that the driver handles ARP requests for all
IP addresses that the Windows host tries to reach over it and fills up the neighbor table.

Please take a look at it and tell me what is required to get this merged into the master branch of strongSwan.

[1] https://github.com/Thermi/strongswan
[2] https://github.com/Thermi/tap-windows6
[3] https://community.openvpn.net/openvpn/ticket/721


Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

-------------- next part --------------
A non-text attachment was scrubbed...
Name: tap-handling.patch
Type: text/x-patch
Size: 70569 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20160930/8e5b1ea2/attachment-0001.bin>