OpenVPN / openvpn

OpenVPN is an open source VPN daemon
http://openvpn.net

Is it possible to use specific adapter for OpenVPN connection? #431

Closed oblomingo closed 11 months ago

oblomingo commented 11 months ago

Question

There are a couple of VPN client applications, each of them installs and uses DCO drivers. After an installation, openvpn detects two available adapters.

openvpn --show-adapters:

C:\Temp>openvpn --show-adapters
Available TAP-WIN32 / Wintun adapters [name, GUID, driver]:
'Local Area Connection' {DE11DDDE-EB7A-4F60-86F5-354D2ABD3917} ovpn-dco
'OpenVPN DCO' {662ED260-0C8F-453D-957F-B923D3D68087} ovpn-dco

I have noticed that both applications use the first adapter and ignore the second one. I'm wondering whether it is possible to set up openvpn to use a specific adapter (for example, by adapter name or ID)?

cron2 commented 11 months ago

openvpn --dev-node 'OpenVPN DCO' should do the job.

lstipakov commented 11 months ago

May I ask what "both applications" are? Normally OpenVPN will use the first available DCO adapter, which looks something like this (assuming the first of two adapters is already in use):

2023-10-20 09:12:20 us=421000 CreateFile failed on ovpn-dco device: \\?\ROOT#NET#0002#{cac88484-7515-4c03-82e6-71a87abac361}\ovpn-dco: Käyttö estetty.   (errno=5)
2023-10-20 09:12:20 us=421000 ovpn-dco device [OpenVPN Data Channel Offload #1] opened

oblomingo commented 10 months ago

@cron2 Sorry for a late reply, but it seems your proposed approach doesn't work with DCO drivers. For example:

c:\>openvpn.exe --show-adapters
Available TAP-WIN32 / Wintun adapters [name, GUID, driver]:
'OpenVPN Connect DCO Adapter' {E546A7EB-97AA-4FCA-B99C-0AAB717B5421} ovpn-dco
'Another DCO Adapter' {6E1AE63F-3387-46BF-9435-4359D2886A53} ovpn-dco
c:\>openvpn.exe --config config.ovpn --dev-node "Another DCO Adapter"
...
Note: ignoring --dev-node as it has no effect when using data channel offload
...
ovpn-dco device [OpenVPN Connect DCO Adapter] opened
...

@lstipakov For example, a user installs the official OpenVPN Connect client and then he (or she) installs another VPN product that uses the same OpenVPN protocol and DCO driver. In this case, it is reasonable to have a separate DCO driver for each app; otherwise, uninstalling the first app would remove the DCO driver and the second VPN product wouldn't work. Another case would be firewall/killswitch or split tunneling settings specific to a network adapter. If one VPN set some such settings, then another VPN would have unexpected behavior if it used the same network adapter (or the same DCO driver).

For the reasons described above, I believe OpenVPN should have the possibility to use specific DCO drivers/network adapters. Can we reopen the issue?

P.S. It seems the main problem is here: https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/options.c (3760)

#else  /* _WIN32 */
    if (dco_enabled(o) && o->dev_node)
    {
        msg(M_WARN, "Note: ignoring --dev-node as it has no effect when using "
            "data channel offload");
        o->dev_node = NULL;
    }
#endif /* _WIN32 */

lstipakov commented 10 months ago

> @cron2 Sorry for a late reply, but it seems your proposed approach doesn't work with DCO drivers. For example:
>
> c:\>openvpn.exe --config config.ovpn --dev-node "Another DCO Adapter"
> ...
> Note: ignoring --dev-node as it has no effect when using data channel offload

This is odd - that warning should not even be printed for _WIN32 builds.

Here is how it works for me:

c:\Program Files\OpenVPN\bin>openvpn.exe --show-adapters
Available adapters [name, GUID, driver]:
'OpenVPN Wintun' {D87493F6-AD0E-4A22-BBF5-0AF5C81966A0} wintun
'OpenVPN TAP-Windows6' {D1F91A60-5E8B-44D5-9596-92A0E4D0EAA0} tap-windows6
'OpenVPN Data Channel Offload' {F27B2E8D-2B06-49F5-8D71-395A4867B704} ovpn-dco
'OpenVPN Data Channel Offload #1' {5568F0F3-CA6B-4192-8332-B8B4216A7603} ovpn-dco

c:\Program Files\OpenVPN\bin>openvpn.exe --dev-node "OpenVPN Data Channel Offload #1" --config c:\Users\lev\OpenVPN\config\aws-dev\aws-dev.ovpn
2023-11-07 17:29:35 us=531000 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2023-11-07 17:29:35 us=531000 Current Parameter Settings:
<...>
2023-11-07 17:29:35 us=578000 OpenVPN 2.6.6 [git:v2.6.6/c9540130121bfc21] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Aug 15 2023
2023-11-07 17:29:35 us=578000 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-11-07 17:29:35 us=578000 library versions: OpenSSL 3.1.2 1 Aug 2023, LZO 2.10
2023-11-07 17:29:35 us=578000 DCO version: v0
2023-11-07 17:29:35 us=578000 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-11-07 17:29:35 us=593000 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
2023-11-07 17:29:35 us=593000 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2023-11-07 17:29:35 us=593000 TCP/UDP: Preserving recently used remote address: [AF_INET]34.253.81.160:1194
2023-11-07 17:29:35 us=593000 Enumerate drivers in registy:
2023-11-07 17:29:35 us=593000 NetCfgInstanceId: {D87493F6-AD0E-4A22-BBF5-0AF5C81966A0}, Driver: wintun
2023-11-07 17:29:35 us=593000 NetCfgInstanceId: {D1F91A60-5E8B-44D5-9596-92A0E4D0EAA0}, Driver: tap-windows6
2023-11-07 17:29:35 us=593000 NetCfgInstanceId: {F27B2E8D-2B06-49F5-8D71-395A4867B704}, Driver: ovpn-dco
2023-11-07 17:29:35 us=593000 NetCfgInstanceId: {5568F0F3-CA6B-4192-8332-B8B4216A7603}, Driver: ovpn-dco
2023-11-07 17:29:35 us=593000 Enumerate device interface lists:
2023-11-07 17:29:35 us=593000 NetCfgInstanceId: {E61ACE02-33F5-4CC0-8E51-9C2DBBBB25EA}, Device Interface: \\?\SWD#MSRRAS#MS_PPPOEMINIPORT#{cac88484-7515-4c03-82e6-71a87abac361}
2023-11-07 17:29:35 us=593000 NetCfgInstanceId: {4719829E-C4F7-4F96-BE18-A1E2A32F8E18}, Device Interface: \\?\ROOT#VMS_VSMP#0001#{cac88484-7515-4c03-82e6-71a87abac361}
2023-11-07 17:29:35 us=593000 NetCfgInstanceId: {646287CF-9968-49FB-8314-C70539509255}, Device Interface: \\?\SWD#MSRRAS#MS_PPTPMINIPORT#{cac88484-7515-4c03-82e6-71a87abac361}
2023-11-07 17:29:35 us=593000 NetCfgInstanceId: {3F2617E7-BF40-4002-B54F-ACF9C04C50A1}, Device Interface: \\?\SWD#MSRRAS#MS_AGILEVPNMINIPORT#{cac88484-7515-4c03-82e6-71a87abac361}
2023-11-07 17:29:35 us=593000 NetCfgInstanceId: {E224BE0B-72F6-42DF-9E18-42C9D495D14C}, Device Interface: \\?\BTH#MS_BTHPAN#6&2e26d6c0&0&2#{cac88484-7515-4c03-82e6-71a87abac361}
2023-11-07 17:29:35 us=593000 NetCfgInstanceId: {F29F422B-A142-41B8-BBB7-0475E27791C8}, Device Interface: \\?\SWD#MSRRAS#MS_NDISWANBH#{cac88484-7515-4c03-82e6-71a87abac361}
2023-11-07 17:29:35 us=593000 NetCfgInstanceId: {6B519C07-F3A2-4C21-9C74-25876A3AEABD}, Device Interface: \\?\SWD#MSRRAS#MS_NDISWANIP#{cac88484-7515-4c03-82e6-71a87abac361}
2023-11-07 17:29:35 us=593000 NetCfgInstanceId: {3B8BAB7E-618F-48D4-A295-EAB27EFA3EA2}, Device Interface: \\?\{5d624f94-8850-40c3-a3fa-a4fd2080baf3}#vwifimp_wfd#4&32e06cf9&0&11#{cac88484-7515-4c03-82e6-71a87abac361}
2023-11-07 17:29:35 us=593000 NetCfgInstanceId: {38F08C3C-4297-4D16-9DFC-B563163E5163}, Device Interface: \\?\{5d624f94-8850-40c3-a3fa-a4fd2080baf3}#vwifimp_wfd#4&32e06cf9&0&12#{cac88484-7515-4c03-82e6-71a87abac361}
2023-11-07 17:29:35 us=593000 NetCfgInstanceId: {533B0913-879B-4DBB-B916-B1D37E6100EB}, Device Interface: \\?\SWD#MSRRAS#MS_SSTPMINIPORT#{cac88484-7515-4c03-82e6-71a87abac361}
2023-11-07 17:29:35 us=593000 NetCfgInstanceId: {15A0AF27-6FE2-4474-AD51-8E864431EFBE}, Device Interface: \\?\PCI#VEN_8086&DEV_51F1&SUBSYS_00908086&REV_01#3&11583659&1&A3#{cac88484-7515-4c03-82e6-71a87abac361}
2023-11-07 17:29:35 us=593000 NetCfgInstanceId: {0E67C86E-9521-4C6E-AB40-2C7F0BBB8097}, Device Interface: \\?\ROOT#VMS_MP#0000#{cac88484-7515-4c03-82e6-71a87abac361}
2023-11-07 17:29:35 us=593000 NetCfgInstanceId: {DC36CD22-1AA2-4CB5-8045-3AB0DDBE4ECF}, Device Interface: \\?\SWD#MSRRAS#MS_NDISWANIPV6#{cac88484-7515-4c03-82e6-71a87abac361}
2023-11-07 17:29:35 us=593000 NetCfgInstanceId: {990F689F-F3D9-437D-B2E7-0857A36FD8B2}, Device Interface: \\?\SWD#MSRRAS#MS_L2TPMINIPORT#{cac88484-7515-4c03-82e6-71a87abac361}
2023-11-07 17:29:35 us=593000 NetCfgInstanceId: {D6181BC5-E936-4C91-A9FE-2FE81326C164}, Device Interface: \\?\ROOT#VMS_VSMP#0000#{cac88484-7515-4c03-82e6-71a87abac361}
2023-11-07 17:29:35 us=593000 NetCfgInstanceId: {D87493F6-AD0E-4A22-BBF5-0AF5C81966A0}, Device Interface: \\?\ROOT#NET#0000#{cac88484-7515-4c03-82e6-71a87abac361}
2023-11-07 17:29:35 us=593000 NetCfgInstanceId: {D1F91A60-5E8B-44D5-9596-92A0E4D0EAA0}, Device Interface: \\?\ROOT#NET#0001#{cac88484-7515-4c03-82e6-71a87abac361}
2023-11-07 17:29:35 us=593000 NetCfgInstanceId: {F27B2E8D-2B06-49F5-8D71-395A4867B704}, Device Interface: \\?\ROOT#NET#0002#{cac88484-7515-4c03-82e6-71a87abac361}\ovpn-dco
2023-11-07 17:29:35 us=593000 NetCfgInstanceId: {F27B2E8D-2B06-49F5-8D71-395A4867B704}, Device Interface: \\?\ROOT#NET#0002#{cac88484-7515-4c03-82e6-71a87abac361}\{F27B2E8D-2B06-49F5-8D71-395A4867B704}
2023-11-07 17:29:35 us=593000 NetCfgInstanceId: {5568F0F3-CA6B-4192-8332-B8B4216A7603}, Device Interface: \\?\ROOT#NET#0003#{cac88484-7515-4c03-82e6-71a87abac361}\ovpn-dco
2023-11-07 17:29:35 us=593000 NetCfgInstanceId: {5568F0F3-CA6B-4192-8332-B8B4216A7603}, Device Interface: \\?\ROOT#NET#0003#{cac88484-7515-4c03-82e6-71a87abac361}\{5568F0F3-CA6B-4192-8332-B8B4216A7603}
2023-11-07 17:29:35 us=609000 Using device interface: \\?\ROOT#NET#0003#{cac88484-7515-4c03-82e6-71a87abac361}\ovpn-dco
2023-11-07 17:29:35 us=609000 ovpn-dco device [OpenVPN Data Channel Offload #1] opened
2023-11-07 17:29:35 us=609000 dco_create_socket
<skip>

The uninstall should not matter, since both Connect and OpenVPN-GUI installers use the shared module for the driver with reference counting. The driver will be removed when all apps which use the driver are removed.

lstipakov commented 10 months ago

--dev-node support for dco-win was added in May 2023, so make sure you have the latest version installed.

oblomingo commented 10 months ago

@lstipakov it seems I have an older version:

c:\>openvpn.exe --version
OpenVPN 2.6.3 [git:v2.6.3/94aad8c51043a805] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Apr 26 2023
library versions: OpenSSL 3.1.0 14 Mar 2023, LZO 2.10
Windows version 10.0 (Windows 10 or greater), amd64 executable
DCO version: v0
Originally developed by James Yonan
Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>
Compile time defines: N/A
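
Added example, not part of the thread and not OpenVPN's own code: a log check that confirms the adapter named with --dev-node is the one the client actually opened, which matters when firewall, killswitch or split-tunneling rules are tied to one adapter. The function names and status strings are assumptions made for this example; the adapter list and the first log are the lines posted in the thread, and the second log line is constructed.

```python
import re

ADAPTER_RE = re.compile(
    r"^'(?P<name>[^']+)'\s+(?P<guid>\{[0-9A-Fa-f-]{36}\})\s+(?P<driver>\S+)\s*$")
OPENED_RE = re.compile(r"ovpn-dco device \[(?P<name>[^\]]+)\] opened")
IGNORED_RE = re.compile(r"ignoring --dev-node")

def parse_adapters(show_adapters_output):
    """Map adapter name -> driver from `openvpn --show-adapters` output."""
    adapters = {}
    for line in show_adapters_output.splitlines():
        m = ADAPTER_RE.match(line.strip())
        if m:
            adapters[m.group("name")] = m.group("driver")
    return adapters

def check_dev_node(requested, show_adapters_output, client_log):
    """Return (status, opened_name) for a DCO session started with --dev-node."""
    if parse_adapters(show_adapters_output).get(requested) != "ovpn-dco":
        return ("unknown-adapter", None)   # name is not a listed ovpn-dco adapter
    opened, ignored = None, False
    for line in client_log.splitlines():
        if IGNORED_RE.search(line):
            ignored = True                 # the build dropped the option
        m = OPENED_RE.search(line)
        if m:
            opened = m.group("name")       # last "opened" line wins
    if opened is None:
        return ("not-opened", None)
    if ignored:
        # Even a matching name is coincidental if the option was ignored.
        return ("ignored", opened)
    return ("ok" if opened == requested else "wrong-adapter", opened)

# Adapter list and log lines as posted in the thread
ADAPTERS = """Available TAP-WIN32 / Wintun adapters [name, GUID, driver]:
'OpenVPN Connect DCO Adapter' {E546A7EB-97AA-4FCA-B99C-0AAB717B5421} ovpn-dco
'Another DCO Adapter' {6E1AE63F-3387-46BF-9435-4359D2886A53} ovpn-dco
"""
LOG_IGNORED = """Note: ignoring --dev-node as it has no effect when using data channel offload
ovpn-dco device [OpenVPN Connect DCO Adapter] opened
"""
# Constructed log line: what a build that honours --dev-node would report
LOG_OK = "2023-11-07 17:29:35 us=609000 ovpn-dco device [Another DCO Adapter] opened\n"

if __name__ == "__main__":
    print(check_dev_node("Another DCO Adapter", ADAPTERS, LOG_IGNORED))
    print(check_dev_node("Another DCO Adapter", ADAPTERS, LOG_OK))
```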