mixed networks with openvpn tunnel (XP)

Sergey_Pisarev · March 18, 2013, 6:11am

Good day !

i use openvpn virtual NIC to create tunnel.

network configuration on one side of the tunnel is

real network:
IP Address. . . . . . . . . . . . : 192.168.1.14
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1

virtual network:
IP Address. . . . . . . . . . . . : 10.10.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.1.1

and

real network:
IP Address. . . . . . . . . . . . : 192.168.1.13
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1

virtual network:
IP Address. . . . . . . . . . . . : 10.10.1.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.1.1

on the other side.

as i understand there mustn’t be any 192.168.1.* packets on virtual network
(10.10.1.*) and vice versa.

this is true for windows 7, but not for xp.

for xp i have packets with source and destination from different networks
on each NIC

for example on real adapter i have something like this:

frame source destination protocol description
number

41458 10.10.1.1 192.168.1.14 SMB SMB:R; Read Andx, FID = 0x0000,
61440 bytes {SMB:6, NbtSS:3, TCP:2, IPv4:1}

41475 192.168.1.14 192.168.1.13 UDP UDP:SrcPort = 2189, DstPort =
13333, Length = 62 {UDP:5, IPv4:4}
41476 10.10.1.1 192.168.1.14 TCP TCP:[Continuation to
#41458]Flags=…A…, SrcPort=NETBIOS Session Service(139), DstPort=2217,
PayloadLen=1460, Seq=3446886924 - 3446888384, Ack=959602042, Win=64338 {TCP:2,
IPv4:1}
41477 10.10.1.1 192.168.1.14 TCP TCP:[Continuation to
#41458]Flags=…A…, SrcPort=NETBIOS Session Service(139), DstPort=2217,
PayloadLen=1460, Seq=3446888384 - 3446889844, Ack=959602042, Win=64338 {TCP:2,
IPv4:1}

and for virtual adapter:

frame source destination protocol description
number

14055 192.168.1.14 10.10.1.1 SMB SMB:C; Read Andx, FID = 0x8003,
61440 bytes at Offset 39387136 {SMB:17, NbtSS:3, TCP:2, IPv4:1}
14056 192.168.1.14 10.10.1.1 TCP TCP:Flags=…A…,
SrcPort=2212, DstPort=NETBIOS Session Service(139), PayloadLen=0,
Seq=1201923181, Ack=1793237090, Win=17520 {TCP:2, IPv4:1}
14057 192.168.1.14 10.10.1.1 TCP TCP:Flags=…A…,
SrcPort=2212, DstPort=NETBIOS Session Service(139), PayloadLen=0,
Seq=1201923181, Ack=1793240010, Win=17520 {TCP:2, IPv4:1}

both logs from first configuration - 192.168.1.14 / 10.10.1.2 - local
addresses.

what is the reason ?
is that ok ?
is there some way to control this behavior ?

Maxim_S_Shatskih · March 18, 2013, 6:37am

Note that OpenVPN is virtual Ethernet and not PPP. This is the only suggestion I can make just now, probably you will be able to work around the thing yourself.

–
Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

“Sergey Pisarev” wrote in message news:xxxxx@ntdev…
Good day !

i use openvpn virtual NIC to create tunnel.

network configuration on one side of the tunnel is

real network:
IP Address. . . . . . . . . . . . : 192.168.1.14
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1

virtual network:
IP Address. . . . . . . . . . . . : 10.10.1.2

Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.1.1

and

real network:
IP Address. . . . . . . . . . . . : 192.168.1.13
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1

virtual network:
IP Address. . . . . . . . . . . . : 10.10.1.1

Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.1.1

on the other side.

as i understand there mustn’t be any 192.168.1.* packets on virtual network (10.10.1.*) and vice versa.

this is true for windows 7, but not for xp.

for xp i have packets with source and destination from different networks on each NIC

for example on real adapter i have something like this:

frame source destination protocol description
number

41458 10.10.1.1 192.168.1.14 SMB SMB:R; Read Andx, FID = 0x0000, 61440 bytes {SMB:6, NbtSS:3, TCP:2, IPv4:1}

41475 192.168.1.14 192.168.1.13 UDP UDP:SrcPort = 2189, DstPort = 13333, Length = 62 {UDP:5, IPv4:4}
41476 10.10.1.1 192.168.1.14 TCP TCP:[Continuation to #41458]Flags=…A…, SrcPort=NETBIOS Session Service(139), DstPort=2217, PayloadLen=1460, Seq=3446886924 - 3446888384, Ack=959602042, Win=64338 {TCP:2, IPv4:1}
41477 10.10.1.1 192.168.1.14 TCP TCP:[Continuation to #41458]Flags=…A…, SrcPort=NETBIOS Session Service(139), DstPort=2217, PayloadLen=1460, Seq=3446888384 - 3446889844, Ack=959602042, Win=64338 {TCP:2, IPv4:1}

and for virtual adapter:

frame source destination protocol description

number

14055 192.168.1.14 10.10.1.1 SMB SMB:C; Read Andx, FID = 0x8003, 61440 bytes at Offset 39387136 {SMB:17, NbtSS:3, TCP:2, IPv4:1}
14056 192.168.1.14 10.10.1.1 TCP TCP:Flags=…A…, SrcPort=2212, DstPort=NETBIOS Session Service(139), PayloadLen=0, Seq=1201923181, Ack=1793237090, Win=17520 {TCP:2, IPv4:1}
14057 192.168.1.14 10.10.1.1 TCP TCP:Flags=…A…, SrcPort=2212, DstPort=NETBIOS Session Service(139), PayloadLen=0, Seq=1201923181, Ack=1793240010, Win=17520 {TCP:2, IPv4:1}

both logs from first configuration - 192.168.1.14 / 10.10.1.2 - local addresses.

what is the reason ?
is that ok ?
is there some way to control this behavior ?

Sergey_Pisarev · March 18, 2013, 6:50am

thx Max

yes i know that and my helper application wrap and send full packet (eth
header included) over udp connection
and indicate that packet on the over side as if it came right from the
network (virtual network)

On Mon, Mar 18, 2013 at 2:37 PM, Maxim S. Shatskih
wrote:

> Note that OpenVPN is virtual Ethernet and not PPP. This is the only
> suggestion I can make just now, probably you will be able to work around
> the thing yourself.
>
> –
> Maxim S. Shatskih
> Microsoft MVP on File System And Storage
> xxxxx@storagecraft.com
> http://www.storagecraft.com
>
> “Sergey Pisarev” wrote in message
> news:xxxxx@ntdev…
> Good day !
>
>
> i use openvpn virtual NIC to create tunnel.
>
>
> network configuration on one side of the tunnel is
>
>
> real network:
> IP Address. . . . . . . . . . . . : 192.168.1.14
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.1.1
>
>
> virtual network:
> IP Address. . . . . . . . . . . . : 10.10.1.2
>
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 10.10.1.1
>
>
> and
>
>
> real network:
> IP Address. . . . . . . . . . . . : 192.168.1.13
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.1.1
>
>
> virtual network:
> IP Address. . . . . . . . . . . . : 10.10.1.1
>
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 10.10.1.1
>
>
> on the other side.
>
>
> as i understand there mustn’t be any 192.168.1.* packets on virtual
> network (10.10.1.*) and vice versa.
>
>
> this is true for windows 7, but not for xp.
>
>
> for xp i have packets with source and destination from different networks
> on each NIC
>
>
> for example on real adapter i have something like this:
>
>
> frame source destination protocol description
> number
>
>
> 41458 10.10.1.1 192.168.1.14 SMB SMB:R; Read Andx, FID = 0x0000,
> 61440 bytes {SMB:6, NbtSS:3, TCP:2, IPv4:1}
>
>
> 41475 192.168.1.14 192.168.1.13 UDP UDP:SrcPort = 2189, DstPort =
> 13333, Length = 62 {UDP:5, IPv4:4}
> 41476 10.10.1.1 192.168.1.14 TCP TCP:[Continuation to
> #41458]Flags=…A…, SrcPort=NETBIOS Session Service(139), DstPort=2217,
> PayloadLen=1460, Seq=3446886924 - 3446888384, Ack=959602042, Win=64338
> {TCP:2, IPv4:1}
> 41477 10.10.1.1 192.168.1.14 TCP TCP:[Continuation to
> #41458]Flags=…A…, SrcPort=NETBIOS Session Service(139), DstPort=2217,
> PayloadLen=1460, Seq=3446888384 - 3446889844, Ack=959602042, Win=64338
> {TCP:2, IPv4:1}
>
>
>
>
> and for virtual adapter:
>
>
> frame source destination protocol description
>
> number
>
>
> 14055 192.168.1.14 10.10.1.1 SMB SMB:C; Read Andx, FID = 0x8003,
> 61440 bytes at Offset 39387136 {SMB:17, NbtSS:3, TCP:2, IPv4:1}
> 14056 192.168.1.14 10.10.1.1 TCP TCP:Flags=…A…,
> SrcPort=2212, DstPort=NETBIOS Session Service(139), PayloadLen=0,
> Seq=1201923181, Ack=1793237090, Win=17520 {TCP:2, IPv4:1}
> 14057 192.168.1.14 10.10.1.1 TCP TCP:Flags=…A…,
> SrcPort=2212, DstPort=NETBIOS Session Service(139), PayloadLen=0,
> Seq=1201923181, Ack=1793240010, Win=17520 {TCP:2, IPv4:1}
>
>
> both logs from first configuration - 192.168.1.14 / 10.10.1.2 - local
> addresses.
>
>
> what is the reason ?
> is that ok ?
> is there some way to control this behavior ?
>
> —
> NTDEV is sponsored by OSR
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

James_Harper · March 18, 2013, 8:07am

>

Note that OpenVPN is virtual Ethernet and not PPP. This is the only
suggestion I can make just now, probably you will be able to work around the
thing yourself.

This depends on if you are using TUN or TAP mode. It still sort of appears to behave like a L2 tunnel in either mode, but in TUN mode you are tunnelling IP packets which is more like PPP. TAP is virtual Ethernet, and I find it works a lot more reliably with Windows despite the increased overheads.

For the OP, I suggest trying TAP mode, and only have default gateway on one interface at each end. That may well be why windows is getting confused.

James

Sergey_Pisarev · March 18, 2013, 10:00am

James thx

i actually use TAP mode from the start - at least i think so since i’ve
done nothing to truncate the packet

the thing is i have source and destination from different networks on XP,
it’s confusing, but fast - around 80-90 % of real network speed

on windows 7 i have source and dest on the same net, but about 6-7 % of
real network speed

my concern actually is not different subnets, but low speed for win7

i just think that this two problems (low speed and different addresses) are
somehow related

On Mon, Mar 18, 2013 at 4:06 PM, James Harper > wrote:

> >
> > Note that OpenVPN is virtual Ethernet and not PPP. This is the only
> > suggestion I can make just now, probably you will be able to work around
> the
> > thing yourself.
> >
>
> This depends on if you are using TUN or TAP mode. It still sort of appears
> to behave like a L2 tunnel in either mode, but in TUN mode you are
> tunnelling IP packets which is more like PPP. TAP is virtual Ethernet, and
> I find it works a lot more reliably with Windows despite the increased
> overheads.
>
> For the OP, I suggest trying TAP mode, and only have default gateway on
> one interface at each end. That may well be why windows is getting confused.
>
> James
>
> —
> NTDEV is sponsored by OSR
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

Sergey_Pisarev · March 18, 2013, 12:17pm

ok i just tried to set only one gateway on xp - got source and destination
form the same network as result and low speed as bonus too

so now i know how to make xp connection as slow as win 7 but unfortunately
not the opposite

On Mon, Mar 18, 2013 at 6:00 PM, Sergey Pisarev wrote:

> James thx
>
> i actually use TAP mode from the start - at least i think so since i’ve
> done nothing to truncate the packet
>
> the thing is i have source and destination from different networks on XP,
> it’s confusing, but fast - around 80-90 % of real network speed
>
> on windows 7 i have source and dest on the same net, but about 6-7 % of
> real network speed
>
> my concern actually is not different subnets, but low speed for win7
>
> i just think that this two problems (low speed and different addresses)
> are somehow related
>
>
> On Mon, Mar 18, 2013 at 4:06 PM, James Harper <
> xxxxx@bendigoit.com.au> wrote:
>
>> >
>> > Note that OpenVPN is virtual Ethernet and not PPP. This is the
>> only
>> > suggestion I can make just now, probably you will be able to work
>> around the
>> > thing yourself.
>> >
>>
>> This depends on if you are using TUN or TAP mode. It still sort of
>> appears to behave like a L2 tunnel in either mode, but in TUN mode you are
>> tunnelling IP packets which is more like PPP. TAP is virtual Ethernet, and
>> I find it works a lot more reliably with Windows despite the increased
>> overheads.
>>
>> For the OP, I suggest trying TAP mode, and only have default gateway on
>> one interface at each end. That may well be why windows is getting confused.
>>
>> James
>>
>> —
>> NTDEV is sponsored by OSR
>>
>> OSR is HIRING!! See http://www.osr.com/careers
>>
>> For our schedule of WDF, WDM, debugging and other seminars visit:
>> http://www.osr.com/seminars
>>
>> To unsubscribe, visit the List Server section of OSR Online at
>> http://www.osronline.com/page.cfm?name=ListServer
>>
>
>

Sergey_Pisarev · March 20, 2013, 10:25am

Somebody have any ideas why vpn is so slow on win7 and how make it fast ?

really doesn’t look like 3rd party driver problem - both my virtual NIC and
openvpn TAP adapter shows pretty much the same speed.

I checked linux TAP adapter sources and looks to me like the same
architecture - and it works fast.

Or my task is hopeless and vpn doomed to be slow in vista+ because of
rewritten network stack ?

On Mon, Mar 18, 2013 at 8:17 PM, Sergey Pisarev wrote:

> ok i just tried to set only one gateway on xp - got source and destination
> form the same network as result and low speed as bonus too
>
> so now i know how to make xp connection as slow as win 7 but unfortunately
> not the opposite
>
>
> On Mon, Mar 18, 2013 at 6:00 PM, Sergey Pisarev wrote:
>
>> James thx
>>
>> i actually use TAP mode from the start - at least i think so since i’ve
>> done nothing to truncate the packet
>>
>> the thing is i have source and destination from different networks on XP,
>> it’s confusing, but fast - around 80-90 % of real network speed
>>
>> on windows 7 i have source and dest on the same net, but about 6-7 % of
>> real network speed
>>
>> my concern actually is not different subnets, but low speed for win7
>>
>> i just think that this two problems (low speed and different addresses)
>> are somehow related
>>
>>
>> On Mon, Mar 18, 2013 at 4:06 PM, James Harper <
>> xxxxx@bendigoit.com.au> wrote:
>>
>>> >
>>> > Note that OpenVPN is virtual Ethernet and not PPP. This is the
>>> only
>>> > suggestion I can make just now, probably you will be able to work
>>> around the
>>> > thing yourself.
>>> >
>>>
>>> This depends on if you are using TUN or TAP mode. It still sort of
>>> appears to behave like a L2 tunnel in either mode, but in TUN mode you are
>>> tunnelling IP packets which is more like PPP. TAP is virtual Ethernet, and
>>> I find it works a lot more reliably with Windows despite the increased
>>> overheads.
>>>
>>> For the OP, I suggest trying TAP mode, and only have default gateway on
>>> one interface at each end. That may well be why windows is getting confused.
>>>
>>> James
>>>
>>> —
>>> NTDEV is sponsored by OSR
>>>
>>> OSR is HIRING!! See http://www.osr.com/careers
>>>
>>> For our schedule of WDF, WDM, debugging and other seminars visit:
>>> http://www.osr.com/seminars
>>>
>>> To unsubscribe, visit the List Server section of OSR Online at
>>> http://www.osronline.com/page.cfm?name=ListServer
>>>
>>
>>
>

David_R_Cattley · March 20, 2013, 5:18pm

Are you asking us if we have any idea why your VPN is slow? Inbox VPN seems to work just fine. Other third-party vendor’s VPN seems to work pretty well. How are you measuring? What VPN are you talking about? What are your expectations? Dave Cattley

Sergey_Pisarev · March 21, 2013, 12:55am

at first i thought that i have some performance issues with my virtual NIC.
that is why i’ve made tests for openvpn nic.

i have my own little application that:
thread 1 - receive data from socket and writes it to the openvpn device;
thread 2 - reads data from the device and send it over real network;

so test case is not only my VPN.

this (my application and openvpn NIC) works really fast on xp (about 90% of
real network speed) and really slow on win7 (about 7%).

and it’s the same binaries - so only one thing that changed is OS.

i’am testing speed with file copy from samba shares - that’s what our
customers are concerned about, and they don’t care if some other type of
traffic is slow or not.

i would like to have 80-90 % of real network speed for windows 7 too and
not just for xp.

On Thu, Mar 21, 2013 at 12:26 AM, Dave Cattley wrote:

> Are you asking us if we have any idea why your VPN is slow?
>
> Inbox VPN seems to work just fine. Other third-party vendor’s VPN seems
> to work pretty well.
>
> How are you measuring? What VPN are you talking about? What are your
> expectations?
>
> Dave Cattley
>
> —
> NTDEV is sponsored by OSR
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>