VNS3 Network Platform

Since the release of OpenVPN 2.5 the OpenVPN Project has moved it’s installer from an EXE (executable file) to the more modern MSI (windows installation file) method. MSI files have some clear advantages so no surprise that they have gone this route.

Previously the OpenVPN EXE had well documented installation parameters for their Windows installer:

/S – silent installation

/D=path – specify a custom installation path

Note – the /D parameter has to appear last on the command line, and the path may not be enclosed in quotes. The installer simply takes all of the command line left, and uses it as path (thus supporting spaces in the path).

To select individual OpenVPN components (1 = install, 0 = do not install; the values below indicate defaults):

/SELECT_SHORTCUTS=1 – create the start menu shortcuts

/SELECT_OPENVPN=1 – OpenVPN itself

/SELECT_SERVICE=1 – install the OpenVPN service

/SELECT_TAP=1 – install the TAP device driver

/SELECT_OPENVPNGUI=1 – install the default OpenVPN GUI

/SELECT_ASSOCIATIONS=1 – associate with .ovpn files

/SELECT_OPENSSL_UTILITIES=0 – install the utilities for generating public-private key pairs

/SELECT_EASYRSA=0 – install the RSA X509 certificate management scripts

/SELECT_PATH=1 – add openvpn.exe in PATH

/SELECT_OPENSSLDLLS=1 – dependencies – OpenSSL DLL’s

/SELECT_LZODLLS=1 – dependencies – LZO compressor DLL’s

/SELECT_PKCS11DLLS=1 – dependencies – PCKS#11 DLL’s

These parameters are useful and necessary when performing an unattended or programatic installation. Unfortunately with the release of 2.5 and the moving to an MSI installer these parameters no longer work and at the time of this writing the OpenVPN Project has not documented new parameters. Luckilyfor us MSI files have some basic characteristics and behaviors.

You can run any MSI file with logging like this:

msiexec /i installer.msi /l*v log.txt

It will pop up your installation GUI and you can then pick the customize option and choose the combination of features that you need. Once complete you can open your log file that you signified and search for ADDLOCAL. In our case where we desire to install only the OpenVPN Service and the new Wintun Drivers we find this:

ADDLOCAL=OpenVPN.Service,OpenVPN,Drivers,Drivers.Wintun

We can now run the installer on subsequent windows servers with the following command:

msiexec /i OpenVPN-2.5.0-I601-amd64.msi ADDLOCAL=OpenVPN.Service,OpenVPN,Drivers,Drivers.Wintun /passive

If we wanted to change the installation directory we could do so like this:

msiexec /i OpenVPN-2.5.0-I601-amd64.msi PRODUCTDIR=”C:\Program Files\OpenVPN25\” ADDLOCAL=OpenVPN.Service,OpenVPN,Drivers,Drivers.Wintun /passive

If you are looking to install the GUI and the older Windows TAP adapter you would do so like this:

msiexec /i OpenVPN-2.5.0-I601-amd64.msi ADDLOCAL=OpenVPN.GUI,OpenVPN,OpenVPN.GUI.OnLogon,Drivers.TAPWindows6,Drivers /passive

So there you have it. An easy work around to perform silent windows installations. Hopefully this will save some time and effort for people looking to utilize the new OpenVPN 2.5 client in their DevOps environments.

The new OpenVPN 2.5 client brings with it a new adapter type for Microsoft Windows. OpenVPN 2.5 has implemented the WireGaurd Wintun adapter. From the Wintun description: “Wintun is a very simple and minimal TUN driver for the Windows kernel, which provides userspace programs with a simple network adapter for reading and writing packets. It is akin to Linux’s /dev/net/tun and BSD’s /dev/tun. Originally designed for use in WireGuard, Wintun is meant to be generally useful for a wide variety of layer 3 networking protocols and experiments. The driver is open source, so anybody can inspect and build it. Due to Microsoft’s driver signing requirements, we also offer precompiled and signed versions, and ways of including it in Windows installers. The goal of the project is to be as simple as possible, opting to do things in the most pure and straight-forward way provided by NDIS.”

Improvements for Cloud Multicast

What does this mean for OpenVPN being utilized for encrypted overlay networks? Well first it has significant performance characteristics over the previously implemented TAP adapter; somewhere in the order of double the throughput. Which is more than significant in itself. Though there is another area that it really brings some much needed improvement and that is in it’s ability to handle UDP Multicast traffic. Multicast in cloud has always been a blocker for bringing a huge amount of applications from fully controlled and owned on premise networks to cloud networks which allow for a subset of networking protocols. Multicast has traditionally been used, apart from video streaming and some other applications, for autonomic; things like service election, clustering and discovery. To some extent this has forced new design patterns to make up for this lack of traditional network protocols. Though there has been a way to take these unsupported protocols to the cloud and that is through utilizing overlay networks; laying a layer 3 network over the top of an existing layer 3 network.

Improvements for Windows in Cloud

Employing a complex method of running a network on a network is something Cohesive Networks has always strived to simplify for the operator. This architecture does however require stable and performant entry points. Which brings us back to the new OpenVPN 2.5 client. The Wintun device driver fixes things, it’s not just more performant. Microsoft Windows in cloud has always been a bit broken in the virtual world. Point in fact is that by default it sets up routes to the full multicast network (224.0.0.0/4) on its primary ‘virtual’ network interface cards in cloud, where no such capabilities exist. The fix is to setup a startup script to delete this route if you are going to implement an overlay network to actually handle this traffic. Moreover the previous implementations of TAP adapter drivers have had issues with joining and leaving multicast groups without a restart of the entire network stack, i.e. rebooting.

Like many things cloud, there were many clever ways to work around these things, even though these workarounds often introduced new quirky limitations. Wireguard’s Wintun network adapter driver clears out some of these problems in the world of Windows. We now have a performant virtual network adapter that handles protocols in expectant ways that can be used to build overlay networks where the operator has full control, visibility and attest ability. Not every application needs to be rewritten for new patterns. Products like Cohesive Networks VNS3 can help you achieve architectural flexibility. Frameworks that allow you to design for today and tomorrow. Another step in the journey to the cloud.