The New OpenVPN 2.5 Client

15 Oct 2020

The new OpenVPN 2.5 client brings with it a new adapter type for Microsoft Windows: OpenVPN 2.5 has implemented WireGuard's Wintun adapter. From the Wintun description: “Wintun is a very simple and minimal TUN driver for the Windows kernel, which provides userspace programs with a simple network adapter for reading and writing packets. It is akin to Linux’s /dev/net/tun and BSD’s /dev/tun. Originally designed for use in WireGuard, Wintun is meant to be generally useful for a wide variety of layer 3 networking protocols and experiments. The driver is open source, so anybody can inspect and build it. Due to Microsoft’s driver signing requirements, we also offer precompiled and signed versions, and ways of including it in Windows installers. The goal of the project is to be as simple as possible, opting to do things in the most pure and straight-forward way provided by NDIS.”

Improvements for Cloud Multicast

What does this mean for OpenVPN being used for encrypted overlay networks? First, it performs significantly better than the previously implemented TAP adapter: somewhere in the order of double the throughput, which is more than significant in itself. There is another area where it brings some much-needed improvement, and that is in its ability to handle UDP multicast traffic. Multicast in cloud has always been a blocker for moving a huge number of applications from fully controlled and owned on-premise networks to cloud networks, which allow only a subset of networking protocols. Apart from video streaming and some other applications, multicast has traditionally been used for autonomic functions: things like service election, clustering and discovery. To some extent this has forced new design patterns to make up for the lack of traditional network protocols. There has, however, been a way to take these unsupported protocols to the cloud, and that is through overlay networks: laying a layer 3 network over the top of an existing layer 3 network.

Improvements for Windows in Cloud

Running a network on a network is a complex method that Cohesive Networks has always strived to simplify for the operator. This architecture does, however, require stable and performant entry points, which brings us back to the new OpenVPN 2.5 client. The Wintun device driver is not just more performant; it fixes things. Microsoft Windows in cloud has always been a bit broken in the virtual world. A case in point is that by default it sets up routes to the full multicast network (224.0.0.0/4) on its primary ‘virtual’ network interface cards in cloud, where no such capabilities exist. The fix is to set up a startup script to delete this route if you are going to implement an overlay network to actually handle this traffic. Moreover, the previous implementations of TAP adapter drivers have had issues with joining and leaving multicast groups without a restart of the entire network stack, i.e. rebooting.
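One way to write the startup script mentioned above, as an added example rather than Cohesive Networks' or OpenVPN's own code. It assumes the overlay adapter's alias is `OpenVPN Wintun` (a placeholder default; pass your own with `-OverlayAlias`) and makes no changes unless that adapter exists, so multicast is never left without a route.

```powershell
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: alias of the overlay (Wintun) adapter on this host.
    [string]$OverlayAlias = 'OpenVPN Wintun'
)

$multicastPrefix = '224.0.0.0/4'

# Only touch the routing table if the overlay adapter is actually present;
# otherwise the host would lose its multicast routes with nothing to replace them.
$overlay = Get-NetAdapter -Name $OverlayAlias -ErrorAction SilentlyContinue
if (-not $overlay) {
    Write-Warning "Overlay adapter '$OverlayAlias' not found; leaving routes unchanged."
    exit 1
}

# All IPv4 routes for the full multicast range, on every interface.
$routes = Get-NetRoute -DestinationPrefix $multicastPrefix -AddressFamily IPv4 `
    -ErrorAction SilentlyContinue

foreach ($route in $routes) {
    # Keep the route that points at the overlay adapter.
    if ($route.InterfaceIndex -eq $overlay.ifIndex) { continue }

    # Get-NetAdapter does not return the loopback pseudo-interface, so this
    # lookup limits the deletion to real or virtual NICs (the cloud-facing ones).
    $nic = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue
    if (-not $nic) { continue }

    Write-Output ("Removing {0} from '{1}' (ifIndex {2})" -f `
        $route.DestinationPrefix, $nic.Name, $route.InterfaceIndex)
    $route | Remove-NetRoute -Confirm:$false
}

# Report what is left so the result can be checked in the startup log.
Get-NetRoute -DestinationPrefix $multicastPrefix -AddressFamily IPv4 `
    -ErrorAction SilentlyContinue |
    Select-Object InterfaceAlias, InterfaceIndex, NextHop, RouteMetric
```

Running the script with `-WhatIf` shows which routes would be removed without changing the routing table.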

Like many things cloud, there were many clever ways to work around these things, even though these workarounds often introduced new quirky limitations. WireGuard’s Wintun network adapter driver clears out some of these problems in the world of Windows. We now have a performant virtual network adapter that handles protocols in expected ways and can be used to build overlay networks where the operator has full control, visibility and attestability. Not every application needs to be rewritten for new patterns. Products like Cohesive Networks VNS3 can help you achieve architectural flexibility: frameworks that allow you to design for today and tomorrow. It is another step in the journey to the cloud.