doc:uci:mptcp

Differences

This shows you the differences between two versions of the page.

doc:uci:mptcp [2014/08/04 10:47]
xedp3x
doc:uci:mptcp [2015/12/30 13:30] (current)
tmomas corrected OpenWrt spelling
Line 1: Line 1:
 +====== MultipathTCP and OpenWrt ======
  
 +This page discusses the MultipathTCP support in OpenWrt.
 +
 +===== Disclaimer =====
 +
 +**this is not part of the trunk jet**
 +
 +Clone the multipath TCP capable kernel from https://​github.com/​xedp3x/​openwrt if you like.
 +
 +===== Multipath TCP =====
 +
 +Multipath TCP (MPTCP) is an effort towards enabling the simultaneous use of several IP-addresses/​interfaces by a modification of TCP that presents a regular TCP interface to applications,​ while in fact spreading data across several subflows. Benefits of this include better resource utilization,​ better throughput and smoother reaction to failures.
 +
 +You have to install the patched kernel on both devices that are involved in a Multipath TCP connection. ​
 +If these devices are PC's more info can be found at [[http://​multipath-tcp.org]]
 +
 +If your PC and Server have an ordinary TCP-connection,​ your router cannot use the MPTCP-protocol by default. ​
 +To make it work, you have two possible solutions:
 +  * Use a proxy on the router
 +  * Use a VPN to an endpoint with faster network. In this way, you can use all uplinks for all traffic, even trafic to a non-MPTCP-server.
 +
 +==== Build image ====
 +**MP-TCP works with a patched kernel.**
 +See [[doc/​howto/​build]] for a better manual on how to compile your own version of OpenWrt.
 +
 + - clone the repo
 +
 + - load the feeds
 +
 + - make menuconfig
 +  - select your device
 +  - select the '​mptcp'​ package
 +  - //It is useful to also compile OpenVPN and it's dependencies and possible other packages that you plan to use in this step. //
 + - make kernel_menuconfig
 +  - on the top the kernel version is shown. Only version 3.10.x and 3.14.x are supported.
 +  - activate mptcp
 + - make
 +
 + 
 +==== Configuration ====
 +MPTCP is running without any configuration. But if you want to use it with multiple interfaces on your device you have to configure these interfaces.
 +
 +To enable the scripts call
 +  uci set network.globals.multipath=enable
 +
 +the interface you set by:
 +  uci set network.<​name>​.multipath=<​option>​
 +
 +Here you can choose one of the following options:
 +| on | No special config |
 +| master | Like "​on"​ but also set the default route for all other traffic (**use it for one interface!**) |
 +| off | Disable the interface for mp-tcp (default option) |
 +| backup | Use this interface but don't forward traffic until no other interface are available (faster switch) |
 +| handover | Establish a connection only if no other interface available (slower switch but normally none traffic) |
 +
 +Save your changes with:
 +  * uci commit
 +  * /​etc/​init.d/​network restart
 +
 +The script generates multiple default routes in different tables and rules. These may make problems with other packages. I'm sure that it will **not work with multiwan**
 +
 +==== Test ====
 +
 +you can see all current connections by using:
 +  multipath -c
 +
 +If you have installed the patched net-tools on your pc you can see MPTCP'​s behaviour in a better way by using
 +  netstat -m
 +  ​
 +The patched version of netstat is not yet ported to this repo yet.
 +
 +===== VPN Example =====
 +This is an example for a VPN over 2 WAN connections. It routes the entire network to the VPN endpoint and sends the data to the internet there, consequently it needs a back route from there which is why you should (also) implement NAT on the remote side of the VPN tunnel.
 +
 +The following configuration has **no encryption** on the VPN link. This is faster but it is not secure. The configuration also updates the MAC address to prevent problems in case you have 2 ISP clients but the same address.
 +
 +  network.globals.multipath=enable
 +  ​
 +  network.wan1=interface
 +  network.wan1.proto=dhcp
 +  network.wan1.ifname=eth0.1
 +  network.wan1.macaddr=XX:​XX:​XX:​XX:​XX:​01
 +  network.wan1.multipath=master
 +  ​
 +  network.wan2=interface
 +  network.wan2.proto=dhcp
 +  network.wan2.ifname=eth0.2
 +  network.wan2.macaddr=XX:​XX:​XX:​XX:​XX:​02
 +  network.wan2.multipath=on
 +  ​
 +  network.tap1337=interface
 +  network.tap1337.proto=none
 +  network.tap1337.ifname=tap1337
 +  ​
 +  ​
 +  firewall.@zone[1].name=wan
 +  firewall.@zone[1].network=wan1 wan2
 +  ​
 +  firewall.@zone[2]=zone
 +  firewall.@zone[2].name=vpn
 +  firewall.@zone[2].input=ACCEPT
 +  firewall.@zone[2].output=ACCEPT
 +  firewall.@zone[2].network=tap1337
 +  firewall.@zone[2].forward=ACCEPT
 +  ​
 +  firewall.@forwarding[0]=forwarding
 +  firewall.@forwarding[0].dest=vpn
 +  firewall.@forwarding[0].src=lan
 +  firewall.@forwarding[2]=forwarding
 +  firewall.@forwarding[2].dest=lan
 +  firewall.@forwarding[2].src=vpn
 +  ​
 +  ​
 +  openvpn.mptcp=openvpn
 +  openvpn.mptcp.enabled=1
 +  openvpn.mptcp.client=1
 +  openvpn.mptcp.dev=tap1337
 +  openvpn.mptcp.proto=tcp
 +  openvpn.mptcp.remote=X.X.X.X 1194
 +  openvpn.mptcp.resolv_retry=infinite
 +  openvpn.mptcp.nobind=1
 +  openvpn.mptcp.persist_key=1
 +  openvpn.mptcp.persist_tun=1
 +  openvpn.mptcp.ca=/​etc/​openvpn/​ca.crt
 +  openvpn.mptcp.cert=/​etc/​openvpn/​client.crt
 +  openvpn.mptcp.key=/​etc/​openvpn/​client.key
 +  openvpn.mptcp.cipher=none
 +  openvpn.mptcp.verb=3
 +  openvpn.mptcp.link_mtu=1480
 +  openvpn.mptcp.script_security=2
 +  openvpn.mptcp.up=/​etc/​openvpn/​up.sh
 +  openvpn.mptcp.down=/​etc/​openvpn/​down.sh
 +
 +/​etc/​openvpn/​up.sh
 +  #!/bin/sh
 +  # ^ must be the first line
 +  # set the execution bit by 'chmod +x /​etc/​openvpn/​up.sh'​
 +  ​
 +  # Route the traffic from the bridged interface "​lan"​ via table 1
 +  # multipath-tcp will use the table 2 and up
 +  ip rule add iif br-lan table 1
 +  # set the default route via vpn (only table 1)
 +  ip route add 10.9.8.0/24 via 10.9.8.1 dev $1 table 1
 +  ip route add default via 10.9.8.1 dev $1 table 1
 +  # refresh the routes
 +  ip route flush cache
 +
 +/​etc/​openvpn/​down.sh
 +  #!/bin/sh
 +  ​
 +  ip rule del table 1
 +  ip route flush table 1
 +  ip route flush cache
 +
 +**Server Configuration**
 +
 +OpenVPN
 +  port 1194
 +  proto tcp
 +  dev tap
 +  ​
 +  ca      /​etc/​openvpn/​keys/​ca.crt ​   # generated keys
 +  cert    /​etc/​openvpn/​keys/​server.crt
 +  key     /​etc/​openvpn/​keys/​server.key ​ # keep secret
 +  dh      /​etc/​openvpn/​keys/​dh1024.pem
 +  ​
 +  server 10.9.8.0 255.255.255.0 ​ # internal tun0 connection IP
 +  ifconfig-pool-persist ipp.txt
 +  keepalive 10 120
 +  ​
 +  #​comp-lzo ​        # Compression - must be turned on at both ends
 +  persist-key
 +  persist-tun
 +  cipher none       # < No encryption!!!
 +  status /​var/​log/​openvpn-status.log
 +  verb 3
 +  client-to-client
 +  link-mtu 1480 
 +  script-security 2
 +  up /​etc/​openvpn/​up.sh ​ # < Set the back route in this script.
 +
 +Example of the server up.sh //(replace 192.168.1.0 with your own value)//.
 +  #!/bin/sh
 +  #The client IPs are fixed in the ipp.txt
 +  ip route add 192.168.1.0/​24 via 10.9.8.2 dev $1
 +
 +Don't forget to implement NAT at the Server. ​
 +//
 +(for examples, browse "​debian nat"​)//​
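Review bot: The VPN example ships an unencrypted tunnel as the only configuration shown, on both ends (`openvpn.mptcp.cipher=none` on the client, `cipher none` on the server), while the same section routes the entire LAN through it and sets the `vpn` zone to `input=ACCEPT` and `forward=ACCEPT`. I would present the example with a cipher configured and describe `cipher none` as an optional throughput trade-off, so that a reader who copies the block does not send all LAN traffic across both WAN links in cleartext. In the server block, `dh /etc/openvpn/keys/dh1024.pem` names 1024-bit Diffie-Hellman parameters by its file name; suggest generating larger parameters and updating the path. Smaller points: the Disclaimer reads "trunk jet" where "trunk yet" is meant, the proxy/VPN list has "trafic", the menuconfig step has "it's dependencies", the Test section says "not yet ported to this repo yet", and the forwarding rules use indices `[0]` and `[2]` with no `[1]`, which deserves a sentence explaining that `[1]` is an existing entry or a renumbering.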