
Accelerate OpenVPN for $9.99*, or embed an Orange Pi One in a router


Some of us do not use the Internet without a VPN, for one reason or another: one person needs a dedicated IP, and it is easier and cheaper to rent a VPS with two IPs than to buy an address from an ISP; another wants access to all websites, not only those allowed on the territory of the Russian Federation; a third needs IPv6, but the provider does not offer it...
Most often, the VPN connection is established on the device being used at that moment, which is justified if you have only one computer and one phone and rarely use them at the same time. If there are many devices in your home network, or, for example, some on which a VPN cannot be configured at all, it is more convenient to bring the tunnel up directly on the home router, so that you do not have to think about configuring each device separately.

If you have ever installed OpenVPN on your router, you were probably unpleasantly surprised by its speed. The SoCs of even cheap routers pass about a gigabit of traffic without any problems, because routing and NAT are offloaded to a separate chip designed exclusively for that task, while the main processors of such routers are rather weak, since there is practically no load on them. This compromise gives the router high throughput and significantly lowers the price of the finished device: routers with powerful processors are several times more expensive and are positioned not only as a box for distributing the Internet, but also as a NAS, torrent downloader and home multimedia system.
My router, a TP-Link TL-WDR4300, cannot be called new: the model appeared in mid-2012 and has a 560 MHz processor of the MIPS32 74Kc architecture, which is enough for 20-23 Mb/s of encrypted traffic through OpenVPN, and by the standards of modern home Internet that is quite little.
How can we increase the speed of the encrypted tunnel? My router is quite functional, supports 3x3 MIMO, and in general works well; I would not want to replace it.
Since it is now customary to make 10-megabyte web pages, write desktop applications in node.js and pack them into a 100-megabyte file, and to add computing capacity instead of optimizing, we will do something awful: we will move the VPN connection to the much more capable Orange Pi One single-board computer, which we will install inside the router case without occupying the existing network and USB ports, for only $9.99*!
* + shipping, + taxes, + beer, + microSD.

OpenVPN

The router's processor cannot be called completely weak: it can encrypt and hash data with AES-128-CBC plus SHA1 at 50 Mb/s, which is much faster than OpenVPN manages, and the modern stream cipher ChaCha20 with the Poly1305 MAC does 130 megabits per second! So why is the VPN tunnel so slow? It is all about context switches between user space and kernel space: OpenVPN encrypts traffic and talks to the outside world in user context, while routing happens in kernel context. The operating system has to switch back and forth constantly, for every received or transmitted packet, and this operation is not fast. This problem is inherent in all VPN applications that work through the TUN/TAP driver, and one cannot say that the low speed is caused by poor optimization of OpenVPN (although, of course, there are places that need to be redone). Not a single userspace VPN client delivers even a gigabit with encryption disabled on my laptop, let alone on a system with a weak processor.

Orange Pi One

Xunlong's Orange Pi One single-board computer is the best deal in terms of performance per price at the moment. For $9.99* you get a decent quad-core ARM Cortex-A7 processor running (stably) at 1008 MHz, clearly more capable than its price-category neighbours, the Raspberry Pi Zero and the Next Thing CHIP. That is where the pluses end. Xunlong pays exactly zero attention to software for its boards, and at the time the One was launched it did not even offer a board configuration file, let alone ready-made images. Allwinner, the SoC manufacturer, is not particularly keen on supporting its product either. They are only interested in minimal functionality under Android 4.4.4, which means we are forced to use kernel version 3.4 with Android patches. Fortunately, there are enthusiasts who build distributions, fix the kernel and write code to support the boards in the mainline kernel, i.e. actually do the manufacturer's work, forcing this crap to work acceptably. For my purposes I chose the Armbian distribution: it is updated often and conveniently (new kernels are installed directly through the package manager, rather than by copying files to a special partition, as is usually the case with Allwinner), and most peripherals are supported, unlike the others.

Router

In order not to load the router's weak processor with encryption, and thereby speed up our VPN connection, we can shift this task onto the shoulders of the more capable Orange Pi processor by connecting the board to the router in some way. Ethernet or USB come to mind; both standards are supported by both devices, but I did not want to occupy the existing ports. Fortunately, there is a way out.

The GL850G USB hub chip used in the router supports 4 USB ports, two of which are not wired up. It is unclear why the manufacturer did not bring them out; I suppose to prevent users from connecting 4 devices with high current consumption (for example, hard drives), since the router's standard power supply is not designed for such a load. In any case, it works in our favour.
To get another USB port, it is enough to solder two wires to pins 8 (D-) and 9 (D+) or 11 (D-) and 12 (D+).


However, it is not enough to simply connect two USB devices and hope that everything works by itself, as it would have with Ethernet. First, we need to make one of them operate in USB Client (device) mode rather than USB Host mode, and second, we need to decide how the devices will see each other. There are many drivers for so-called USB Gadgets (named after the Linux kernel subsystem) that emulate various kinds of USB device: a network adapter, a sound card, a keyboard and mouse, a USB flash drive, a camera, a console over a serial port. Since our device will work with the network, emulating an Ethernet adapter suits us best.

There are three standards for Ethernet-over-USB:

To make any of these protocols work on our board we will, as always, have to face some difficulties. Because Allwinner is only interested in the Android part of the kernel, only the Android Gadget works properly: the code that implements communication with adb, exports the device over MTP and emulates a flash drive on Android devices. The Android Gadget itself supports the RNDIS protocol, but it is broken in the Allwinner kernel. If you try to build the kernel with any other USB Gadget, the device simply does not appear on the host, no matter what you do.
The proper way to solve this would be to find where the USB controller is initialized in the Allwinner-modified Android gadget code (android.c), but there is also a workaround that at least makes Ethernet emulation over USB possible:
--- sun8i/drivers/usb/sunxi_usb/udc/sunxi_udc.c 2016-04-16 15:01:40.427088792 +0300 +++ sun8i/drivers/usb/sunxi_usb/udc/sunxi_udc.c 2016-04-16 15:01:45.339088792 +0300 @@ -57,7 +57,7 @@ static sunxi_udc_io_t g_sunxi_udc_io; static u32 usb_connect = 0; static u32 is_controller_alive = 0; -static u8 is_udc_enable = 0; /* is udc enable by gadget? */ +static u8 is_udc_enable = 1; /* is udc enable by gadget? */ #ifdef CONFIG_USB_SUNXI_USB0_OTG static struct platform_device *g_udc_pdev = NULL; 
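Review bot: the hunk changes the initial value of is_udc_enable from 0 to 1, so the UDC is treated as enabled from the moment the driver loads, before any gadget has bound, and the comment `/* is udc enable by gadget? */` on the changed line no longer describes what the variable holds; update the comment (for example `/* forced on: workaround, gadget init does not enable the UDC */`) so the next reader does not assume a gadget set it, and state in the commit message that this works around the gadget init path rather than fixing it, as the accompanying text itself says.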
This patch forcibly enables USB client mode, which makes it possible to use ordinary Linux USB Gadgets.
Now rebuild the kernel with this patch and the gadget you need. I chose EEM because, according to my tests, it turned out to be faster than NCM.
The Armbian team provides a very simple and convenient build system for all boards supported by the distribution. Just download it, put our patch in userpatches/kernel/sun8i-default/otg.patch, edit compile.sh and choose the required gadget:


The kernel is built into a deb package, which is easy to install on the board with dpkg.
It remains only to connect the board via USB and configure our new network adapter to obtain an address via DHCP. To do this, add something like the following to /etc/network/interfaces:
 auto usb0
 iface usb0 inet dhcp
     hwaddress ether c2:46:98:49:3e:9d
     pre-up /bin/sh -c 'echo 2 > /sys/bus/platform/devices/sunxi_usb_udc/otg_role'
It is better to set the MAC address manually, since otherwise it is random on every reboot of the device, which is inconvenient and troublesome.
Connect a microUSB cable to the OTG connector and take power from the router (it can be fed to pins 2 and 3 of the header, not only to the power connector).

It remains to configure the router. Just install the package with the EEM driver and add our new USB network device to the bridge of the LAN firewall zone:
 opkg install kmod-usb-net-cdc-eem 
To route all traffic into the VPN tunnel, you must either add an SNAT rule to the board's IP address on the router side, or hand out the board's address as the gateway via dnsmasq. The latter is done by adding the following line to /etc/dnsmasq.conf:
 dhcp-option=tag:lan,option:router,192.168.1.100
where 192.168.1.100 is the IP address of your board. Do not forget to set the router's address as the gateway in the network settings on the board itself!
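Once the board is every LAN client's default gateway, the tunnel going down must not silently turn the board into a plain forwarder back through the router. The following fail-closed forwarding policy for the board is an added example, not part of the original post; it assumes the gadget interface is usb0, OpenVPN's tunnel interface is tun0 and the LAN is 192.168.1.0/24 (none of which the post fixes), and that nftables is installed on the board.

```shell
#!/bin/sh
# Added example (not from the original post): a fail-closed forwarding policy
# for the Orange Pi when LAN clients use it as their default gateway.
# Assumed names (not stated on the page): usb0 = USB gadget interface towards
# the router/LAN, tun0 = OpenVPN tunnel, 192.168.1.0/24 = the LAN.
# Without such a policy, if the tunnel drops, the board would forward client
# traffic straight back out through the router and the LAN would go online
# unencrypted without anyone noticing.
LAN_IF="${LAN_IF:-usb0}"
VPN_IF="${VPN_IF:-tun0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the nftables ruleset. Kept in a function so it can be inspected
# (or tested) without applying it.
vpn_gw_ruleset() {
    cat <<EOF
flush ruleset
table inet vpn_gw {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # LAN clients may leave only through the tunnel, never via the router
        iifname "$LAN_IF" ip saddr $LAN_NET oifname "$VPN_IF" accept
        # anything else forwarded (e.g. usb0 -> usb0 back to the router) is dropped
        counter drop
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # hide LAN addresses behind the tunnel address, so replies come back via tun0
        oifname "$VPN_IF" masquerade
    }
}
EOF
}

# Apply the policy. Returns non-zero if nft is unavailable so the caller
# notices instead of running with an open forward path.
apply_vpn_gw_policy() {
    command -v nft >/dev/null 2>&1 || { echo "nft not found" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
    vpn_gw_ruleset | nft -f -
}

# Run as "./vpn-gw.sh apply" to install the policy; sourcing only defines the functions.
if [ "${1:-}" = "apply" ]; then
    apply_vpn_gw_policy
fi
```

With this in place, a dropped tunnel shows up as the LAN losing connectivity (and a rising `counter drop`), rather than as traffic quietly bypassing the VPN.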

To isolate the board's contacts from the router's, a melamine sponge was used. The result looks something like this:

Conclusion

The network over USB is surprisingly fast: 100-120 Mb/s, I expected less. OpenVPN pushes about 70 Mb/s of encrypted traffic through, which is also not a lot, but enough for my needs. The router's cover does not close completely, leaving a small gap. Aesthetes can desolder the Ethernet and USB Host connectors from the board, which would let the lid close fully, and there is still room to spare.
Or better, do not engage in this kind of perversion at all and buy a Turris Omnia.

Source: https://habr.com/ru/post/368735/
