MultipathTCP and OpenWrt

This page discusses the MultipathTCP support in OpenWrt.

this is not part of the trunk yet

Clone the multipath TCP capable kernel from https://github.com/xedp3x/openwrt if you like.

Multipath TCP (MPTCP) is an effort towards enabling the simultaneous use of several IP-addresses/interfaces by a modification of TCP that presents a regular TCP interface to applications, while in fact spreading data across several subflows. Benefits of this include better resource utilization, better throughput and smoother reaction to failures.

You have to install the patched kernel on both devices that are involved in a Multipath TCP connection. If these devices are PC's more info can be found at http://multipath-tcp.org

If your PC and Server have an ordinary TCP-connection, your router cannot use the MPTCP-protocol by default. To make it work, you have two possible solutions:

• Use a proxy on the router
• Use a VPN to an endpoint with faster network. In this way, you can use all uplinks for all traffic, even trafic to a non-MPTCP-server.

MP-TCP works with a patched kernel. See build for a better manual on how to compile your own version of OpenWrt.

- clone the repo

- load the feeds

- make menuconfig

1. select your device
2. select the 'mptcp' package
3. It is useful to also compile OpenVPN and it's dependencies and possible other packages that you plan to use in this step.

- make kernel_menuconfig

1. on the top the kernel version is shown. Only version 3.10.x and 3.14.x are supported.
2. activate mptcp

- make

MPTCP is running without any configuration. But if you want to use it with multiple interfaces on your device you have to configure these interfaces.

To enable the scripts call

uci set network.globals.multipath=enable

the interface you set by:

uci set network.<name>.multipath=<option>

Here you can choose one of the following options:

Save your changes with:

• uci commit
• /etc/init.d/network restart

The script generates multiple default routes in different tables and rules. These may make problems with other packages. I'm sure that it will not work with multiwan

you can see all current connections by using:

multipath -c

If you have installed the patched net-tools on your pc you can see MPTCP's behaviour in a better way by using

netstat -m

The patched version of netstat is not yet ported to this repo yet.

This is an example for a VPN over 2 WAN connections. It routes the entire network to the VPN endpoint and sends the data to the internet there, consequently it needs a back route from there which is why you should (also) implement NAT on the remote side of the VPN tunnel.

The following configuration has no encryption on the VPN link. This is faster but it is not secure. The configuration also updates the MAC address to prevent problems in case you have 2 ISP clients but the same address.

network.globals.multipath=enable

network.wan1=interface
network.wan1.proto=dhcp
network.wan1.ifname=eth0.1
network.wan1.macaddr=XX:XX:XX:XX:XX:01
network.wan1.multipath=master

network.wan2=interface
network.wan2.proto=dhcp
network.wan2.ifname=eth0.2
network.wan2.macaddr=XX:XX:XX:XX:XX:02
network.wan2.multipath=on

network.tap1337=interface
network.tap1337.proto=none
network.tap1337.ifname=tap1337


firewall.@zone[1].name=wan
firewall.@zone[1].network=wan1 wan2

firewall.@zone[2]=zone
firewall.@zone[2].name=vpn
firewall.@zone[2].input=ACCEPT
firewall.@zone[2].output=ACCEPT
firewall.@zone[2].network=tap1337
firewall.@zone[2].forward=ACCEPT

firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest=vpn
firewall.@forwarding[0].src=lan
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].dest=lan
firewall.@forwarding[2].src=vpn


openvpn.mptcp=openvpn
openvpn.mptcp.enabled=1
openvpn.mptcp.client=1
openvpn.mptcp.dev=tap1337
openvpn.mptcp.proto=tcp
openvpn.mptcp.remote=X.X.X.X 1194
openvpn.mptcp.resolv_retry=infinite
openvpn.mptcp.nobind=1
openvpn.mptcp.persist_key=1
openvpn.mptcp.persist_tun=1
openvpn.mptcp.ca=/etc/openvpn/ca.crt
openvpn.mptcp.cert=/etc/openvpn/client.crt
openvpn.mptcp.key=/etc/openvpn/client.key
openvpn.mptcp.cipher=none
openvpn.mptcp.verb=3
openvpn.mptcp.link_mtu=1480
openvpn.mptcp.script_security=2
openvpn.mptcp.up=/etc/openvpn/up.sh
openvpn.mptcp.down=/etc/openvpn/down.sh

/etc/openvpn/up.sh

#!/bin/sh
# ^ must be the first line
# set the execution bit by 'chmod +x /etc/openvpn/up.sh'

# Route the traffic from the bridged interface "lan" via table 1
# multipath-tcp will use the table 2 and up
ip rule add iif br-lan table 1
# set the default route via vpn (only table 1)
ip route add 10.9.8.0/24 via 10.9.8.1 dev $1 table 1
ip route add default via 10.9.8.1 dev $1 table 1
# refresh the routes
ip route flush cache

/etc/openvpn/down.sh

#!/bin/sh

ip rule del table 1
ip route flush table 1
ip route flush cache

Server Configuration

OpenVPN

port 1194
proto tcp
dev tap

ca      /etc/openvpn/keys/ca.crt    # generated keys
cert    /etc/openvpn/keys/server.crt
key     /etc/openvpn/keys/server.key  # keep secret
dh      /etc/openvpn/keys/dh1024.pem

server 10.9.8.0 255.255.255.0  # internal tun0 connection IP
ifconfig-pool-persist ipp.txt
keepalive 10 120

#comp-lzo         # Compression - must be turned on at both ends
persist-key
persist-tun
cipher none       # < No encryption!!!
status /var/log/openvpn-status.log
verb 3
client-to-client
link-mtu 1480 
script-security 2
up /etc/openvpn/up.sh  # < Set the back route in this script.

Example of the server up.sh (replace 192.168.1.0 with your own value).

#!/bin/sh
#The client IPs are fixed in the ipp.txt
ip route add 192.168.1.0/24 via 10.9.8.2 dev $1

Don't forget to implement NAT at the Server. (for examples, browse “debian nat”)