Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    22.05 - DCO and OpenVPN issue

    Scheduled Pinned Locked Moved OpenVPN
    50 Posts 7 Posters 9.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • PippinP
      Pippin
      last edited by

      Filesize.....

      I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
      Halton Arp

      S 1 Reply Last reply Reply Quote 1
      • M
        maverick_slo
        last edited by

        I have exact same filesize and version as @swixo
        And if I turn ON DCO, traffic stops flowing on my android device.
        Turn DCO OFF all is fine again...

        1 Reply Last reply Reply Quote 1
        • S
          swixo @Pippin
          last edited by

          @pippin Yep - I see that - disregarded initially.

          S 1 Reply Last reply Reply Quote 0
          • S
            swixo @swixo
            last edited by swixo

            @swixo Just reinstalled 22.01. Upgraded to 22.05RC.

            pkg info -s openvpn
            openvpn-2.6.0_8 836KiB

            Client VPN behaved same - DCO=no data flow, no DCO, all ok.

            1 Reply Last reply Reply Quote 0
            • stephenw10S
              stephenw10 Netgate Administrator
              last edited by

              Mmm, I was looking on a 3100 there though. On an amd64 machine it looks good:

              [22.05-RC][admin@4100-2.stevew.lan]/root: pkg info -s openvpn
              openvpn-2.6.0_8                836KiB
              

              I assume the IOS client is still OpenVPN 2.5 based?

              S 1 Reply Last reply Reply Quote 0
              • S
                swixo @stephenw10
                last edited by

                @stephenw10 Yeah - for me all iOS and MacOS have issue.
                My platform for pf is all Netgate 1537 appliances.

                1 Reply Last reply Reply Quote 0
                • jimpJ
                  jimp Rebel Alliance Developer Netgate
                  last edited by

                  I have seen an occasional glitch on OSX but I'm not sure if it's specific to OSX. The first start after a reboot sometimes it won't ping, but if I restart the server and reconnect the client it can. But since it's so intermittent and doesn't happen every time (and didn't log anything different that I recall), I hadn't been able to nail down anything solid enough to call a problem yet.

                  If you can reproduce it reliably, check the ifconfig output for the interface, the contents of the routing table, and the OpenVPN logs for when it doesn't work, then restart the server and see if you can reconnect the client and pass traffic. If you can, then compare the logs and other output and see if you notice any differences.

                  Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                  Need help fast? Netgate Global Support!

                  Do not Chat/PM for help!

                  S 1 Reply Last reply Reply Quote 0
                  • S
                    swixo @jimp
                    last edited by

                    @jimp said in 22.05 - DCO and OpenVPN issue:

                    If you can reproduce it reliably, check the ifconfig output for the interface, the contents of the routing table, and the OpenVPN logs for when it doesn't work, then restart the server and see if you can reconnect the client and pass traffic. If you can, then compare the logs and other output and see if you notice any differences.

                    Ok! I tested and I was able to get traffic to flow ONCE after I closed the tunnel, restarted the server and restarted the tunnel. But subsequent initiations of the tunnel resulted in no data flow.

                    This is the ifconfig for the interface - and it was the same in the fail and non fail condition:

                    utun10: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
                    	inet 192.168.41.2 --> 192.168.41.2 netmask 0xffffff00
                    

                    I didn't see anything error like in the logs. Just the usual stuff.

                    s

                    1 Reply Last reply Reply Quote 0
                    • jimpJ
                      jimp Rebel Alliance Developer Netgate
                      last edited by

                      That looks like the client side, what about differences on the server side when it works vs when it doesn't?

                      Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                      Need help fast? Netgate Global Support!

                      Do not Chat/PM for help!

                      S 1 Reply Last reply Reply Quote 0
                      • S
                        swixo @jimp
                        last edited by

                        @jimp I have not been able to 'jiggle' it into working by disconnecting/restarting and reconnecting again. It just fails:

                        This is ifconfig from Server side for each state

                        tunnel disconnected:

                        ovpns2: flags=8011<UP,POINTOPOINT,MULTICAST> metric 0 mtu 1500
                        	options=80000<LINKSTATE>
                        	inet6 fe80::3eec:efff:fe79:f1f2%ovpns2 prefixlen 64 tentative scopeid 0x19
                        	inet 192.168.41.1 --> 192.168.41.2 netmask 0xffffff00
                        	groups: openvpn
                        	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                        

                        Connected/Failing (No data pass)

                        ovpns2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
                        	options=80000<LINKSTATE>
                        	inet6 fe80::3eec:efff:fe79:f1f2%ovpns2 prefixlen 64 scopeid 0x19
                        	inet 192.168.41.1 --> 192.168.41.2 netmask 0xffffff00
                        	groups: openvpn
                        	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                        

                        Hope this helps.

                        1 Reply Last reply Reply Quote 0
                        • jimpJ
                          jimp Rebel Alliance Developer Netgate
                          last edited by

                          I think this is what I hit yesterday with multiple clients failing (only the first client, e.g. .2 worked). We got a fix in yesterday afternoon and made a new build. You should be able to update to that and try it.

                          Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                          Need help fast? Netgate Global Support!

                          Do not Chat/PM for help!

                          S 2 Replies Last reply Reply Quote 3
                          • S
                            swixo @jimp
                            last edited by

                            This post is deleted!
                            1 Reply Last reply Reply Quote 1
                            • S
                              swixo @jimp
                              last edited by

                              @jimp I may have spoken too soon -- It worked once - but shortly after - same problem returned.

                              Did a server restart - and its blocking data again w/DCO. Sorry for any false start - just reporting what I'm seeing.

                              1 Reply Last reply Reply Quote 0
                              • jimpJ
                                jimp Rebel Alliance Developer Netgate
                                last edited by

                                Odd. I can't reproduce any problem now, and I could before. I've restarted the server and clients multiple times. Not just reboots but daemon restarts.

                                Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                                Need help fast? Netgate Global Support!

                                Do not Chat/PM for help!

                                S 1 Reply Last reply Reply Quote 0
                                • S
                                  swixo @jimp
                                  last edited by

                                  @jimp So I tried again with MacOS - working with DCO. No erros in logs. Connected with iOS - nothing. And as soon as I connected with iOS, the MacOS connection stopped working too.

                                  Log errors at time of failure:

                                  Jun 15 10:48:35	openvpn	2705	192.168.1.212:54428 TLS Error: tls-crypt unwrapping failed from [AF_INET]192.168.1.212:54428 (via [AF_INET]192.168.1.1%)
                                  Jun 15 10:48:35	openvpn	2705	192.168.1.212:54428 tls-crypt unwrap error: packet replay
                                  Jun 15 10:48:35	openvpn	2705	192.168.1.212:54428 tls-crypt unwrap error: bad packet ID (may be a replay): [ #9 / time = (1655315314) 2022-06-15 10:48:34 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
                                  Jun 15 10:48:35	openvpn	2705	192.168.1.212:54428 TLS Error: tls-crypt unwrapping failed from [AF_INET]192.168.1.212:54428 (via [AF_INET]192.168.1.1%)
                                  Jun 15 10:48:35	openvpn	2705	192.168.1.212:54428 tls-crypt unwrap error: packet replay
                                  Jun 15 10:48:35	openvpn	2705	192.168.1.212:54428 tls-crypt unwrap error: bad packet ID (may be a replay): [ #8 / time = (1655315314) 2022-06-15 10:48:34 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
                                  
                                  jimpJ 1 Reply Last reply Reply Quote 0
                                  • M
                                    maverick_slo
                                    last edited by

                                    For me, Android now works OK.
                                    But I had to disable DCO, because it`s like 40% slower than without it...

                                    jimpJ M 2 Replies Last reply Reply Quote 0
                                    • jimpJ
                                      jimp Rebel Alliance Developer Netgate @maverick_slo
                                      last edited by

                                      @maverick_slo said in 22.05 - DCO and OpenVPN issue:

                                      For me, Android now works OK.
                                      But I had to disable DCO, because it`s like 40% slower than without it...

                                      If your hardware supports AES-NI, make sure the AES-NI kernel module is loaded (System > Advanced, Misc tab).

                                      The only time we've seen DCO be slower is when the hardware supports crypto acceleration but it's not enabled in the kernel/modules. DCO is in the kernel so it can't just latch onto AES-NI via OpenSSL like non-DCO OpenVPN can.

                                      Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                                      Need help fast? Netgate Global Support!

                                      Do not Chat/PM for help!

                                      1 Reply Last reply Reply Quote 1
                                      • jimpJ
                                        jimp Rebel Alliance Developer Netgate @swixo
                                        last edited by

                                        @swixo said in 22.05 - DCO and OpenVPN issue:

                                        @jimp So I tried again with MacOS - working with DCO. No erros in logs. Connected with iOS - nothing. And as soon as I connected with iOS, the MacOS connection stopped working too.

                                        Log errors at time of failure:

                                        Jun 15 10:48:35	openvpn	2705	192.168.1.212:54428 TLS Error: tls-crypt unwrapping failed from [AF_INET]192.168.1.212:54428 (via [AF_INET]192.168.1.1%)
                                        Jun 15 10:48:35	openvpn	2705	192.168.1.212:54428 tls-crypt unwrap error: packet replay
                                        Jun 15 10:48:35	openvpn	2705	192.168.1.212:54428 tls-crypt unwrap error: bad packet ID (may be a replay): [ #9 / time = (1655315314) 2022-06-15 10:48:34 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
                                        Jun 15 10:48:35	openvpn	2705	192.168.1.212:54428 TLS Error: tls-crypt unwrapping failed from [AF_INET]192.168.1.212:54428 (via [AF_INET]192.168.1.1%)
                                        Jun 15 10:48:35	openvpn	2705	192.168.1.212:54428 tls-crypt unwrap error: packet replay
                                        Jun 15 10:48:35	openvpn	2705	192.168.1.212:54428 tls-crypt unwrap error: bad packet ID (may be a replay): [ #8 / time = (1655315314) 2022-06-15 10:48:34 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
                                        

                                        I still can't reproduce any problems here. Replay errors suggest it's a network-level problem with packets arriving out of order, though.

                                        Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                                        Need help fast? Netgate Global Support!

                                        Do not Chat/PM for help!

                                        S 1 Reply Last reply Reply Quote 0
                                        • S
                                          swixo @jimp
                                          last edited by

                                          @jimp Updated to 22.05.r.20220617.0613 this AM.

                                          Similar situation - First client to connect - its good. Second client to connect - Both lose data flow.

                                          1 Reply Last reply Reply Quote 0
                                          • M
                                            maverick_slo @maverick_slo
                                            last edited by

                                            It7s loaded...
                                            AES-NI CPU Crypto: Yes (active)

                                            But still it is really slower...

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.