Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    22.05 - DCO and OpenVPN issue

    Scheduled Pinned Locked Moved OpenVPN
    50 Posts 7 Posters 9.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • JeGrJ
      JeGr LAYER 8 Moderator @jimp
      last edited by

      @jimp Just to chime in:

      we were rolling out 2 new boxes 6100/4100 to a customer and I set up OpenVPN RAS pretty default with new DCO setting.

      Exactly same problem: .2 client can connect and route/transfer data, all other client IPs don't get ANY data at all sent through the connection. Switching off DCO immediatly works again. No spiffy or special stuff configured, just plain dead simple RAS setup with a single LAN network that gets pushed to the clients.

      Clients are 2x windows boxes with win10, newest OVPN Client 2.5.9/x64 and have no problems whatsoever. Routes are just fine, traffic simply refuses to flow through the server if you're not client #.2 :)

      System is on 22.05 stable

      Cheers
      \jens

      Don't forget to upvote ๐Ÿ‘ those who kindly offered their time and brainpower to help you!

      If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

      1 Reply Last reply Reply Quote 1
      • stephenw10S
        stephenw10 Netgate Administrator
        last edited by

        Hmm, were those supplied with 22.05 or upgraded from 22.01?

        Does that include traffic between IPs in the tunnel subnet directly?

        JeGrJ 1 Reply Last reply Reply Quote 0
        • JeGrJ
          JeGr LAYER 8 Moderator @stephenw10
          last edited by

          @stephenw10 Those were freshly installed with 22.01 and clean upgraded to 22.05 - at least there were no errors or other hiccups in the logs or anywhere to see.

          Besides that it's a simple straightforward RAS style setup:

          • SSL/TLS + User Auth
          • DCO
          • tun L3
          • UDP/1194
          • TLS Key with TLS Auth (not auth+enc), default direction
          • VPN CA, VPN Cert, VPN CRL created
          • ECDH only
          • prime256v1
          • SHA256
          • no HW crypt (but AES-NI enabled kernel module)
          • cert depth 1 (C+S)
          • Strict User-CN Matching
          • Enforce Key usage
          • IP4 tunnel network 192.168.45.0/26 (to leave space to add another VPNs server later with .45.64/26, .45.128/26, etc.)
          • IP4 local network 192.168.40.0/24 (LAN)
          • compression: refuse any non stub (most secure)
          • dynamic IP selected
          • subnet
          • keepalive 5 30
          • DNS default domain set up to the locally used domain
          • DNS server set up to the local MS AD server
          • Gateway v4 only
          • Verb 3

          nothing else set. The RAS clients aren't supposed to talk with each other so no, inter-client comm isn't a thing here :)

          Cheers
          \jens

          Don't forget to upvote ๐Ÿ‘ those who kindly offered their time and brainpower to help you!

          If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

          1 Reply Last reply Reply Quote 0
          • stephenw10S
            stephenw10 Netgate Administrator
            last edited by

            I mean can clients other than .2 ping the server tunnel IP?

            1 Reply Last reply Reply Quote 0
            • jimpJ jimp moved this topic from Plus 22.05 Development Snapshots (Retired) on
            • stephenw10S
              stephenw10 Netgate Administrator
              last edited by

              I've been unable to replicate this so far. Did you test disabling AES-NI?

              JeGrJ 1 Reply Last reply Reply Quote 0
              • JeGrJ
                JeGr LAYER 8 Moderator @stephenw10
                last edited by

                @stephenw10 said in 22.05 - DCO and OpenVPN issue:

                I mean can clients other than .2 ping the server tunnel IP?

                Ah that's what you meant! I just switched DCO back on and tested for you:

                • VPN net: 192.168.45.0/24
                • LAN net: 192.168.40.0/24

                When DCO is on:

                • Client 1 connected as .45.2:

                  • ping to .45.1 (VPN GW) -> works
                  • ping to 40.1 (FW IP in LAN) -> works
                  • ping to 40.x (any other IP then Firewall) -> works
                  • can connect to e.g. Server on 192.168.40.10
                • Client 2 connected as .45.3:

                  • ping to .45.1 (VPN GW) -> works
                  • ping to 40.1 (FW IP in LAN) -> works
                  • ping to 40.x (any other IP then Firewall) -> DOESN'T work
                  • no connect to any other device on the LAN is working

                As there are IPsec tunnels currently in use I couldn't disable crypto but it is set to QAT - not AES-NI - as it's a 6100 :)

                Cheers

                Don't forget to upvote ๐Ÿ‘ those who kindly offered their time and brainpower to help you!

                If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                1 Reply Last reply Reply Quote 0
                • stephenw10S
                  stephenw10 Netgate Administrator
                  last edited by

                  Ah, OK I was testing to the LAN IP. Retesting....

                  1 Reply Last reply Reply Quote 1
                  • stephenw10S
                    stephenw10 Netgate Administrator
                    last edited by

                    Ok, replicated it. Let me see if I can narrow it down....

                    S 1 Reply Last reply Reply Quote 2
                    • S
                      swixo @stephenw10
                      last edited by

                      @stephenw10 Whew! Glad this was tracked down.

                      1 Reply Last reply Reply Quote 0
                      • stephenw10S
                        stephenw10 Netgate Administrator
                        last edited by

                        OK, this looks like an internal routing issue. As a workaround applying outbound NAT to traffic leaving the LAN appears to allow it to route replies as expected. If you want to test DCO that is.

                        Steve

                        JeGrJ 1 Reply Last reply Reply Quote 1
                        • JeGrJ
                          JeGr LAYER 8 Moderator @stephenw10
                          last edited by

                          @stephenw10 Would that be subject to a patch via "System Patches" or is the routing issue deeper than the patch system can go and requires a new build/version of some files? Just asking if that'd be hotfix'able.

                          Don't forget to upvote ๐Ÿ‘ those who kindly offered their time and brainpower to help you!

                          If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                          1 Reply Last reply Reply Quote 0
                          • stephenw10S
                            stephenw10 Netgate Administrator
                            last edited by

                            It's probably not something that can be fixed with a run-time patch unfortunately. It looks to be in OpenVPN so something in the binary.

                            Steve

                            JeGrJ 1 Reply Last reply Reply Quote 1
                            • JeGrJ
                              JeGr LAYER 8 Moderator @stephenw10
                              last edited by

                              @stephenw10 said in 22.05 - DCO and OpenVPN issue:

                              It's probably not something that can be fixed with a run-time patch unfortunately. It looks to be in OpenVPN so something in the binary.

                              Steve

                              Thanks for clarifying - thus we know to currently not roll it out enabled per default :)

                              Don't forget to upvote ๐Ÿ‘ those who kindly offered their time and brainpower to help you!

                              If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                              1 Reply Last reply Reply Quote 0
                              • First post
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.