Netgate Discussion Forum

22.05 - DCO and OpenVPN issue

50 Posts 7 Posters 8.9k Views
    JeGr LAYER 8 Moderator @jimp
    last edited by Jul 14, 2022, 1:51 PM

    @jimp Just to chime in:

    we were rolling out 2 new boxes 6100/4100 to a customer and I set up OpenVPN RAS pretty default with new DCO setting.

    Exactly the same problem: .2 client can connect and route/transfer data, all other client IPs don't get ANY data at all sent through the connection. Switching off DCO immediately works again. No spiffy or special stuff configured, just plain dead simple RAS setup with a single LAN network that gets pushed to the clients.

    Clients are 2x windows boxes with win10, newest OVPN Client 2.5.9/x64 and have no problems whatsoever. Routes are just fine, traffic simply refuses to flow through the server if you're not client #.2 :)

    System is on 22.05 stable

    Cheers
    \jens

    Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

    If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

      stephenw10 Netgate Administrator
      last edited by Jul 14, 2022, 2:43 PM

      Hmm, were those supplied with 22.05 or upgraded from 22.01?

      Does that include traffic between IPs in the tunnel subnet directly?

        JeGr LAYER 8 Moderator @stephenw10
        last edited by Jul 14, 2022, 3:21 PM

        @stephenw10 Those were freshly installed with 22.01 and clean upgraded to 22.05 - at least there were no errors or other hiccups in the logs or anywhere to see.

        Besides that it's a simple straightforward RAS style setup:

        • SSL/TLS + User Auth
        • DCO
        • tun L3
        • UDP/1194
        • TLS Key with TLS Auth (not auth+enc), default direction
        • VPN CA, VPN Cert, VPN CRL created
        • ECDH only
        • prime256v1
        • SHA256
        • no HW crypt (but AES-NI enabled kernel module)
        • cert depth 1 (C+S)
        • Strict User-CN Matching
        • Enforce Key usage
        • IP4 tunnel network 192.168.45.0/26 (to leave space to add another VPN server later with .45.64/26, .45.128/26, etc.)
        • IP4 local network 192.168.40.0/24 (LAN)
        • compression: refuse any non stub (most secure)
        • dynamic IP selected
        • subnet
        • keepalive 5 30
        • DNS default domain set up to the locally used domain
        • DNS server set up to the local MS AD server
        • Gateway v4 only
        • Verb 3

        nothing else set. The RAS clients aren't supposed to talk with each other so no, inter-client comm isn't a thing here :)

        Cheers
        \jens


          stephenw10 Netgate Administrator
          last edited by Jul 14, 2022, 3:27 PM

          I mean can clients other than .2 ping the server tunnel IP?

           jimp moved this topic from Plus 22.05 Development Snapshots (Retired) on Jul 14, 2022, 5:57 PM
            stephenw10 Netgate Administrator
            last edited by Jul 14, 2022, 10:50 PM

            I've been unable to replicate this so far. Did you test disabling AES-NI?

              JeGr LAYER 8 Moderator @stephenw10
              last edited by Jul 15, 2022, 3:00 PM

              @stephenw10 said in 22.05 - DCO and OpenVPN issue:

              I mean can clients other than .2 ping the server tunnel IP?

              Ah that's what you meant! I just switched DCO back on and tested for you:

              • VPN net: 192.168.45.0/24
              • LAN net: 192.168.40.0/24

              When DCO is on:

              • Client 1 connected as .45.2:

                • ping to .45.1 (VPN GW) -> works
                • ping to 40.1 (FW IP in LAN) -> works
                • ping to 40.x (any other IP than the firewall) -> works
                • can connect to e.g. Server on 192.168.40.10
              • Client 2 connected as .45.3:

                • ping to .45.1 (VPN GW) -> works
                • ping to 40.1 (FW IP in LAN) -> works
                • ping to 40.x (any other IP than the firewall) -> DOESN'T work
                • no connect to any other device on the LAN is working

              As there are IPsec tunnels currently in use I couldn't disable crypto but it is set to QAT - not AES-NI - as it's a 6100 :)

              Cheers


                stephenw10 Netgate Administrator
                last edited by Jul 15, 2022, 3:13 PM

                Ah, OK I was testing to the LAN IP. Retesting....

                  stephenw10 Netgate Administrator
                  last edited by Jul 15, 2022, 3:30 PM

                  Ok, replicated it. Let me see if I can narrow it down....

                    swixo @stephenw10
                    last edited by Jul 15, 2022, 3:35 PM

                    @stephenw10 Whew! Glad this was tracked down.

                      stephenw10 Netgate Administrator
                      last edited by Jul 15, 2022, 4:15 PM

                      OK, this looks like an internal routing issue. As a workaround applying outbound NAT to traffic leaving the LAN appears to allow it to route replies as expected. If you want to test DCO that is.

                      Steve

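The three probes JeGr ran above (VPN gateway, firewall LAN IP, another LAN host) and the outbound NAT workaround Steve describes, written up as an added POSIX shell example. This is not code from the thread, from Netgate or from pfSense: the script reproduces the probe matrix from a connected client, classifies the result pattern, and prints the pf-syntax equivalent of an Outbound NAT mapping on the LAN interface when the "gateway and firewall answer, other LAN hosts don't" pattern shows up. The interface name `igb1` and the `probe`/`classify`/`nat_rule` function names are assumptions; the subnets are the ones from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from Netgate/pfSense): connectivity
# matrix for a road-warrior client plus the pf rule corresponding to the
# outbound NAT workaround. Interface name and function names are assumptions.

# probe <ip>: prints "ok" if one ICMP echo gets a reply, "fail" otherwise.
# Only -c is used because the timeout flag (-W) means seconds on Linux and
# milliseconds on FreeBSD, so it is not portable.
probe() {
    if ping -c 1 "$1" >/dev/null 2>&1; then
        printf 'ok\n'
    else
        printf 'fail\n'
    fi
}

# classify <gw> <fw> <host>: each argument is "ok" or "fail".
#   tunnel-down     - the VPN gateway itself does not answer
#   fw-only         - gateway answers, firewall LAN IP does not
#                     (not the pattern reported in this thread)
#   dco-return-path - gateway and firewall LAN IP answer, other LAN hosts do
#                     not: the pattern reported for DCO clients other than .2
#   full            - everything reachable
classify() {
    case "$1,$2,$3" in
        fail,*,*)    printf 'tunnel-down\n' ;;
        ok,fail,*)   printf 'fw-only\n' ;;
        ok,ok,fail)  printf 'dco-return-path\n' ;;
        ok,ok,ok)    printf 'full\n' ;;
        *)           printf 'unknown\n' ;;
    esac
}

# nat_rule <lan_if> <tunnel_net> <lan_net>: pf.conf syntax for the workaround.
# Tunnel-sourced traffic leaving the LAN interface is translated to the
# firewall's LAN address, so LAN hosts reply to the firewall and the firewall
# routes the reply back into the tunnel. In pfSense this is an Outbound NAT
# mapping on the LAN interface (Hybrid or Manual mode); this is the equivalent
# raw rule, not something pfSense generates verbatim.
nat_rule() {
    printf 'nat on %s inet from %s to %s -> (%s)\n' "$1" "$2" "$3" "$1"
}

# Run the matrix when invoked with three addresses, e.g.
#   sh dco-check.sh 192.168.45.1 192.168.40.1 192.168.40.10
if [ "$#" -eq 3 ]; then
    gw=$(probe "$1"); fw=$(probe "$2"); host=$(probe "$3")
    printf 'vpn gw  %s: %s\n' "$1" "$gw"
    printf 'fw lan  %s: %s\n' "$2" "$fw"
    printf 'lan host %s: %s\n' "$3" "$host"
    result=$(classify "$gw" "$fw" "$host")
    printf 'pattern: %s\n' "$result"
    if [ "$result" = dco-return-path ]; then
        # igb1 is a placeholder LAN interface; subnets are the thread's.
        printf 'workaround (pf syntax): %s\n' \
            "$(nat_rule igb1 192.168.45.0/26 192.168.40.0/24)"
    fi
fi
```

Run it from a connected client with the three addresses in the order gateway, firewall LAN IP, LAN host. Client .2 should report `full`; a client showing `dco-return-path` matches the behaviour described in this thread, and `fw-only` or `tunnel-down` point somewhere other than the DCO return-path problem.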
                        JeGr LAYER 8 Moderator @stephenw10
                        last edited by Jul 18, 2022, 7:24 AM

                        @stephenw10 Would that be subject to a patch via "System Patches" or is the routing issue deeper than the patch system can go and requires a new build/version of some files? Just asking if that'd be hotfixable.


                          stephenw10 Netgate Administrator
                          last edited by Jul 21, 2022, 6:26 PM

                          It's probably not something that can be fixed with a run-time patch unfortunately. It looks to be in OpenVPN so something in the binary.

                          Steve

                            JeGr LAYER 8 Moderator @stephenw10
                            last edited by Jul 26, 2022, 3:27 PM

                            @stephenw10 said in 22.05 - DCO and OpenVPN issue:

                            It's probably not something that can be fixed with a run-time patch unfortunately. It looks to be in OpenVPN so something in the binary.

                            Steve

                            Thanks for clarifying - thus we know to currently not roll it out enabled per default :)

