Netgate Discussion Forum

22.05 - DCO and OpenVPN issue

OpenVPN
50 Posts 7 Posters 9.9k Views
stephenw10 Netgate Administrator

      Hmm, were those supplied with 22.05 or upgraded from 22.01?

      Does that include traffic between IPs in the tunnel subnet directly?

JeGr LAYER 8 Moderator @stephenw10

        @stephenw10 Those were freshly installed with 22.01 and clean upgraded to 22.05 - at least there were no errors or other hiccups in the logs or anywhere to see.

        Besides that it's a simple straightforward RAS style setup:

        • SSL/TLS + User Auth
        • DCO
        • tun L3
        • UDP/1194
        • TLS Key with TLS Auth (not auth+enc), default direction
        • VPN CA, VPN Cert, VPN CRL created
        • ECDH only
        • prime256v1
        • SHA256
        • no HW crypt (but AES-NI enabled kernel module)
        • cert depth 1 (C+S)
        • Strict User-CN Matching
        • Enforce Key usage
• IP4 tunnel network 192.168.45.0/26 (to leave space to add another VPN server later with .45.64/26, .45.128/26, etc.)
        • IP4 local network 192.168.40.0/24 (LAN)
        • compression: refuse any non stub (most secure)
        • dynamic IP selected
        • subnet
        • keepalive 5 30
        • DNS default domain set up to the locally used domain
        • DNS server set up to the local MS AD server
        • Gateway v4 only
        • Verb 3

        nothing else set. The RAS clients aren't supposed to talk with each other so no, inter-client comm isn't a thing here :)

        Cheers
        \jens

Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

        If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

stephenw10 Netgate Administrator

          I mean can clients other than .2 ping the server tunnel IP?

jimp moved this topic from Plus 22.05 Development Snapshots (Retired) on

stephenw10 Netgate Administrator

            I've been unable to replicate this so far. Did you test disabling AES-NI?

JeGr LAYER 8 Moderator @stephenw10

              @stephenw10 said in 22.05 - DCO and OpenVPN issue:

              I mean can clients other than .2 ping the server tunnel IP?

              Ah that's what you meant! I just switched DCO back on and tested for you:

              • VPN net: 192.168.45.0/24
              • LAN net: 192.168.40.0/24

              When DCO is on:

              • Client 1 connected as .45.2:

                • ping to .45.1 (VPN GW) -> works
                • ping to 40.1 (FW IP in LAN) -> works
• ping to 40.x (any other IP than Firewall) -> works
                • can connect to e.g. Server on 192.168.40.10
              • Client 2 connected as .45.3:

                • ping to .45.1 (VPN GW) -> works
                • ping to 40.1 (FW IP in LAN) -> works
• ping to 40.x (any other IP than Firewall) -> DOESN'T work
                • no connect to any other device on the LAN is working

              As there are IPsec tunnels currently in use I couldn't disable crypto but it is set to QAT - not AES-NI - as it's a 6100 :)

              Cheers

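The reachability matrix JeGr posted above (VPN gateway, firewall LAN IP, another LAN host, checked per client) is the useful diagnostic in this thread, so here it is as a small script. This is an added example, not code from the thread or from Netgate: it is run from an OpenVPN client, uses the three addresses quoted in the thread as defaults (override them with the `VPN_GW`, `FW_LAN` and `LAN_HOST` environment variables), and classifies the outcome so the "gateway and firewall answer but LAN hosts do not" pattern of client 2 is named explicitly. `PING_CMD` is an assumed hook that lets you substitute another probe command.

```shell
#!/bin/sh
# Added example (not from the thread or from Netgate): reproduce the per-client
# reachability matrix from the post above and classify the result.
# Defaults are the addresses quoted in the thread; PING_CMD is an assumed hook.

VPN_GW="${VPN_GW:-192.168.45.1}"        # OpenVPN server tunnel IP (from the thread)
FW_LAN="${FW_LAN:-192.168.40.1}"        # firewall LAN address (from the thread)
LAN_HOST="${LAN_HOST:-192.168.40.10}"   # another LAN host (from the thread)
PING_CMD="${PING_CMD:-ping -c 1 -W 1}"  # one echo request, 1 s timeout

# probe IP: exit 0 if an ICMP echo reply came back, non-zero otherwise
probe() {
    $PING_CMD "$1" >/dev/null 2>&1
}

# report LABEL IP STATUS: one human-readable line per target
report() {
    if [ "$3" -eq 0 ]; then s="works"; else s="DOESN'T work"; fi
    printf '%-10s %-15s %s\n' "$1" "$2" "$s"
}

# classify GW FW HOST (each 0 = reachable, 1 = not): name the failure pattern
classify() {
    gw=$1; fw=$2; host=$3
    if [ "$gw" -ne 0 ]; then
        echo "tunnel-down"          # the VPN gateway itself does not answer
    elif [ "$fw" -eq 0 ] && [ "$host" -eq 0 ]; then
        echo "ok"                   # everything reachable: what client 1 saw
    elif [ "$fw" -eq 0 ] && [ "$host" -ne 0 ]; then
        echo "lan-reply-routing"    # GW and FW answer, LAN hosts do not: client 2's symptom
    else
        echo "other"
    fi
}

# run_matrix: probe all three targets, print the table, then the classification
run_matrix() {
    probe "$VPN_GW"   && r_gw=0   || r_gw=1
    probe "$FW_LAN"   && r_fw=0   || r_fw=1
    probe "$LAN_HOST" && r_host=0 || r_host=1
    report "VPN GW"   "$VPN_GW"   "$r_gw"
    report "FW LAN"   "$FW_LAN"   "$r_fw"
    report "LAN host" "$LAN_HOST" "$r_host"
    classify "$r_gw" "$r_fw" "$r_host"
}

# Run the matrix only when invoked as: sh dco-matrix.sh --run
if [ "${1:-}" = "--run" ]; then
    run_matrix
fi
```

Run it from each connected client in turn; a client that reports `lan-reply-routing` while another reports `ok` on the same server is the DCO symptom discussed in this thread, as opposed to a client whose tunnel is simply down.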
stephenw10 Netgate Administrator

                Ah, OK I was testing to the LAN IP. Retesting....

stephenw10 Netgate Administrator

                  Ok, replicated it. Let me see if I can narrow it down....

swixo @stephenw10

                    @stephenw10 Whew! Glad this was tracked down.

stephenw10 Netgate Administrator

                      OK, this looks like an internal routing issue. As a workaround applying outbound NAT to traffic leaving the LAN appears to allow it to route replies as expected. If you want to test DCO that is.

                      Steve

JeGr LAYER 8 Moderator @stephenw10

                        @stephenw10 Would that be subject to a patch via "System Patches" or is the routing issue deeper than the patch system can go and requires a new build/version of some files? Just asking if that'd be hotfix'able.

stephenw10 Netgate Administrator

                          It's probably not something that can be fixed with a run-time patch unfortunately. It looks to be in OpenVPN so something in the binary.

                          Steve

JeGr LAYER 8 Moderator @stephenw10

                            @stephenw10 said in 22.05 - DCO and OpenVPN issue:

                            It's probably not something that can be fixed with a run-time patch unfortunately. It looks to be in OpenVPN so something in the binary.

                            Steve

                            Thanks for clarifying - thus we know to currently not roll it out enabled per default :)

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.