Netgate Discussion Forum
    22.05 - DCO and OpenVPN issue

    • stephenw10 (Netgate Administrator):

      I mean can clients other than .2 ping the server tunnel IP?

      • jimp moved this topic from Plus 22.05 Development Snapshots (Retired)
      • stephenw10 (Netgate Administrator):

        I've been unable to replicate this so far. Did you test disabling AES-NI?

        • JeGr (LAYER 8 Moderator) @stephenw10:

          @stephenw10 said in 22.05 - DCO and OpenVPN issue:

          I mean can clients other than .2 ping the server tunnel IP?

          Ah that's what you meant! I just switched DCO back on and tested for you:

          • VPN net: 192.168.45.0/24
          • LAN net: 192.168.40.0/24

          When DCO is on:

          • Client 1 connected as .45.2:

            • ping to .45.1 (VPN GW) -> works
            • ping to 40.1 (FW IP in LAN) -> works
            • ping to 40.x (any other IP than the firewall) -> works
            • can connect to e.g. Server on 192.168.40.10
          • Client 2 connected as .45.3:

            • ping to .45.1 (VPN GW) -> works
            • ping to 40.1 (FW IP in LAN) -> works
            • ping to 40.x (any other IP than the firewall) -> DOESN'T work
            • no connection to any other device on the LAN works

          As there are IPsec tunnels currently in use I couldn't disable crypto, but it is set to QAT, not AES-NI, as it's a 6100 :)

          Cheers

          • stephenw10 (Netgate Administrator):
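The three-stage check JeGr ran above (VPN gateway, the firewall's own LAN address, then a host behind the firewall) is worth scripting so the same matrix can be repeated from every client after each change. The script below is an added example, not something posted in this thread or shipped with pfSense. The addresses are assumptions matching JeGr's lab (192.168.45.1 as the VPN gateway, 192.168.40.1 as the firewall's LAN IP, 192.168.40.10 as the LAN server) and can be overridden through the environment; the `110` pattern it names is the one JeGr saw for client .45.3 with DCO on.

```sh
#!/bin/sh
# Added example (not from the thread or pfSense): repeat JeGr's reachability
# matrix from an OpenVPN client and name the failure pattern.
# The addresses are assumptions taken from the lab in the thread; override them
# with VPN_GW=... FW_LAN=... LAN_HOST=... in the environment.
VPN_GW=${VPN_GW:-192.168.45.1}      # OpenVPN server tunnel address (.45.1)
FW_LAN=${FW_LAN:-192.168.40.1}      # firewall's LAN interface address (.40.1)
LAN_HOST=${LAN_HOST:-192.168.40.10} # a host behind the firewall, not the firewall

# probe <ip>: one ICMP echo with a 1 s reply timeout; exit 0 on reply.
# Linux ping takes the timeout as -W <seconds>; FreeBSD/macOS ping uses -t <seconds>.
probe() {
    case "$(uname -s)" in
        Linux) ping -c 1 -W 1 "$1" >/dev/null 2>&1 ;;
        *)     ping -c 1 -t 1 "$1" >/dev/null 2>&1 ;;
    esac
}

# classify <gw> <fw> <host>: each argument is 1 (reply) or 0 (no reply).
# Prints a one-line verdict; the tag before the colon is stable for scripting.
classify() {
    case "$1$2$3" in
        111) echo "ok: tunnel gateway, firewall LAN IP and LAN host all reachable" ;;
        110) echo "dco-routing: firewall reachable, LAN host not; replies from LAN hosts are not coming back to this client (pattern seen with DCO on)" ;;
        100) echo "lan-blocked: tunnel up but nothing on the LAN reachable; check OpenVPN/LAN rules and pushed routes" ;;
        0*)  echo "tunnel-down: VPN gateway unreachable; client is not actually connected" ;;
        *)   echo "inconsistent: $1$2$3; LAN host answers but the firewall's LAN IP does not" ;;
    esac
}

# run_matrix: probe the three targets in order and print the verdict.
run_matrix() {
    gw=0; fw=0; host=0
    probe "$VPN_GW"   && gw=1
    probe "$FW_LAN"   && fw=1
    probe "$LAN_HOST" && host=1
    classify "$gw" "$fw" "$host"
}

# Only probe when invoked as "sh vpn-matrix.sh run", so sourcing the file
# (for example from a test harness) defines the functions without pinging.
if [ "${1:-}" = "run" ]; then
    run_matrix
fi
```

Run it once from each connected client (`sh vpn-matrix.sh run`) and compare verdicts: on the thread's box the first client reports `ok` and every later client reports `dco-routing`, which separates this problem from a plain firewall-rule mistake (`lan-blocked` on all clients) or a client that never came up (`tunnel-down`).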

            Ah, OK I was testing to the LAN IP. Retesting....

            • stephenw10 (Netgate Administrator):

              Ok, replicated it. Let me see if I can narrow it down....

              • swixo @stephenw10:

                @stephenw10 Whew! Glad this was tracked down.

                • stephenw10 (Netgate Administrator):

                  OK, this looks like an internal routing issue. As a workaround applying outbound NAT to traffic leaving the LAN appears to allow it to route replies as expected. If you want to test DCO that is.

                  Steve

                  • JeGr (LAYER 8 Moderator) @stephenw10:
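Steve's workaround, written out as an added example rather than anything posted in the thread: the pf rule that corresponds to an outbound NAT rule on the LAN interface (Firewall > NAT > Outbound in Hybrid mode, source = the tunnel network, translation = interface address) for the networks JeGr used. The interface name igb1 and both /24s are assumptions; on a real box you create the rule in the GUI and confirm what was generated with `pfctl -sn`, rather than editing the ruleset by hand.

```pf
# Added example, not from the thread and not pfSense's own generated ruleset:
# outbound NAT implementing the workaround Steve describes, in pf syntax.
# Assumptions: LAN interface is igb1, tunnel network 192.168.45.0/24,
# LAN network 192.168.40.0/24, firewall LAN address 192.168.40.1.

# Situation with DCO on and no NAT: a packet from client .45.3 reaches
# 192.168.40.10 with its tunnel address as source. The host replies to
# 192.168.45.3 via the firewall, and that reply is what never reaches the
# client, while the firewall's own LAN address still answers (JeGr's matrix).
#   (no nat rule for 192.168.45.0/24 on igb1)

# Workaround: translate tunnel clients to the firewall's LAN address as they
# leave igb1, so LAN hosts reply to 192.168.40.1 and the reply is matched by
# the NAT state on the firewall instead of depending on the misbehaving route.
nat on igb1 inet from 192.168.45.0/24 to 192.168.40.0/24 -> 192.168.40.1 port 1024:65535
```

After saving, `pfctl -sn | grep 192.168.45.0` should list the rule and `tcpdump -ni igb1 host 192.168.40.10` should show the client's traffic sourced from 192.168.40.1. The cost is that LAN hosts no longer see which VPN client is talking to them, so per-client firewall rules and host logs on the LAN side lose that information; as Steve says, this is a way to test DCO, not a configuration to leave in place. Turning DCO off is the other way to get per-client source addresses back.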

                    @stephenw10 Would that be subject to a patch via "System Patches", or is the routing issue deeper than the patch system can go and requires a new build/version of some files? Just asking if that'd be hotfixable.

                    • stephenw10 (Netgate Administrator):

                      It's probably not something that can be fixed with a run-time patch unfortunately. It looks to be in OpenVPN so something in the binary.

                      Steve

                      • JeGr (LAYER 8 Moderator) @stephenw10:

                        @stephenw10 said in 22.05 - DCO and OpenVPN issue:

                        It's probably not something that can be fixed with a run-time patch unfortunately. It looks to be in OpenVPN so something in the binary.

                        Steve

                        Thanks for clarifying - so we know not to roll it out enabled by default for now :)

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.