DCO unable to connect (unsolvable)
-
I labelled this as unsolvable as OpenVPN support have been unable to get this working.
Netgate support have taken a look and advised it needs a higher level of paid support, which makes the whole pfSense project too expensive after the upgrades to Plus.
OpenVPN have a commercial server that supports DCO. I can connect to this server with DCO enabled using:
- Windows OpenVPN Connect Client
- Linux openvpn client
I am unable to get pfSense to connect. I have upgraded to Plus and still no success.
pfSense can successfully connect to the server only when DCO is disabled.
When connecting the logs show:
Jul 15 18:06:29 openvpn 10388 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 15 18:06:29 openvpn 10388 Re-using SSL/TLS context
Jul 15 18:06:29 openvpn 10388 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 15 18:06:29 openvpn 10388 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 15 18:06:29 openvpn 10388 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
Jul 15 18:06:29 openvpn 10388 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
Jul 15 18:06:29 openvpn 10388 TCP/UDP: Preserving recently used remote address: [AF_INET]217.79.246.87:1194
Jul 15 18:06:29 openvpn 10388 Socket Buffers: R=[42080->42080] S=[57344->57344]
Jul 15 18:06:29 openvpn 10388 UDPv4 link local (bound): [AF_INET]59.X.X.38:0
Jul 15 18:06:29 openvpn 10388 UDPv4 link remote: [AF_INET]217.79.246.87:1194
Jul 15 18:06:29 openvpn 10388 UDPv4 WRITE [54] to [AF_INET]217.79.246.87:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ 3271706817 163681661 448585414 1189600341 1328648225 230946846 1238771091 3346107648 358 2497217792 0 ]
Jul 15 18:06:29 openvpn 10388 UDPv4 READ [66] from [AF_INET]217.79.246.87:1194: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 602216835 1536806634 505354015 84517982 3189720618 584947517 565733715 3460801536 358 2497217793 0 3078965380 2744275520 0 ]
Jul 15 18:06:29 openvpn 10388 TLS: Initial packet from [AF_INET]217.79.246.87:1194, sid=745a67fd 11474265
Jul 15 18:06:29 openvpn 10388 UDPv4 WRITE [343] to [AF_INET]217.79.246.87:1194: P_CONTROL_V1 kid=0 [ 2046057050 1835633095 2149535230 4154592283 2741112754 1007729188 3493566608 1329765632 614 2497217793 0 1952081917 289882725 1 369295617 268500993 201524169 2743033102 2946575512 1656269453 690549378 1512021624 1526343704 1361805304
Jul 15 18:06:29 openvpn 10388 UDPv4 READ [1316] from [AF_INET]217.79.246.87:1194: P_CONTROL_V1 kid=0 [ 639665794 3608902208 684368300 754031561 241876855 3796598949 1380272558 1947329792 614 2497217793 1 3078965380 2744275520 1 369296128 2046951424 1979909033 2655092133 85544478 2661151404 3932064512 2692711802 1814882742 1701723033 42
Jul 15 18:06:29 openvpn 10388 UDPv4 WRITE [66] to [AF_INET]217.79.246.87:1194: P_ACK_V1 kid=0 [ 2649727339 2374804982 3294694399 3726374217 3136333194 1568250625 1891230971 4075406592 870 2497217794 1 0 1952081917 289882725 ] DATA len=0
Jul 15 18:06:29 openvpn 10388 UDPv4 READ [1221] from [AF_INET]217.79.246.87:1194: P_CONTROL_V1 kid=0 [ 2740298411 2278532280 3853108063 1986698339 3796630867 3651098957 767890291 26151936 870 2497217793 1 3078965380 2744275520 2 74609651 3080420293 503431491 424372453 2670296463 2180756825 508192279 314949362 3931236717 1967514348 3876
Jul 15 18:06:29 openvpn 10388 VERIFY WARNING: depth=0, unable to get certificate CRL: CN=au-syd-dc1-g1.cloud.openvpn.net
Jul 15 18:06:29 openvpn 10388 VERIFY WARNING: depth=1, unable to get certificate CRL: CN=CloudVPN Prod CA
Jul 15 18:06:29 openvpn 10388 VERIFY OK: depth=1, CN=CloudVPN Prod CA
Jul 15 18:06:29 openvpn 10388 VERIFY KU OK
Jul 15 18:06:29 openvpn 10388 Validating certificate extended key usage
Jul 15 18:06:29 openvpn 10388 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jul 15 18:06:29 openvpn 10388 VERIFY EKU OK
Jul 15 18:06:29 openvpn 10388 VERIFY OK: depth=0, CN=au-syd-dc1-g1.cloud.openvpn.net
Jul 15 18:06:29 openvpn 10388 UDPv4 WRITE [1222] to [AF_INET]217.79.246.87:1194: P_CONTROL_V1 kid=0 [ 1277589364 2909044950 1383717250 2619481010 390930294 214899426 821692837 2960280320 1126 2497217795 2 1 0 1952081917 289882725 2 335741696 16848643 50774977 1606278240 1109139349 1031630411 577341079 754951971 1551728405 1666316873 2
Jul 15 18:06:29 openvpn 10388 UDPv4 WRITE [1222] to [AF_INET]217.79.246.87:1194: P_CONTROL_V1 kid=0 [ 2063638536 1491074508 3619849320 3991465294 3166827868 350836862 238172678 2007068672 1382 2497217795 2 1 0 1952081917 289882725 3 2733235437 1540021768 1460789566 2452037163 298507316 4090994762 2013337209 1596240125 3289633226 10042
Jul 15 18:06:29 openvpn 10388 UDPv4 WRITE [476] to [AF_INET]217.79.246.87:1194: P_CONTROL_V1 kid=0 [ 3079122067 3591097406 2580266985 1528351229 979459254 2677091582 1088655703 659418624 1638 2497217795 2 1 0 1952081917 289882725 4 3873016031 3397801380 317171169 2856334794 1660658235 1962450063 1390168575 2890971837 1712276135 42754
Jul 15 18:06:29 openvpn 10388 UDPv4 READ [66] from [AF_INET]217.79.246.87:1194: P_ACK_V1 kid=0 [ 3630216415 1303087030 2783441238 3106735677 3738604247 2008823103 2180959439 900946944 1126 2497217794 1 2 3078965380 2744275520 ] DATA len=0
Jul 15 18:06:29 openvpn 10388 UDPv4 READ [232] from [AF_INET]217.79.246.87:1194: P_CONTROL_V1 kid=0 [ 3428508013 3176650425 3202963728 2951137159 4158798474 3905002673 135940960 1177910784 1382 2497217795 1 2 3 3078965380 2744275520 3 386073344 1257119321 3790448602 1162219707 2884110330 2606048067 1956472171 4237057642 2385064503 977
Jul 15 18:06:29 openvpn 10388 UDPv4 WRITE [74] to [AF_INET]217.79.246.87:1194: P_ACK_V1 kid=0 [ 2502739718 3638745475 4030763835 1698636283 2787477690 2518424133 1932529287 3700357120 1894 2497217796 3 2 1 0 1952081917 289882725 ] DATA len=0
Jul 15 18:06:29 openvpn 10388 UDPv4 READ [311] from [AF_INET]217.79.246.87:1194: P_CONTROL_V1 kid=0 [ 2084293099 3313678705 2066164763 1276107439 889770240 2553300487 3258836716 3530962944 1638 2497217796 1 2 3 4 3078965380 2744275520 4 386073344 3832117239 596138148 298700336 3191277019 1782657312 3519762578 757474373 620844026 10034
Jul 15 18:06:29 openvpn 10388 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
Jul 15 18:06:29 openvpn 10388 [au-syd-dc1-g1.cloud.openvpn.net] Peer Connection Initiated with [AF_INET]217.79.246.87:1194
Jul 15 18:06:29 openvpn 10388 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Jul 15 18:06:29 openvpn 10388 TLS: tls_multi_process: initial untrusted session promoted to trusted
Jul 15 18:06:29 openvpn 10388 UDPv4 WRITE [78] to [AF_INET]217.79.246.87:1194: P_ACK_V1 kid=0 [ 3248587709 3625700871 1157535337 3938136153 1310346412 914630358 2500750799 3990174976 2150 2497217797 4 3 2 1 0 1952081917 289882725 ] DATA len=0
Jul 15 18:06:30 openvpn 10388 SENT CONTROL [au-syd-dc1-g1.cloud.openvpn.net]: 'PUSH_REQUEST' (status=1)
Jul 15 18:06:30 openvpn 10388 UDPv4 WRITE [113] to [AF_INET]217.79.246.87:1194: P_CONTROL_V1 kid=0 [ 441420791 3471552601 1354595709 2552893734 2052982207 966294088 530683088 4005103616 2406 2497217796 4 3 2 1 1952081917 289882725 5 386073344 516821556 2550504285 1106332806 3180867454 3476826972 1937080555 4037055843 ]
Jul 15 18:06:30 openvpn 10388 UDPv4 READ [74] from [AF_INET]217.79.246.87:1194: P_ACK_V1 kid=0 [ 2903027641 3129723400 4094134490 1813922887 596697076 1486243771 3464266979 946606848 1894 2497217796 2 3 4 5 3078965380 2744275520 ] DATA len=0
Jul 15 18:06:30 openvpn 10388 UDPv4 READ [869] from [AF_INET]217.79.246.87:1194: P_CONTROL_V1 kid=0 [ 2649987715 339388761 2471731341 93891697 2736112724 882742394 325345776 1923569408 2150 2497217796 2 3 4 5 3078965380 2744275520 5 386073347 309768745 1902296830 1268598362 3914296469 3305084448 1655808328 39490497 4216255579 29230172
Jul 15 18:06:30 openvpn 10388 PUSH: Received control message: 'PUSH_REPLY,route-gateway 100.32.50.1,ifconfig 100.32.50.6 255.255.255.240,ifconfig-ipv6 fd:0:0:8103::a/64 fd:0:0:8103::1,client-ip 59.X.X.38,ping 8,ping-restart 40,reneg-sec 3600,key-derivation tls-ekm,topology subnet,explicit-exit-notify,remote-cache-lifetime 86400,block-outside-dns,route 100.32.50.0 255.255.255.0,route-ipv6 fd:0:0:8000::/49,route 100.80.0.0 255.240.0.0,route-ipv6 fd:0:0:4000::/50,route 10.27.50.0 255.255.255.0,route 192.168.1.0 255.255.255.0,dhcp-option DNS 100.32.50.1,auth-tokenSESS_ID,auth-token-user bmVhbHN0bWMtY29tLWF1L2Nvbm5lY3Rvci84NTlhNGJnNi1mMDRlLTQ3OGItOWFlNi1lNzFjZGMyOTVmZWRfOTI2OTU5OTUtMzM3NC00MjIwLWJlYmItNzZiOTQ1MmE0YjU0'
Jul 15 18:06:30 openvpn 10388 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: client-ip (2.6.8)
Jul 15 18:06:30 openvpn 10388 Options error: option 'reneg-sec' cannot be used in this context ([PUSH-OPTIONS])
Jul 15 18:06:30 openvpn 10388 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:11: remote-cache-lifetime (2.6.8)
Jul 15 18:06:30 openvpn 10388 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:12: block-outside-dns (2.6.8)
Jul 15 18:06:30 openvpn 10388 OPTIONS IMPORT: --ifconfig/up options modified
Jul 15 18:06:30 openvpn 10388 OPTIONS IMPORT: route options modified
Jul 15 18:06:30 openvpn 10388 OPTIONS IMPORT: route-related options modified
Jul 15 18:06:30 openvpn 10388 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jul 15 18:06:30 openvpn 10388 OPTIONS IMPORT: Server did not request DATA_V2 packet format required for data channel offload
Jul 15 18:06:30 openvpn 10388 OPTIONS ERROR: pushed options are incompatible with data channel offload. Use --disable-dco to connect to this server
Jul 15 18:06:30 openvpn 10388 ERROR: Failed to apply push options
Jul 15 18:06:30 openvpn 10388 Failed to open tun/tap interface
Jul 15 18:06:30 openvpn 10388 TCP/UDP: Closing socket
Jul 15 18:06:30 openvpn 10388 SIGUSR1[soft,process-push-msg-failed] received, process restarting
Jul 15 18:06:30 openvpn 10388 Restart pause, 32 second(s)
Can anyone suggest why this will not connect?
Unless I can get this working I will need to ditch pfSense.
-
This :
@McMurphy said in DCO unable to connect (unsolvable):
Jul 15 18:06:30 openvpn 10388 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: client-ip (2.6.8)
Jul 15 18:06:30 openvpn 10388 Options error: option 'reneg-sec' cannot be used in this context ([PUSH-OPTIONS])
Jul 15 18:06:30 openvpn 10388 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:11: remote-cache-lifetime (2.6.8)
Jul 15 18:06:30 openvpn 10388 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:12: block-outside-dns (2.6.8)
Jul 15 18:06:30 openvpn 10388 OPTIONS IMPORT: --ifconfig/up options modified
Jul 15 18:06:30 openvpn 10388 OPTIONS IMPORT: route options modified
Jul 15 18:06:30 openvpn 10388 OPTIONS IMPORT: route-related options modified
Jul 15 18:06:30 openvpn 10388 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jul 15 18:06:30 openvpn 10388 OPTIONS IMPORT: Server did not request DATA_V2 packet format required for data channel offload
Jul 15 18:06:30 openvpn 10388 OPTIONS ERROR: pushed options are incompatible with data channel offload. Use --disable-dco to connect to this server
tells me that the openvpn server was contacted by an openvpn client that uses a config that doesn't match with the server.
Or : the openVPN client isn't in sync with "2.6.8". I see server ERRORS, so the openvpn admin has some work to do.
Check the OpenVPN client version. Is it 2.6.8, or close to that ? You can get one here : https://openvpn.net/client/client-connect-vpn-for-windows/ for free.
And, to be sure, re-export the client config using OpenVPN > Client Export Utility and give the new ovpn file to the client.
Btw : the fun part is :
I've DCO checked - don't know what it is and my openvpn client (an iOS Apple app, but it's the same client, same source) works just fine. PC : same thing. I don't, afaik, push routes etc.
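As an added example (not code from the thread or from OpenVPN), a small Python parser for the pushed-options part of the pfSense client log above: it extracts what the server pushed, which options this client rejected and why, and whether the missing DATA_V2 request is what makes the DCO tunnel fail. The sample log lines are constructed from the thread's log, with the routes and the auth-token entries left out.

```python
import re

# Constructed sample: entries copied from the pfSense OpenVPN client log in the thread
# (routes and the auth-token part of the PUSH_REPLY are omitted for brevity).
SAMPLE_LOG = """\
Jul 15 18:06:30 openvpn 10388 PUSH: Received control message: 'PUSH_REPLY,route-gateway 100.32.50.1,ifconfig 100.32.50.6 255.255.255.240,ifconfig-ipv6 fd:0:0:8103::a/64 fd:0:0:8103::1,client-ip 59.X.X.38,ping 8,ping-restart 40,reneg-sec 3600,key-derivation tls-ekm,topology subnet,explicit-exit-notify,remote-cache-lifetime 86400,block-outside-dns,dhcp-option DNS 100.32.50.1'
Jul 15 18:06:30 openvpn 10388 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: client-ip (2.6.8)
Jul 15 18:06:30 openvpn 10388 Options error: option 'reneg-sec' cannot be used in this context ([PUSH-OPTIONS])
Jul 15 18:06:30 openvpn 10388 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:11: remote-cache-lifetime (2.6.8)
Jul 15 18:06:30 openvpn 10388 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:12: block-outside-dns (2.6.8)
Jul 15 18:06:30 openvpn 10388 OPTIONS IMPORT: Server did not request DATA_V2 packet format required for data channel offload
Jul 15 18:06:30 openvpn 10388 OPTIONS ERROR: pushed options are incompatible with data channel offload. Use --disable-dco to connect to this server
Jul 15 18:06:30 openvpn 10388 ERROR: Failed to apply push options
"""

def parse_push_reply(log):
    """Return the server's pushed options as (directive, arguments) pairs, in push order."""
    m = re.search(r"PUSH: Received control message: 'PUSH_REPLY,(.*)'", log)
    if not m:
        return []
    pairs = []
    for item in m.group(1).split(","):
        name, _, args = item.strip().partition(" ")
        pairs.append((name, args))
    return pairs

def rejected_options(log):
    """Map each pushed option the client refused to the reason it gave."""
    rejected = {}
    for line in log.splitlines():
        m = re.search(r"Options error: Unrecognized option .*\[PUSH-OPTIONS\]:\d+: (\S+)", line)
        if m:
            rejected[m.group(1)] = "unrecognized by this client version"
            continue
        m = re.search(r"Options error: option '([^']+)' cannot be used in this context", line)
        if m:
            rejected[m.group(1)] = "not allowed as a pushed option"
    return rejected

def dco_verdict(log):
    """Decide whether the failure is the DCO mismatch the log reports: the server never asked
    for the DATA_V2 packet format, so the client refuses to bring up an offloaded tunnel."""
    no_data_v2 = "Server did not request DATA_V2 packet format" in log
    dco_error = "pushed options are incompatible with data channel offload" in log
    return {"dco_incompatible": dco_error,
            "server_requested_data_v2": not no_data_v2,
            "workaround": "--disable-dco" if dco_error else None}
```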
-
Thanks. I do not have any access or control of the server services. It is a commercial service provided by openvpn.net called CloudConnexa
https://openvpn.net/
The OpenVPN Client I am using is pfSense
-
@McMurphy said in DCO unable to connect (unsolvable):
The OpenVPN Client I am using is pfSense
Ah ... ok, didn't know that.
So, your side is up to date, but the VPN server you use isn't.
Well, in that case, yeah, that's an issue, as downgrading the openvpn client on the pfSense side isn't an option.
But you can still make your connection work.
Get the manual of the openvpn client, and see what options you shouldn't use when using an outdated openvpn server.
Btw : DCO is a new thing, added to openvpn by Netgate, and is very recent. Both sides have to support it, and your server side probably doesn't.
@McMurphy said in DCO unable to connect (unsolvable):
openvpn.net called CloudConnexa
Based upon the ovpn client file, you can deduce the openvpn server version.
-
The server does support it as I can connect successfully using both the Windows Connect client and Linux, both with DCO enabled.
Here is the log from the Windows Connect client, which works with DCO:
[Jul 15, 2024, 09:30:32] Connected via ovpn-dco-win
[Jul 15, 2024, 09:30:32] EVENT: CONNECTED mysite/connector/859a4bf6-f04e-478b-9ae6-e71cdc295fed_92695995-3374-4220-bebb-76b9452a4b54@au-syd.gw.openvpn.com:1194 (217.79.246.86) via 58.X.X.47/UDP-DCO on ovpn-dco-win/100.32.50.6/fd:0:0:8103::a gw=[100.32.50.1/fd:0:0:8103::1] mtu=(default)
-
Ah ! More useful information !
So you have an ovpn config file at your disposal that works.
Use the console or SSH, go to /var/etc/openvpn/ and there you will find a client1 sub folder.
In that folder you will find the client config.ovpn file. This file has been built with the pfSense GUI options you've selected.
Compare this file with the ovpn file you use with the Windows OpenVPN Connect client.
-
@Gertjan said in DCO unable to connect (unsolvable):
Btw : DCO is a new thing, added to openvpn by Netgate, and is very recent.
Little correction here, DCO was added to OpenVPN mainly by OpenVPN dev Antonio Quartulli.
-
Here is the OVPN file as generated by CloudConnexa. This file works in the Windows OpenVPN Connect app and in Linux, but not in pfSense.
setenv USERNAME "mycoy-com-au/connector/859a4bf6-f04e-478b-9ae6-e71cdc295fed_92695995-3374-4220-bebb-76b9452a4b54"
# OVPN_WEBAUTH_FRIENDLY_USERNAME=mycoy-com-au/Burb/Name
# OVPN_FRIENDLY_PROFILE_NAME=Burb@mycoy-com-au.openvpn.com [Sydney]
client
dev tun
remote au-syd.gw.openvpn.com 1194 udp
remote au-syd.gw.openvpn.com 1194 udp
remote au-syd.gw.openvpn.com 443 tcp
remote au-syd.gw.openvpn.com 1194 udp
remote au-syd.gw.openvpn.com 1194 udp
remote au-syd.gw.openvpn.com 1194 udp
remote au-syd.gw.openvpn.com 1194 udp
remote au-syd.gw.openvpn.com 1194 udp
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
persist-tun
nobind
verb 3
socket-flags TCP_NODELAY
push-peer-info
-
Did you compare this file with the one you've found on pfSense, created by the GUI ?
When I look at your config file shown above, I see "cipher AES-256-CBC" : that cypher mode has been abandoned on recent OpenVPN versions.
Also : no TLS ??
And why is the same line
remote au-syd.gw.openvpn.com 1194 udp
listed multiple times ?
-
@Gertjan said in DCO unable to connect (unsolvable):
Btw : DCO is a new thing, added to openvpn by Netgate, and is very recent. Both sides have to support it, and your server side probably doesn't.
That's incorrect. DCO is not a protocol change and there is no need for both sides to support it.
@Pippin said:
Little correction here, DCO was added to OpenVPN mainly by OpenVPN dev Antonio Quartulli.
True for the Linux support. The FreeBSD implementation was done by Netgate. The Windows version mostly by OpenVPN's Lev Stipakov.
-
Here's the pfSense generated file that does not connect:
dev ovpnc3
verb 6
dev-type tun
dev-node /dev/tun3
writepid /var/run/openvpn_client3.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 59.154.46.38
tls-client
lport 0
management /var/etc/openvpn/client3/sock unix
remote au-syd.gw.openvpn.com 1194 udp4
pull
capath /var/etc/openvpn/client3/ca
cert /var/etc/openvpn/client3/cert
key /var/etc/openvpn/client3/key
tls-auth /var/etc/openvpn/client3/tls-auth 1
data-ciphers AES-256-GCM
data-ciphers-fallback AES-256-GCM
allow-compression no
resolv-retry infinite
explicit-exit-notify 1
route-nopull
-
@McMurphy said in DCO unable to connect (unsolvable):
data-ciphers AES-256-GCM
data-ciphers-fallback AES-256-GCM
This is not really meaningful, and apart from this it differs from the Windows settings, where AES-256-CBC is used.
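The comparison Gertjan suggests between the pfSense-generated client config and the CloudConnexa export, as an added example (not code from the thread or from pfSense): a directive-level parser for OpenVPN profiles that reports which directives exist in only one file, which are set differently in both, and which lines are repeated verbatim (the duplicated remote lines asked about above). The two profiles are abridged copies of the ones posted in the thread.

```python
import shlex
from collections import Counter

# Constructed: abridged copies of the two profiles posted in the thread, the
# CloudConnexa export (A) and the pfSense-generated client3 config (B).
CLOUD_PROFILE = """\
client
dev tun
remote au-syd.gw.openvpn.com 1194 udp
remote au-syd.gw.openvpn.com 1194 udp
remote au-syd.gw.openvpn.com 443 tcp
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
"""
PFSENSE_PROFILE = """\
dev ovpnc3
proto udp4
auth SHA256
tls-client
remote au-syd.gw.openvpn.com 1194 udp4
tls-auth /var/etc/openvpn/client3/tls-auth 1
data-ciphers AES-256-GCM
data-ciphers-fallback AES-256-GCM
"""

def parse_profile(text):
    """Map each directive to the argument tuples it appears with, in file order.
    Blank lines and '#'/';' comment lines are skipped; quoted arguments stay whole."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line, comments=True)
        directives.setdefault(tokens[0], []).append(tuple(tokens[1:]))
    return directives

def duplicate_lines(text):
    """Directive lines repeated verbatim, with their count."""
    counts = Counter(l.strip() for l in text.splitlines() if l.strip())
    return {line: n for line, n in counts.items() if n > 1}

def compare_profiles(a, b):
    """Directives in only one profile, plus those in both but with different arguments."""
    da, db = parse_profile(a), parse_profile(b)
    return {"only_in_a": sorted(set(da) - set(db)),
            "only_in_b": sorted(set(db) - set(da)),
            "differ": sorted(k for k in da.keys() & db.keys() if da[k] != db[k])}
```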