DCO unable to connect (unsolvable)
-
This :
@McMurphy said in DCO unable to connect (unsolvable):
Jul 15 18:06:30 openvpn 10388 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: client-ip (2.6.8)
Jul 15 18:06:30 openvpn 10388 Options error: option 'reneg-sec' cannot be used in this context ([PUSH-OPTIONS])
Jul 15 18:06:30 openvpn 10388 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:11: remote-cache-lifetime (2.6.8)
Jul 15 18:06:30 openvpn 10388 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:12: block-outside-dns (2.6.8)
Jul 15 18:06:30 openvpn 10388 OPTIONS IMPORT: --ifconfig/up options modified
Jul 15 18:06:30 openvpn 10388 OPTIONS IMPORT: route options modified
Jul 15 18:06:30 openvpn 10388 OPTIONS IMPORT: route-related options modified
Jul 15 18:06:30 openvpn 10388 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jul 15 18:06:30 openvpn 10388 OPTIONS IMPORT: Server did not request DATA_V2 packet format required for data channel offload
Jul 15 18:06:30 openvpn 10388 OPTIONS ERROR: pushed options are incompatible with data channel offload. Use --disable-dco to connect to this server
tells me that the openvpn server was contacted by an openvpn client that uses a config that doesn't match with the server.
Or : the openVPN client isn't in sync with "2.6.8". I see server ERRORS, so the openvpn admin has some work to do.
Check the OpenVPN client version. Is it 2.6.8, or close to that ? You can get one here : https://openvpn.net/client/client-connect-vpn-for-windows/ for free.
And, to be sure, re-export the client config using OpenVPN > Client Export Utility and give the new ovpn file to the client.
Btw : the fun part is :
I've DCO checked - don't know what it is - and my openvpn client (an iOS Apple app, but it's the same client, same source) works just fine. PC : same thing. I don't, afaik, push routes etc.
-
Thanks. I do not have any access or control of the server services. It is a commercial service provided by openvpn.net called CloudConnexa
https://openvpn.net/
The OpenVPN Client I am using is pfSense
-
@McMurphy said in DCO unable to connect (unsolvable):
The OpenVPN Client I am using is pfSense
Ah ... ok, didn't know that.
So, your side is up to date, but the VPN server you use isn't.
Well, in that case, yeah, that's an issue. As downgrading the openvpn client on the pfSense side isn't an option.
But you can still make your connection work.
Get the manual of openvpn client, and see what options you shouldn't use when using an outdated openvpn server.
Btw : DCO is a new thing, added to openvpn by Netgate, and is very recent. Both sides have to support it, and your server side probably doesn't.
@McMurphy said in DCO unable to connect (unsolvable):
openvpn.net called CloudConnexa
Based upon the ovpn client file, you can deduce the openvpn server version.
-
The server does support it as I can connect successfully using both the Windows Connect client and Linux, both with DCO enabled.
Here is the log from the Windows Connect client which works with DCO
[Jul 15, 2024, 09:30:32] Connected via ovpn-dco-win
[Jul 15, 2024, 09:30:32] EVENT: CONNECTED mysite/connector/859a4bf6-f04e-478b-9ae6-e71cdc295fed_92695995-3374-4220-bebb-76b9452a4b54@au-syd.gw.openvpn.com:1194 (217.79.246.86) via 58.X.X.47/UDP-DCO on ovpn-dco-win/100.32.50.6/fd:0:0:8103::a gw=[100.32.50.1/fd:0:0:8103::1] mtu=(default)
-
Ah ! More useful information !
So you have an ovpn config file at your disposal that works.
Use the console or SSH, go to /var/etc/openvpn/ and there you will find a client1 sub folder.
In that folder you will find the client config.ovpn file. This file has been built with the pfSense GUI options you've selected.
Compare this file with the ovpn file you use with the Windows OpenVPN connect client.
-
@Gertjan said in DCO unable to connect (unsolvable):
Btw : DCO is a new thing, added to openvpn by Netgate, and is very recent.
Little correction here, DCO was added to OpenVPN mainly by OpenVPN dev Antonio Quartulli.
-
Here is the OVPN file as generated by CloudConnexa. This file works in the Windows OpenVPN connect app and in Linux but not in pfSense.
setenv USERNAME "mycoy-com-au/connector/859a4bf6-f04e-478b-9ae6-e71cdc295fed_92695995-3374-4220-bebb-76b9452a4b54"
# OVPN_WEBAUTH_FRIENDLY_USERNAME=mycoy-com-au/Burb/Name
# OVPN_FRIENDLY_PROFILE_NAME=Burb@mycoy-com-au.openvpn.com [Sydney]
client
dev tun
remote au-syd.gw.openvpn.com 1194 udp
remote au-syd.gw.openvpn.com 1194 udp
remote au-syd.gw.openvpn.com 443 tcp
remote au-syd.gw.openvpn.com 1194 udp
remote au-syd.gw.openvpn.com 1194 udp
remote au-syd.gw.openvpn.com 1194 udp
remote au-syd.gw.openvpn.com 1194 udp
remote au-syd.gw.openvpn.com 1194 udp
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
persist-tun
nobind
verb 3
socket-flags TCP_NODELAY
push-peer-info
-
Did you compare this file with the one you've found on pfSense, created by the GUI ?
When I look at your config file shown above, I see "cipher AES-256-CBC" : that cipher mode has been abandoned on recent OpenVPN versions.
Also : no TLS ??
And why is the same line
remote au-syd.gw.openvpn.com 1194 udp
listed multiple times ?
-
@Gertjan said in DCO unable to connect (unsolvable):
Btw : DCO is a new thing, added to openvpn by Netgate, and is very recent. Both sides have to support it, and your server side probably doesn't.
That's incorrect. DCO is not a protocol change and there is no need for both sides to support it.
@Pippin said:
Little correction here, DCO was added to OpenVPN mainly by OpenVPN dev Antonio Quartulli.
True for the Linux support. The FreeBSD implementation was done by Netgate. The Windows version mostly by OpenVPN's Lev Stipakov.
-
Here's the pfSense generated file that does not connect:
dev ovpnc3
verb 6
dev-type tun
dev-node /dev/tun3
writepid /var/run/openvpn_client3.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 59.154.46.38
tls-client
lport 0
management /var/etc/openvpn/client3/sock unix
remote au-syd.gw.openvpn.com 1194 udp4
pull
capath /var/etc/openvpn/client3/ca
cert /var/etc/openvpn/client3/cert
key /var/etc/openvpn/client3/key
tls-auth /var/etc/openvpn/client3/tls-auth 1
data-ciphers AES-256-GCM
data-ciphers-fallback AES-256-GCM
allow-compression no
resolv-retry infinite
explicit-exit-notify 1
route-nopull
-
@McMurphy said in DCO unable to connect (unsolvable):
data-ciphers AES-256-GCM
data-ciphers-fallback AES-256-GCM
This is not really meaningful, and apart from this it differs from the Windows settings, where AES-256-CBC is used.
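The file comparison suggested in this thread can be done directive by directive instead of by eye. The following is an added example, not part of any post and not pfSense or OpenVPN code; the function names are hypothetical and the two profiles are shortened excerpts of the ones posted above.

```python
from collections import defaultdict

# Shortened excerpts of the two profiles posted in this thread, one directive per line.
CLOUDCONNEXA = """\
client
dev tun
remote au-syd.gw.openvpn.com 1194 udp
remote au-syd.gw.openvpn.com 443 tcp
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
push-peer-info
"""
PFSENSE = """\
dev ovpnc3
#user nobody
proto udp4
auth SHA256
tls-client
remote au-syd.gw.openvpn.com 1194 udp4
pull
data-ciphers AES-256-GCM
data-ciphers-fallback AES-256-GCM
route-nopull
"""

def parse_profile(text):
    """Map each directive to its distinct argument strings; skip blanks and comments."""
    directives = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *rest = line.split()
        args = " ".join(rest)
        # "client" is a helper directive equivalent to "pull" plus "tls-client".
        for key in (("pull", "tls-client") if name == "client" else (name,)):
            if args not in directives[key]:
                directives[key].append(args)
    return dict(directives)

def compare_profiles(left, right):
    """Return (only_left, only_right, changed) dictionaries for two profile texts."""
    a, b = parse_profile(left), parse_profile(right)
    changed = {k: (a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k]}
    return ({k: a[k] for k in a.keys() - b.keys()},
            {k: b[k] for k in b.keys() - a.keys()}, changed)

if __name__ == "__main__":
    print(compare_profiles(CLOUDCONNEXA, PFSENSE))
```

On these excerpts the cipher directives and `route-nopull` show up as one-sided, while `client` on one side and `pull` plus `tls-client` on the other are treated as the same setting.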