Netgate Discussion Forum

    OPENVPN DCO pfsense 25.07.1

    9 Posts 3 Posters 301 Views 3 Watching
      Antibiotic

      Can somebody please confirm that DCO is working with OpenVPN? From my side, after transferring to 25.07.1, it looks like DCO is not working. Before, I had an internet speed of almost 1 gb with DCO; now it is not more than 200 mb. The same provider, the same servers?

      pfSense plus 25.07.1 on Topton mini PC
      CPU: Intel N100
      NIC: Intel i-226v 4 pcs
      RAM : 16 GB DDR5
      Disk: 128 GB NVMe
      Brgds, Archi

        Gertjan @Antibiotic

        @Antibiotic

        I found many lines, one for every connection, in the OpenVPN server log:

        1d1432d5-a3dc-4334-ae3f-f68978112d35-image.png

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

          Antibiotic @Gertjan

          @Gertjan Hello, I mean DCO is in use, but it looks like it doesn't help at all.

            yon 0 @Antibiotic

            How do you configure DCO? I can't start pfsense successfully. Ubuntu shows success, but pfsense cannot establish an interface.

              Antibiotic @yon 0

              @yon-0 What do you mean?

                yon 0 @Antibiotic

                @Antibiotic

                Aug 21 04:07:48 openvpn 60812 Data Channel Offload doesn't support DATA_V1 packets. Upgrade your server to 2.4.5 or newer.
                Aug 21 04:07:34 openvpn 60812 peer info: IV_PROTO=746
                Aug 21 04:07:34 openvpn 60812 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
                Aug 21 04:07:33 openvpn 60812 UDPv6 link remote: [AF_INET6]2602:::1:51758
                Aug 21 04:07:33 openvpn 60812 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                Aug 21 04:07:32 openvpn 60812 SIGUSR1[soft,process-push-msg-failed] received, process restarting
                Aug 21 04:07:32 openvpn 60812 Failed to open tun/tap interface
                Aug 21 04:07:32 openvpn 60812 ERROR: Failed to apply push options
                Aug 21 04:07:32 openvpn 60812 OPTIONS ERROR: pushed options are incompatible with data channel offload. Use --disable-dco to connect to this server
                Aug 21 04:07:32 openvpn 60812 OPTIONS IMPORT: Server did not request DATA_V2 packet format required for data channel offload
                Aug 21 04:07:31 openvpn 60812 [server] Peer Connection Initiated with [AF_INET6]2602::1:51758
                Aug 21 04:07:31 openvpn 60812 peer info: IV_PROTO=746
                Aug 21 04:07:31 openvpn 60812 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
                Aug 21 04:07:30 openvpn 60763 DCO version: FreeBSD 15.0-CURRENT #0 plus-RELENG_25_07_1-n256513-49844af35a5d: Fri Aug 15 19:21:04 UTC 2025 root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-25_07_1-main/obj/amd64/DZizCvOj/var/jenkins/workspace/pfSense-Plus-snapshots-25_07_1-main/sources
                Aug 21 04:07:30 openvpn 60763 library versions: OpenSSL 3.0.16 11 Feb 2025, LZO 2.10
                Aug 21 04:07:30 openvpn 60763 OpenVPN 2.6.14 amd64-portbld-freebsd15.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
                Aug 21 04:07:30 openvpn 60763 Note: ignoring --dev-node as it has no effect when using data channel offload
                
                  Antibiotic @yon 0

                  @yon-0 In OpenVPN, DATA_V1 refers to the original format used for encrypted data packets exchanged between client and server. This format was standard in OpenVPN versions 2.4.0 to 2.4.4.
                  However, with the introduction of DCO — which offloads encryption and packet handling to the kernel for performance gains — the older DATA_V1 format becomes problematic. The DCO driver doesn’t understand it, so packets sent in this format are essentially ignored or dropped silently. If you're running:
                  • OpenVPN server 2.4.0–2.4.4
                  • And a DCO-enabled client (e.g., OpenVPN GUI 2.6.x)
                  You’ll likely hit a wall: the server sends DATA_V1 packets, but the client’s DCO driver expects DATA_V2, introduced in OpenVPN 2.4.5+. Result? No data flow, broken tunnel.
                  How to Fix It
                  You’ve got two options:

                  1. Upgrade the Server
                    • Move to OpenVPN 2.4.5 or newer, which uses DATA_V2 format compatible with DCO.
                  2. Disable DCO on the Client

                  Pro Tip
                  If you're using pfSense or FreeBSD with OpenVPN DCO, make sure:
                  • Your server supports DATA_V2
                  • Your tunnel uses TLS-based encryption (required for DCO)
                  • You're using AES-GCM or ChaCha20-Poly1305 ciphers (DCO limitation)

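Added example, not part of any post in this thread: a small triage script for the OpenVPN log lines posted earlier, which flags the DCO negotiation failures and checks whether the peer advertised DATA_V2 in `IV_PROTO` (bit 1 of that value is the DATA_V2 capability flag). The sample lines are copied from the thread and reordered oldest first; the function name and finding labels are this example's own.

```python
import re

# Lines copied from the log posted in this thread, oldest first.
SAMPLE_LOG = """\
Aug 21 04:07:30 openvpn 60763 OpenVPN 2.6.14 amd64-portbld-freebsd15.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
Aug 21 04:07:31 openvpn 60812 peer info: IV_PROTO=746
Aug 21 04:07:32 openvpn 60812 OPTIONS IMPORT: Server did not request DATA_V2 packet format required for data channel offload
Aug 21 04:07:32 openvpn 60812 OPTIONS ERROR: pushed options are incompatible with data channel offload. Use --disable-dco to connect to this server
Aug 21 04:07:32 openvpn 60812 Failed to open tun/tap interface
Aug 21 04:07:48 openvpn 60812 Data Channel Offload doesn't support DATA_V1 packets. Upgrade your server to 2.4.5 or newer.
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) openvpn (\d+) (.*)$")
IV_PROTO_DATA_V2 = 1 << 1  # bit 1 of IV_PROTO: peer is able to use DATA_V2

# Message substring -> finding label (labels are hypothetical, chosen here).
MARKERS = {
    "did not request DATA_V2": "data_v2_not_negotiated",
    "incompatible with data channel offload": "dco_options_rejected",
    "Failed to open tun/tap": "interface_not_created",
    "doesn't support DATA_V1": "data_v1_received",
}

def triage(log_text):
    """Return DCO-related facts and failures found in OpenVPN log text."""
    report = {"dco_build": False, "peer_data_v2": None, "findings": []}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an openvpn log line in the expected layout
        ts, _pid, msg = m.groups()
        if "[DCO]" in msg:
            report["dco_build"] = True  # binary was built with DCO support
        proto = re.search(r"IV_PROTO=(\d+)", msg)
        if proto:
            flags = int(proto.group(1))
            report["peer_data_v2"] = bool(flags & IV_PROTO_DATA_V2)
        for needle, label in MARKERS.items():
            if needle in msg:
                report["findings"].append((ts, label))
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample, the peer's `IV_PROTO=746` has the DATA_V2 bit set, yet the session still logs that DATA_V2 was not requested, so the mismatch is in what was negotiated for the session rather than in what the peer is able to do.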
                    yon 0 @Antibiotic

                    @Antibiotic

                    I am using:
                    OpenVPN 2.6.14 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
                    library versions: OpenSSL 3.4.1 11 Feb 2025, LZO 2.10

                    pfsense plus 25.0.7.1

                    mode p2p

                    How do DATA_V2 format ?

                      Antibiotic @yon 0

                      @yon-0 If you ever connect to older OpenVPN servers (e.g., 2.4.0–2.4.4), you’ll need to disable DCO on your client to fall back to DATA_V1:
                      The DATA_V2 format in OpenVPN is a streamlined, secure packet structure designed for use with AEAD ciphers (like AES-GCM or ChaCha20-Poly1305) and Data Channel Offload (DCO). It replaces the older DATA_V1 format and is required for kernel-level acceleration and modern encryption.
                      When OpenVPN prepares a DATA_V2 packet:

                      • It selects an AEAD cipher
                      • Generates a Packet ID (used as part of the nonce)
                      • Encrypts the payload and attaches the Auth Tag
                      • Sends the packet with Opcode, Peer-ID, and encrypted content
                        No IV or HMAC is needed — AEAD handles it all internally.

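Added example, not part of the post above: a parser that splits an OpenVPN data-channel packet into the cleartext fields the post lists (Opcode, Peer-ID, Packet ID, Auth Tag, encrypted content) and separates DATA_V1 from DATA_V2. The byte layout is an assumption taken from the OpenVPN 2.6 AEAD data-channel format and is not stated in the thread: one byte of opcode and key ID, a 3-byte Peer-ID, a 4-byte Packet ID, a 16-byte tag, then ciphertext. Function names and sample packets are constructed for illustration.

```python
import struct

P_DATA_V1, P_DATA_V2 = 6, 9   # opcodes: high 5 bits of the first byte
TAG_LEN = 16                  # AEAD tag size for AES-GCM and ChaCha20-Poly1305

def parse_data_packet(pkt: bytes) -> dict:
    """Split an OpenVPN data-channel packet into its cleartext fields."""
    if not pkt:
        raise ValueError("empty packet")
    opcode, key_id = pkt[0] >> 3, pkt[0] & 0x07
    if opcode == P_DATA_V1:
        # One-byte header, no Peer-ID: the format the DCO log message rejects.
        return {"format": "DATA_V1", "key_id": key_id, "dco_ok": False}
    if opcode != P_DATA_V2:
        raise ValueError(f"not a data-channel opcode: {opcode}")
    if len(pkt) < 4 + 4 + TAG_LEN:
        raise ValueError("truncated DATA_V2 packet")
    return {
        "format": "DATA_V2",
        "key_id": key_id,
        "dco_ok": True,
        "peer_id": int.from_bytes(pkt[1:4], "big"),     # 24-bit Peer-ID
        "packet_id": struct.unpack("!I", pkt[4:8])[0],  # also part of the nonce
        "aad": pkt[:8],   # header and Packet ID: authenticated, not encrypted
        "tag": pkt[8:8 + TAG_LEN],
        "ciphertext": pkt[8 + TAG_LEN:],
    }

def build_sample(opcode, key_id=0, peer_id=0, packet_id=0, body=b""):
    """Constructed test packet; tag and body are filler, not real ciphertext."""
    first = bytes([(opcode << 3) | key_id])
    if opcode == P_DATA_V1:
        return first + body
    return (first + peer_id.to_bytes(3, "big") + struct.pack("!I", packet_id)
            + b"\xaa" * TAG_LEN + body)

SAMPLE_V2 = build_sample(P_DATA_V2, peer_id=5, packet_id=1, body=b"\x01\x02\x03")
SAMPLE_V1 = build_sample(P_DATA_V1, body=b"\x00" * 32)

if __name__ == "__main__":
    print(parse_data_packet(SAMPLE_V2))
    print(parse_data_packet(SAMPLE_V1))
```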
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.