OpenVPN and DCO

frodet

When activating DCO Offloading on my OpenVPN server i get these warnings in the client log:

Wed Aug 03 23:34:55 2022 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1569', remote='link-mtu 1549'
Wed Aug 03 23:34:55 2022 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher AES-256-GCM'
Wed Aug 03 23:34:55 2022 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth [null-digest]'

I have a Netgate SG-1100. The connection works like intended. VPN speed is at least five fold with DCO Offload enabled and SafeXcel activated.

Should I worry about these warnings?

frodet

So, no one has any idea about this?

JeGr

@frodet You have to fix your client configuration if you switch your server to use DCO.

DCO automatically comes with a few drawbacks from the OpenVPN team (that are stated in the blog post Netgate published to DCO and the docu). E.g. AES-GCM is the only supported cipher (besides CHACHA20), compression is not available and mtu/mssfix/fragmentation settings aren't available.

As your client sends AES-CBC that won't work, the other lines are most likely follow ups of the wrong cipher setting.

Cheers