OpenVPN with DCO - understanding the limitations
-
I have read Netgate's documentation on this feature. I have some questions, just to ensure that I understand the limitations.
From the documentation, my understanding is that 1) Client Specific Overrides on the server side do not work and 2) you would really need to define a separate server for each site-to-site link, i.e., if I had a hub and spoke arrangement with one hub and six spokes, the hub would need six separate servers defined, one for each spoke.
Do I understand this correctly?
-
Yes, that is correct, though hopefully that won't be an ongoing limitation in the future as development of DCO on FreeBSD and OpenVPN continues.
-
@jimp said in OpenVPN with DCO - understanding the limitations:
Yes, that is correct, though hopefully that won't be an ongoing limitation in the future as development of DCO on FreeBSD and OpenVPN continues.
It's not a huge problem either. IPsec works sort of like this, in that you need a P1 for each link between the hub and a spoke.
Can we distribute routes with FRR/BGP like we would with IPsec tunnels?
-
I've had some success with using FRR on DCO, but I haven't tried it long term. The way the DCO interfaces are made, they use kernel routing instead of OpenVPN internal routing. So the reason that overrides don't work with DCO is also what allows FRR to function, which, depending on your use case, may be a great benefit instead of a drawback.