Netgate Discussion Forum

    Is OpenVPN DCO mode compatible with Suricata Inline mode?

    OpenVPN

      NRgia

      The issue:

      Steps:

      1. Have Suricata in Inline mode enabled on WAN.
      2. Enable DCO mode on the OpenVPN server.
      3. Connect to the server with a mobile client.
      4. Try to access a local computer, or a normal HTTPS page like netgate.com

      Actual results:

      If DCO mode is enabled and Suricata is enabled in Inline mode on WAN, after a client connects, the client cannot communicate with the resources on the network, and after about 1 minute, the WAN interface will go offline.

      Workaround: Disable Suricata on the WAN interface and DCO mode can be used normally.
      Note: OpenVPN DCO mode also works with Suricata in Legacy mode, so there is no rule blocking something.

      Tested on pfSense+ versions: 23.01 and 23.05 RC.
      Hardware: I have this board https://www.supermicro.com/en/products/motherboard/A2SDi-4C-HLN4F which has the same NICs as the Netgate 4100, AFAIK.

      Kindly ask anyone with a Netgate 4100 or with the same hardware to test the above scenario, to ascertain if this is in fact an issue or not.

      Thank you

        NRgia @NRgia

        Hello @bmeeks can you share your opinion about the above?

        Thank you

          bmeeks

          I highly suspect that netmap and DCO mode are incompatible with each other. I'm not familiar with the inner workings of OpenVPN DCO, but a quick Google search on the technology leads me to suspect netmap and DCO will not play well together.

          Inline IPS Mode uses the netmap kernel device. That device inserts itself directly into the network path between NIC and the kernel network stack. When other technologies are trying to do the same thing (such as DCO), then you very well are going to have problems.

          This is why VLANs and netmap do not play well together, and neither does traffic limiting/shaping play well with netmap.

          If you want to use DCO, then stick with Legacy Mode Blocking. But also remember that Suricata is nearly 100% useless when inspecting encrypted traffic anyway.

            NRgia @bmeeks
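A heuristic check for the combination bmeeks describes, added here as an example and not code from the thread, from pfSense or from Suricata. It assumes that DCO on FreeBSD shows up as the if_ovpn kernel module (ovpn(4)) in `kldstat` output, and that a Suricata instance in inline IPS mode was started with the `--netmap` option and an `-i <interface>` argument. The sample `kldstat` and `ps` text below is constructed for the dry run; on a FreeBSD/pfSense host the script also runs the same check against live output.

```shell
#!/bin/sh
# Added example (not from the thread, pfSense or Suricata): flag hosts where
# OpenVPN DCO (if_ovpn kernel module, ovpn(4)) is loaded while Suricata runs
# in netmap inline IPS mode. Inputs are passed as text so the check can be
# run against captured output as well as live commands.

# has_dco KLDSTAT_OUTPUT
#   Success when the if_ovpn module appears in kldstat output.
has_dco() {
    printf '%s\n' "$1" | grep -q 'if_ovpn'
}

# netmap_ifaces PS_OUTPUT
#   Prints, one per line, the interface (-i <name>) of every suricata
#   process whose command line contains --netmap (inline IPS mode).
netmap_ifaces() {
    printf '%s\n' "$1" \
        | grep 'suricata' \
        | grep -e '--netmap' \
        | sed -n 's/.*-i \([^ ]*\).*/\1/p'
}

# check_conflict KLDSTAT_OUTPUT PS_OUTPUT
#   Success (and a report line) when DCO is loaded and at least one
#   netmap inline Suricata instance is running; failure otherwise.
check_conflict() {
    has_dco "$1" || return 1
    ifaces=$(netmap_ifaces "$2")
    [ -n "$ifaces" ] || return 1
    printf 'DCO loaded and netmap inline IPS active on: %s\n' \
        "$(printf '%s' "$ifaces" | tr '\n' ' ')"
    return 0
}

# Constructed sample data (not captured from a real system) for a dry run.
SAMPLE_KLDSTAT='Id Refs Address                Size Name
 1   50 0xffffffff80200000  1f2e6b8 kernel
 2    1 0xffffffff82300000     6b18 if_ovpn.ko'
SAMPLE_PS='12345 - Ss 0:01.23 /usr/local/bin/suricata -i igc0 -D -c /usr/local/etc/suricata/sample_igc0/suricata.yaml --netmap
12346 - Ss 0:00.10 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1/config.ovpn'

if check_conflict "$SAMPLE_KLDSTAT" "$SAMPLE_PS"; then
    echo 'sample: conflict detected (expected for the constructed sample)'
fi

# Live run on a FreeBSD/pfSense host; skipped where kldstat is absent.
if command -v kldstat >/dev/null 2>&1; then
    check_conflict "$(kldstat)" "$(ps axww)" \
        || echo 'live: no DCO + netmap inline combination found'
fi
```

A hit only means both pieces are present on the same host; it does not prove that the netmap-wrapped interface is the one carrying the OpenVPN traffic, which is the case the thread describes (Suricata inline on WAN). Treat it as a prompt to review the interface assignment, not as a verdict.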

            @bmeeks I considered this also. I think at least this should be mentioned in the documentation somewhere as a limitation. Thank you

              NRgia @NRgia

              @stephenw10 can you also take a look please. Thank you
