Is OpenVPN DCO mode compatible with Suricata Inline mode?
-
The issue:
Steps:
- Have Suricata in Inline mode enabled on WAN.
- Enable DCO mode on the OpenVPN server.
- Connect to the server with a mobile client.
- Try to access a local computer, or a normal HTTPS page like netgate.com.
Actual results:
If DCO mode is enabled and Suricata is enabled in Inline mode on WAN, after a client connects, the client cannot communicate with the resources on the network, and after about 1 minute, the WAN interface will go offline.
Workaround: Disable Suricata on the WAN interface and DCO mode can be used normally.
Note: OpenVPN DCO mode also works with Suricata in Legacy mode, so there is no rule blocking something.
Tested on pfSense+ versions: 23.01 and 23.05 RC.
Hardware: I have this board https://www.supermicro.com/en/products/motherboard/A2SDi-4C-HLN4F which has the same NICs as the Netgate 4100 AFAIK. I kindly ask anyone with a Netgate 4100 or with the same hardware to test the above scenario, to ascertain if this is in fact an issue or not.
Thank you
-
Hello @bmeeks can you share your opinion about the above?
Thank you
-
I highly suspect that netmap and DCO mode are incompatible with each other. I'm not familiar with the inner workings of OpenVPN DCO, but a quick Google search on the technology leads me to suspect netmap and DCO will not play well together.
Inline IPS Mode uses the netmap kernel device. That device inserts itself directly into the network path between NIC and the kernel network stack. When other technologies are trying to do the same thing (such as DCO), then you very well are going to have problems.
This is why VLANs and netmap do not play well together, and neither does traffic limiting/shaping play well with netmap.
If you want to use DCO, then stick with Legacy Mode Blocking. But also remember that Suricata is nearly 100% useless when inspecting encrypted traffic anyway.
-
@bmeeks I considered this also. I think at least this should be mentioned in the documentation somewhere as a limitation. Thank you
-
@stephenw10 can you also take a look please. Thank you