[Bug?] DCO in DualStack setup?
-
Hi,
I checked in with both pfSense Plus 23.01 and Plus 23.05 but the behavior is the same and I don't see the culprit for it not working:
- Completely new OpenVPN Server set up
- Opened the OpenVPN DCO guide as to what is NOT supported to avoid setting something up that wouldn't work
- configured the server with "multihome" (as we don't get v4/v6 support otherwise) on port 11940(!)
- SSL/TLS + User Auth (via LDAP)
- new cert CA, CRL and server cert
- DH Param as ECDH only
- ECDH default
- DEA List with DCO compat ciphers (only both GCMs and CHACHA selected)
- Fallback AES-256-GCM
- Auth: SHA256
- No HW Crypto
- Cert Depth: One
- User-CN Match
- Key Usage
- IPv4/6 Tunnel networks set up
- IPv4/6 local networks, too
- Dynamic IP
- Subnet Topology
- Exit notify disabled (as per the documentation) even if the wizard sets it up
- GW Creation both
- Verb 3
Pretty straightforward. Problem is:
- Client connects
- Client establishes connection and gets a green symbol (windows) - all seems OK.
- NO routing whatsoever works, no connection to remote networks are coming up - ping times out
- after about 30s the client throws a red line into its log with "read UDP: Der angegebene Netzwername ist nicht mehr verfügbar (fd=4e0,code=64)"
- Client disconnects (yellow state) and reconnects again. Seems fine (green again) but won't work.
The 30s should be the client reconnection timeout (I configured that down with keepalive 5 30 on the client side): as it seems to get no ping back, it does a ping-restart.
The moment I disable ONLY the DCO option in that server, everything works just fine out of the box. Everything comes up, client connects and stays connected and can ping devices just fine!
But as soon as I activate DCO, even though I do not have anything special configured that would interfere with the DCO options, the client has no traffic anymore.
As some have achieved connections with DCO: what am I missing here that interferes with DCO operation? Or is it related to IPv4/v6 dualstack multihome operations?
Thanks & Cheers
\jens -
Hello Jens,
were you perhaps able to solve this question yourself in the meantime? I am also experiencing a number of inconsistencies with the transition of some of our customers to the OpenVPN Client 2.6, all of which I can attribute to the use of DCO.
I will then open a thread here in the forum about the strangest problem.
Best regards!
-
The problem was solvable after quite a bit of research and testing. Most things stemmed from the older versions of DCO in previous pfSense Plus versions, but a few remained and could be debugged down to a problem in the implementation of OpenVPN, DCO and pf in FreeBSD itself. The quintessence is that OpenVPN multihome CAN'T work properly with DCO and PF in FreeBSD right now. Switching that to UDP on localhost and working with inbound redirection rules made it work in no time. It's not as elegant, as we need to redirect v6 traffic too, resulting in 2 OpenVPN servers instead of just 1 in my case, but at least it's working that way and doesn't have a problem.
Cheers
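To make the workaround from the post above concrete, here is an added, constructed example of what the "UDP on localhost plus inbound redirection" layout looks like in plain FreeBSD pf.conf syntax. It is not the poster's configuration and not something pfSense generated; the interface name `vtnet0`, the second port `11941` and the macro names are assumptions, and only the port `11940` comes from the thread. The idea is that neither OpenVPN server uses `multihome`: each one binds a single loopback address (`local 127.0.0.1` with `proto udp4`, and `local ::1` with `proto udp6`), and pf rewrites the destination of the inbound UDP packets on the WAN address to that loopback listener.

```pf
# Constructed example: two single-stack OpenVPN servers bound to loopback,
# reached through pf destination redirection instead of OpenVPN "multihome".
ext_if    = "vtnet0"   # assumed WAN interface name
ovpn4_port = "11940"   # port from the thread; v4 server listens on 127.0.0.1
ovpn6_port = "11941"   # assumed port for the second, v6-only server on ::1

# Clients still send to the public WAN address and port 11940 for both
# address families; only the destination is rewritten, so OpenVPN logs and
# "tls-verify"/"client-connect" hooks keep seeing the real client source.
rdr pass on $ext_if inet  proto udp from any to ($ext_if) port $ovpn4_port -> 127.0.0.1 port $ovpn4_port
rdr pass on $ext_if inet6 proto udp from any to ($ext_if) port $ovpn4_port -> ::1       port $ovpn6_port

# Loopback traffic is normally skipped entirely; keep that so the redirected
# packets are not filtered a second time after the rewrite.
set skip on lo0

# Everything else on the WAN stays default-deny; "rdr pass" above already
# creates the state for the redirected OpenVPN packets.
block in on $ext_if
```

On the OpenVPN side this corresponds to one server config with `proto udp4`, `local 127.0.0.1`, `port 11940` and a second one with `proto udp6`, `local ::1`, `port 11941`, each with DCO left enabled and without `multihome`. Because `rdr` changes only the destination address, pf's state table handles the reverse translation of the server's replies, so no extra outbound NAT rule is needed for the tunnel handshake; what the split does cost is the two separate tunnel networks and two sets of firewall rules that the poster mentions.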