Questions about OpenVPN DCO limitations
-
I was reading over the pfSense OpenVPN DCO documentation here and I am having trouble understanding these two points together:
DCO is not yet able to utilize internal routing in OpenVPN (iroute). This means that although remote access use cases work, and site-to-site setups with one client per server work, it does not yet function with multiple site-to-site clients on a single server which require LAN-to-LAN routing.
and
Using a /30 or smaller tunnel network for peer-to-peer tunnels (one server with one client) is not compatible with DCO. There are problems with the code for this mode in OpenVPN which can lead to failed connections and instability.
Currently, I have a P2P SSL/TLS VPN with a single server and a single client configured with a /30 tunnel network and no client overrides specified.
If OpenVPN DCO isn't compatible with either a /30 or client override, how do I configure the OpenVPN DCO server so it can still route to my single client on a /24 tunnel network?
-
I have a similar question. I mean for "Peer to Peer" (Site To Site) tunnel I am normally using:
IPv4 Tunnel Network = class/30
Concurrent connections = 1
Inter-client communication = No
Duplicate Connection = No
and I am told by the GUI that I cannot enable DCO.
Should I use class/29 as tunnel network and then enable DCO? How to enable DCO for "Peer To Peer" OpenVPN Tunnels? Sometimes I have some heavy traffic on the tunnel. I guess DCO would help a bit (?).
-
@sandie Switching to /29 sounds like it should work. Recently, I realized that there was already a solution to my question in the documentation link and I missed it somehow. In pfSense version 2.7, we can use a static route assignment and that should get the routing to work.
DCO and Routing
DCO does not currently honor internal routes from client-specific overrides (i.e. iroute) for multiple site-to-site clients on a single server, but it does honor kernel route destinations that would normally be ignored by non-DCO OpenVPN.
Assign clients static addresses in overrides (after patching #13274) and then set up custom routes in OpenVPN custom options with complete destinations defined, or even set up FRR and exchange routes via BGP.
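As an added illustration (not from the thread or from the pfSense documentation it quotes), this is what the approach described above looks like expressed as plain OpenVPN server-side directives: a /29 tunnel network instead of /30, a fixed tunnel address for the single site-to-site client, and a kernel route with a complete destination in place of the iroute that DCO does not honour. All addresses and the client name are constructed for the example; in pfSense the route line is what goes into the server's Custom options field, and the ifconfig-push is the static address the client-specific override assigns.

```conf
# Added example, not from the thread or the pfSense docs.
# Server side: one site-to-site client, DCO-compatible tunnel size.
dev tun
topology subnet

# /29 tunnel network (constructed); DCO rejects a /30 in peer-to-peer mode
server 10.8.0.0 255.255.255.248

# Client-specific overrides are enabled so the client below gets a fixed address
client-config-dir ccd

# Kernel route with the complete destination: remote LAN 192.168.50.0/24
# (constructed) reachable via the client's fixed tunnel address 10.8.0.2.
# DCO honours this route where it would ignore an "iroute".
route 192.168.50.0 255.255.255.0 10.8.0.2

# ---------------------------------------------------------------------------
# Client-specific override file, ccd/site-b (constructed client name, matching
# the client certificate CN). In pfSense this is produced by the override's
# static address assignment rather than written by hand.
# ---------------------------------------------------------------------------
# ifconfig-push 10.8.0.2 255.255.255.248
#
# Deliberately absent: "iroute 192.168.50.0 255.255.255.0" would be the
# non-DCO way to tell OpenVPN which client owns that LAN; under DCO the
# static "route" above replaces it.
```

The key detail is that the route names the client's tunnel address as its gateway, so it is only as stable as the address assignment: without the fixed address from the override, the client could come up with a different tunnel IP and the route would point at nothing. The client side still needs its own route (or a pushed one) for the server's LAN, exactly as in a non-DCO setup.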