DCO unable to connect (unsolvable)
-
Thanks. I do not have any access or control of the server services. It is a commercial service provided by openvpn.net called CloudConnexa.
https://openvpn.net/
The OpenVPN Client I am using is pfSense
-
@McMurphy said in DCO unable to connect (unsolvable):
The OpenVPN Client I am using is pfSense
Ah ... ok, didn't know that.
So, your side is up to date, but the VPN server you use isn't.
Well, in that case, yeah, that's an issue, as downgrading the openvpn client on the pfSense side isn't an option.
But you can still make your connection work.
Get the manual of the openvpn client, and see what options you shouldn't use when using an outdated openvpn server.
Btw : DCO is a new thing, added to openvpn by Netgate, and is very recent. Both sides have to support it, and your server side probably doesn't.
@McMurphy said in DCO unable to connect (unsolvable):
openvpn.net called CloudConnexa
Based upon the ovpn client file, you can deduce the openvpn server version.
-
The server does support it as I can connect successfully using both the Windows Connect client and Linux, both with DCO enabled.
Here is the log from the Windows Connect client which works with DCO
[Jul 15, 2024, 09:30:32] Connected via ovpn-dco-win
[Jul 15, 2024, 09:30:32] EVENT: CONNECTED mysite/connector/859a4bf6-f04e-478b-9ae6-e71cdc295fed_92695995-3374-4220-bebb-76b9452a4b54@au-syd.gw.openvpn.com:1194 (217.79.246.86) via 58.X.X.47/UDP-DCO on ovpn-dco-win/100.32.50.6/fd:0:0:8103::a gw=[100.32.50.1/fd:0:0:8103::1] mtu=(default)
-
Ah ! More useful information !
So you have an ovpn config file at your disposal that works.
Use the console or SSH, go to /var/etc/openvpn/ and there you will find a client1 sub folder.
In that folder you will find the client config.ovpn file. This file has been built with the pfSense GUI options you've selected.
Compare this file with the ovpn file you use with the Windows OpenVPN connect client.
-
@Gertjan said in DCO unable to connect (unsolvable):
Btw : DCO is a new thing, added to openvpn by Netgate, and is very recent.
Little correction here, DCO was added to OpenVPN mainly by OpenVPN dev Antonio Quartulli.
-
Here is the OVPN file as generated by CloudConnexa. This file works in the Windows OpenVPN connect app and in Linux but not in pfSense.
setenv USERNAME "mycoy-com-au/connector/859a4bf6-f04e-478b-9ae6-e71cdc295fed_92695995-3374-4220-bebb-76b9452a4b54"
# OVPN_WEBAUTH_FRIENDLY_USERNAME=mycoy-com-au/Burb/Name
# OVPN_FRIENDLY_PROFILE_NAME=Burb@mycoy-com-au.openvpn.com [Sydney]
client
dev tun
remote au-syd.gw.openvpn.com 1194 udp
remote au-syd.gw.openvpn.com 1194 udp
remote au-syd.gw.openvpn.com 443 tcp
remote au-syd.gw.openvpn.com 1194 udp
remote au-syd.gw.openvpn.com 1194 udp
remote au-syd.gw.openvpn.com 1194 udp
remote au-syd.gw.openvpn.com 1194 udp
remote au-syd.gw.openvpn.com 1194 udp
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
persist-tun
nobind
verb 3
socket-flags TCP_NODELAY
push-peer-info
-
Did you compare this file with the one you've found on pfSense, created by the GUI ?
When I look at your config file shown above, I see "cipher AES-256-CBC" : that cipher mode has been abandoned on recent OpenVPN versions.
Also : no TLS ??
And why is the same line
remote au-syd.gw.openvpn.com 1194 udp
listed multiple times ?
-
@Gertjan said in DCO unable to connect (unsolvable):
Btw : DCO is a new thing, added to openvpn by Netgate, and is very recent. Both sides have to support it, and your server side probably doesn't.
That's incorrect. DCO is not a protocol change and there is no need for both sides to support it.
@Pippin said:
Little correction here, DCO was added to OpenVPN mainly by OpenVPN dev Antonio Quartulli.
True for the Linux support. The FreeBSD implementation was done by Netgate. The Windows version mostly by OpenVPN's Lev Stipakov.
-
Here's the pfSense generated file that does not connect:
dev ovpnc3
verb 6
dev-type tun
dev-node /dev/tun3
writepid /var/run/openvpn_client3.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 59.154.46.38
tls-client
lport 0
management /var/etc/openvpn/client3/sock unix
remote au-syd.gw.openvpn.com 1194 udp4
pull
capath /var/etc/openvpn/client3/ca
cert /var/etc/openvpn/client3/cert
key /var/etc/openvpn/client3/key
tls-auth /var/etc/openvpn/client3/tls-auth 1
data-ciphers AES-256-GCM
data-ciphers-fallback AES-256-GCM
allow-compression no
resolv-retry infinite
explicit-exit-notify 1
route-nopull
-
@McMurphy said in DCO unable to connect (unsolvable):
data-ciphers AES-256-GCM
data-ciphers-fallback AES-256-GCM
This is not really meaningful, and apart from this it differs from the Windows settings, where AES-256-CBC is used.
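
The profile comparison suggested earlier in the thread, as an added example (not code from any poster, pfSense or OpenVPN): a small Python differ run over trimmed, constructed copies of the two posted profiles. The function names are hypothetical, and `client` is treated as OpenVPN's helper directive for `pull` plus `tls-client` so that it is not reported as a difference.

```python
# Constructed sample input: trimmed copies of the two profiles posted in this thread.
CLOUDCONNEXA = """client
dev tun
remote au-syd.gw.openvpn.com 1194 udp
remote au-syd.gw.openvpn.com 1194 udp
remote au-syd.gw.openvpn.com 443 tcp
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
push-peer-info
"""
PFSENSE = """dev ovpnc3
#user nobody
proto udp4
auth SHA256
tls-client
remote au-syd.gw.openvpn.com 1194 udp4
pull
tls-auth /var/etc/openvpn/client3/tls-auth 1
data-ciphers AES-256-GCM
data-ciphers-fallback AES-256-GCM
"""
# `client` is an OpenVPN helper directive that expands to `pull` plus `tls-client`.
HELPERS = {"client": ["pull", "tls-client"]}

def parse_profile(text):
    """Return {directive: [distinct argument strings, in file order]}."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        name, _, args = line.partition(" ")
        for key in HELPERS.get(name, [name]):
            values = directives.setdefault(key, [])
            if args.strip() not in values:   # collapse repeated identical lines
                values.append(args.strip())
    return directives

def compare_profiles(left, right):
    """Directives found on one side only, and shared ones whose arguments differ."""
    a, b = parse_profile(left), parse_profile(right)
    return {
        "only_left": sorted(set(a) - set(b)),
        "only_right": sorted(set(b) - set(a)),
        "changed": {k: (a[k], b[k]) for k in sorted(set(a) & set(b)) if a[k] != b[k]},
    }

if __name__ == "__main__":
    print(compare_profiles(CLOUDCONNEXA, PFSENSE))
```

On these samples the cipher directives land in the one-sided lists (`cipher` on the CloudConnexa side, `data-ciphers` and `data-ciphers-fallback` on the pfSense side), alongside `tls-auth` and `remote-cert-tls`.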