openvpn DCO mode Failed to open tun/tap interface

yon 0 · Nov 19, 2024, 8:54 AM

https://redmine.pfsense.org/issues/15851

openvpn can't create interface when I use DCO mode. p2p tunnel,For privacy reasons, the IP has been changed

Nov 19 11:40:30 openvpn 33936 SIGUSR1[soft,process-push-msg-failed] received, process restarting
Nov 19 11:40:30 openvpn 33936 Failed to open tun/tap interface
Nov 19 11:40:30 openvpn 33936 ERROR: Failed to apply push options
Nov 19 11:40:30 openvpn 33936 OPTIONS ERROR: pushed options are incompatible with data channel offload. Use --disable-dco to connect to this server
Nov 19 11:40:30 openvpn 33936 OPTIONS IMPORT: Server did not request DATA_V2 packet format required for data channel offload
Nov 19 11:40:28 openvpn 33936 [tv189.com] Peer Connection Initiated with [AF_INET6]2a04:e8c0:18:71a::1:51758
Nov 19 11:40:28 openvpn 33936 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bits ED25519, signature: ED25519, peer temporary key: 253 bits X25519
Nov 19 11:40:28 openvpn 33936 peer info: IV_PROTO=746
Nov 19 11:40:28 openvpn 33936 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
Nov 19 11:40:28 openvpn 33936 VERIFY OK: depth=0, CN=tv1.com
Nov 19 11:40:28 openvpn 33936 VERIFY EKU OK
Nov 19 11:40:28 openvpn 33936 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Nov 19 11:40:28 openvpn 33936 Validating certificate extended key usage
Nov 19 11:40:28 openvpn 33936 VERIFY KU OK
Nov 19 11:40:28 openvpn 33936 VERIFY OK: depth=1, CN=Liuxyon
Nov 19 11:40:28 openvpn 33936 UDPv6 link remote: [AF_INET6]2a04:e0c0:18:71a::1:51958
Nov 19 11:40:28 openvpn 33936 UDPv6 link local (bound): [AF_INET6]2409:8290:404:c46a::
Nov 19 11:40:28 openvpn 33936 setsockopt(IPV6_V6ONLY=0)
Nov 19 11:40:28 openvpn 33936 TCP/UDP: Preserving recently used remote address: [AF_INET6]2a04:e8c0:18:71a::1:51758
Nov 19 11:40:28 openvpn 33936 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

dev ovpnc8
verb 2
dev-type tun
dev-node /dev/tun8
writepid /var/run/openvpn_client8.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp6
auth SHA3-256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 2409:8290:404:c46a:::4394
tls-client
lport 0
management /var/etc/openvpn/client8/sock unix
remote 2a04:e0c0:18:71a::1 51958 udp6
pull
remote-cert-tls server
capath /var/etc/openvpn/client8/ca
cert /var/etc/openvpn/client8/cert
key /var/etc/openvpn/client8/key
data-ciphers AES-256-GCM:AES-128-GCM
data-ciphers-fallback AES-256-GCM
allow-compression no
resolv-retry infinite
tls-crypt-v2 /root/v2crypt-client-1.key
ifconfig 10.11.3.2 10.11.3.1
ifconfig-ipv6 2a0d:2408:513:3/124 2a0d:2408:513:2
topology p2p
route-nopull

I am setting up a new dco openvpn tunnel.The same configuration works fine on Ubuntu 24.04. So I think the problem is with pfsense. I have restarted the system and nothing helps.

The Party of Hell No · Nov 19, 2024, 5:05 PM

@yon-0 said in openvpn DCO mode Failed to open tun/tap interface:

OPTIONS ERROR: pushed options are incompatible with data channel offload

"OPTIONS ERROR: pushed options are incompatible with data channel offload"

What pushed options are being pushed?

yon 0 · Nov 20, 2024, 12:16 AM

@The-Party-of-Hell-No

resolv-retry infinite
tls-crypt-v2 /root/v2crypt-client-1.key
ifconfig 10.11.3.2 10.11.3.1
ifconfig-ipv6 2a0d:2408:513:3/124 2a0d:2408:513:2
topology p2p
route-nopull

yon 0 · Nov 20, 2024, 1:17 AM

https://www.freshports.org/security/openvpn/

pfsense should upgrade to new version 2.6.12

openvpn --version
OpenVPN 2.6.8 amd64-portbld-freebsd15.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
library versions: OpenSSL 3.0.13 24 Oct 2023, LZO 2.10
DCO version: FreeBSD 15.0-CURRENT #0 plus-RELENG_24_03-n256311-e71f834dd81: Fri Apr 19 00:28:14 UTC 2024 root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-24_03-main/obj/amd64/Y4MAEJ2R/var/jenkins/workspace/pfSense-Plus-snapshots-24_03-main/sources/FreeBS
Originally developed by James Yonan
Copyright (C) 2002-2023 OpenVPN Inc sales@openvpn.net
Compile time defines: enable_async_push=yes enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=yes enable_dco_arg=yes enable_debug=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=yes enable_strict_options=no enable_systemd=no enable_unit_tests=no enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no

yon 0 · Nov 20, 2024, 1:17 AM

I don't think I have misconfigured it, because the same configuration works fine on Ubuntu. So it should be a problem with pfsense. Does anyone have successful experience using DCO on pfsense?

yon 0 · Nov 20, 2024, 1:39 AM

This post is deleted!