Netgate Discussion Forum

openvpn DCO mode Failed to open tun/tap interface

6 Posts 2 Posters 475 Views
  • Y
    yon 0
    last edited by Nov 19, 2024, 8:54 AM

    https://redmine.pfsense.org/issues/15851

    OpenVPN can't create the interface when I use DCO mode. P2P tunnel. For privacy reasons, the IP has been changed.

    Nov 19 11:40:30 openvpn 33936 SIGUSR1[soft,process-push-msg-failed] received, process restarting
    Nov 19 11:40:30 openvpn 33936 Failed to open tun/tap interface
    Nov 19 11:40:30 openvpn 33936 ERROR: Failed to apply push options
    Nov 19 11:40:30 openvpn 33936 OPTIONS ERROR: pushed options are incompatible with data channel offload. Use --disable-dco to connect to this server
    Nov 19 11:40:30 openvpn 33936 OPTIONS IMPORT: Server did not request DATA_V2 packet format required for data channel offload
    Nov 19 11:40:28 openvpn 33936 [tv189.com] Peer Connection Initiated with [AF_INET6]2a04:e8c0:18:71a::1:51758
    Nov 19 11:40:28 openvpn 33936 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bits ED25519, signature: ED25519, peer temporary key: 253 bits X25519
    Nov 19 11:40:28 openvpn 33936 peer info: IV_PROTO=746
    Nov 19 11:40:28 openvpn 33936 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
    Nov 19 11:40:28 openvpn 33936 VERIFY OK: depth=0, CN=tv1.com
    Nov 19 11:40:28 openvpn 33936 VERIFY EKU OK
    Nov 19 11:40:28 openvpn 33936 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    Nov 19 11:40:28 openvpn 33936 Validating certificate extended key usage
    Nov 19 11:40:28 openvpn 33936 VERIFY KU OK
    Nov 19 11:40:28 openvpn 33936 VERIFY OK: depth=1, CN=Liuxyon
    Nov 19 11:40:28 openvpn 33936 UDPv6 link remote: [AF_INET6]2a04:e0c0:18:71a::1:51958
    Nov 19 11:40:28 openvpn 33936 UDPv6 link local (bound): [AF_INET6]2409:8290:404:c46a::
    Nov 19 11:40:28 openvpn 33936 setsockopt(IPV6_V6ONLY=0)
    Nov 19 11:40:28 openvpn 33936 TCP/UDP: Preserving recently used remote address: [AF_INET6]2a04:e8c0:18:71a::1:51758
    Nov 19 11:40:28 openvpn 33936 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

    dev ovpnc8
    verb 2
    dev-type tun
    dev-node /dev/tun8
    writepid /var/run/openvpn_client8.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp6
    auth SHA3-256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 2409:8290:404:c46a:::4394
    tls-client
    lport 0
    management /var/etc/openvpn/client8/sock unix
    remote 2a04:e0c0:18:71a::1 51958 udp6
    pull
    remote-cert-tls server
    capath /var/etc/openvpn/client8/ca
    cert /var/etc/openvpn/client8/cert
    key /var/etc/openvpn/client8/key
    data-ciphers AES-256-GCM:AES-128-GCM
    data-ciphers-fallback AES-256-GCM
    allow-compression no
    resolv-retry infinite
    tls-crypt-v2 /root/v2crypt-client-1.key
    ifconfig 10.11.3.2 10.11.3.1
    ifconfig-ipv6 2a0d:2408:513:a::3/124 2a0d:2408:513:a::2
    topology p2p
    route-nopull

    I am setting up a new DCO OpenVPN tunnel. The same configuration works fine on Ubuntu 24.04, so I think the problem is with pfSense. I have restarted the system and nothing helps.

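Added example, not part of the thread and not pfSense or OpenVPN code: the log in the first post is listed newest entry first, so the "Failed to open tun/tap interface" line near the top is the end of the failure chain rather than its start. The Python below re-orders the failure lines and separates the DCO negotiation messages from the symptoms that follow them; the labels, the function names and the assumption that lines sharing a timestamp are also newest-first are this example's own.

```python
import re

# Constructed sample: the failure lines from the first post, in the order the
# pfSense log view showed them (newest entry first).
SAMPLE_NEWEST_FIRST = """\
Nov 19 11:40:30 openvpn 33936 SIGUSR1[soft,process-push-msg-failed] received, process restarting
Nov 19 11:40:30 openvpn 33936 Failed to open tun/tap interface
Nov 19 11:40:30 openvpn 33936 ERROR: Failed to apply push options
Nov 19 11:40:30 openvpn 33936 OPTIONS ERROR: pushed options are incompatible with data channel offload. Use --disable-dco to connect to this server
Nov 19 11:40:30 openvpn 33936 OPTIONS IMPORT: Server did not request DATA_V2 packet format required for data channel offload
Nov 19 11:40:28 openvpn 33936 VERIFY OK: depth=0, CN=tv1.com
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) openvpn (\d+) (.*)$")

# Message fragments taken from the log above; the labels are this example's own.
DCO_MARKERS = [
    ("Server did not request DATA_V2", "no-data-v2"),
    ("incompatible with data channel offload", "dco-options-rejected"),
]
SYMPTOMS = ["Failed to apply push options", "Failed to open tun/tap interface",
            "process-push-msg-failed"]

def parse(text):
    """Return (timestamp, pid, message) tuples, skipping unparseable lines."""
    return [m.groups() for m in map(LINE_RE.match, text.splitlines()) if m]

def triage(text, newest_first=True):
    """Order the entries chronologically and separate DCO causes from symptoms."""
    entries = parse(text)
    if newest_first:  # assumption: same-second lines are also newest-first
        entries.reverse()
    causes, symptoms = [], []
    for _ts, _pid, msg in entries:
        for needle, label in DCO_MARKERS:
            if needle in msg and label not in causes:
                causes.append(label)
        # Only count a symptom once a DCO cause has already been seen.
        if causes:
            symptoms += [s for s in SYMPTOMS if s in msg]
    return {"first_cause": causes[0] if causes else None,
            "causes": causes, "symptoms": symptoms,
            "suggests_disable_dco": any("--disable-dco" in e[2] for e in entries)}

if __name__ == "__main__":
    print(triage(SAMPLE_NEWEST_FIRST))
```

Read in chronological order, the first failing message is the missing DATA_V2 request from the server, and the tun/tap error and SIGUSR1 restart come after it.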
    • T
      The Party of Hell No @yon 0
      last edited by Nov 19, 2024, 5:05 PM

      @yon-0 said in openvpn DCO mode Failed to open tun/tap interface:

      OPTIONS ERROR: pushed options are incompatible with data channel offload

      "OPTIONS ERROR: pushed options are incompatible with data channel offload"

      What pushed options are being pushed?

      • Y
        yon 0 @The Party of Hell No
        last edited by Nov 20, 2024, 12:16 AM

        @The-Party-of-Hell-No

        resolv-retry infinite
        tls-crypt-v2 /root/v2crypt-client-1.key
        ifconfig 10.11.3.2 10.11.3.1
        ifconfig-ipv6 2a0d:2408:513:a::3/124 2a0d:2408:513:a::2
        topology p2p
        route-nopull

        • Y
          yon 0 @yon 0
          last edited by Nov 20, 2024, 12:44 AM

          https://www.freshports.org/security/openvpn/

          pfsense should upgrade to new version 2.6.12

          openvpn --version
          OpenVPN 2.6.8 amd64-portbld-freebsd15.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
          library versions: OpenSSL 3.0.13 24 Oct 2023, LZO 2.10
          DCO version: FreeBSD 15.0-CURRENT #0 plus-RELENG_24_03-n256311-e71f834dd81: Fri Apr 19 00:28:14 UTC 2024 root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-24_03-main/obj/amd64/Y4MAEJ2R/var/jenkins/workspace/pfSense-Plus-snapshots-24_03-main/sources/FreeBS
          Originally developed by James Yonan
          Copyright (C) 2002-2023 OpenVPN Inc sales@openvpn.net
          Compile time defines: enable_async_push=yes enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=yes enable_dco_arg=yes enable_debug=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=yes enable_strict_options=no enable_systemd=no enable_unit_tests=no enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no

          • Y
            yon 0 @yon 0
            last edited by Nov 20, 2024, 1:17 AM

            I don't think I have misconfigured it, because the same configuration works fine on Ubuntu. So it should be a problem with pfsense. Does anyone have successful experience using DCO on pfsense?

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.