openvpn client dco connectivity issues @ 20250518113006_20250726122025
-
After upgrading from the previous beta, lan clients can't connect via vpn.
However, ping works as expected. Disabling dco restores functionality.
Mode: Peer to Peer ( SSL/TLS )
Data Ciphers: AES-256-GCM, CHACHA20-POLY1305, AES-128-GCM
Digest: SHA256
I don't see anything strange in the configuration. (but then I have no hints on what changed / where to look)
-
Can you give us more details here? You're connecting from a host on one side of the tunnel to another host on the other side, neither is the tunnel end device directly?
How exactly are you testing that?
The ping that works is between the same hosts?
-
@stephenw10
This issue was also combined with the pfblockermg issue, and it might be related
(although I can't find a relation with dco)
For starters the test doesn't involve any tunnel end devices.
Just hosts on both sites.
If it's not pfblockerng, then someone else might also report it here.
Any plans for the next beta, with the pfblocker php fix included?
Or maybe a patch. (even though I could fix it manually too)
-
Ah, yes that fix is in now. It should be in the next version.
It shouldn't be related to DCO though. If the traffic works with DCO disabled any pfBlocker rules would still be applied.
-
@stephenw10 I agree.
I had to revert to previous version. Sometimes "test" environments do some work :)
Perhaps what is a bit rare is that I'm using dco as a client connecting to another pf, NOT as server. (the other pf doesn't have dco enabled either)
In any case, what do we need to debug this?
-
I'll try to replicate it here....
-
Just updated to latest beta.
Pfblockerng is fixed. openvpn issue remains.
With dco, only ping.
Without dco, I get everything.
-
This is getting worse.
Further testing reveals it is also virtualisation related.
This is a kvm bridged setup.
It was working great up to the previously released beta, but not with 25.11.b.20251111.2016.
Symptoms:
Dco doesn't work but only to physical lan connections.
All physical lan connections can ping anything via the openvpn.
Bridged connections to lan on the same virtual host work fine over openvpn with dco enabled. (Red Hat Enterprise Linux 9.7 (Plow) x86_64, emulated machine pc-q35-rhel9.4.0 with uefi boot)
BUT
pfsense has 3 wan connections
two are ethernet talking to a local cpe
the third is doing pppoe via a bridged cpe ftth device.
All connections can ping everywhere too.
Any connection NOT inside the box CAN'T use the pppoe connection.
But they can use any other just fine, with top speeds as expected, tested via speedtest.
I have checked mtu settings.
I have also tried pinging with large packet size. No issues.
I've also tried changing pppoe kernel mode. No difference.
This is a router on a stick config. Everything goes in/out from the same physical 10g Mellanox interface. So it can't be physical layer issues.
I have also disabled any limiters.
Again, reverting to 25.07.1 everything just works.
Any chances newer beta also took a newer bsd bug ?
-
@netblues said in openvpn client dco connectivity issues @ 20250518113006_20250726122025:
Any connection NOT inside the box CAN'T use the pppoe connection.
Can you expand on that; do you mean LAN side policy routed devices don't work?
-
@stephenw10
kvm creates a bridge making the physical lan card available to pfsense, other virtual machines, and the kvm host.
Since this is a bridge to lan, other stations are also connected via physical ethernet.
So whatever is on the physical network and is policy routed to the ppp connection doesn't work. (but can ping)
It works great if policy routed to dhcp/static wan connections.
The policy is unanimous: all lan connected networks to ppp wan.
Whatever comes from physical doesn't work. Whatever comes from virtual machines bridged to the same vlan as the pf lan interface works.
As for dco, virtual machines connecting via openvpn with dco enabled work fine; physically connected machines can only ping remote stations.
All vlan configuration is done at the kvm and management switch level.
pfsense is presented with different virtio interfaces.
I have thought that it could be a mtu issue, however pinging with df flags reveals no issues too. (and dco can't be mtu too)
Disabling dco, allows all machines to connect via the vpn (but doesn't solve the ppp wan issue)
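The posts above rule out MTU by hand-picking a few large DF-bit ping sizes. The script below is an added example (not from this thread or from pfSense/OpenVPN) that does the same check systematically: it bisects the largest IP packet that crosses a path with DF set, so a PPPoE (1492) or tunnel-reduced path shows up as an exact number instead of "no issues" at whatever sizes were tried. It assumes Linux iputils `ping -M do` for the real probe; the FreeBSD equivalent noted in the comment is `ping -D`. The `simulated_path` helper is a constructed stand-in so the search logic can be exercised offline.

```python
"""Path-MTU bisection with DF-bit pings (added example, not thread or project code)."""
import subprocess
import sys
from typing import Callable

ICMP_IP_OVERHEAD = 28   # 20-byte IPv4 header + 8-byte ICMP echo header
ETHERNET_MTU = 1500
PPPOE_MTU = ETHERNET_MTU - 8   # PPPoE (6 bytes) + PPP (2 bytes) headers


def ping_probe_linux(host: str, payload: int, timeout_s: int = 1) -> bool:
    """Send one DF-bit echo request (iputils `ping -M do`) and report whether a reply came back.

    Assumption: Linux iputils ping. On FreeBSD/pfSense use `ping -D -s <payload> -c 1 <host>`.
    """
    cmd = ["ping", "-M", "do", "-c", "1", "-W", str(timeout_s), "-s", str(payload), host]
    try:
        return subprocess.run(cmd, capture_output=True, timeout=timeout_s + 2).returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = ETHERNET_MTU) -> int:
    """Return the largest IP packet size in [lo, hi] that passes with DF set.

    `probe(payload)` takes an ICMP payload size (packet size minus 28) and returns
    True on a reply. Returns 0 when even `lo` fails, which means the path is down
    or something is dropping ICMP rather than an MTU problem.
    """
    if not probe(lo - ICMP_IP_OVERHEAD):
        return 0
    passing, failing = lo, hi + 1      # invariant: `passing` works, `failing` does not (or is out of range)
    while failing - passing > 1:
        mid = (passing + failing) // 2
        if probe(mid - ICMP_IP_OVERHEAD):
            passing = mid
        else:
            failing = mid
    return passing


def classify_mtu(path_mtu: int) -> str:
    """Map a measured path MTU to the common explanations worth checking next."""
    if path_mtu == 0:
        return "no reply at all: not an MTU problem, check routing/filtering"
    if path_mtu >= ETHERNET_MTU:
        return "full Ethernet MTU: fragmentation is not the limiting factor"
    if path_mtu == PPPOE_MTU:
        return "1492: consistent with a PPPoE hop in the path"
    return f"{path_mtu}: reduced by {ETHERNET_MTU - path_mtu} bytes, consistent with tunnel/PPPoE overhead"


def simulated_path(mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real path: replies only if the packet fits within `mtu`."""
    return lambda payload: payload + ICMP_IP_OVERHEAD <= mtu


if __name__ == "__main__":
    # Usage: python3 pmtu.py <host>   (runs real DF pings via iputils)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target is None:
        mtu = find_path_mtu(simulated_path(PPPOE_MTU))   # offline demo against the constructed path
    else:
        mtu = find_path_mtu(lambda payload: ping_probe_linux(target, payload))
    print(f"path MTU: {mtu} -> {classify_mtu(mtu)}")
```

Run it against a host on the far side of the tunnel from a physically connected LAN client and again from a VM bridged to the same VLAN; identical numbers confirm the thread's conclusion that MTU is not what separates the two cases.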