You might have noticed our bug reports regarding capabilities && 2.6rc2. The whole point of it all was to test 2.6.x's DCO in our openvpn infrastructure :)
Upgrades were made, kernel modules were being compiled and modprobed, the gateway's filesystem is cluttered with source packages and hotfixed scripts all over the place -- and ultimately 2.6rc2 would be working ok on the server side of things. YAY! But once we enabled DCO on the server side, things started to go awry - again. 2.5.x was not able to connect. So I thought: "Meh, maybe I should use 2.6rc on both client and server". Said and done. Now the server complains:

=========================
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 VERIFY SCRIPT OK: depth=1, C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, CN=Charite-VPN CA, name=EasyRSA, emailAddress=v...@charite.de
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 VERIFY OK: depth=1, C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, CN=Charite-VPN CA, name=EasyRSA, emailAddress=v...@charite.de
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 Validating certificate extended key usage
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 VERIFY EKU OK
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 VERIFY SCRIPT OK: depth=0, C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, CN=hildeb, emailAddress=v...@charite.de
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 VERIFY OK: depth=0, C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, CN=hildeb, emailAddress=v...@charite.de
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 peer info: IV_VER=2.6_rc2
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 peer info: IV_PLAT=linux
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 peer info: IV_TCPNL=1
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 peer info: IV_MTU=1600
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 peer info: IV_CIPHERS=AES-256-GCM
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 peer info: IV_PROTO=478
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 peer info: IV_LZO_STUB=1
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 peer info: IV_COMP_STUB=1
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 peer info: IV_COMP_STUBv2=1
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 TLS: Username/Password authentication succeeded for username 'hildeb'
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 TLS: tls_multi_process: initial untrusted session promoted to trusted
Jan 18 17:16:36 localhost openvpn-udp[50313]: 10.31.123.139:39440 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Jan 18 17:16:36 localhost openvpn-udp[50313]: 10.31.123.139:39440 [hildeb] Peer Connection Initiated with [AF_INET6]::ffff:10.31.123.139:39440
Jan 18 17:16:36 localhost openvpn-udp[50313]: hildeb/10.31.123.139:39440 MULTI_sva: pool returned IPv4=172.29.0.2, IPv6=(Not enabled)
Jan 18 17:16:36 localhost openVPN-clientConnect: {"user": "hildeb", "common_name": "hildeb", "platform": "linux", "version": "2.6_rc2", "gui_version": ""}
Jan 18 17:16:36 localhost openvpn-udp[50313]: hildeb/10.31.123.139:39440 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_59804ac825fbf6a474bade0a88233ff0.tmp
Jan 18 17:16:36 localhost openvpn-udp[50313]: hildeb/10.31.123.139:39440 Note: '--allow-compression' is not set to 'no', disabling data channel offload.
Jan 18 17:16:36 localhost openvpn-udp[50313]: hildeb/10.31.123.139:39440 Consider using the '--compress migrate' option.
Jan 18 17:16:36 localhost openvpn-udp[50313]: hildeb/10.31.123.139:39440 MULTI: client has been rejected due to incompatible DCO options
Jan 18 17:16:37 localhost openvpn-udp[50313]: hildeb/10.31.123.139:39440 PUSH: Received control message: 'PUSH_REQUEST'
Jan 18 17:16:37 localhost openvpn-udp[50313]: hildeb/10.31.123.139:39440 Delayed exit in 5 seconds
Jan 18 17:16:37 localhost openvpn-udp[50313]: hildeb/10.31.123.139:39440 SENT CONTROL [hildeb]: 'AUTH_FAILED' (status=1)
Jan 18 17:16:42 localhost openvpn-udp[50313]: hildeb/10.31.123.139:39440 SIGTERM[soft,delayed-exit] received, client-instance exiting
=========================

I'm reading this as: The server doesn't like the client based on "incompatible DCO options", obviously due to "allow-compression" not being set to "no" (which is the default, according to the docs).

Personally I think this shouldn't prevent the client from connecting, but instead it should not be using DCO. But since we want to test DCO that's ok for now.

On the server config we're using (I modprobed ovpn-dco):

--- snip ---
syslog openvpn-udp
proto udp6
management 127.0.0.1 7505
status /var/log/openvpn-udp-status.log
dev tun0
user openvpn
group openvpn
mssfix 1350
topology subnet
mode server
tls-server
push "topology subnet"
ifconfig-pool 172.29.0.2 172.29.7.254 255.255.248.0
push "route-gateway 172.29.0.1"
port 1194
duplicate-cn

## Crypto stuff
ca /etc/openvpn/certs/ca.crt
key /etc/openvpn/certs/openvpn.charite.de.key
cert /etc/openvpn/certs/openvpn.charite.de.crt
crl-verify /etc/openvpn/certs/crl.pem
dh /etc/openvpn/certs/dhparam.pem
tls-auth /etc/openvpn/certs/ta.key 0
remote-cert-eku "TLS Web Client Authentication"
tls-version-min 1.2
cipher AES-256-GCM
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256

auth-user-pass-verify /opt/openvpn/scripts/openVPN-authenticate via-env
client-connect /opt/openvpn/scripts/openVPN-clientConnect
learn-address /opt/openvpn/scripts/openVPN-learnAddress
tls-verify /opt/openvpn/scripts/openVPN-tlsverify.sh
script-security 3

push "dhcp-option DNS 141.42.1.1"
push "dhcp-option DOMAIN charite.de"

keepalive 10 30
persist-key
persist-tun
verb 3
reneg-sec 86400
mute-replay-warnings
fast-io

# New RHI 18.01.2019
txqueuelen 10000
hand-window 15

allow-compression no
--- snip ---

So we clearly set "allow-compression" to "no". And no other compression is active (I think).

On the client side of things:

=============================
2023-01-18 17:16:35 OpenVPN 2.6_rc2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2023-01-18 17:16:35 library versions: OpenSSL 3.0.5 5 Jul 2022, LZO 2.10
2023-01-18 17:16:35 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-01-18 17:16:35 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-01-18 17:16:35 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-01-18 17:16:35 TCP/UDP: Preserving recently used remote address: [AF_INET]193.175.73.170:1194
2023-01-18 17:16:35 Socket Buffers: R=[212992->212992] S=[212992->212992]
2023-01-18 17:16:35 UDPv4 link local: (not bound)
2023-01-18 17:16:35 UDPv4 link remote: [AF_INET]193.175.73.170:1194
2023-01-18 17:16:35 TLS: Initial packet from [AF_INET]193.175.73.170:1194, sid=11c0291f de7a5bdd
2023-01-18 17:16:35 VERIFY OK: depth=1, C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, CN=Charite-VPN CA, name=EasyRSA, emailAddress=v...@charite.de
2023-01-18 17:16:35 VERIFY KU OK
2023-01-18 17:16:35 Validating certificate extended key usage
2023-01-18 17:16:35 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-01-18 17:16:35 VERIFY EKU OK
2023-01-18 17:16:35 VERIFY X509NAME OK: C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, CN=openvpn.charite.de, emailAddress=v...@charite.de
2023-01-18 17:16:35 VERIFY OK: depth=0, C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, CN=openvpn.charite.de, emailAddress=v...@charite.de
2023-01-18 17:16:36 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-01-18 17:16:36 [openvpn.charite.de] Peer Connection Initiated with [AF_INET]193.175.73.170:1194
2023-01-18 17:16:36 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-01-18 17:16:36 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-01-18 17:16:37 SENT CONTROL [openvpn.charite.de]: 'PUSH_REQUEST' (status=1)
2023-01-18 17:16:37 AUTH: Received control message: AUTH_FAILED
2023-01-18 17:16:37 SIGTERM received, sending exit notification to peer
2023-01-18 17:16:37 Attempting to send data packet while data channel offload is in use. Dropping packet
2023-01-18 17:16:38 SIGTERM[soft,exit-with-notification] received, process exiting
=============================

With this config (I modprobed ovpn-dco):

--- snip ---
client
dev tun
nobind
proto udp
remote openvpn-gw170-ext.charite.de
port 1194
explicit-exit-notify
cipher AES-256-GCM
data-ciphers AES-256-GCM
auth SHA256
remote-cert-tls server
verify-x509-name "C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, CN=openvpn.charite.de, emailAddress=v...@charite.de" subject
remote-cert-eku "TLS Web Server Authentication"
persist-key
persist-tun
verb 3
reneg-sec 0
auth-user-pass
up
auth-nocache
script-security 2
mute-replay-warnings
tls-auth ta.key 1
ca ca.crt
remote-random
key hildeb.key
cert hildeb.crt
allow-compression no
--- snip ---

So what's wrong here?

--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155
ralf.hildebra...@charite.de
https://www.charite.de

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
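As an added example (not part of Ralf's post and not OpenVPN's own code), a small Python parser that groups the server's syslog lines by peer and reports, per session, which option the server blamed for disabling data channel offload, which client-specific options file it had just imported, and whether the client was then rejected. The sample log is a constructed, condensed copy of the server lines quoted above; the regular expressions assume the "tag[pid]: [cn/]addr:port message" layout shown there.

```python
import re
from collections import defaultdict
# Constructed sample, condensed from the server-side syslog lines quoted in the post.
SAMPLE_LOG = """\
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 peer info: IV_VER=2.6_rc2
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 peer info: IV_CIPHERS=AES-256-GCM
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 peer info: IV_COMP_STUB=1
Jan 18 17:16:36 localhost openvpn-udp[50313]: 10.31.123.139:39440 [hildeb] Peer Connection Initiated with [AF_INET6]::ffff:10.31.123.139:39440
Jan 18 17:16:36 localhost openvpn-udp[50313]: hildeb/10.31.123.139:39440 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_59804ac825fbf6a474bade0a88233ff0.tmp
Jan 18 17:16:36 localhost openvpn-udp[50313]: hildeb/10.31.123.139:39440 Note: '--allow-compression' is not set to 'no', disabling data channel offload.
Jan 18 17:16:36 localhost openvpn-udp[50313]: hildeb/10.31.123.139:39440 MULTI: client has been rejected due to incompatible DCO options
Jan 18 17:16:37 localhost openvpn-udp[50313]: hildeb/10.31.123.139:39440 SENT CONTROL [hildeb]: 'AUTH_FAILED' (status=1)
"""
# Layout assumed from the quoted log: "<tag>[pid]: [cn/]addr:port <message>".
LINE_RE = re.compile(r"openvpn-\w+\[\d+\]: (?:(?P<cn>[^/\s]+)/)?(?P<peer>\S+:\d+) (?P<msg>.*)$")
PEER_INFO_RE = re.compile(r"peer info: (?P<key>IV_\w+)=(?P<val>.*)")
INIT_RE = re.compile(r"\[(?P<cn>[^\]]+)\] Peer Connection Initiated")
CCD_RE = re.compile(r"OPTIONS IMPORT: reading client specific options from: (?P<path>\S+)")
DCO_OFF_RE = re.compile(r"Note: '--(?P<opt>[\w-]+)' is not set to '(?P<want>[^']+)', disabling data channel offload")

def parse_sessions(log_text):
    """Group server log lines by peer address:port and record what happened to DCO."""
    sessions = defaultdict(lambda: {"cn": None, "peer_info": {}, "client_options": None,
                                    "dco_disabled_by": None, "dco_rejected": False, "auth_failed": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # lines without a peer prefix (e.g. the client-connect script's own output)
        s, msg = sessions[m["peer"]], m["msg"]
        if m["cn"]:
            s["cn"] = m["cn"]
        if pm := PEER_INFO_RE.search(msg):
            s["peer_info"][pm["key"]] = pm["val"]        # IV_* values the client announced
        elif im := INIT_RE.search(msg):
            s["cn"] = im["cn"]
        elif cm := CCD_RE.search(msg):
            s["client_options"] = cm["path"]             # per-client options applied after the handshake
        elif dm := DCO_OFF_RE.search(msg):
            s["dco_disabled_by"] = (dm["opt"], dm["want"])  # option the server blamed, and the value it wants
        elif "rejected due to incompatible DCO options" in msg:
            s["dco_rejected"] = True
        elif "'AUTH_FAILED'" in msg:
            s["auth_failed"] = True
    return dict(sessions)

def dco_rejections(log_text):
    """(peer, cn, blamed option, required value, client-options file) for every DCO rejection."""
    return [(peer, s["cn"], *(s["dco_disabled_by"] or (None, None)), s["client_options"])
            for peer, s in parse_sessions(log_text).items() if s["dco_rejected"]]
```

Running it over a full server log lets you see at a glance whether the DCO note always follows an OPTIONS IMPORT for the same peer, which is the sequence visible in the post.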