I have a working OpenVPN connection in pfSense that I set up using the awesome setup guide, as well as a WireGuard connection. I am currently using WireGuard for performance reasons, but I'd like to utilize OpenVPN with Data Channel Offload, which is new in the recent 22.05 release. As I understand it, all you need to do is tick the 'Enable Data Channel Offload (DCO) for this instance' box and it should work, but when I enable it my connection stops working. I will see a session listed on the website, but no data is flowing. If anyone has gotten this working I'd appreciate any advice.

2 hours ago, OpenSourcerer said:

Logs.

Sure, OpenVPN logs from pfSense:
Jul 9 08:02:55 	openvpn 	53514 	SIGUSR1[soft,server_poll] received, process restarting
Jul 9 08:02:55 	openvpn 	53514 	Server poll timeout, restarting
Jul 9 08:02:45 	openvpn 	53514 	UDPv4 link remote: [AF_INET]184.75.221.197:443
Jul 9 08:02:45 	openvpn 	53514 	UDPv4 link local (bound): [AF_INET]x.x.x.x:0
Jul 9 08:02:45 	openvpn 	53514 	Socket Buffers: R=[42080->42080] S=[57344->57344]
Jul 9 08:02:45 	openvpn 	53514 	TCP/UDP: Preserving recently used remote address: [AF_INET]184.75.221.197:443
Jul 9 08:02:41 	openvpn 	9902 	Initialization Sequence Completed
Jul 9 08:02:41 	openvpn 	9902 	OPTIONS IMPORT: data channel crypto options modified
Jul 9 08:02:41 	openvpn 	9902 	OPTIONS IMPORT: peer-id set
Jul 9 08:02:41 	openvpn 	9902 	OPTIONS IMPORT: route-related options modified
Jul 9 08:02:41 	openvpn 	9902 	OPTIONS IMPORT: --ifconfig/up options modified
Jul 9 08:02:41 	openvpn 	9902 	OPTIONS IMPORT: compression parms modified
Jul 9 08:02:41 	openvpn 	9902 	OPTIONS IMPORT: timers and/or timeouts modified
Jul 9 08:02:41 	openvpn 	9902 	/usr/local/sbin/ovpn-linkup ovpnc3 1500 0 10.31.98.67 255.255.255.0 init
Jul 9 08:02:41 	openvpn 	9902 	/sbin/route add -net 10.31.98.0 10.31.98.1 255.255.255.0
Jul 9 08:02:41 	openvpn 	9902 	/sbin/ifconfig ovpnc3 10.31.98.67 10.31.98.1 mtu 1500 netmask 255.255.255.0 up
Jul 9 08:02:41 	openvpn 	9902 	TUN/TAP device /dev/tun3 opened
Jul 9 08:02:41 	openvpn 	9902 	Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Jul 9 08:02:41 	openvpn 	9902 	Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Jul 9 08:02:41 	openvpn 	9902 	PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.31.98.1,route-gateway 10.31.98.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.31.98.67 255.255.255.0,peer-id 4,cipher AES-256-GCM'
Jul 9 08:02:41 	openvpn 	9902 	SENT CONTROL [Tejat]: 'PUSH_REQUEST' (status=1)
Jul 9 08:02:40 	openvpn 	9902 	[Tejat] Peer Connection Initiated with [AF_INET]184.75.221.197:443
Jul 9 08:02:40 	openvpn 	9902 	Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 4096 bit RSA, signature: RSA-SHA512
Jul 9 08:02:40 	openvpn 	9902 	WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Jul 9 08:02:40 	openvpn 	9902 	WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA512'
Jul 9 08:02:40 	openvpn 	9902 	WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1602'
Jul 9 08:02:40 	openvpn 	53514 	Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 9 08:02:40 	openvpn 	53514 	Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Jul 9 08:02:40 	openvpn 	53514 	Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 9 08:02:40 	openvpn 	53514 	Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Jul 9 08:02:40 	openvpn 	53514 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 9 08:02:40 	openvpn 	53514 	SIGUSR1[soft,server_poll] received, process restarting
Jul 9 08:02:40 	openvpn 	53514 	Server poll timeout, restarting
Jul 9 08:02:40 	openvpn 	9902 	VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=Tejat, emailAddress=info@airvpn.org
Jul 9 08:02:40 	openvpn 	9902 	VERIFY EKU OK
Jul 9 08:02:40 	openvpn 	9902 	++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jul 9 08:02:40 	openvpn 	9902 	Validating certificate extended key usage
Jul 9 08:02:40 	openvpn 	9902 	VERIFY KU OK
Jul 9 08:02:40 	openvpn 	9902 	VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Jul 9 08:02:40 	openvpn 	9902 	VERIFY WARNING: depth=1, unable to get certificate CRL: C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Jul 9 08:02:40 	openvpn 	9902 	VERIFY WARNING: depth=0, unable to get certificate CRL: C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=Tejat, emailAddress=info@airvpn.org
Jul 9 08:02:40 	openvpn 	9902 	TLS: Initial packet from [AF_INET]184.75.221.197:443, sid=127fe5b2 f3ded40c
Jul 9 08:02:40 	openvpn 	9902 	UDPv4 link remote: [AF_INET]184.75.221.197:443
Jul 9 08:02:40 	openvpn 	9902 	UDPv4 link local (bound): [AF_INET]x.x.x.x:0
Jul 9 08:02:40 	openvpn 	9902 	Socket Buffers: R=[42080->42080] S=[57344->57344]
Jul 9 08:02:40 	openvpn 	9902 	TCP/UDP: Preserving recently used remote address: [AF_INET]184.75.221.197:443
Jul 9 08:02:40 	openvpn 	9902 	Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 9 08:02:40 	openvpn 	9902 	Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Jul 9 08:02:40 	openvpn 	9902 	Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 9 08:02:40 	openvpn 	9902 	Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Jul 9 08:02:40 	openvpn 	9902 	WARNING: experimental option --capath /var/etc/openvpn/client3/ca
Jul 9 08:02:40 	openvpn 	9902 	Initializing OpenSSL support for engine 'rdrand'
Jul 9 08:02:40 	openvpn 	9902 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 9 08:02:40 	openvpn 	9902 	mlockall call succeeded
Jul 9 08:02:40 	openvpn 	9902 	mlock: MEMLOCK limit: soft=131072 KB, hard=131072 KB
Jul 9 08:02:40 	openvpn 	9902 	MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client3/sock
Jul 9 08:02:40 	openvpn 	9846 	library versions: OpenSSL 1.1.1n-freebsd 15 Mar 2022, LZO 2.10
Jul 9 08:02:40 	openvpn 	9846 	OpenVPN 2.6_git amd64-portbld-freebsd12.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] [DCO] built on Jun 4 2022 

Some hopefully relevant documentation I've stumbled upon, especially the limitations part, which I'm thinking might require toggling a setting or two:
https://github.com/OpenVPN/ovpn-dco
https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/dco.html
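A quick way to pull the DCO-relevant facts out of a log like the one above is to parse it rather than eyeball it. The script below is an added example, not code from the original post, pfSense or OpenVPN. It embeds a constructed subset of the posted log lines (whitespace normalized, same newest-first order pfSense prints) and reports whether the binary was built with DCO, what the server pushed, which pushed options the client refused to apply, and which PID reached "Initialization Sequence Completed" versus which one keeps restarting on "Server poll timeout". The set of AEAD ciphers it checks the negotiated data cipher against is an assumption taken from the ovpn-dco project documentation linked in the post, not something the log itself states.

```python
"""Triage helper for a pfSense OpenVPN client log such as the one posted above.

Added example, not code from the original post, pfSense or OpenVPN. It parses
pfSense-style lines ("Mon D HH:MM:SS  openvpn  PID  message") and summarizes
the facts that matter when DCO is toggled on.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the log lines from the post, in the same
# newest-first order pfSense prints them, with whitespace normalized.
SAMPLE_LOG = """\
Jul 9 08:02:55 openvpn 53514 SIGUSR1[soft,server_poll] received, process restarting
Jul 9 08:02:55 openvpn 53514 Server poll timeout, restarting
Jul 9 08:02:41 openvpn 9902 Initialization Sequence Completed
Jul 9 08:02:41 openvpn 9902 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Jul 9 08:02:41 openvpn 9902 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Jul 9 08:02:41 openvpn 9902 PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.31.98.1,route-gateway 10.31.98.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.31.98.67 255.255.255.0,peer-id 4,cipher AES-256-GCM'
Jul 9 08:02:40 openvpn 9902 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Jul 9 08:02:40 openvpn 53514 SIGUSR1[soft,server_poll] received, process restarting
Jul 9 08:02:40 openvpn 53514 Server poll timeout, restarting
Jul 9 08:02:40 openvpn 9846 OpenVPN 2.6_git amd64-portbld-freebsd12.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] [DCO] built on Jun 4 2022
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+openvpn\s+(?P<pid>\d+)\s+(?P<msg>.*)$"
)
REJECTED_RE = re.compile(
    r"Options error: option '([^']+)' cannot be used in this context \(\[PUSH-OPTIONS\]\)"
)
# Assumption (from the ovpn-dco project docs, not from the post): DCO only
# offloads AEAD data-channel ciphers, so anything else would fall back or fail.
DCO_AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}


@dataclass
class Entry:
    ts: str
    pid: int
    msg: str


def parse_log(text: str) -> list[Entry]:
    """Keep only lines that look like pfSense openvpn log lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["ts"], int(m["pid"]), m["msg"].strip()))
    return entries


def dco_built_in(entries: list[Entry]):
    """True/False from the version banner, None if no banner was logged."""
    for e in entries:
        if e.msg.startswith("OpenVPN ") and "built on" in e.msg:
            return "[DCO]" in e.msg
    return None


def pushed_options(entries: list[Entry]) -> dict[str, str]:
    """Split the PUSH_REPLY into {option: arguments}; empty if none was logged."""
    for e in entries:
        m = re.search(r"PUSH_REPLY,(.*)'$", e.msg)
        if m:
            opts = {}
            for item in m.group(1).split(","):
                name, _, args = item.strip().partition(" ")
                opts[name] = args
            return opts
    return {}


def rejected_pushed_options(entries: list[Entry]) -> list[str]:
    """Pushed options the client logged as unusable in the PUSH-OPTIONS context."""
    found = {m.group(1) for e in entries if (m := REJECTED_RE.search(e.msg))}
    return sorted(found)


def triage(text: str) -> dict:
    """One dict of findings, keyed by what a practitioner would check first."""
    entries = parse_log(text)
    pushed = pushed_options(entries)
    cipher = pushed.get("cipher", "")
    return {
        "dco_built_in": dco_built_in(entries),
        "pushed": pushed,
        "rejected": rejected_pushed_options(entries),
        "data_cipher": cipher,
        "data_cipher_is_aead": cipher.upper() in DCO_AEAD_CIPHERS,
        "compression_pushed_off": pushed.get("comp-lzo") == "no",
        "server_poll_timeouts": sum(e.msg.startswith("Server poll timeout") for e in entries),
        "completed_pids": {e.pid for e in entries if e.msg == "Initialization Sequence Completed"},
        "restarting_pids": {e.pid for e in entries if "process restarting" in e.msg},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

It deliberately groups by PID rather than reading the log top to bottom, because the posted log interleaves three PIDs and it is the per-PID view that separates the process that finished negotiating (and then refused the pushed 'dhcp-option' and 'redirect-gateway') from the one that keeps restarting on the poll timeout. Paste the full log into `SAMPLE_LOG`, or feed a file's contents to `triage()`, to run it against a different capture.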


It's only supported on OpenVPN 2.6.0 which is not released yet, and is not in use by AirVPN.

Says under limitations on the second link you posted:

  • DCO support is only present in OpenVPN 2.6.0 which is still in development.


In addition to that, the logs outline a server poll timeout, possibly hinting at something the client tries to negotiate which the server doesn't support.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.


If you have fifechan compiled, it looks like it isn't set up within your PATH correctly.

Kili

Edit: What tutorial are you talking about?


There's a Redmine issue described on the pfSense forums that I was reading last night; TL;DR, it will require a patch/update to resolve the issue.
