OpenVPN client instance : process startup fails if "fragment size" option is set #7989
Comments
Thank you for creating an issue. For more information about the policies for this repository, The easiest option to gain traction is to close this ticket and open a new one using one of our templates.
Basically OpenVPN daemon decides to switch from DCO to TUN/TAP fallback due to the feature use which doesn't work if we predefine the interface as DCO.
Thanks for your reply. When you say "the feature use which doesn't work if we predefine the interface as DCO", I guess you mean that the "fragment" option doesn't work with a predefined DCO interface. If that's the case, do you have any idea why? Would that be a configuration mistake I made? Or maybe not yet implemented since DCO is still experimental? Or it should work but we're facing a bug here?
I honestly don't know what the reason here is WRT DCO fragment use. If you switch from DCO to TUN it should work fine in that regard. OpenVPN surely has a reason and we're missing a validation to prevent the misconfiguration (even though the rules here are arcane). Cheers,
Also one of the reasons here is that DCO is implicit unless explicitly disabled or implicitly disabled due to incompatible features. Now the other side might also not use DCO then, and both sides don't even have to agree on DCO as it is compatible with TUN and the other way around.
WRT?
DCO doesn't support fragment: https://community.openvpn.net/openvpn/wiki/DataChannelOffload/Features
Ok, will add a validation for it.
Describe the bug
OpenVPN client instance process on OPNsense 24.7.6-amd64 won't start if "fragment size" option is set when connecting to a valid server.
I didn't try with any previous OPNsense version.
To Reproduce
configure a client instance with these parameters
Make sure the tunnel gets established with a valid server (the issue is not reproducible otherwise). Example of a working OpenVPN 2.6.12-bookworm0 on Debian Bookworm:
/etc/openvpn/ccd/home.acme.com
Check that the tunnel is established and that connectivity through the tunnel is OK
Set "fragment size" to 1220 on both client and server (I read on openvpn forums that they have to be identical on client and server side)
restart openvpn on the client and on the server side
OPNsense client instance won't start; it fails:
Expected behavior
OpenVPN process is started on both the server and client side
Describe alternatives you considered
No alternative:
Relevant log files
/var/log/openvpn/latest.log on the client side
/var/log/openvpn-s2s.log on the server side shows no error
Environment
Software version used and hardware type if relevant, e.g.:
OPNsense 24.7.6-amd64
FreeBSD 14.1-RELEASE-p5
OpenSSL 3.0.15
KVM virtual machine.
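The validation the maintainer says they will add (see the comments above) amounts to refusing to bring up a DCO interface whose config carries an option DCO cannot handle. The following is an added illustration of that check and is not OPNsense or OpenVPN code: it parses the client config text, treats DCO as enabled unless `disable-dco` is present (the implicit-DCO behaviour the maintainer describes), and reports `fragment`, the option the linked DCO feature page lists as unsupported. The `secret` entry (static key mode) is assumed from the OpenVPN 2.6 documentation rather than taken from this page, and the sample config, including the hostname, is constructed.

```python
"""Flag OpenVPN 2.6 options that force a fallback from DCO to tun/tap.

Added illustration of the validation discussed in the issue; not OPNsense
or OpenVPN code. Assumes OpenVPN 2.6 semantics: DCO is implicit unless
'disable-dco' is present in the config.
"""
import re
from typing import Dict, List

# Options OpenVPN will not run on a DCO interface. 'fragment' is the one
# from this issue and the linked DCO feature page; 'secret' (static key
# mode) is assumed from the OpenVPN 2.6 documentation.
DCO_INCOMPATIBLE = {
    "fragment": "fragmentation is not supported by DCO",
    "secret": "static key mode is not supported by DCO (TLS mode required)",
}


def parse_config(text: str) -> Dict[str, List[List[str]]]:
    """Parse 'option arg ...' lines of an OpenVPN config file.

    Inline blocks such as <ca>...</ca> are skipped, comments (# or ;) and
    blank lines ignored. Options may repeat, so each maps to a list of
    argument lists.
    """
    opts: Dict[str, List[List[str]]] = {}
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block is not None:
            if line == f"</{in_block}>":
                in_block = None
            continue
        m = re.fullmatch(r"<([A-Za-z0-9_-]+)>", line)
        if m:
            in_block = m.group(1)
            continue
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def dco_enabled(opts: Dict[str, List[List[str]]]) -> bool:
    """DCO is the default in OpenVPN 2.6 unless explicitly disabled."""
    return "disable-dco" not in opts


def check_dco_conflicts(text: str) -> List[str]:
    """Return one message per option that would make DCO startup fail.

    An empty list means the config is consistent with a DCO interface.
    """
    opts = parse_config(text)
    if not dco_enabled(opts):
        return []
    problems = []
    for name, reason in DCO_INCOMPATIBLE.items():
        if name in opts:
            shown = " ".join([name] + opts[name][0])
            problems.append(f"'{shown}': {reason}")
    return problems


# Constructed client config in the shape of the report: DCO implicit,
# fragment 1220 set on the client side. Hostname and certificate body are
# placeholders, not real data.
SAMPLE_CLIENT_CONFIG = """\
client
dev tun
proto udp
remote home.acme.com 1194
fragment 1220
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTEDNOTAREALCERTIFICATE
-----END CERTIFICATE-----
</ca>
"""

if __name__ == "__main__":
    for msg in check_dco_conflicts(SAMPLE_CLIENT_CONFIG):
        print("DCO conflict:", msg)
    # The same config with DCO explicitly turned off passes validation.
    print(check_dco_conflicts("disable-dco\n" + SAMPLE_CLIENT_CONFIG))
```

The block-skipping in `parse_config` means options placed inside a `<connection>` block are not inspected; a production validator would have to recurse into those blocks, and would also need to model the other implicit-disable cases the maintainer alludes to rather than only the explicit `disable-dco` keyword.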