OpenVPN / openvpn-dev-openwrt

OpenVPN development package feed

Add additional configuration information #1

Closed feckert closed 1 year ago

feckert commented 1 year ago

I included the repository and was able to successfully build the ovpn-dco-dev and openvpn-dco-dev packages. Unfortunately, the documentation is a bit poor. What do I have to configure in /etc/config/openvpn so that this works? I am not an OpenVPN expert. If I am using this configuration with openvpn dco disabled, my VPN does work as expected with the following configuration and OpenVPN versions. But it does not work with dco enabled on the client.

Info: If I add disable_dco to openvpn.options and write this option into the client config in /etc/config/openvpn, then the VPN tunnel starts without dco and so works as expected.

Client configuration for openvpn with dco (OpenVPN version openvpn-dco-dev-2.6.git-036517d5e06, OpenWRT branch openwrt-21.02):

config openvpn 'client'
        option enabled '1'
        option dev 'tun1'
        option ifconfig '10.0.0.2 10.0.0.1'
        option secret '/etc/upload/shared-secret.key'
        option keepalive '10 600'
        option verb '3'
        option log '/tmp/openvpn.log'
        option route '192.168.151.0 255.255.255.0'
        option nobind '1'
        option remote '172.16.2.211 1194'
        list data_ciphers 'AES-256-GCM'
#        option disable_dco '1'

Server configuration for openvpn without dco (OpenVPN version 2.5.3, OpenWRT branch openwrt-21.02):

config openvpn 'server'
        option enabled '1'
        option dev 'tun1'
        option ifconfig '10.0.0.1 10.0.0.2'
        option secret '/etc/upload/shared-secret.key'
        option keepalive '10 60'
        option verb '3'
        option log '/tmp/openvpn.log'
        list route '192.168.0.0 255.255.255.0'
        list data_ciphers 'AES-256-GCM'

As I understand it, the connection to the server is established. But I can't get any data through it. I see the following messages in logs:

Kernel log from OpenVPN (client) with dco enabled:

Tue Nov  8 14:40:39 2022 kern.debug kernel: [12771.581800] tun1 (uninitialized): ovpn_newlink: setting device (tun1) mode: 0
Tue Nov  8 14:40:39 2022 kern.debug kernel: [12771.590230] tun1: ovpn_netlink_register_packet: registering userspace at 2403367519
Tue Nov  8 14:40:39 2022 kern.debug kernel: [12771.599284] tun1: no peer to send data to
Tue Nov  8 14:40:39 2022 kern.debug kernel: [12771.606857] tun1: no peer to send data to
Tue Nov  8 14:40:39 2022 kern.debug kernel: [12772.234760] tun1: no peer to send data to
Tue Nov  8 14:40:39 2022 kern.debug kernel: [12772.490757] tun1: no peer to send data to

OpenVPN log from OpenVPN (client) with dco enabled:

2022-11-08 13:49:30 Attempting to send data packet while data channel offload is in use. Dropping packet
2022-11-08 13:49:40 Attempting to send data packet while data channel offload is in use. Dropping packet
2022-11-08 13:49:50 Attempting to send data packet while data channel offload is in use. Dropping packet
2022-11-08 13:50:00 Attempting to send data packet while data channel offload is in use. Dropping packet
2022-11-08 13:50:10 Attempting to send data packet while data channel offload is in use. Dropping packet
2022-11-08 13:50:20 Attempting to send data packet while data channel offload is in use. Dropping packet
2022-11-08 13:50:31 Attempting to send data packet while data channel offload is in use. Dropping packet
2022-11-08 13:50:41 Attempting to send data packet while data channel offload is in use. Dropping packet
2022-11-08 13:50:51 Attempting to send data packet while data channel offload is in use. Dropping packet
2022-11-08 13:51:01 Attempting to send data packet while data channel offload is in use. Dropping packet
2022-11-08 13:51:11 Attempting to send data packet while data channel offload is in use. Dropping packet

What have I not understood or what am I doing wrong or where do I still have to adjust something?

ordex commented 1 year ago

Hi @feckert and thanks a lot for reporting this issue! This dev feed has been used mostly by a few people, therefore there might still be glitches around. Regarding the configuration, it just assumes the same syntax as the standard OpenVPN package.

Regarding this log:

OpenVPN log from OpenVPN (client) with dco enabled:

2022-11-08 13:49:30 Attempting to send data packet while data channel offload is in use. Dropping packet
2022-11-08 13:49:40 Attempting to send data packet while data channel offload is in use. Dropping packet
2022-11-08 13:49:50 Attempting to send data packet while data channel offload is in use. Dropping packet
2022-11-08 13:50:00 Attempting to send data packet while data channel offload is in use. Dropping packet
2022-11-08 13:50:10 Attempting to send data packet while data channel offload is in use. Dropping packet
2022-11-08 13:50:20 Attempting to send data packet while data channel offload is in use. Dropping packet
2022-11-08 13:50:31 Attempting to send data packet while data channel offload is in use. Dropping packet
2022-11-08 13:50:41 Attempting to send data packet while data channel offload is in use. Dropping packet
2022-11-08 13:50:51 Attempting to send data packet while data channel offload is in use. Dropping packet
2022-11-08 13:51:01 Attempting to send data packet while data channel offload is in use. Dropping packet
2022-11-08 13:51:11 Attempting to send data packet while data channel offload is in use. Dropping packet

this is definitely interesting...something is off. I am not sure I am able to replicate this behaviour. Can you please paste the full log with "verb 4"? We may be able to see what went wrong during the setup.

feckert commented 1 year ago

After trying it back and forth, I have now managed to get it to use dco. These are my configurations. It only works if I am using certs. The tunnel is using AES-256-GCM. Syslog output (client):

Wed Nov  9 12:10:33 2022 kern.debug kernel: [ 1892.081119] tun0: ovpn_netlink_new_peer: adding peer with endpoint=172.16.2.211:1194/UDP id=0 VPN-IPv4=0.0.0.0 VPN-IPv6=::
Wed Nov  9 12:10:33 2022 kern.debug kernel: [ 1892.114618] ********* Cipher gcm(aes) (encrypt)
Wed Nov  9 12:10:33 2022 kern.debug kernel: [ 1892.114638] *** IV size=12
Wed Nov  9 12:10:33 2022 kern.debug kernel: [ 1892.114647] *** req size=412
Wed Nov  9 12:10:33 2022 kern.debug kernel: [ 1892.114654] *** block size=1
Wed Nov  9 12:10:33 2022 kern.debug kernel: [ 1892.114661] *** auth size=16
Wed Nov  9 12:10:33 2022 kern.debug kernel: [ 1892.114668] *** alignmask=0x0
Wed Nov  9 12:10:33 2022 kern.debug kernel: [ 1892.114794] ********* Cipher gcm(aes) (decrypt)
Wed Nov  9 12:10:33 2022 kern.debug kernel: [ 1892.114807] *** IV size=12
Wed Nov  9 12:10:33 2022 kern.debug kernel: [ 1892.114815] *** req size=412
Wed Nov  9 12:10:33 2022 kern.debug kernel: [ 1892.114822] *** block size=1
Wed Nov  9 12:10:33 2022 kern.debug kernel: [ 1892.114828] *** auth size=16
Wed Nov  9 12:10:33 2022 kern.debug kernel: [ 1892.114834] *** alignmask=0x0
Wed Nov  9 12:10:33 2022 kern.debug kernel: [ 1892.115007] tun0: ovpn_netlink_new_key: new key installed (id=0) for peer 0
Wed Nov  9 12:10:33 2022 kern.debug kernel: [ 1892.134581] tun0: ovpn_peer_keepalive_set: scheduling keepalive for peer 0: 

Server OpenVPN config:

config openvpn 'routed_vpn'
        option enabled '1'
        option verb '3'
        option proto 'udp'
        option port '1194'
        option dev 'tun0'
        option log '/tmp/openvpn.log'
        option server '10.0.0.0 255.255.255.0'
        list push 'route 192.168.151.0 255.255.255.0'
        option ca '/etc/openvpn/certs/ca-root.pem'
        option cert '/etc/openvpn/certs/server.pem'
        option key '/etc/openvpn/certs/server.key'
        option dh '/etc/openvpn/certs/dh.pem'

Client OpenVPN config:

config openvpn 'client'
        option enabled '1'
        option dev 'tun0'
        option proto 'udp'
        option ca '/etc/openvpn/certs/ca-root.pem'
        option key '/etc/openvpn/certs/client.key'
        option cert '/etc/openvpn/certs/client.pem'
        option client '1'
        option remote '172.16.2.211 1194'
        option keepalive '10 1200'
        option nobind '1'
        option ns_cert_type 'server'
        option verb '3'
        option log '/tmp/openvpn.log'
#       option disable_dco '1'

I have now started an iperf3 between the server and the client. This is not forwarded traffic, but locally generated traffic with iperf3. Output of iperf3 on the server without dco and with AES-256-GCM cipher:

Accepted connection from 10.0.0.6, port 37564
[  5] local 10.0.0.1 port 5201 connected to 10.0.0.6 port 37572
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec   391 KBytes  3.20 Mbits/sec    0   44.8 KBytes
[  5]   1.00-2.00   sec   269 KBytes  2.20 Mbits/sec    2   36.9 KBytes
[  5]   2.00-3.00   sec   424 KBytes  3.48 Mbits/sec    7   32.9 KBytes
[  5]   3.00-4.00   sec   773 KBytes  6.34 Mbits/sec    0   47.4 KBytes
[  5]   4.00-5.00   sec   610 KBytes  5.00 Mbits/sec    0   55.3 KBytes
[  5]   5.00-6.00   sec   570 KBytes  4.67 Mbits/sec    0   63.2 KBytes
[  5]   6.00-7.00   sec   663 KBytes  5.43 Mbits/sec    0   69.8 KBytes
[  5]   7.00-8.00   sec   537 KBytes  4.40 Mbits/sec    0   75.1 KBytes
[  5]   8.00-9.00   sec   569 KBytes  4.66 Mbits/sec    5   60.6 KBytes
[  5]   9.00-10.00  sec   632 KBytes  5.18 Mbits/sec    0   72.5 KBytes
[  5]  10.00-10.14  sec   126 KBytes  7.34 Mbits/sec    0   73.8 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.14  sec  5.44 MBytes  4.50 Mbits/sec   14             sender

Output of iperf3 on the server with dco enabled on the client and with AES-256-GCM cipher:

Accepted connection from 10.0.0.6, port 33592
[  5] local 10.0.0.1 port 5201 connected to 10.0.0.6 port 33600
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  1.41 MBytes  11.8 Mbits/sec    0   84.3 KBytes
[  5]   1.00-2.00   sec  1.24 MBytes  10.4 Mbits/sec    0    140 KBytes
[  5]   2.00-3.00   sec  1.05 MBytes  8.81 Mbits/sec    0    192 KBytes
[  5]   3.00-4.00   sec  1.36 MBytes  11.4 Mbits/sec    0    248 KBytes
[  5]   4.00-5.00   sec  1012 KBytes  8.29 Mbits/sec    0    300 KBytes
[  5]   5.00-6.00   sec  1.17 MBytes  9.84 Mbits/sec    0    350 KBytes
[  5]   6.00-7.00   sec  1.36 MBytes  11.4 Mbits/sec    0    402 KBytes
[  5]   7.00-8.00   sec  1012 KBytes  8.29 Mbits/sec    0    454 KBytes
[  5]   8.00-9.00   sec  1.11 MBytes  9.32 Mbits/sec    0    482 KBytes
[  5]   9.00-10.00  sec  1.11 MBytes  9.33 Mbits/sec    0    482 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.02  sec  11.8 MBytes  9.86 Mbits/sec    0             sender

To get even better performance out of my router with OpenVPN (arch: mips_24kc name: lantiq_xrx200) I wanted to try CHACHA20_POLY1305. But unfortunately this does not work. Maybe you have a hint how I have to adjust the configuration. It also seems to me that dco only works with a certificate setup.

ordex commented 1 year ago

Hi, DCO works with certificates, but also with any other authentication methods. Which method were you using before? Without seeing the full client log I am unable to give you any advice.

When you say that with chachapoly "it does not work", what do you mean exactly? Nothing works? Or does OpenVPN still go to AES-GCM?

Thanks!

cron2 commented 1 year ago

Hi,

On Wed, Nov 09, 2022 at 04:32:49AM -0800, Antonio Quartulli wrote:

Hi, DCO works with certificates, but also with any other authentication methods. Which method were you using before? Without seeing the full client log I am unable to give you any advice.

You need to have TLS, not --secret tunnels. I think that's "using certs".

When you say that with chachapoly "it does not work", what do you mean exactly? Nothing works? Or does OpenVPN still go to AES-GCM?

Maybe this is just a question on "how to make it".

It should be sufficient to add "data-ciphers CHACHA20-POLY1305" to the client config...

gert

-- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany @.***

ordex commented 1 year ago

Oh, @cron2 is obviously right :) Your original config was using --secret, which is discouraged in any case and not supported by DCO. However, OpenVPN should still work, but should also disable DCO automatically (the log should say something about it).

And yes, the option you need to tweak the cipher is "data-ciphers".

feckert commented 1 year ago

Thank you for looking at this. Attached is the requested openvpn.log from the server with server start and client connection attempt, and the openvpn.log from the client connection attempt. I have also added the kernel.log from the client.

Server uci config for CHACHA20-POLY1305:

config openvpn 'server'
        option enabled '1'
        option verb '3'
        option proto 'udp'
        option port '1194'
        option dev 'tun0'
        option log '/tmp/openvpn.log'
        option server '10.0.0.0 255.255.255.0'
        list push 'route 192.168.151.0 255.255.255.0'
        option ca '/etc/openvpn/certs/ca-root.pem'
        option cert '/etc/openvpn/certs/server.pem'
        option key '/etc/openvpn/certs/server.key'
        option dh '/etc/openvpn/certs/dh.pem'
        list data_ciphers 'CHACHA20-POLY1305'
        option data_ciphers_fallback 'CHACHA20-POLY1305'
        option auth 'none'
        option ncp_disable '1'
        option fast_io '1'

Server OpenVPN-Log (server start && client connect):

2022-11-09 15:39:57 WARNING: --topology net30 support for server configs with IPv4 pools will be removed in a future release. Please migrate to --topology subnet as soon as possible.
2022-11-09 15:39:57 OpenVPN 2.5.3 x86_64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2022-11-09 15:39:57 library versions: OpenSSL 1.1.1q  5 Jul 2022, LZO 2.10
2022-11-09 15:39:57 WARNING: --keepalive option is missing from server config
2022-11-09 15:39:57 net_route_v4_best_gw query: dst 0.0.0.0
2022-11-09 15:39:57 net_route_v4_best_gw result: via 172.16.2.254 dev eth0
2022-11-09 15:39:57 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2022-11-09 15:39:57 Diffie-Hellman initialized with 1024 bit key
2022-11-09 15:39:57 net_route_v4_best_gw query: dst 0.0.0.0
2022-11-09 15:39:57 net_route_v4_best_gw result: via 172.16.2.254 dev eth0
2022-11-09 15:39:57 TUN/TAP device tun0 opened
2022-11-09 15:39:57 net_iface_mtu_set: mtu 1500 for tun0
2022-11-09 15:39:57 net_iface_up: set tun0 up
2022-11-09 15:39:57 net_addr_ptp_v4_add: 10.0.0.1 peer 10.0.0.2 dev tun0
2022-11-09 15:39:57 /usr/libexec/openvpn-hotplug up routed_vpn tun0 1500 1621 10.0.0.1 10.0.0.2 init
2022-11-09 15:39:57 net_route_v4_add: 10.0.0.0/24 via 10.0.0.2 dev [NULL] table 0 metric -1
2022-11-09 15:39:57 Could not determine IPv4/IPv6 protocol. Using AF_INET
2022-11-09 15:39:57 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-11-09 15:39:57 UDPv4 link local (bound): [AF_INET][undef]:1194
2022-11-09 15:39:57 UDPv4 link remote: [AF_UNSPEC]
2022-11-09 15:39:57 MULTI: multi_init called, r=256 v=256
2022-11-09 15:39:57 IFCONFIG POOL IPv4: base=10.0.0.4 size=62
2022-11-09 15:39:57 Initialization Sequence Completed
2022-11-09 15:40:17 172.16.2.173:42435 TLS: Initial packet from [AF_INET]172.16.2.173:42435, sid=15ba990a 676f16e5
2022-11-09 15:40:18 172.16.2.173:42435 VERIFY OK: depth=1, C=DE, ST=landshut, L=landshut, O=tdt, OU=tdt, CN=osedlbauer
2022-11-09 15:40:18 172.16.2.173:42435 VERIFY OK: depth=0, C=DE, ST=Bavaria, L=Landshut, O=TDT, OU=devel, CN=testsystem
2022-11-09 15:40:18 172.16.2.173:42435 peer info: IV_VER=2.6_git
2022-11-09 15:40:18 172.16.2.173:42435 peer info: IV_PLAT=linux
2022-11-09 15:40:18 172.16.2.173:42435 peer info: IV_TCPNL=1
2022-11-09 15:40:18 172.16.2.173:42435 peer info: IV_CIPHERS=CHACHA20-POLY1305
2022-11-09 15:40:18 172.16.2.173:42435 peer info: IV_PROTO=478
2022-11-09 15:40:18 172.16.2.173:42435 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 1024 bit RSA, signature: RSA-SHA256
2022-11-09 15:40:18 172.16.2.173:42435 [testsystem] Peer Connection Initiated with [AF_INET]172.16.2.173:42435
2022-11-09 15:40:18 testsystem/172.16.2.173:42435 MULTI_sva: pool returned IPv4=10.0.0.6, IPv6=(Not enabled)
2022-11-09 15:40:18 testsystem/172.16.2.173:42435 MULTI: Learn: 10.0.0.6 -> testsystem/172.16.2.173:42435
2022-11-09 15:40:18 testsystem/172.16.2.173:42435 MULTI: primary virtual IP for testsystem/172.16.2.173:42435: 10.0.0.6
2022-11-09 15:40:18 testsystem/172.16.2.173:42435 Outgoing Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
2022-11-09 15:40:18 testsystem/172.16.2.173:42435 Incoming Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
2022-11-09 15:40:18 testsystem/172.16.2.173:42435 SENT CONTROL [testsystem]: 'PUSH_REPLY,route 192.168.151.0 255.255.255.0,route 10.0.0.1,topology net30,ifconfig 10.0.0.6 10.0.0.5,peer-id 0,cipher CHACHA20-POLY1305' (status=1)

Client uci config for CHACHA20-POLY1305 with dco:

config openvpn 'client'
        option enabled '1'
        option dev 'tun0'
        option proto 'udp'
        option ca '/etc/openvpn/certs/ca-root.pem'
        option key '/etc/openvpn/certs/client.key'
        option cert '/etc/openvpn/certs/client.pem'
        list data_ciphers 'CHACHA20-POLY1305'
        option data_ciphers_fallback 'CHACHA20-POLY1305'
        option auth 'none'
        option client '1'
        option remote '172.16.2.211 1194'
        option keepalive '10 1200'
        option nobind '1'
        option ns_cert_type 'server'
        option verb '3'
        option log '/tmp/openvpn.log'
#       option disable_dco '1'
        option fast_io '1'

Client OpenVPN-Log (Client start):

2022-11-09 15:40:17 OpenVPN 2.6_git mips-openwrt-linux-gnu [SSL (OpenSSL)] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
2022-11-09 15:40:17 library versions: OpenSSL 1.1.1q  5 Jul 2022
2022-11-09 15:40:17 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2022-11-09 15:40:17 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2022-11-09 15:40:17 TCP/UDP: Preserving recently used remote address: [AF_INET]172.16.2.211:1194
2022-11-09 15:40:17 Socket Buffers: R=[180224->180224] S=[180224->180224]
2022-11-09 15:40:17 UDPv4 link local: (not bound)
2022-11-09 15:40:17 UDPv4 link remote: [AF_INET]172.16.2.211:1194
2022-11-09 15:40:17 TLS: Initial packet from [AF_INET]172.16.2.211:1194, sid=5428ec08 b266fbd3
2022-11-09 15:40:17 VERIFY OK: depth=1, C=DE, ST=landshut, L=landshut, O=tdt, OU=tdt, CN=osedlbauer
2022-11-09 15:40:17 VERIFY OK: depth=0, C=DE, ST=Bavaria, L=Landshut, O=TDT, OU=DEVEL, CN=testsystem
2022-11-09 15:40:18 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2022-11-09 15:40:18 [testsystem] Peer Connection Initiated with [AF_INET]172.16.2.211:1194
2022-11-09 15:40:18 PUSH: Received control message: 'PUSH_REPLY,route 192.168.151.0 255.255.255.0,route 10.0.0.1,topology net30,ifconfig 10.0.0.6 10.0.0.5,peer-id 0,cipher CHACHA20-POLY1305'
2022-11-09 15:40:18 OPTIONS IMPORT: --ifconfig/up options modified
2022-11-09 15:40:18 OPTIONS IMPORT: route options modified
2022-11-09 15:40:18 OPTIONS IMPORT: peer-id set
2022-11-09 15:40:18 OPTIONS IMPORT: data channel crypto options modified
2022-11-09 15:40:18 net_route_v4_best_gw query: dst 0.0.0.0
2022-11-09 15:40:18 net_route_v4_best_gw result: via 192.168.1.2 dev br-wan
2022-11-09 15:40:18 net_iface_new: add tun0 type ovpn-dco
2022-11-09 15:40:18 DCO device tun0 opened
2022-11-09 15:40:18 net_iface_mtu_set: mtu 1500 for tun0
2022-11-09 15:40:18 net_iface_up: set tun0 up
2022-11-09 15:40:18 net_addr_ptp_v4_add: 10.0.0.6 peer 10.0.0.5 dev tun0
2022-11-09 15:40:18 /usr/libexec/openvpn-hotplug up client tun0 1500 0 10.0.0.6 10.0.0.5 init
2022-11-09 15:40:18 net_route_v4_add: 192.168.151.0/24 via 10.0.0.5 dev [NULL] table 0 metric 200
2022-11-09 15:40:18 net_route_v4_add: 10.0.0.1/32 via 10.0.0.5 dev [NULL] table 0 metric 200
2022-11-09 15:40:18 dco_new_key: netlink reports object not found, ovpn-dco unloaded?
2022-11-09 15:40:18 dco_new_key: failed to send netlink message: No such file or directory (-2)
2022-11-09 15:40:18 Impossible to install key material in DCO: No such file or directory
2022-11-09 15:40:18 Exiting due to fatal error
2022-11-09 15:40:18 net_route_v4_del: 192.168.151.0/24 via 10.0.0.5 dev [NULL] table 0 metric 200
2022-11-09 15:40:18 net_route_v4_del: 10.0.0.1/32 via 10.0.0.5 dev [NULL] table 0 metric 200
2022-11-09 15:40:18 Closing DCO interface
2022-11-09 15:40:18 net_addr_ptp_v4_del: 10.0.0.6 dev tun0
2022-11-09 15:40:18 net_iface_del: delete tun0
2022-11-09 15:40:19 /usr/libexec/openvpn-hotplug down client tun0 1500 0 10.0.0.6 10.0.0.5 init

Client Kernel-Log:

Wed Nov  9 15:40:18 2022 kern.debug kernel: [14476.824048] tun0: ovpn_netlink_new_peer: adding peer with endpoint=172.16.2.211:1194/UDP id=0 VPN-IPv4=0.0.0.0 VPN-IPv6=::
Wed Nov  9 15:40:18 2022 kern.info kernel: [14477.136490] ovpn_encrypt_one: error while retrieving primary key slot
Wed Nov  9 15:40:18 2022 kern.info kernel: [14477.520601] ovpn_encrypt_one: error while retrieving primary key slot
Wed Nov  9 15:40:18 2022 kern.err kernel: [14477.538591] encrypt crypto_alloc_aead failed, err=-2
Wed Nov  9 15:40:18 2022 kern.debug kernel: [14477.538622] tun0: ovpn_netlink_new_key: cannot install new key for peer 0
Wed Nov  9 15:40:18 2022 kern.info kernel: [14477.559231] tun0: tun0: deleting peer with id 0, reason 0
Wed Nov  9 15:40:18 2022 daemon.notice netifd: Network device 'tun0' link is down
Wed Nov  9 15:40:18 2022 daemon.notice netifd: Interface 'tun' has link connectivity loss
Wed Nov  9 15:40:18 2022 daemon.notice netifd: Interface 'tun' is now down
Wed Nov  9 15:40:20 2022 daemon.notice netifd: Interface 'tun' is disabled

cron2 commented 1 year ago

Hi,

On Wed, Nov 09, 2022 at 06:46:48AM -0800, Florian Eckert wrote:

2022-11-09 15:40:18 testsystem/172.16.2.173:42435 SENT CONTROL [testsystem]: 'PUSH_REPLY,route 192.168.151.0 255.255.255.0,route 10.0.0.1,topology net30,ifconfig 10.0.0.6 10.0.0.5,peer-id 0,cipher CHACHA20-POLY1305' (status=1)

This means "client and server are happy with your choice of ciphers, and agree to use CHACHA-POLY".

But...

Wed Nov 9 15:40:18 2022 kern.err kernel: [14477.538591] encrypt crypto_alloc_aead failed, err=-2

... that reads like "there is no chacha poly crypto module in kernel".

Reading the kernel Makefiles, it sounds like it should be buildable as a module, resulting in a file "chacha20poly1305.o" - maybe this needs to be installed on the WRT first, or maybe just loaded.

On my ubuntu box I use for DCO testing, chacha20poly1305 is built into the kernel - in /proc/crypto I can find

name         : rfc7539(chacha20,poly1305)
driver       : rfc7539(chacha20-simd,poly1305-simd)
module       : chacha20poly1305
priority     : 300
refcnt       : 1
selftest     : passed
internal     : no
type         : aead

gert

-- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany @.***

ordex commented 1 year ago

The ovpn-dco Makefile in the OpenWRT feed should automatically pull in the right kernel config:

        CONFIG_CRYPTO_CHACHA20POLY1305=y \
        CONFIG_CRYPTO_AES=y

@feckert are you sure you are installing ovpn-dco from the feed? The package name should be "ovpn-dco-dev" and not the "ovpn-dco" package that is already somehow in another OpenWRT feed.

feckert commented 1 year ago

Thanks for your feedback: @cron2 I have the following poly1305 in /proc/crypto

cat /proc/crypto
...
name         : poly1305
driver       : poly1305-mips
module       : poly1305_mips
priority     : 200
refcnt       : 1
selftest     : passed
internal     : no
type         : shash
blocksize    : 16
digestsize   : 16
...

I also have the following poly1305 kernel modules loaded.

root@VR2-103954 ~ # opkg list | grep chacha
kmod-crypto-lib-chacha20 - 5.4.215-1
kmod-crypto-lib-chacha20poly1305 - 5.4.215-1
root@VR2-103954 ~ # opkg files kmod-crypto-lib-chacha20
Package kmod-crypto-lib-chacha20 (5.4.215-1) is installed on root and has the following files:
/lib/modules/5.4.215/chacha-mips.ko
root@VR2-103954 ~ # opkg files kmod-crypto-lib-chacha20poly1305
Package kmod-crypto-lib-chacha20poly1305 (5.4.215-1) is installed on root and has the following files:
/lib/modules/5.4.215/libchacha20poly1305.ko
root@VR2-103954 ~ # lsmod | grep chacha
chacha_mips             5915  1 libchacha20poly1305
libchacha20poly1305     4646  1 wireguard
poly1305_mips           3727  1 libchacha20poly1305

The ovpn-dco module is also loaded.

root@VR2-103954 ~ # opkg list | grep dco
kmod-ovpn-dco-dev - 5.4.215-0.git-d1d53564e17d-2
openvpn-dco-dev-openssl - 2.6.git-036517d5e06c-3
root@VR2-103954 ~ # opkg files kmod-ovpn-dco-dev
Package kmod-ovpn-dco-dev (5.4.215-0.git-d1d53564e17d-2) is installed on root and has the following files:
/etc/modules.d/30-ovpn-dco-dev
/lib/modules/5.4.215/ovpn-dco.ko
root@VR2-103954 ~ # lsmod |grep dco
ip6_udp_tunnel          1850  3 wireguard,l2tp_core,ovpn_dco
ovpn_dco               45977  0
udp_tunnel              2969  3 wireguard,l2tp_core,ovpn_dco

@ordex I have also checked the checksum of the ovpn-dco module. The checksum matches. So this is the correct kernel module.

Buildsystem:

feckert@feckert01 /home/feckert/openwrt/build_dir/target-mips_24kc_musl/linux-lantiq_xrx200/ovpn-dco-dev-0.git-d1d53564e17d: sha256sum ipkg-mips_24kc/kmod-ovpn-dco-dev/lib/modules/5.4.215/ovpn-dco.ko
84b61d95bef72b555f118a31e9936ccae829a7343b410295144c67713c20d57b  ipkg-mips_24kc/kmod-ovpn-dco-dev/lib/modules/5.4.215/ovpn-dco.ko

Client:

root@VR2-103954 /lib/modules/5.4.215 # sha256sum ovpn-dco.ko
84b61d95bef72b555f118a31e9936ccae829a7343b410295144c67713c20d57b  ovpn-dco.ko

cron2 commented 1 year ago

Hi,

On Wed, Nov 09, 2022 at 08:01:06AM -0800, Florian Eckert wrote:

Thanks for your feedback: @cron2 I have the following poly1305 in /proc/crypto


cat /proc/crypto
...
name         : poly1305

That is not the right one - this is "pure poly1305", not chacha-poly.

root@VR2-103954 ~ # opkg files kmod-crypto-lib-chacha20poly1305
Package kmod-crypto-lib-chacha20poly1305 (5.4.215-1) is installed on root and has the following files:
/lib/modules/5.4.215/libchacha20poly1305.ko
root@VR2-103954 ~ # lsmod | grep chacha
chacha_mips             5915  1 libchacha20poly1305
libchacha20poly1305     4646  1 wireguard
poly1305_mips           3727  1 libchacha20poly1305

This looks good. So it should work (and if it works for wireguard, the relevant modules are all there).

No idea then why ovpn-dco is not liking it - deferring to Antonio (and maybe it's something else totally).

gert

-- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany @.***

ordex commented 1 year ago

libchacha20poly1305 is another library implementing a different interface used by wireguard (not part of the traditional crypto API), but it is not the one used by ovpn-dco.

I need to double check my buildroot in order to grasp the exact package/module. Bear with me... I need some time to dig this out as I was not working on OpenWrt in the past days.

ordex commented 1 year ago

So the symbol you are missing in the kernel is CONFIG_CRYPTO_CHACHA20POLY1305. You could enable it manually via "make kernel_menuconfig".

However, it should be selected automatically by the ovpn-dco-dev package. I am investigating why that's not the case...
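As an added example (not from this thread or the feed), the check cron2 and ordex describe above as a script: it parses /proc/crypto-style records and reports whether the ChaCha20-Poly1305 *aead* algorithm (what the kernel crypto API provides when CONFIG_CRYPTO_CHACHA20POLY1305 is built) is registered, rather than only the standalone poly1305 shash or the wireguard-only libchacha20poly1305 module. The two sample records are constructed from the outputs quoted in the thread; pass a real file (default /proc/crypto) to check a router.

```shell
#!/bin/sh
# Added example: detect whether the kernel crypto API exposes the
# ChaCha20-Poly1305 AEAD that ovpn-dco needs for data-ciphers CHACHA20-POLY1305.

# Constructed sample mirroring the failing client: only the poly1305 shash exists.
SAMPLE_MISSING='name         : poly1305
driver       : poly1305-mips
module       : poly1305_mips
priority     : 200
refcnt       : 1
selftest     : passed
internal     : no
type         : shash
blocksize    : 16
digestsize   : 16
'

# Constructed sample mirroring the working Ubuntu box: the AEAD record is present.
SAMPLE_OK="${SAMPLE_MISSING}
name         : rfc7539(chacha20,poly1305)
driver       : rfc7539(chacha20-simd,poly1305-simd)
module       : chacha20poly1305
priority     : 300
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
"

# crypto_records [FILE]: flatten each blank-line-separated /proc/crypto record
# into one line "name;type;selftest" so the algorithm *type* can be matched,
# which is what distinguishes the AEAD from a same-named hash.
crypto_records() {
    awk -F' *: *' '
        /^name/     { name = $2 }
        /^type/     { type = $2 }
        /^selftest/ { st = $2 }
        /^$/        { if (name != "") print name ";" type ";" st; name = type = st = "" }
        END         { if (name != "") print name ";" type ";" st }
    ' "${1:-/proc/crypto}"
}

# has_chachapoly_aead [FILE]: succeed only if an aead record named
# rfc7539(chacha20,poly1305) exists and passed its self-test.
has_chachapoly_aead() {
    crypto_records "$1" | grep -q '^rfc7539(chacha20,poly1305);aead;passed$'
}

# check_dco_chachapoly [FILE]: print a verdict; return 0 if DCO can install
# CHACHA20-POLY1305 keys on this kernel, 1 otherwise.
check_dco_chachapoly() {
    if has_chachapoly_aead "$1"; then
        echo "OK: ChaCha20-Poly1305 AEAD registered; ovpn-dco can use CHACHA20-POLY1305"
        return 0
    fi
    if crypto_records "$1" | grep -q '^poly1305;shash;'; then
        echo "MISSING: only the standalone poly1305 shash is present;" \
             "CONFIG_CRYPTO_CHACHA20POLY1305 is not built into this kernel"
    else
        echo "MISSING: no ChaCha20-Poly1305 algorithm registered"
    fi
    return 1
}
```

With no argument the script inspects the live /proc/crypto; the verdict line mirrors the crypto_alloc_aead err=-2 failure seen in the client kernel log.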

ordex commented 1 year ago

@feckert I just compiled my OpenWRT from scratch and selected ovpn-dco-dev. If I check the .config of the kernel in the build_dir I can see the symbol being selected:

$ grep CONFIG_CRYPTO_CHACHA20POLY1305 build_dir/target-aarch64_generic_musl/linux-rockchip_armv8/linux-5.10.103/.config
CONFIG_CRYPTO_CHACHA20POLY1305=y

Isn't it the case for you as well? Was the kernel rebuilt and reinstalled after adding the feed and compiling ovpn-dco-dev?

feckert commented 1 year ago

My colleague has now tried this in the master branch of OpenWrt. And it worked there. I will now check it out again and compile it. For now I would say the problem is solved, but thanks for your help. And sorry for the noise!