OpenVPN / openvpn

OpenVPN is an open source VPN daemon
http://openvpn.net

dco doesn't load, missing "topology subnet" #342

Open thomasschaeferm opened 1 year ago

thomasschaeferm commented 1 year ago

I use openvpn with IPv6-only (transport and payload). I want to use dco, but it complains about "topology subnet". The whole error message is:

May 25 09:19:17 raspberrypi kernel: OpenVPN data channel offload (ovpn-dco) 0.2.20230426 -- (C) 2020-2023 OpenVPN, Inc.
May 25 09:19:31 raspberrypi openvpn[13706]: Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
May 25 09:19:31 raspberrypi openvpn[13706]: Note: NOT using '--topology subnet' disables data channel offload.
May 25 09:19:31 raspberrypi openvpn[13706]: OpenVPN 2.6.4 armv7l-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
May 25 09:19:31 raspberrypi openvpn[13706]: library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
May 25 09:19:31 raspberrypi openvpn[13706]: DCO version: 0.2.20230426
May 25 09:19:31 raspberrypi openvpn[13707]: net_route_v4_best_gw query: dst 0.0.0.0
May 25 09:19:31 raspberrypi openvpn[13707]: net_route_v4_best_gw result: via 0.0.0.0 dev
May 25 09:19:31 raspberrypi openvpn[13707]: Diffie-Hellman initialized with 2048 bit key
May 25 09:19:32 raspberrypi openvpn[13707]: TUN/TAP device tun0 opened
May 25 09:19:32 raspberrypi openvpn[13707]: net_iface_mtu_set: mtu 1500 for tun0
May 25 09:19:32 raspberrypi openvpn[13707]: net_iface_up: set tun0 up
May 25 09:19:32 raspberrypi openvpn[13707]: net_addr_v6_add: 2001:a61:XXXX:XXXX::1:2/112 dev tun0
May 25 09:19:32 raspberrypi openvpn[13707]: Socket Buffers: R=[131072->131072] S=[16384->16384]
May 25 09:19:32 raspberrypi openvpn[13707]: setsockopt(IPV6_V6ONLY=0)
May 25 09:19:32 raspberrypi openvpn[13707]: Listening for incoming TCP connection on [AF_INET6][undef]:1194
May 25 09:19:32 raspberrypi openvpn[13707]: TCPv6_SERVER link local (bound): [AF_INET6][undef]:1194
May 25 09:19:32 raspberrypi openvpn[13707]: TCPv6_SERVER link remote: [AF_UNSPEC]
May 25 09:19:32 raspberrypi openvpn[13707]: MULTI: multi_init called, r=256 v=256

The topology option should not be necessary for IPv6.

ordex commented 1 year ago

Thanks for reporting - indeed the topology should matter only if an IPv4 was configured.

schwabe commented 1 year ago

Interfaces are configured differently depending on the subnet. I.e. broadcast/multicast flags on the tun interface. How much impact that has needs further investigation.

cron2 commented 1 year ago

So, IPv6 always uses subnets, and never p2p mode. But depending on IPv4 topology, the tun interface might still be in p2p mode, confusing DCO (at least on FreeBSD).

So I think the safest approach here would be "if there is no topology in the config and no IPv4 ifconfig either, then just auto-configure topology subnet". And do not annoy IPv6 people with IPv4 archeology.
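
The following is an added example, not part of any comment in this thread and not OpenVPN's own code. It is a config pre-flight check that models only the topology condition from the log above ("NOT using '--topology subnet' disables data channel offload") and compares it with the rule proposed in the last comment. The function names, the result keys and the sample config are assumptions made for illustration.

```python
import shlex

# Directives that put IPv4 addressing on the tunnel (the IPv6 forms are
# separate directives: ifconfig-ipv6, server-ipv6, ifconfig-ipv6-pool).
IPV4_DIRECTIVES = {"ifconfig", "server", "ifconfig-pool"}

def parse_directives(config_text):
    """Map each directive in an OpenVPN config to its argument list."""
    directives = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # comment or blank line
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            directives[parts[0].lstrip("-")] = parts[1:]
    return directives

def topology_report(config_text):
    """Hypothetical helper: evaluate the topology condition for DCO."""
    d = parse_directives(config_text)
    topology = (d.get("topology") or [None])[0]
    has_ipv4 = any(name in d for name in IPV4_DIRECTIVES)
    # Behaviour shown in the log above: no explicit 'topology subnet' -> no DCO.
    dco_as_logged = topology == "subnet"
    # Rule proposed in the thread: no topology and no IPv4 -> assume subnet.
    auto_subnet = topology is None and not has_ipv4
    return {"topology": topology, "has_ipv4": has_ipv4,
            "dco_as_logged": dco_as_logged,
            "dco_with_proposal": dco_as_logged or auto_subnet}

# Constructed IPv6-only server fragment (2001:db8::/32 is documentation space).
IPV6_ONLY = """
mode server
proto tcp6-server
dev tun
ifconfig-ipv6 2001:db8::1:2/112 2001:db8::1:1
"""

if __name__ == "__main__":
    cases = [("IPv6-only, no topology", IPV6_ONLY),
             ("IPv6-only + topology subnet", IPV6_ONLY + "topology subnet\n"),
             ("IPv4 server, no topology", "server 10.8.0.0 255.255.255.0\n")]
    for label, cfg in cases:
        print(label, topology_report(cfg))
```

The middle case corresponds to what the log note asks for: an explicit `topology subnet` line in the config.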