Closed Dercni closed 2 months ago
For some reason CloudConnexa is not pushing the peer-id and thus the OpenVPN client thinks that it cannot use DATA_V2 format (which is mandatory when using DCO).
I'd suggest to reach out to OpenVPN Inc. through their support platform at https://support.openvpn.net since this is clearly related to their product and not the open source project.
Connexa does not even push --cipher. This is really weird. Do you have a config that you are using, and what data channel ciphers are you allowing?
So after an internal discussion with a colleague it seems that you have data-ciphers AES-256-GCM and therefore the client does not send IV_NCP=2, which Connexa requires. So until Connexa implements modern cipher negotiation you need to have at least AES-128-GCM and AES-256-GCM in the data-ciphers setting (or not use data-ciphers at all; they are in there by default).
Connexa basically behaves like an OpenVPN 2.4 server: https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/cipher-negotiation.rst#openvpn-24-server
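The rule in the comment above (a 2.5+ client only announces IV_NCP=2 when its data-ciphers list contains both AES-128-GCM and AES-256-GCM, so a list of just AES-256-GCM silently falls back to legacy negotiation against a 2.4-style server) is easy to get wrong by hand. The following is an added example written for this thread, not code from the OpenVPN project, OpenVPN Inc. or CloudConnexa. It reads the effective data-ciphers list out of an .ovpn text, decides whether IV_NCP=2 would be sent, and proposes a list that keeps the user's entries but satisfies the rule. Assumptions: the default list used when the directive is absent is the OpenVPN 2.6 default (the thread only confirms that both GCM ciphers are in the default), the deprecated alias ncp-ciphers is treated like data-ciphers, the last occurrence of the directive wins, and cipher names compare case-insensitively. The sample configs are constructed for the example.

```python
"""Which data-ciphers lists make an OpenVPN 2.5+ client announce IV_NCP=2?

Added example for this thread, not code from OpenVPN Inc., CloudConnexa or
the OpenVPN project. It encodes the rule stated in the thread: the client
announces IV_NCP=2 only when --data-ciphers contains both AES-128-GCM and
AES-256-GCM. Assumptions: the default list below is the OpenVPN 2.6 default;
when the directive appears more than once the last occurrence wins; names
are compared case-insensitively.
"""

DEFAULT_DATA_CIPHERS = "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305"  # assumed 2.6 default
REQUIRED_FOR_IV_NCP2 = ("AES-128-GCM", "AES-256-GCM")


def effective_data_ciphers(config_text: str) -> list[str]:
    """Return the data-ciphers list a client would use for the given .ovpn text.

    Recognises data-ciphers and its deprecated alias ncp-ciphers, strips
    '#' and ';' comments, and falls back to the default list when absent.
    """
    value = DEFAULT_DATA_CIPHERS
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        tokens = line.split()
        if len(tokens) >= 2 and tokens[0].lower() in ("data-ciphers", "ncp-ciphers"):
            value = tokens[1]
    return [c.strip().upper() for c in value.split(":") if c.strip()]


def announces_iv_ncp2(ciphers: list[str]) -> bool:
    """True if a 2.5+ client with this list would send IV_NCP=2 to the server."""
    return all(req in ciphers for req in REQUIRED_FOR_IV_NCP2)


def legacy_server_fix(ciphers: list[str]) -> list[str]:
    """Keep the original entries (same order) and append whichever of the two
    GCM ciphers is missing, so the list works against a 2.4-style server."""
    fixed = list(ciphers)
    for req in REQUIRED_FOR_IV_NCP2:
        if req not in fixed:
            fixed.append(req)
    return fixed


# Constructed sample configs (not taken from the thread).
CONFIG_ONLY_256 = """\
client
dev tun
data-ciphers AES-256-GCM   # only one GCM cipher: no IV_NCP=2
"""
CONFIG_BOTH = """\
client
dev tun
data-ciphers AES-256-GCM:AES-128-GCM
"""
CONFIG_DEFAULT = """\
client
dev tun
; no data-ciphers line: defaults apply
"""

if __name__ == "__main__":
    samples = (("only-256", CONFIG_ONLY_256), ("both", CONFIG_BOTH), ("default", CONFIG_DEFAULT))
    for name, cfg in samples:
        lst = effective_data_ciphers(cfg)
        ok = announces_iv_ncp2(lst)
        print(f"{name:9} {':'.join(lst):45} IV_NCP=2: {ok}")
        if not ok:
            print(f"          suggested: data-ciphers {':'.join(legacy_server_fix(lst))}")
```

Run it against your own client config text to see which branch you are on; a list that reports IV_NCP=2: False is the situation described above, and the suggested line is the minimal change that keeps your preferred cipher first while still triggering IV_NCP=2.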
Thank you. I added the 2nd cipher as suggested above and now I am able to connect with DCO enabled. Unfortunately there is no improvement in performance with DCO. I see my hardware supports IPSec-MB, however this is inactive and I am not sure if this is related.

Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz
4 CPUs : 1 package(s) x 2 core(s) x 2 hardware threads
AES-NI CPU Crypto: Yes (active)
IPsec-MB Crypto: Yes (inactive)
QAT Crypto: No
Whether or not DCO on one side(!) brings a performance benefit depends on where the performance limit is.
What you should see is a big reduction in CPU usage of the OpenVPN process when doing large transfers.
OK, so if the OVPN server was not CPU bound to start with then DCO will make little/no difference to throughput speeds? At no time have I seen the CPU usage exceed 5% so I guess DCO is not the solution to my problem. I cannot understand why IPSec can get speeds of 95Mbps and OVPN is sub 50Mbps.
Understanding performance limits is tricky. OpenVPN with DCO can easily give >1Gbps throughput, but it needs DCO on both sides(!) to be effective.
Also, depending on what you measure, latency might get in the way - so IPSEC on a short path vs. OpenVPN on a longer path will give different results, even if the "crypto part" would be all the same.
I am trying to connect to the CloudConnexa servers with DCO enabled in pfSense Plus. pfSense is running version 24.03-RELEASE (amd64)
The connection works perfectly when DCO is not enabled. When DCO is enabled the connection fails to connect: