OpenVPN / openvpn

OpenVPN is an open source VPN daemon
http://openvpn.net

Unable to connect to CloudConnexa from pfSense using DCO #576

Closed Dercni closed 2 months ago

Dercni commented 2 months ago

I am trying to connect to the CloudConnexa servers with DCO enabled in pfSense Plus. pfSense is running version 24.03-RELEASE (amd64)

The connection works perfectly when DCO is not enabled. When DCO is enabled the connection fails to connect:

Jul 16 21:01:11 | openvpn | 99000 | WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jul 16 21:01:11 | openvpn | 99000 | NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 16 21:01:11 | openvpn | 99000 | Re-using SSL/TLS context
Jul 16 21:01:11 | openvpn | 99000 | Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 16 21:01:11 | openvpn | 99000 | Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 16 21:01:11 | openvpn | 99000 | Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
Jul 16 21:01:11 | openvpn | 99000 | Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
Jul 16 21:01:11 | openvpn | 99000 | TCP/UDP: Preserving recently used remote address: [AF_INET]173.234.106.101:1194
Jul 16 21:01:11 | openvpn | 99000 | Socket Buffers: R=[42080->42080] S=[57344->57344]
Jul 16 21:01:11 | openvpn | 99000 | UDPv4 link local (bound): [AF_INET]59.X.X.38:0
Jul 16 21:01:11 | openvpn | 99000 | UDPv4 link remote: [AF_INET]173.234.106.101:1194
Jul 16 21:01:11 | openvpn | 99000 | UDPv4 WRITE [54] to [AF_INET]173.234.106.101:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ 1268492250 1649898915 4075051282 1874193282 3242567448 1889232595 4220369513 3817361408 358 2522019584 0 ]
Jul 16 21:01:11 | openvpn | 99000 | UDPv4 READ [66] from [AF_INET]173.234.106.101:1194: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 39146113 2541220123 3554893429 1027107661 2821769804 2305103065 1159721791 2945902848 358 2522019585 0 130865627 3288277866 0 ]
Jul 16 21:01:11 | openvpn | 99000 | TLS: Initial packet from [AF_INET]173.234.106.101:1194, sid=a471f0ee fab89af8
Jul 16 21:01:11 | openvpn | 99000 | UDPv4 WRITE [343] to [AF_INET]173.234.106.101:1194: P_CONTROL_V1 kid=0 [ 634908851 3884451479 3299037363 2377496622 1865023210 1204977109 2137889383 2558719744 614 2522019585 0 2758930670 4206402296 1 369295617 268500993 201524096 2122090686 1620077129 4095828740 2181543610 2882729085 2052573716 3450278201
Jul 16 21:01:11 | openvpn | 99000 | UDPv4 READ [1316] from [AF_INET]173.234.106.101:1194: P_CONTROL_V1 kid=0 [ 2062226292 1482231767 1080159268 2757261716 164122511 1817404547 678524921 1874668544 614 2522019585 1 130865627 3288277866 1 369296128 2046951424 1979908936 1707589413 3827332141 952371576 1633869336 1652734518 805493228 1054498072 5
Jul 16 21:01:11 | openvpn | 99000 | UDPv4 WRITE [66] to [AF_INET]173.234.106.101:1194: P_ACK_V1 kid=0 [ 2586290168 2902853272 2023478097 621755340 1161975820 1537894127 1037632762 3781436416 870 2522019586 1 0 2758930670 4206402296 ] DATA len=0
Jul 16 21:01:11 | openvpn | 99000 | UDPv4 READ [1221] from [AF_INET]173.234.106.101:1194: P_CONTROL_V1 kid=0 [ 138666119 738045229 2862844487 2149357529 886864917 2350426263 2350963853 4063978496 870 2522019585 1 130865627 3288277866 2 1748973563 291912160 1155417838 4186846173 688820567 704012276 3641400781 3239923551 3364431037 3222684348 17
Jul 16 21:01:11 | openvpn | 99000 | VERIFY WARNING: depth=0, unable to get certificate CRL: CN=au-syd-dc2-g1.cloud.openvpn.net
Jul 16 21:01:11 | openvpn | 99000 | VERIFY WARNING: depth=1, unable to get certificate CRL: CN=CloudVPN Prod CA
Jul 16 21:01:11 | openvpn | 99000 | VERIFY OK: depth=1, CN=CloudVPN Prod CA
Jul 16 21:01:11 | openvpn | 99000 | VERIFY OK: depth=0, CN=au-syd-dc2-g1.cloud.openvpn.net
Jul 16 21:01:11 | openvpn | 99000 | UDPv4 WRITE [1222] to [AF_INET]173.234.106.101:1194: P_CONTROL_V1 kid=0 [ 833359342 537116653 2857002496 2583741357 1475402570 4068518167 719698700 3939697152 1126 2522019587 2 1 0 2758930670 4206402296 2 335741696 16848643 50774885 2280702954 3781889353 485129308 1963136581 1978801533 2616836450 3628294614
Jul 16 21:01:11 | openvpn | 99000 | UDPv4 WRITE [1222] to [AF_INET]173.234.106.101:1194: P_CONTROL_V1 kid=0 [ 2373485489 1170539019 2039556855 3983463881 3814286609 1875455921 1086382544 2941429248 1382 2522019587 2 1 0 2758930670 4206402296 3 1048031281 1275698311 1464041960 1437610725 3580481864 4060909173 142966823 1408414842 2025593920 23
Jul 16 21:01:11 | openvpn | 99000 | UDPv4 WRITE [476] to [AF_INET]173.234.106.101:1194: P_CONTROL_V1 kid=0 [ 3392686797 ] pid=2705440046 DATA len=450
Jul 16 21:01:11 | openvpn | 99000 | UDPv4 READ [66] from [AF_INET]173.234.106.101:1194: P_ACK_V1 kid=0 [ 2515887679 3517123878 2673606180 2765179134 679603897 564312532 3750045314 1052308480 1126 2522019586 1 2 130865627 3288277866 ] DATA len=0
Jul 16 21:01:11 | openvpn | 99000 | UDPv4 READ [232] from [AF_INET]173.234.106.101:1194: P_CONTROL_V1 kid=0 [ 931527168 1955217192 3733308340 772324956 1528235151 4119990459 265369762 1274599168 1382 2522019587 1 2 3 130865627 3288277866 3 386073344 1248143189 760828139 20920675 2930813777 3744298603 3141405869 344722690 2697719277 893955774
Jul 16 21:01:11 | openvpn | 99000 | UDPv4 WRITE [74] to [AF_INET]173.234.106.101:1194: P_ACK_V1 kid=0 [ 1214691680 2245732074 951907806 4247892159 1271832860 2207197965 3942047842 3406856704 1894 2522019588 3 2 1 0 2758930670 4206402296 ] DATA len=0
Jul 16 21:01:11 | openvpn | 99000 | UDPv4 READ [311] from [AF_INET]173.234.106.101:1194: P_CONTROL_V1 kid=0 [ 1470159093 388883627 1832452800 521642677 1870219339 3821204988 2732007559 226918400 1638 2522019588 1 2 3 4 130865627 3288277866 4 386073344 3835841832 811041009 2658469475 2151398873 2135580870 3821737069 2076230248 2035476556 23575
Jul 16 21:01:11 | openvpn | 99000 | Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
Jul 16 21:01:11 | openvpn | 99000 | [au-syd-dc2-g1.cloud.openvpn.net] Peer Connection Initiated with [AF_INET]173.234.106.101:1194
Jul 16 21:01:11 | openvpn | 99000 | TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Jul 16 21:01:11 | openvpn | 99000 | TLS: tls_multi_process: initial untrusted session promoted to trusted
Jul 16 21:01:11 | openvpn | 99000 | UDPv4 WRITE [78] to [AF_INET]173.234.106.101:1194: P_ACK_V1 kid=0 [ 2432247585 3037430543 75072379 2806424337 2316271707 2221821688 1643312755 5632000 2150 2522019589 4 3 2 1 0 2758930670 4206402296 ] DATA len=0
Jul 16 21:01:12 | openvpn | 99000 | SENT CONTROL [au-syd-dc2-g1.cloud.openvpn.net]: 'PUSH_REQUEST' (status=1)
Jul 16 21:01:12 | openvpn | 99000 | UDPv4 WRITE [113] to [AF_INET]173.234.106.101:1194: P_CONTROL_V1 kid=0 [ 1607228822 2020145984 1235858740 698984432 4116296106 2480591531 3453658137 867261440 2406 2522019588 4 3 2 ] pid=4206402296 DATA len=39
Jul 16 21:01:12 | openvpn | 99000 | UDPv4 READ [74] from [AF_INET]173.234.106.101:1194: P_ACK_V1 kid=0 [ 2039476375 1937541202 3371922731 1899154908 3745330073 1191876535 3495921701 2012143872 1894 2522019588 2 3 4 5 130865627 3288277866 ] DATA len=0
Jul 16 21:01:12 | openvpn | 99000 | UDPv4 READ [869] from [AF_INET]173.234.106.101:1194: P_CONTROL_V1 kid=0 [ 4104894263 2703427094 2781426135 1953142662 638763423 877013095 3383173006 1046204928 2150 2522019588 2 3 4 5 130865627 3288277866 5 386073347 305834821 1730859126 1050926890 718339254 2749407149 3938485787 1566211819 3250679047 12193
Jul 16 21:01:12 | openvpn | 99000 | PUSH: Received control message: 'PUSH_REPLY,route-gateway 100.32.50.1,ifconfig 100.32.50.6 255.255.255.240,ifconfig-ipv6 fd:0:0:8103::a/64 fd:0:0:8103::1,client-ip 59.X.X.38,ping 8,ping-restart 40,reneg-sec 3600,key-derivation tls-ekm,topology subnet,explicit-exit-notify,remote-cache-lifetime 86400,block-outside-dns,route 100.32.50.0 255.255.255.0,route-ipv6 fd:0:0:8000::/49,route 100.80.0.0 255.240.0.0,route-ipv6 fd:0:0:4000::/50,route 10.27.50.0 255.255.255.0,route 192.168.1.0 255.255.255.0,dhcp-option DNS 100.32.50.1,auth-tokenSESS_ID,auth-token-user bmVhbHN0bWMtY29tLWF1L2Nvbm5lY3Rvci84NTlhNGJmNi1mMDRlLTQ3OGItOWFlNi1lNzFjZGMyOTVmZWRfOTI2OTU5OTUtMzM3NC00MjIwLWJlYmItNzZiOTQ1MmE0YjU0'
Jul 16 21:01:12 | openvpn | 99000 | Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: client-ip (2.6.8)
Jul 16 21:01:12 | openvpn | 99000 | Options error: option 'reneg-sec' cannot be used in this context ([PUSH-OPTIONS])
Jul 16 21:01:12 | openvpn | 99000 | Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:11: remote-cache-lifetime (2.6.8)
Jul 16 21:01:12 | openvpn | 99000 | Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:12: block-outside-dns (2.6.8)
Jul 16 21:01:12 | openvpn | 99000 | Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Jul 16 21:01:12 | openvpn | 99000 | Options error: option 'route-ipv6' cannot be used in this context ([PUSH-OPTIONS])
Jul 16 21:01:12 | openvpn | 99000 | Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Jul 16 21:01:12 | openvpn | 99000 | Options error: option 'route-ipv6' cannot be used in this context ([PUSH-OPTIONS])
Jul 16 21:01:12 | openvpn | 99000 | Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Jul 16 21:01:12 | openvpn | 99000 | Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Jul 16 21:01:12 | openvpn | 99000 | Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Jul 16 21:01:12 | openvpn | 99000 | OPTIONS IMPORT: --ifconfig/up options modified
Jul 16 21:01:12 | openvpn | 99000 | OPTIONS IMPORT: route-related options modified
Jul 16 21:01:12 | openvpn | 99000 | OPTIONS IMPORT: Server did not request DATA_V2 packet format required for data channel offload
Jul 16 21:01:12 | openvpn | 99000 | OPTIONS ERROR: pushed options are incompatible with data channel offload. Use --disable-dco to connect to this server
Jul 16 21:01:12 | openvpn | 99000 | ERROR: Failed to apply push options
Jul 16 21:01:12 | openvpn | 99000 | Failed to open tun/tap interface
Jul 16 21:01:12 | openvpn | 99000 | TCP/UDP: Closing socket
Jul 16 21:01:12 | openvpn | 99000 | SIGUSR1[soft,process-push-msg-failed] received, process restarting
Jul 16 21:01:12 | openvpn | 99000 | Restart pause, 1 second(s)
ordex commented 2 months ago

For some reason CloudConnexa is not pushing the peer-id and thus the OpenVPN client thinks that it cannot use DATA_V2 format (which is mandatory when using DCO).

I'd suggest to reach out to OpenVPN Inc. through their support platform at https://support.openvpn.net since this is clearly related to their product and not the open source project.

schwabe commented 2 months ago

Connexa does not even push --cipher. This is really weird. Do you have a config that you are using, and what data channel ciphers are you allowing?

schwabe commented 2 months ago

So after an internal discussion with a colleague, it seems that you have data-ciphers AES-256-GCM and therefore the client does not send IV_NCP=2, which Connexa requires. So until Connexa implements modern cipher negotiation you need to have at least AES-128-GCM and AES-256-GCM in the data-ciphers setting (or not use data-ciphers at all; they are in there by default).

Connexa basically behaves like an OpenVPN 2.4 server: https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/cipher-negotiation.rst#openvpn-24-server
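The two conditions raised in this thread (ordex: the server must push `peer-id` so the client can use DATA_V2, which DCO requires; schwabe: a 2.4-style server only negotiates a cipher when the client advertises `IV_NCP=2`, and a 2.5+/2.6 client only sends `IV_NCP=2` when `data-ciphers` lists both AES-128-GCM and AES-256-GCM) can be checked offline against a client config and a captured PUSH_REPLY. The following is an added example, not code from the OpenVPN project or from anyone in this thread. The two client configs and the "modern" PUSH_REPLY are constructed; the Connexa PUSH_REPLY is a trimmed copy of the option list in the log above (no `peer-id`, no `cipher`). The 2.6 default cipher list and the IV_NCP=2 rule are stated as this example's assumptions.

```python
import re

# Constructed sample inputs (not from the thread): a pfSense-style client
# config with one data cipher, and the same with the two ciphers schwabe
# recommends.
CLIENT_CONFIG_ONE_CIPHER = """\
client
dev tun
remote 173.234.106.101 1194 udp
data-ciphers AES-256-GCM
"""

CLIENT_CONFIG_TWO_CIPHERS = """\
client
dev tun
remote 173.234.106.101 1194 udp
data-ciphers AES-256-GCM:AES-128-GCM
"""

# Trimmed from the PUSH_REPLY in the log above: no peer-id and no cipher.
PUSH_REPLY_CONNEXA = (
    "PUSH_REPLY,route-gateway 100.32.50.1,"
    "ifconfig 100.32.50.6 255.255.255.240,ping 8,ping-restart 40,"
    "key-derivation tls-ekm,topology subnet,explicit-exit-notify,"
    "route 10.27.50.0 255.255.255.0,dhcp-option DNS 100.32.50.1"
)

# Constructed: the same reply plus what a server that has negotiated a cipher
# and enabled DATA_V2 for this client would add.
PUSH_REPLY_MODERN = PUSH_REPLY_CONNEXA + ",peer-id 3,cipher AES-256-GCM"

# Assumption: OpenVPN 2.6 default when no data-ciphers directive is present.
DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"]


def parse_push_reply(msg):
    """Split 'PUSH_REPLY,opt a b,opt2' into {opt: [[a, b], ...]}.

    Options are comma separated; a repeated option (e.g. route) keeps every
    occurrence in order.
    """
    head, _, rest = msg.partition(",")
    if head != "PUSH_REPLY":
        raise ValueError("not a PUSH_REPLY message")
    opts = {}
    for item in rest.split(","):
        item = item.strip()
        if not item:
            continue
        name, *args = item.split()
        opts.setdefault(name, []).append(args)
    return opts


def data_ciphers_from_config(config_text):
    """Return the client's data-ciphers list (colon separated in the config).

    Falls back to the 2.6 default when the directive is absent, which is the
    'do not use data-ciphers at all' case from the thread.
    """
    for line in config_text.splitlines():
        m = re.match(r"^\s*(?:--)?data-ciphers\s+(\S+)", line)
        if m:
            return m.group(1).split(":")
    return list(DEFAULT_DATA_CIPHERS)


def sends_iv_ncp2(ciphers):
    """Assumed client rule: IV_NCP=2 is advertised only when both 2.4-era NCP
    ciphers are present in data-ciphers (case-insensitive)."""
    have = {c.upper() for c in ciphers}
    return "AES-128-GCM" in have and "AES-256-GCM" in have


def dco_problems(config_text, push_reply):
    """Return the reasons this client/server pair cannot run DCO ([] if ok)."""
    problems = []
    ciphers = data_ciphers_from_config(config_text)
    if not sends_iv_ncp2(ciphers):
        problems.append(
            "client will not send IV_NCP=2 (data-ciphers=%s); a 2.4-style "
            "server will not negotiate a cipher" % ":".join(ciphers)
        )
    if "peer-id" not in parse_push_reply(push_reply):
        problems.append(
            "server did not push peer-id, so DATA_V2 is not enabled; "
            "DCO requires DATA_V2"
        )
    return problems


if __name__ == "__main__":
    for label, cfg, reply in [
        ("one cipher / Connexa reply", CLIENT_CONFIG_ONE_CIPHER, PUSH_REPLY_CONNEXA),
        ("two ciphers / modern reply", CLIENT_CONFIG_TWO_CIPHERS, PUSH_REPLY_MODERN),
    ]:
        print(label, "->", dco_problems(cfg, reply) or "DCO ok")
```

The first pairing reproduces the failure in the log (`pushed options are incompatible with data channel offload`); the second is what the poster reached after adding the second cipher. The script does not look at the pushed `cipher` at all: a missing `cipher` is what schwabe calls weird, but the hard DCO blocker in the client's own error message is the absent DATA_V2, i.e. the absent `peer-id`.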

Dercni commented 2 months ago

Thank you. I added the 2nd cipher as suggested above and now I am able to connect with DCO enabled. Unfortunately there is no improvement in performance with DCO. I see my hardware supports IPSec-MB however this is inactive and I am not sure if this is related. Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz 4 CPUs : 1 package(s) x 2 core(s) x 2 hardware threads AES-NI CPU Crypto: Yes (active) IPsec-MB Crypto: Yes (inactive) QAT Crypto: No

cron2 commented 2 months ago

Whether or not DCO on one side(!) brings a performance benefit depends on where the performance limit is.

What you should see is a big reduction in CPU usage of the OpenVPN process when doing large transfers.

Dercni commented 2 months ago

OK, so if the OVPN server was not CPU bound to start with then DCO will make little/no difference to throughput speeds? At no time have I seen the CPU usage exceed 5% so I guess DCO is not the solution to my problem. I cannot understand why IPSec can get speeds of 95Mbps and OVPN is sub 50Mbps.

cron2 commented 2 months ago

Understanding performance limits is tricky. OpenVPN with DCO can easily give >1Gbps throughput, but it needs DCO on both sides(!) to be effective.

Also, depending on what you measure, latency might get in the way - so IPSEC on a short path vs. OpenVPN on a longer path will give different results, even if the "crypto part" would be all the same.