schwabe / openvpn


Adding address failed #16

Closed gznail closed 2 years ago

gznail commented 2 years ago

https://swupdate.openvpn.net/beta-downloads/win-dco/openvpn-install-dco-preview-Win10.exe I see this exe is compiled from this repo, I ran it and added options:

```
windows-driver ovpn-dco-win
tun-mtu 1428
```

but it will give an error:

```
TUN: adding address failed using service,[status=1168 if_index=28]
TUN: setting IPv4 mtu using service failed:, [status=1168 if_index=28]
```

Does this exe not work?

client.ovpn

```
proto udp
dev tun
nobind
;windows-driver wintun
windows-driver ovpn-dco-win
tun-mtu 1428
remote 10.10.18.105 1194
auth-nocache
resolv-retry 20
keepalive 10 60
mute-replay-warnings
remote-cert-tls server
persist-key
;persist-tun
explicit-exit-notify 1
auth-user-pass
cipher AES-128-GCM
reneg-sec 0
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
verb 3
```

gznail commented 2 years ago

@schwabe Is there a new installation package now?

schwabe commented 2 years ago

Your errors are probably duplicate IP addresses on a different interface or something similar.

gznail commented 2 years ago

No duplicate ip was found. Very strange, the openvpn link is successful, but the client OpenVPN Data Channel Offload virtual adapter ip is not set successfully, ip: 169.254.43.76. But I use wintun is normal.

Is there anything I should pay attention to when using dco, I am curious about the performance.

> Your errors are probably duplicate IP addresses on a different interface or something similar.

schwabe commented 2 years ago

The Ips might still be on the tap/wintun Adapter and windows refuses to set them on the other adapter too

gznail commented 2 years ago

I uninstalled the tap/wintun Adapter, but it doesn't work, what should I do, please help

> The Ips might still be on the tap/wintun Adapter and windows refuses to set them on the other adapter too

schwabe commented 2 years ago

Can you post a full log?

gznail commented 2 years ago

client1.log I set verb 5

schwabe commented 2 years ago

```
2022-01-19 18:12:49 us=911653 TUN: adding address failed using service: ÕÒ²»µ½ÔªËØ¡£   [status=1168 if_index=18]
2022-01-19 18:12:49 us=911653 TUN: setting IPv4 mtu using service failed: ÕÒ²»µ½ÔªËØ¡£   [status=1168 if_index=18]
2022-01-19 18:12:49 us=911653 DCO peer init: Need a peer VPN addresss to setup IPv4 (set --route-gateway)
```

Can you make your server push a route-gateway or manually add that to the config? Something like `route-gateway 172.16.0.33`

gznail commented 2 years ago

my server.conf. Added `push "route-gateway 172.168.0.4"`

```
mode server
tls-server
proto udp
dev tun
tun-mtu 1428
port 1196

;server 172.16.0.0 255.255.255.0

ifconfig 172.16.0.4 255.255.255.0
push "topology subnet"
topology subnet
push "route-gateway 172.168.0.4"

ifconfig-pool 172.16.0.20 172.16.0.253 255.255.255.0
ifconfig-pool-persist ipp.txt

keepalive 10 60
persist-key
persist-tun
user root
group root
max-clients 500
;daemon
reneg-sec 0
client-config-dir ccd
;auth-user-pass-verify checkpsw.sh via-env
;username-as-common-name
;script-security 3

cipher AES-128-GCM
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
;duplicate-cn
status openvpn-status-1194.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 4
;explicit-exit-notify 1
```

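
An added example, not part of the original thread or of the OpenVPN project's code: a small Python check that a server config pushes a `route-gateway` and that the address lies inside the subnet set by `ifconfig`, the value the DCO client log above asks for. The sample input is constructed from the addressing directives quoted in this comment, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the addressing directives from the server.conf quoted above.
SAMPLE_SERVER_CONF = """\
mode server
dev tun
;server 172.16.0.0 255.255.255.0
ifconfig 172.16.0.4 255.255.255.0
push "topology subnet"
topology subnet
push "route-gateway 172.168.0.4"
ifconfig-pool 172.16.0.20 172.16.0.253 255.255.255.0
"""

PUSH_RE = re.compile(r'^push\s+"([^"]*)"\s*$')


def directives(text):
    """Yield each active directive as a token list; ';' and '#' lines are comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        pushed = PUSH_RE.match(line)
        # A pushed option is tagged so it is not confused with a local one.
        yield ["push"] + pushed.group(1).split() if pushed else line.split()


def check_route_gateway(text):
    """Return findings about the pushed route-gateway; an empty list means consistent."""
    tunnel_net, gateways, findings = None, [], []
    for d in directives(text):
        if d[0] == "ifconfig" and len(d) == 3:
            try:
                # With 'topology subnet' the second argument is a netmask.
                tunnel_net = ipaddress.ip_interface(f"{d[1]}/{d[2]}").network
            except ValueError:
                findings.append(f"ifconfig {d[1]} {d[2]}: second argument is not a netmask")
        elif d[:2] == ["push", "route-gateway"] and len(d) == 3:
            gateways.append(d[2])
    if not gateways:
        findings.append("no route-gateway is pushed to clients")
    for gw in gateways:
        try:
            addr = ipaddress.ip_address(gw)
        except ValueError:
            continue  # e.g. 'dhcp' or a hostname: nothing to compare
        if tunnel_net is not None and addr not in tunnel_net:
            findings.append(f"route-gateway {addr} is outside tunnel subnet {tunnel_net}")
    return findings


if __name__ == "__main__":
    for finding in check_route_gateway(SAMPLE_SERVER_CONF):
        print("WARN:", finding)
```
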
gznail commented 2 years ago

Critical bugs are not going away

```
2022-01-19 18:42:04 us=821676 OPTIONS IMPORT: adjusting link_mtu to 1552
2022-01-19 18:42:04 us=821676 OPTIONS IMPORT: data channel crypto options modified
2022-01-19 18:42:04 us=821676 Data Channel: using negotiated cipher 'AES-256-GCM'
2022-01-19 18:42:04 us=821676 Data Channel MTU parms [ L:1480 D:1450 EF:52 EB:394 ET:0 EL:3 ]
2022-01-19 18:42:04 us=821676 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-01-19 18:42:04 us=821676 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-01-19 18:42:04 us=884089 interactive service msg_channel=688
2022-01-19 18:42:04 us=884089 do_ifconfig, ipv4=1, ipv6=0
2022-01-19 18:42:04 us=884089 MANAGEMENT: >STATE:1642588924,ASSIGN_IP,,172.16.0.33,,,,
2022-01-19 18:42:04 us=884089 INET address service: add 172.16.0.33/24
2022-01-19 18:42:04 us=884089 TUN: adding address failed using service: 找不到元素。   [status=1168 if_index=18]
2022-01-19 18:42:04 us=884089 TUN: setting IPv4 mtu using service failed: 找不到元素。   [status=1168 if_index=18]
2022-01-19 18:42:04 us=884089 Initialization Sequence Completed
2022-01-19 18:42:04 us=884089 MANAGEMENT: >STATE:1642588924,CONNECTED,SUCCESS,172.16.0.33,10.10.20.58,1196,,
```

lstipakov commented 2 years ago

Thanks for testing DCO functionality on Windows! Does connection work if you set up IP address manually after you got "Initialization Sequence Completed" message?

schwabe commented 2 years ago

2022-01-19 18:12:49 us=848681 ovpn-dco-win device [本地连接 2] opened

Can you try if renaming your DCO devices to something with only ascii characters like ovpn-dco makes a difference?

gznail commented 2 years ago

I can set the OpenVPN Data Channel Offload ip to be 172.16.0.33/24, but I can't ping the server's 172.16.0.4

> Thanks for testing DCO functionality on Windows! Does connection work if you set up IP address manually after you got "Initialization Sequence Completed" message?

gznail commented 2 years ago

I set it to ovpn-dco, but there is still a problem. I also suspected the problem of Chinese garbled characters before, but wintun can display Chinese.

```
Wed Jan 19 18:54:55 2022 ovpn-dco-win device [ovpn-dco] opened
Wed Jan 19 18:54:55 2022 TUN: adding address failed using service: ÕҲ۵½ԪËء£ [status=1168 if_index=18]
Wed Jan 19 18:54:55 2022 TUN: setting IPv4 mtu using service failed: ÕҲ۵½ԪËء£ [status=1168 if_index=18]
```

> 2022-01-19 18:12:49 us=848681 ovpn-dco-win device [本地连接 2] opened
>
> Can you try if renaming your DCO devices to something with only ascii characters like ovpn-dco makes a difference?

lstipakov commented 2 years ago

After you are connected, could you:

gznail commented 2 years ago

OK, thanks, able to run, but still can't ping each other. [image]

Server log:

```
2022-01-19 19:10:52 us=952322 10.10.16.123:64634 peer info: IV_VER=2.6_git
2022-01-19 19:10:52 us=952361 10.10.16.123:64634 peer info: IV_PLAT=win
2022-01-19 19:10:52 us=952373 10.10.16.123:64634 peer info: IV_NCP=2
2022-01-19 19:10:52 us=952385 10.10.16.123:64634 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
2022-01-19 19:10:52 us=952397 10.10.16.123:64634 peer info: IV_PROTO=30
2022-01-19 19:10:52 us=952408 10.10.16.123:64634 peer info: IV_LZO=1
2022-01-19 19:10:52 us=952419 10.10.16.123:64634 peer info: IV_COMP_STUB=1
2022-01-19 19:10:52 us=952430 10.10.16.123:64634 peer info: IV_COMP_STUBv2=1
2022-01-19 19:10:52 us=952442 10.10.16.123:64634 peer info: IV_TCPNL=1
2022-01-19 19:10:52 us=952453 10.10.16.123:64634 peer info: IV_HWADDR=fa:16:3e:64:34:88
2022-01-19 19:10:52 us=952464 10.10.16.123:64634 peer info: IV_SSL=OpenSSL_1.1.0l__10_Sep_2019
2022-01-19 19:10:52 us=952475 10.10.16.123:64634 peer info: IV_PLAT_VER=10.0_64bit
2022-01-19 19:10:52 us=952487 10.10.16.123:64634 peer info: IV_GUI_VER=OpenVPN_GUI_11
2022-01-19 19:10:52 us=953026 10.10.16.123:64634 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2022-01-19 19:10:52 us=953067 10.10.16.123:64634 [client1] Peer Connection Initiated with [AF_INET]10.10.16.123:64634
2022-01-19 19:10:52 us=954064 MULTI: new connection by client 'client1' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
2022-01-19 19:10:52 us=954133 MULTI_sva: pool returned IPv4=172.16.0.20, IPv6=(Not enabled)
2022-01-19 19:10:52 us=954413 OPTIONS IMPORT: reading client specific options from: ccd/client1
2022-01-19 19:10:52 us=954722 MULTI: Learn: 172.16.0.33 -> client1/10.10.16.123:64634
2022-01-19 19:10:52 us=954744 MULTI: primary virtual IP for client1/10.10.16.123:64634: 172.16.0.33
2022-01-19 19:10:52 us=954764 Data Channel: using negotiated cipher 'AES-256-GCM'
2022-01-19 19:10:52 us=954787 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1428 headroom:136 payload:1736 tailroom:268 ET:0 ]
2022-01-19 19:10:52 us=954879 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-01-19 19:10:52 us=954896 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-01-19 19:10:52 us=955148 SENT CONTROL [client1]: 'PUSH_REPLY,topology subnet,route-gateway 172.16.0.5,ping 10,ping-restart 60,ifconfig 172.16.0.33 255.255.255.0,peer-id 1,cipher AES-256-GCM,key-derivation tls-ekm' (status=1)
2022-01-19 19:10:52 us=955322 Received packet for peer-id unknown to OpenVPN: 0
```

> After you are connected, could you:
>
> • run netsh interface ipv4 show interfaces
> • run netsh interface ip set address 18 static 172.16.0.33 255.255.255.0
> • run ipconfig /all

gznail commented 2 years ago

There is another problem, when I use kill -9 to kill the openvpn process, the ovpn-dco0 adapter is still there.

gznail commented 2 years ago

@lstipakov @schwabe Is this a common bug, or did I encounter it myself?

lstipakov commented 2 years ago

If you mean inability to set address on adapter - I haven't seen that before and wasn't able to reproduce. Is it possible for you to try it out on another machine?

Regarding ovpn-dco0 adapter is still present after killing process - @ordex could provide more info.

In coming days we'll make a new Windows DCO preview installer.

gznail commented 2 years ago

Thank you, if there is a new preview version installation package, please send me a link, or on GitHub, I can't access the openvpn official website/community here, I can't see a lot of information.

> In coming days we'll make a new Windows DCO preview installer.

ordex commented 2 years ago

> Regarding ovpn-dco0 adapter is still present after killing process - @ordex could provide more info.

@lstipakov I think it's better to debug this on the latest code because a lot has changed.

gznail commented 2 years ago

@ordex I reinstalled openvpn, using your repo dco branch.

1、Regarding ovpn-dco0 adapter is still present after killing process, the problem still exists. Has the latest version of ovpn-dco been replaced by tun?

2、I am using centos, kernel version 5.4.173-1.el7.elrepo.x86_64, these macros NLM_F_CAPPED/NLM_F_ACK_TLVS and enum nlmsgerr_attrs, need to handle it myself. Please handle these bugs.

schwabe commented 2 years ago

Please use something more modern than CentOS7 for the linux side of testing. CentOS7 is really old and we did not actively develop or test on it.

gznail commented 2 years ago

I can use it on centos7, will this affect performance?

> Please use something more modern than CentOS7 for the linux side of testing. CentOS7 is really old and we did not actively develop or test on it.

cron2 commented 2 years ago

Hi,

On Sun, Jan 23, 2022 at 07:04:17PM -0800, gznail wrote:

> @ordex I reinstalled openvpn, using your repo dco branch. 1、Regarding ovpn-dco0 adapter is still present after killing process, the problem still exists.

If you force-kill the OpenVPN process, it has no chance to clean up anything

gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany @.***

schwabe commented 2 years ago

@gznail probably. We do not test with CentOS7 ourselves so performance and bugs might be worse than on other platforms. We just cannot say.

yxungh commented 2 years ago

Thank you all for your prompt reply! First of all, kill -INT is ok, my environment has a lot of restrictions, so I plan to test the performance on centos7.

schwabe commented 2 years ago

@yxungh please be aware that we might drop CentOS7 support as we have no plans for using it with CentOS7. So do you rely on ovpn-dco to be available on CentOS7?

dsommers commented 2 years ago

I really fail to see what you will achieve out of this, @yxungh. CentOS 7 ships with a kernel not suitable for ovpn-dco (too old kernel base), you run a side-loaded and unsupported CentOS kernel from ElRepo. And you want to test performance on this setup? The output of this performance test will not give any real value as this is as close to an unsupported Frankenstein distro setup you can achieve.

CentOS/RHEL strives to achieve one crucial feature: Long term stability and support. With your setup, you remove that in a single swipe. I would rather recommend you test on a more recent Fedora release instead, as that will be supported and most likely more stable and secure than your current setup.

If long term stability and support is needed, CentOS 8 Stream or signing up for a Red Hat Developer account and get a proper RHEL-8 install is far better.

But the setup you have now is not going to produce any real valuable result, as you've changed a stable and solid setup with something completely unsupported without any stability guarantees - other than what the ELRepo community can give you. But this certainly is not a suitable server setup; ElRepo is more targeting desktop use cases.

gznail commented 2 years ago

@lstipakov @schwabe @dsommers @ordex I deployed ovpn-dco on ubuntu and windows, but the result is not what I want. ovpn-dco is not as performant as wintun on my environment.

openvpn environment:

  • client windows: windows 10 21H2
  • server ubuntu 1804, Linux 5.4.0-96-generic

Results:

  • Raw: 2.0 Gbits/sec
  • Tap-windows: 140Mbits/sec
  • wintun: 200Mbits/sec
  • ovpn-dco: 170Mbits/sec


Tap: tap_client.txt tap

wintun wintun_client.txt wintun

ovpn-dco-win dco_client.log dco

There may be discrepancies in the results, but almost.

lstipakov commented 2 years ago

Thanks for testing, indeed this 10-fold drop comparison to raw speed doesn't look right. Could you describe your setup?

gznail commented 2 years ago

I installed win10 on the cloud desktop, and the server and client are under the same VPC. The deployment method under linux is completely based on README.dco.md. The client compiled with schwabe on windows may be a special environment, so the results are not for reference. But I wonder why ovpn-dco performance is not as good as wintun. The test is to use iperf3 -c xx without any parameters.

Raw: image

schwabe commented 2 years ago

What is cloud desktop? What specs do the machines have? Basically all your numbers are very low.

lstipakov commented 2 years ago

Here is a new Windows installer which includes ovpn-dco and openssl3 support: OpenVPN-2.6git-dco-amd64.zip "Adding address failed" problem should be fixed.

gznail commented 2 years ago

Thanks for providing the new version of the installation package, but I found that its performance is very weak. I tested it with iperf3.

  • Raw: 410 Mbits/sec
  • OpenVPN-2.6git-dco-amd64: 244 Mbits/sec
  • openvpn-install-dco-preview-Win10: 340 Mbits/sec

> Here is a new Windows installer which includes ovpn-dco and openssl3 support: OpenVPN-2.6git-dco-amd64.zip "Adding address failed" problem should be fixed.

schwabe commented 2 years ago

@gznail what specs do your machines have? What cloud instances/cloud types do they have? A raw Performance of 410 Mbit/s feels on the low side. But 340 Mbit/s with VPN compared to 410 MBit/s without VPN sounds quite good.

lstipakov commented 2 years ago

Also, was it between Linux and Windows? Upload speed or download speed?

gznail commented 2 years ago

@schwabe Cloud desktop is a cloud desktop service based on cloud computing and virtualization technology, which migrates computing and storage to the cloud through transmission protocols, so that the cloud and the local are connected to realize resource sharing. The technology used by my resource pool should be openstack. Windows desktop: Intel Xeon Processor (Skylake, IBRS) 2.30 GHz, 8 cores 16G, Windows Server 2022 Standard, 21H2. Ubuntu: 4 cores, the kernel version is 5.4.0-96-generic

The original bandwidth refers to the situation without VPN stress test: about 410M. I use the installation package you compiled before, and there will be an error that the ovpn-dco-win adapter cannot set the IP, but when using wintun, the performance is very good and can reach about 347M.

But I use the installation package compiled by lstipakov, and there is no error when using ovpn-dco-win, but the performance is not very good. The performance of ovpn-dco-win is not even as good as wintun, about 230M. The server is the latest git:dco/0762e72bf29d0165.

These are some data I tested, hope it helps.

openvpn-install-dco-preview-Win10: 305

OpenVPN-2.6git-dco-amd64: 549

lstipakov commented 2 years ago

I assume 172.16 is the VPN IP. Could you measure download speed (iperf3 -R) ?

lstipakov commented 2 years ago

Also, could you try with TCP transport?

gznail commented 2 years ago

172 is the VPN ip, I use iperf3 -R:

1、The old installation package can only use wintun

```
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec   453 MBytes   380 Mbits/sec  398             sender
[  4]   0.00-10.00  sec   452 MBytes   380 Mbits/sec                  receiver
```

2、The new preview installation package can use wintun and ovpn-dco-win

wintun:

```
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec   333 MBytes   279 Mbits/sec  749             sender
[  4]   0.00-10.00  sec   333 MBytes   279 Mbits/sec                  receiver
```

ovpn-dco-win:

```
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec   383 MBytes   321 Mbits/sec  741             sender
[  4]   0.00-10.00  sec   382 MBytes   320 Mbits/sec                  receiver
```

schwabe commented 2 years ago

@gznail honestly what do you expect for DCO? Your theoretical maximum in your setup is just 410 MBit/s

ordex commented 2 years ago

> 1、The old installation package can only use wintun
>
> ```
> [ ID] Interval           Transfer     Bandwidth       Retr
> [  4]   0.00-10.00  sec   453 MBytes   380 Mbits/sec  398             sender
> [  4]   0.00-10.00  sec   452 MBytes   380 Mbits/sec                  receiver
> ```
>
> 2、The new preview installation package can use wintun and ovpn-dco-win
>
> wintun:
>
> ```
> [ ID] Interval           Transfer     Bandwidth       Retr
> [  4]   0.00-10.00  sec   333 MBytes   279 Mbits/sec  749             sender
> [  4]   0.00-10.00  sec   333 MBytes   279 Mbits/sec                  receiver
> ```

@gznail any clue why these tests provide different results? Wintun is the same in both packages. Maybe there is something else going on in your environment at the same time of your tests?

gznail commented 2 years ago

I just want better performance, according to the test results you gave, DCO is better than wintun. I just give feedback now that the new installation package is not as good as the old one.

And it is indeed the same environment. My operation is to uninstall one and install the other. I don't know why so give me feedback.

schwabe commented 2 years ago

@gznail according to your results you have 380 Mbit/s with DCO and 280 MBit/s with wintun. Those are much better values with DCO.

gznail commented 2 years ago

There is one more problem. At present, the openvpn 2.6_git version is found, and the traffic cannot be counted.

dsommers commented 2 years ago

@gznail ... So this issue started with "Adding address failed", which was resolved. Then the discussion shifted over to performance issues via distro related questions. And now a missing feature in the ovpn-dco implementation. And this ticket has been already closed for a long while.

This isn't a forum. It's an issue ticket tracker. Let's close this discussion now. Instead re-open a new ticket on your new finding instead. This ticket is now done.