Hi,
On 24/04/2024 11:03, d tbsky wrote:
Hi:
Antonio Quartulli <a...@unstable.cc>
Yes, 2.6.10 requires ovpn-dco-v2.
ok. so I can not downgrade.
wireguard uses chacha20poly1305, therefore it'd be essential to test
with this algorithm in order to make a full comparison.
Do you have a full log to provide regarding the error "dco_new_key:
netlink reports object not found, ovpn-dco unloaded?" ?
Yes. I put my hope in chacha20, but it is sad that openvpn crashes when
connecting. I will try to compile the openwrt snapshot version with a newer
kernel to see if there is a difference.
Unfortunately there will be no difference as this is an issue between
openvpn and ovpn-dco.
Without dco, chacha20 can run at about 31Mbit/28Mbit upload/download
speed at the device. dco would at least double the speed, I think.
The chacha20 connect error message is like below:
root@OpenWrt:~# openvpn --verb 4 --tls-client --dev tun100
--data-ciphers CHACHA20-POLY1305 --ifconfig 172.31.22.2 172.31.22.1
--cert /tmp/client.crt --key /tmp/client.key --remote 172.18.1.253
--peer-fingerprint
25:22:D9:1D:9C:2C:69:87:18:0F:E8:47:13:DB:E7:B6:BA:DD:97:69:55:A7:3E:F3:BE:6D:77:3D:F1:DB:E5:FE
2024-04-24 09:02:34 us=251216 Using certificate fingerprint to verify
peer (no CA option set).
2024-04-24 09:02:34 us=276861 OpenVPN 2.6.10 mipsel-openwrt-linux-gnu
[SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
2024-04-24 09:02:34 us=277161 library versions: OpenSSL 3.0.13 30 Jan
2024, LZO 2.10
2024-04-24 09:02:34 us=277612 DCO version: 2.0.0
2024-04-24 09:02:34 us=278286 WARNING: No server certificate
verification method has been enabled. See
http://openvpn.net/howto.html#mitm for more info.
2024-04-24 09:02:34 us=313725 Control Channel MTU parms [ mss_fix:0
max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600
tailroom:126 ET:0 ]
2024-04-24 09:02:34 us=315646 net_iface_new: add tun100 type ovpn-dco
2024-04-24 09:02:34 us=320517 DCO device tun100 opened
2024-04-24 09:02:34 us=321061 do_ifconfig, ipv4=1, ipv6=0
2024-04-24 09:02:34 us=321788 net_iface_mtu_set: mtu 1500 for tun100
2024-04-24 09:02:34 us=323677 net_iface_up: set tun100 up
2024-04-24 09:02:34 us=325645 net_addr_ptp_v4_add: 172.31.22.2 peer
172.31.22.1 dev tun100
2024-04-24 09:02:34 us=327154 Data Channel MTU parms [ mss_fix:0
max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768
tailroom:562 ET:0 ]
2024-04-24 09:02:34 us=330289 TCP/UDP: Preserving recently used remote
address: [AF_INET]172.18.1.253:1194
2024-04-24 09:02:34 us=330810 Socket Buffers: R=[180224->180224]
S=[180224->180224]
2024-04-24 09:02:34 us=331505 UDPv4 link local (bound): [AF_INET][undef]:1194
2024-04-24 09:02:34 us=332491 UDPv4 link remote: [AF_INET]172.18.1.253:1194
2024-04-24 09:02:34 us=337756 TLS: Initial packet from
[AF_INET]172.18.1.253:1194, sid=266fb55b 137b9c2a
2024-04-24 09:02:34 us=368371 VERIFY OK: depth=0, CN=server
2024-04-24 09:02:34 us=371187 VERIFY OK: depth=0, CN=server
2024-04-24 09:02:34 us=501819 peer info: IV_CIPHERS=CHACHA20-POLY1305
2024-04-24 09:02:34 us=502506 peer info: IV_PROTO=746
2024-04-24 09:02:34 us=503743 P2P mode NCP negotiation result:
TLS_export=1, DATA_v2=1, peer-id 12315992, cipher=CHACHA20-POLY1305
2024-04-24 09:02:34 us=504501 Control Channel: TLSv1.3, cipher TLSv1.3
TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature:
RSA-SHA256, peer temporary key: 253 bits X25519
2024-04-24 09:02:34 us=505083 [server] Peer Connection Initiated with
[AF_INET]172.18.1.253:1194
2024-04-24 09:02:34 us=506083 TLS: move_session: dest=TM_ACTIVE
src=TM_INITIAL reinit_src=1
2024-04-24 09:02:34 us=507294 TLS: tls_multi_process: initial
untrusted session promoted to trusted
2024-04-24 09:02:35 us=676840 Data Channel MTU parms [ mss_fix:1400
max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768
tailroom:562 ET:0 ]
2024-04-24 09:02:35 us=678505 Outgoing dynamic tls-crypt: Cipher
'AES-256-CTR' initialized with 256 bit key
2024-04-24 09:02:35 us=679264 Outgoing dynamic tls-crypt: Using 256
bit message hash 'SHA256' for HMAC authentication
2024-04-24 09:02:35 us=679901 Incoming dynamic tls-crypt: Cipher
'AES-256-CTR' initialized with 256 bit key
2024-04-24 09:02:35 us=680663 Incoming dynamic tls-crypt: Using 256
bit message hash 'SHA256' for HMAC authentication
2024-04-24 09:02:35 us=741773 dco_new_key: netlink reports object not
found, ovpn-dco unloaded?
2024-04-24 09:02:35 us=742534 dco_new_key: failed to send netlink
message: No such file or directory (-2)
2024-04-24 09:02:35 us=743093 Impossible to install key material in
DCO: No such file or directory
2024-04-24 09:02:35 us=743413 Exiting due to fatal error
2024-04-24 09:02:35 us=743989 Closing DCO interface
2024-04-24 09:02:35 us=744455 net_addr_ptp_v4_del: 172.31.22.2 dev tun100
2024-04-24 09:02:35 us=746278 net_iface_del: delete tun100
Could you please re-run with --verb 6 ? That will include DCO specific
debug messages.
Thanks a lot!
Regards,
--
Antonio Quartulli