Bug #13664
closedGUI allows configuring OpenVPN DCO with incompatible options (TCP, compression, TAP, net30)
100%
Description
When DCO mode is enabled for OpenVPN, the GUI allows configuring options which are currently incompatible with OpenVPN DCO.
So far the ones we have noted are:
- Compression -- should be forced to "no" sp so it gets disabled. GUI options can be hidden. Backend code should force compression off at all times.
- Protocol selection allows choosing TCP, but DCO is only compatible with UDP encapsulation. GUI should suppress the TCP options when DCO is enabled. Backend code should refuse to start, since changing protocols automatically could be problematic for the user in various ways.
Updated by Jim Pingle about 2 years ago
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
Done: https://gitlab.netgate.com/pfSense/factory/-/commit/966988801d2684e2d31d24040ab9641b0390d61a
When DCO is enabled, disable and hide compression options.
Also remove TCP options when DCO is enabled.
If an existing instance has DCO+TCP enabled, log a useful error and don't try to start.
If an existing instance has compression enabled, disabled compression forcefully.
Updated by Danilo Zrenjanin almost 2 years ago
Tested against:
23.01-DEVELOPMENT (amd64) built on Fri Dec 02 06:04:48 UTC 2022 FreeBSD 14.0-CURRENT
When DCO is enabled, disable and hide compression options.
It works as expected !
Also remove TCP options when DCO is enabled.
It works as expected !
If an existing instance has DCO+TCP enabled, log a useful error and don't try to start.
I imported a config where the protocol was set to TCP, plus DCO was enabled. The OpenVPN service didn't start. Merely resaving the OpenVPN server config automatically reverted the protocol to UDP, and the service started successfully.
If an existing instance has compression enabled, disabled compression forcefully.
I imported a config where the compression was enabled + DCO enabled. It was automatically reverted to Refuse any non-stub compression (Most Secure).
There are more incompatible options that should be suppressed.
TAP mode (L2)
topologies other than subnet
That's all I found. Maybe there is something else.
https://community.openvpn.net/openvpn/wiki/DataChannelOffload
Updated by Jim Pingle almost 2 years ago
- Status changed from Feedback to In Progress
- % Done changed from 100 to 80
OK, I'll open this back up and work up similar changes to disable and force the TUN/TAP setting to always be 'tun', and to disable the option for topology and force it to subnet.
Updated by Jim Pingle almost 2 years ago
- Status changed from In Progress to Feedback
- % Done changed from 80 to 100
GUI now hides dev mode and topology choices when DCO is enabled, both front and backend code force the use of tun dev mode and subnet topology.
https://gitlab.netgate.com/pfSense/factory/-/commit/a4b5b343d7fbc2695efde70749e15cb0a15518d2
Updated by Jim Pingle almost 2 years ago
- Subject changed from GUI allows configuring OpenVPN DCO with incompatible options (TCP, compression) to GUI allows configuring OpenVPN DCO with incompatible options (TCP, compression, TAP, net30)
Updated by Danilo Zrenjanin almost 2 years ago
Testes against the following release:
23.01-DEVELOPMENT (amd64) built on Thu Dec 08 06:08:06 UTC 2022 FreeBSD 14.0-CURRENT
It hides dev mode and topology choices when DCO is enabled, as expected.
The ticket can be resolved.
Updated by Jim Pingle almost 2 years ago
- Status changed from Feedback to Resolved