Bug #13664

closed

GUI allows configuring OpenVPN DCO with incompatible options (TCP, compression, TAP, net30)

Added by Jim Pingle 3 months ago. Updated about 2 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
OpenVPN
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Release Notes:
Default
Affected Plus Version:
Affected Architecture:

Description

When DCO mode is enabled for OpenVPN, the GUI allows configuring options which are currently incompatible with OpenVPN DCO.

So far the ones we have noted are:

  • Compression -- should be forced to "no" so it gets disabled. GUI options can be hidden. Backend code should force compression off at all times.
  • Protocol selection allows choosing TCP, but DCO is only compatible with UDP encapsulation. GUI should suppress the TCP options when DCO is enabled. Backend code should refuse to start, since changing protocols automatically could be problematic for the user in various ways.
Actions #1

Updated by Jim Pingle 3 months ago

  • Status changed from New to In Progress
Actions #2

Updated by Jim Pingle 3 months ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100

Done: https://gitlab.netgate.com/pfSense/factory/-/commit/966988801d2684e2d31d24040ab9641b0390d61a

When DCO is enabled, disable and hide compression options.

Also remove TCP options when DCO is enabled.

If an existing instance has DCO+TCP enabled, log a useful error and don't try to start.

If an existing instance has compression enabled, disable compression forcefully.

Actions #3

Updated by Danilo Zrenjanin 2 months ago

Tested against:

23.01-DEVELOPMENT (amd64)
built on Fri Dec 02 06:04:48 UTC 2022
FreeBSD 14.0-CURRENT

When DCO is enabled, disable and hide compression options.

It works as expected!

Also remove TCP options when DCO is enabled.

It works as expected!

If an existing instance has DCO+TCP enabled, log a useful error and don't try to start.

I imported a config where the protocol was set to TCP, plus DCO was enabled. The OpenVPN service didn't start. Merely resaving the OpenVPN server config automatically reverted the protocol to UDP, and the service started successfully.

If an existing instance has compression enabled, disable compression forcefully.

I imported a config where the compression was enabled + DCO enabled. It was automatically reverted to Refuse any non-stub compression (Most Secure).

There are more incompatible options that should be suppressed:

  • TAP mode (L2)
  • topologies other than subnet

That's all I found. Maybe there is something else.
https://community.openvpn.net/openvpn/wiki/DataChannelOffload

Actions #4

Updated by Jim Pingle 2 months ago

  • Status changed from Feedback to In Progress
  • % Done changed from 100 to 80

OK, I'll open this back up and work up similar changes to disable and force the TUN/TAP setting to always be 'tun', and to disable the option for topology and force it to subnet.

Actions #5

Updated by Jim Pingle about 2 months ago

  • Status changed from In Progress to Feedback
  • % Done changed from 80 to 100

GUI now hides dev mode and topology choices when DCO is enabled; both front-end and back-end code force the use of tun dev mode and subnet topology.

https://gitlab.netgate.com/pfSense/factory/-/commit/a4b5b343d7fbc2695efde70749e15cb0a15518d2
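As an added illustration that is not pfSense code, the following Python normaliser applies the rules this ticket settles on to an OpenVPN server instance: DCO plus TCP refuses to start with a logged error, while compression, dev mode and topology are forced to DCO-compatible values. The field names (`dco`, `protocol`, `compression`, `dev_mode`, `topology`) and the value `"none"` for disabled compression are assumptions, not pfSense's actual config keys.

```python
"""Normalise an OpenVPN server instance for DCO, following the rules in this ticket.

Constructed example; the dict keys and values below are assumptions,
not the real pfSense configuration schema.
"""
from copy import deepcopy


class DCOIncompatibleError(ValueError):
    """Raised when an instance must not start (DCO with TCP encapsulation)."""


# Options the ticket says DCO cannot use, and the value the backend forces instead.
FORCED = {
    "compression": "none",   # compression is forced off
    "dev_mode": "tun",       # TAP (layer 2) is not supported by DCO
    "topology": "subnet",    # net30 and other topologies are not supported
}


def normalize_dco_instance(cfg):
    """Return (normalised copy, list of log lines) for one server instance.

    DCO + TCP raises instead of silently switching protocols, because changing
    the transport behind the user's back could break existing clients.
    Every other incompatible option is forced to its supported value and logged.
    """
    cfg = deepcopy(cfg)
    log = []
    if not cfg.get("dco"):
        return cfg, log                       # nothing to enforce without DCO
    proto = str(cfg.get("protocol", "udp")).lower()
    if proto.startswith("tcp"):
        raise DCOIncompatibleError(
            f"OpenVPN instance {cfg.get('name', '?')}: DCO requires UDP but "
            f"protocol is {proto}; refusing to start"
        )
    for key, forced in FORCED.items():
        current = cfg.get(key, forced)
        if current != forced:
            log.append(f"DCO enabled: forcing {key} from {current!r} to {forced!r}")
            cfg[key] = forced
    return cfg, log


if __name__ == "__main__":
    # Constructed sample resembling the imported config described in comment #3.
    sample = {"name": "srv1", "dco": True, "protocol": "udp4",
              "compression": "lz4", "dev_mode": "tap", "topology": "net30"}
    fixed, messages = normalize_dco_instance(sample)
    print(fixed)
    print("\n".join(messages))
```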

Actions #6

Updated by Jim Pingle about 2 months ago

  • Subject changed from GUI allows configuring OpenVPN DCO with incompatible options (TCP, compression) to GUI allows configuring OpenVPN DCO with incompatible options (TCP, compression, TAP, net30)
Actions #7

Updated by Danilo Zrenjanin about 2 months ago

Tested against the following release:

23.01-DEVELOPMENT (amd64)
built on Thu Dec 08 06:08:06 UTC 2022
FreeBSD 14.0-CURRENT

It hides dev mode and topology choices when DCO is enabled, as expected.

The ticket can be resolved.

Actions #8

Updated by Jim Pingle about 2 months ago

  • Status changed from Feedback to Resolved