Bug #13664
closed
GUI allows configuring OpenVPN DCO with incompatible options (TCP, compression, TAP, net30)
Added by Jim Pingle about 2 years ago.
Updated almost 2 years ago.
Description
When DCO mode is enabled for OpenVPN, the GUI allows configuring options which are currently incompatible with OpenVPN DCO.
So far the ones we have noted are:
- Compression -- should be forced to "no" so it gets disabled. GUI options can be hidden. Backend code should force compression off at all times.
- Protocol selection allows choosing TCP, but DCO is only compatible with UDP encapsulation. GUI should suppress the TCP options when DCO is enabled. Backend code should refuse to start, since changing protocols automatically could be problematic for the user in various ways.
- Status changed from New to In Progress
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
Tested against:
23.01-DEVELOPMENT (amd64)
built on Fri Dec 02 06:04:48 UTC 2022
FreeBSD 14.0-CURRENT
When DCO is enabled, disable and hide compression options.
It works as expected!
Also remove TCP options when DCO is enabled.
It works as expected!
If an existing instance has DCO+TCP enabled, log a useful error and don't try to start.
I imported a config where the protocol was set to TCP, plus DCO was enabled. The OpenVPN service didn't start. Merely resaving the OpenVPN server config automatically reverted the protocol to UDP, and the service started successfully.
If an existing instance has compression enabled, disable compression forcefully.
I imported a config where the compression was enabled + DCO enabled. It was automatically reverted to Refuse any non-stub compression (Most Secure).
There are more incompatible options that should be suppressed.
TAP mode (L2)
topologies other than subnet
That's all I found. Maybe there is something else.
https://community.openvpn.net/openvpn/wiki/DataChannelOffload
- Status changed from Feedback to In Progress
- % Done changed from 100 to 80
OK, I'll open this back up and work up similar changes to disable and force the TUN/TAP setting to always be 'tun', and to disable the option for topology and force it to subnet.
- Status changed from In Progress to Feedback
- % Done changed from 80 to 100
- Subject changed from GUI allows configuring OpenVPN DCO with incompatible options (TCP, compression) to GUI allows configuring OpenVPN DCO with incompatible options (TCP, compression, TAP, net30)
Tested against the following release:
23.01-DEVELOPMENT (amd64)
built on Thu Dec 08 06:08:06 UTC 2022
FreeBSD 14.0-CURRENT
It hides dev mode and topology choices when DCO is enabled, as expected.
The ticket can be resolved.
- Status changed from Feedback to Resolved
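The four incompatibilities tracked in this issue (TCP, compression, TAP, non-subnet topology) expressed as a check over an OpenVPN config file. This is an added example, not pfSense code. The function name `dco_conflicts`, the constructed sample config, and the strict treatment of any `compress`/`comp-lzo` line as a finding are assumptions.

```python
"""Report OpenVPN directives that this issue lists as incompatible with DCO."""

# Constructed sample config (not taken from the issue).
SAMPLE = """\
# imported server config
dev tap0
proto tcp-server
topology net30
compress lz4-v2
cipher AES-256-GCM
"""


def dco_conflicts(config_text):
    """Return (line_number, message) tuples for explicit DCO conflicts.

    Only directives present in the text are checked; defaults that apply
    when a directive is absent are not inferred. Comment handling is
    simplified and ignores quoting.
    """
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        # Drop '#' and ';' comments, then surrounding whitespace.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        key = parts[0].lower()
        arg = parts[1].lower() if len(parts) > 1 else ""
        if key == "proto" and arg.startswith("tcp"):
            findings.append((lineno, "proto %s: DCO requires UDP" % arg))
        elif key in ("compress", "comp-lzo"):
            # Assumption: strict policy, any compression directive is reported.
            findings.append((lineno, "%s: compression must be off with DCO" % key))
        elif key == "dev" and arg.startswith("tap"):
            findings.append((lineno, "dev %s: DCO requires tun (L3)" % arg))
        elif key == "dev-type" and arg == "tap":
            findings.append((lineno, "dev-type tap: DCO requires tun (L3)"))
        elif key == "topology" and arg != "subnet":
            findings.append((lineno, "topology %s: DCO requires subnet" % arg))
    return findings


if __name__ == "__main__":
    for lineno, message in dco_conflicts(SAMPLE):
        print("line %d: %s" % (lineno, message))
```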