DCO module not installing on Rocky 8.8/9.2

RemoteOne
OpenVPN User
Posts: 34
Joined: Wed Sep 18, 2019 10:11 am

DCO module not installing on Rocky 8.8/9.2

Post by RemoteOne » Tue Aug 08, 2023 1:42 pm

I have OpenVPN 2.6.5 servers configured on both Rocky Linux 8 and 9. In both cases, when DCO was initially released, the driver published in the https://download.copr.fedorainfracloud. ... s/openvpn3 repositories compiled and loaded into the kernel properly. This is no longer the case. See errors below.

Is there a different repository that I should be downloading from? Or, is this a known issue?

Thanks

For Rocky 9 :-

[root@rocky9-openvpn217 ~]# uname -r
5.14.0-284.18.1.el9_2.x86_64

[root@rocky9-openvpn217 ~]# yum install kmod-ovpn-dco
Last metadata expiration check: 0:00:44 ago on Tue 08 Aug 2023 14:16:03.
Dependencies resolved.
================================================================================================================================================
 Package                      Architecture   Version                             Repository                                                Size
================================================================================================================================================
Installing:
 kmod-ovpn-dco                noarch         0-20220905git3ba6c07.el9            copr:copr.fedorainfracloud.org:dsommers:openvpn3          77 k
Installing dependencies:
 dkms                         noarch         3.0.11-1.el9                        epel                                                      85 k
 kernel-devel-matched         x86_64         5.14.0-284.25.1.el9_2               appstream                                                3.4 M
 tar                          x86_64         2:1.34-6.el9_1                      baseos                                                   876 k

Transaction Summary
================================================================================================================================================
Install  4 Packages

Total download size: 4.5 M
Installed size: 3.5 M
Is this ok [y/N]: y
Downloading Packages:
(1/4): tar-1.34-6.el9_1.x86_64.rpm                                                                              2.5 MB/s | 876 kB     00:00
(2/4): kmod-ovpn-dco-0-20220905git3ba6c07.el9.noarch.rpm                                                        167 kB/s |  77 kB     00:00
(3/4): dkms-3.0.11-1.el9.noarch.rpm                                                                             104 kB/s |  85 kB     00:00
(4/4): kernel-devel-matched-5.14.0-284.25.1.el9_2.x86_64.rpm                                                    5.4 MB/s | 3.4 MB     00:00
------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                           1.8 MB/s | 4.5 MB     00:02
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                        1/1
  Installing       : kernel-devel-matched-5.14.0-284.25.1.el9_2.x86_64                                                                      1/4
  Installing       : tar-2:1.34-6.el9_1.x86_64                                                                                              2/4
  Installing       : dkms-3.0.11-1.el9.noarch                                                                                               3/4
  Running scriptlet: dkms-3.0.11-1.el9.noarch                                                                                               3/4
  Installing       : kmod-ovpn-dco-0-20220905git3ba6c07.el9.noarch                                                                          4/4
  Running scriptlet: kmod-ovpn-dco-0-20220905git3ba6c07.el9.noarch                                                                          4/4
Loading new ovpn-dco-0.20220905git3ba6c07.el9 DKMS files...
Deprecated feature: REMAKE_INITRD (/usr/src/ovpn-dco-0.20220905git3ba6c07.el9/dkms.conf)
Building for 5.14.0-284.18.1.el9_2.x86_64 5.14.0-284.25.1.el9_2.x86_64
Building initial module for 5.14.0-284.18.1.el9_2.x86_64
Deprecated feature: REMAKE_INITRD (/var/lib/dkms/ovpn-dco/0.20220905git3ba6c07.el9/source/dkms.conf)
Error! Bad return status for module build on kernel: 5.14.0-284.18.1.el9_2.x86_64 (x86_64)
Consult /var/lib/dkms/ovpn-dco/0.20220905git3ba6c07.el9/build/make.log for more information.
warning: %post(kmod-ovpn-dco-0-20220905git3ba6c07.el9.noarch) scriptlet failed, exit status 10

Error in POSTIN scriptlet in rpm package kmod-ovpn-dco
  Verifying        : kmod-ovpn-dco-0-20220905git3ba6c07.el9.noarch                                                                          1/4
  Verifying        : dkms-3.0.11-1.el9.noarch                                                                                               2/4
  Verifying        : tar-2:1.34-6.el9_1.x86_64                                                                                              3/4
  Verifying        : kernel-devel-matched-5.14.0-284.25.1.el9_2.x86_64                                                                      4/4

Installed:
  dkms-3.0.11-1.el9.noarch         kernel-devel-matched-5.14.0-284.25.1.el9_2.x86_64        kmod-ovpn-dco-0-20220905git3ba6c07.el9.noarch
  tar-2:1.34-6.el9_1.x86_64

Complete!

Rocky 8 :-

[root@openvpn218 ~]# uname -r
4.18.0-477.15.1.el8_8.x86_64

[root@openvpn218 ~]# yum install kmod-ovpn-dco
Last metadata expiration check: 1:51:05 ago on Tue 08 Aug 2023 12:46:07 IST.
Dependencies resolved.
====================================================================================================================================================================================
 Package                          Architecture              Version                                       Repository                                                           Size
====================================================================================================================================================================================
Installing:
 kmod-ovpn-dco                    noarch                    0-20220905git3ba6c07.el8                      copr:copr.fedorainfracloud.org:dsommers:openvpn3                     79 k
Installing dependencies:
 dkms                             noarch                    3.0.11-1.el8                                  epel                                                                 90 k

Transaction Summary
====================================================================================================================================================================================
Install  2 Packages

Total download size: 170 k
Installed size: 474 k
Is this ok [y/N]: y
Downloading Packages:
(1/2): kmod-ovpn-dco-0-20220905git3ba6c07.el8.noarch.rpm                                                                                            605 kB/s |  79 kB     00:00
(2/2): dkms-3.0.11-1.el8.noarch.rpm                                                                                                                 178 kB/s |  90 kB     00:00
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                               164 kB/s | 170 kB     00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                            1/1
  Installing       : dkms-3.0.11-1.el8.noarch                                                                                                                                   1/2
  Running scriptlet: dkms-3.0.11-1.el8.noarch                                                                                                                                   1/2
  Installing       : kmod-ovpn-dco-0-20220905git3ba6c07.el8.noarch                                                                                                              2/2
  Running scriptlet: kmod-ovpn-dco-0-20220905git3ba6c07.el8.noarch                                                                                                              2/2
Loading new ovpn-dco-0.20220905git3ba6c07.el8 DKMS files...
Deprecated feature: REMAKE_INITRD (/usr/src/ovpn-dco-0.20220905git3ba6c07.el8/dkms.conf)
Building for 4.18.0-477.15.1.el8_8.x86_64
Building initial module for 4.18.0-477.15.1.el8_8.x86_64
Deprecated feature: REMAKE_INITRD (/var/lib/dkms/ovpn-dco/0.20220905git3ba6c07.el8/source/dkms.conf)
Error! Bad return status for module build on kernel: 4.18.0-477.15.1.el8_8.x86_64 (x86_64)
Consult /var/lib/dkms/ovpn-dco/0.20220905git3ba6c07.el8/build/make.log for more information.
warning: %post(kmod-ovpn-dco-0-20220905git3ba6c07.el8.noarch) scriptlet failed, exit status 10

Error in POSTIN scriptlet in rpm package kmod-ovpn-dco
  Verifying        : kmod-ovpn-dco-0-20220905git3ba6c07.el8.noarch                                                                                                              1/2
  Verifying        : dkms-3.0.11-1.el8.noarch                                                                                                                                   2/2

Installed:
  dkms-3.0.11-1.el8.noarch                                                       kmod-ovpn-dco-0-20220905git3ba6c07.el8.noarch

Complete!

Re: DCO module not installing on Rocky 8.8/9.2

Post by RemoteOne » Fri Oct 13, 2023 3:20 pm

Answering my own question ....

DSommers has released a new kernel mod, and it looks like it is working again. However, Secure Boot has to be turned off for the OpenVPN host to use it, as the kernel mod is not signed.

You need to update the package kmod-ovpn-dco.

This should remove the old package and replace it with the new.

Turn off Secure Boot on your host, and reboot.

modprobe ovpn-dco-v2

then

lsmod | grep vpn

should show something like

ovpn_dco_v2            90112  0
ip6_udp_tunnel         16384  1 ovpn_dco_v2
udp_tunnel             24576  1 ovpn_dco_v2

Then, restart the OpenVPN service and test

You should see the following references to DCO in your openvpn.log file (at VERB 4)

2023-10-13 16:10:55 us=954458 OpenVPN 2.6.6 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2023-10-13 16:10:55 us=954472 library versions: OpenSSL 1.1.1k  FIPS 25 Mar 2021, LZO 2.08
2023-10-13 16:10:55 us=954530 DCO version: copr:0.2.20230426.3.el8
......
2023-10-13 16:10:56 us=2438 net_iface_new: add tun0 type ovpn-dco
2023-10-13 16:10:56 us=3423 DCO device tun0 opened
......
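
The checks described in the two posts above, as an added example that is not part of the original thread: shell functions that detect the failed DKMS build in a yum transcript, confirm ovpn_dco_v2 in lsmod output, and summarise the DCO lines of an OpenVPN log. The sample inputs are copied from the posts; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): checks that catch a DCO install which
# "completed" but left OpenVPN without the kernel module. Each function reads
# text on stdin, so it works on live output or on the samples below.

# Samples copied from the posts above (trimmed to the relevant lines).
SAMPLE_YUM='Building initial module for 5.14.0-284.18.1.el9_2.x86_64
Error! Bad return status for module build on kernel: 5.14.0-284.18.1.el9_2.x86_64 (x86_64)
warning: %post(kmod-ovpn-dco-0-20220905git3ba6c07.el9.noarch) scriptlet failed, exit status 10
Complete!'
SAMPLE_LSMOD='ovpn_dco_v2            90112  0
ip6_udp_tunnel         16384  1 ovpn_dco_v2
udp_tunnel             24576  1 ovpn_dco_v2'
SAMPLE_LOG='2023-10-13 16:10:55 us=954458 OpenVPN 2.6.6 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2023-10-13 16:10:55 us=954530 DCO version: copr:0.2.20230426.3.el8
2023-10-13 16:10:56 us=3423 DCO device tun0 opened'

# 0 if a yum/dnf transcript shows the DKMS build or %post scriptlet failing.
dkms_build_failed() {
    grep -Eq '^Error! Bad return status for module build|scriptlet failed, exit status'
}

# 0 if lsmod output lists the module (lsmod prints ovpn-dco-v2 as ovpn_dco_v2).
dco_module_loaded() {
    awk '$1 == "ovpn_dco_v2" { found = 1 } END { exit !found }'
}

# Print "built=.. version=.. device=.." for an OpenVPN log; exit status is
# non-zero when no device was opened in DCO mode (userspace fallback).
dco_log_summary() {
    awk '
        /OpenVPN [0-9.]+ .*\[DCO\]/ { built = "yes" }
        /DCO version: /            { v = $0; sub(/.*DCO version: /, "", v); ver = v }
        /DCO device [^ ]+ opened/  { for (i = 1; i < NF; i++) if ($i == "device") dev = $(i + 1) }
        END {
            printf "built=%s version=%s device=%s\n", (built == "" ? "no" : built), (ver == "" ? "none" : ver), (dev == "" ? "none" : dev)
            exit (dev == "")
        }'
}

printf '%s\n' "$SAMPLE_YUM"   | dkms_build_failed && echo "DKMS build failed"
printf '%s\n' "$SAMPLE_LSMOD" | dco_module_loaded && echo "module loaded"
printf '%s\n' "$SAMPLE_LOG"   | dco_log_summary
```

On a live host, feed the functions real output, for example `lsmod | dco_module_loaded` and `dco_log_summary < openvpn.log`.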

Re: DCO module not installing on Rocky 8.8/9.2

Post by RemoteOne » Fri Oct 13, 2023 4:10 pm

Note also, if you have SELinux enabled, you will need to make a local policy to allow openvpn to use netlink_generic_socket. See the discussion in this thread viewtopic.php?t=35197
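
One way to build that local policy narrowly, as an added example that is not part of the original thread or the linked discussion: it turns AVC denials into a policy source while accepting only openvpn_t acting on its own netlink_generic_socket. The AVC records are constructed samples, the module name local_openvpn_dco and the function names are hypothetical, and the permission set on a real host must come from its own audit log.

```shell
#!/bin/sh
# Added example (not from the thread): derive the local-policy rule from AVC
# denials, keeping only openvpn_t on its own netlink_generic_socket. Any other
# denial is left out so it can be reviewed separately.

# Constructed sample audit records (on a host: ausearch -m AVC -c openvpn).
SAMPLE_AVC='type=AVC msg=audit(1697209855.954:101): avc:  denied  { create } for  pid=1234 comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=netlink_generic_socket permissive=0
type=AVC msg=audit(1697209855.960:102): avc:  denied  { bind setopt } for  pid=1234 comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=netlink_generic_socket permissive=0
type=AVC msg=audit(1697209856.002:103): avc:  denied  { create } for  pid=1240 comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=netlink_generic_socket permissive=0
type=AVC msg=audit(1697209856.010:104): avc:  denied  { write } for  pid=1240 comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1697209856.020:105): avc:  denied  { create } for  pid=2001 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_generic_socket permissive=0'

# Print the sorted, de-duplicated permissions denied to openvpn_t on its own
# netlink_generic_socket; other domains and object classes are ignored.
openvpn_netlink_perms() {
    awk '
        /avc: +denied/ && /tclass=netlink_generic_socket/ &&
        /scontext=[^ ]*:openvpn_t:/ && /tcontext=[^ ]*:openvpn_t:/ {
            s = $0; sub(/^[^{]*[{] */, "", s); sub(/ *[}].*$/, "", s)
            n = split(s, p, " "); for (i = 1; i <= n; i++) print p[i]
        }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Print a .te source for a local module (module name is hypothetical).
# Returns 1 when no matching denial is found, so nothing gets installed.
openvpn_dco_te() {
    perms=$(openvpn_netlink_perms)
    [ -n "$perms" ] || return 1
    cat <<EOF
module local_openvpn_dco 1.0;

require {
    type openvpn_t;
    class netlink_generic_socket { $perms };
}

allow openvpn_t self:netlink_generic_socket { $perms };
EOF
}

printf '%s\n' "$SAMPLE_AVC" | openvpn_dco_te
```

The printed source can be compiled and loaded with the standard `checkmodule`, `semodule_package` and `semodule -i` tools once the rule has been reviewed.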

Re: DCO module not installing on Rocky 8.8/9.2

Post by RemoteOne » Fri Oct 13, 2023 5:03 pm

I have been testing on Rocky 8. Just started on Rocky 9 now and it seems a further tweak will be needed for SELinux on that. Haven't figured out what it is as yet though.
