DCO Breaking 2FA?

Posted: Thu Oct 21, 2021 3:31 pm
by x86txt
I am running openvpn3 with the dco module enabled, as per instructions. When I run it on a vanilla install of Linux Mint (kernel 5.4) it works perfectly. However, when I run it on Linux Mint Edge (kernel v 5.11) it hangs right before the 2FA prompt, but otherwise doesn't throw any errors. If I tell it --dco false the connection is able to complete, just without 2FA of course.

Can anyone help me figure out why the kernel difference would be causing this? Do I need to re-compile the dco module against the 5.11 kernel?

Re: DCO Breaking 2FA?

Posted: Sat Nov 06, 2021 12:02 pm
by dazo
Which version of OpenVPN 3 Linux are you running? The latest v16_beta should include some fixes to the 2FA authentication. We don't fully understand how enabling DCO should change any behaviour in regards to 2FA auth. 2FA is not involved with the OpenVPN data channel. All authentication happens via the OpenVPN control channel, and these packets should just be passed on to the VPN client process in user space directly.

The kernel module is always required to be rebuilt against newer kernels, as that's how kernel modules behave. Kernel modules have a strict 1:1 relation on the version the module is compiled against and the currently running kernel. That is not something we can change.
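
Added example, not part of either post above and not OpenVPN project code: a small shell check of the module-to-kernel relation described in the reply, comparing the kernel release recorded in a module's `vermagic` string with the running kernel. The function names are hypothetical, the module name `ovpn-dco` in the usage comment is an assumption about what the DCO module is called on your install, and the full release strings in the comments are constructed samples.

```shell
#!/bin/sh
# Usage (assumed module name): sh check-module.sh ovpn-dco
#        or with a file path:  sh check-module.sh /path/to/module.ko

# Print the kernel release a module was built for: the first field of its
# vermagic string, e.g. "5.4.0-89-generic SMP mod_unload modversions"
# (constructed sample) yields "5.4.0-89-generic".
vermagic_release() {
    printf '%s\n' "${1%% *}"
}

# Succeed only if the vermagic string ($1) names the kernel release in $2.
module_matches_kernel() {
    [ -n "$1" ] && [ "$(vermagic_release "$1")" = "$2" ]
}

# Check a module (name or .ko path) against the live system.
# Returns 0 = matches, 1 = built for another kernel, 2 = not found.
check_module() {
    mod=$1
    running=$(uname -r)
    # By name, modinfo searches /lib/modules/<running kernel>, so a module
    # built only for the previous kernel is reported as not found.
    if ! vm=$(modinfo -F vermagic "$mod" 2>/dev/null) || [ -z "$vm" ]; then
        echo "$mod: no build found for running kernel $running"
        return 2
    fi
    if module_matches_kernel "$vm" "$running"; then
        echo "$mod: built for running kernel $running"
    else
        echo "$mod: built for $(vermagic_release "$vm"), running $running: rebuild needed"
        return 1
    fi
}

# Run the live check only when a module name or path is given.
if [ $# -gt 0 ]; then
    check_module "$1"
fi
```

Exit status 1 or 2 after a kernel upgrade means the module has to be rebuilt for the new kernel before it can load.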