DCO Breaking 2FA?

Post by x86txt » Thu Oct 21, 2021 3:31 pm

I am running openvpn3 with the dco module enabled, as per instructions. When I run it on a vanilla install of Linux Mint (kernel 5.4) it works perfectly. However, when I run it on Linux Mint Edge (kernel v 5.11) it hangs right before the 2FA prompt, but otherwise doesn't throw any errors. If I tell it --dco false the connection is able to complete, just without 2FA of course.

Can anyone help me figure out why the kernel difference would be causing this? Do I need to re-compile the dco module against the 5.11 kernel?

OpenVPN Inc.

Re: DCO Breaking 2FA?

Post by dazo » Sat Nov 06, 2021 12:02 pm

Which version of OpenVPN 3 Linux are you running? The latest v16_beta should include some fixes to the 2FA authentication. We don't fully understand how enabling DCO should change any behaviour in regards to 2FA auth. 2FA is not involved with the OpenVPN data channel. All authentication happens via the OpenVPN control channel, and these packets should just be passed on to the VPN client process in user space directly.

The kernel module is always required to be rebuilt against newer kernels, as that's how kernel modules behave. Kernel modules have a strict 1:1 relation between the version the module is compiled against and the currently running kernel. That is not something we can change.

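One way to check the point in the reply above, that a module is tied to the kernel it was built against (an added example, not part of the thread and not OpenVPN's own code). The module name `ovpn-dco` in the usage comment is an assumption, and the version strings in the comments are constructed samples.

```shell
#!/bin/sh
# Compare a module's build-time kernel version ("vermagic") with the
# running kernel release, to tell whether the module needs a rebuild.

# vermagic_release VERMAGIC
# Print the kernel release a module was built for. It is the first
# whitespace-separated field of vermagic, e.g. (constructed sample)
# "5.4.0-89-generic SMP mod_unload modversions" -> 5.4.0-89-generic
vermagic_release() {
    printf '%s\n' "$1" | awk '{print $1}'
}

# module_matches_kernel VERMAGIC KERNEL_RELEASE
# Exit status 0 when the module was built for exactly that release.
module_matches_kernel() {
    [ "$(vermagic_release "$1")" = "$2" ]
}

# check_module NAME
# Query the installed module and compare it with `uname -r`.
# Returns 0 = match, 1 = built for another kernel,
#         2 = no such module installed for the running kernel
#             (modinfo searches /lib/modules/$(uname -r) by default).
check_module() {
    mod=$1
    running=$(uname -r)
    vm=$(modinfo -F vermagic "$mod" 2>/dev/null) || return 2
    [ -n "$vm" ] || return 2
    if module_matches_kernel "$vm" "$running"; then
        echo "$mod: built for running kernel $running"
    else
        echo "$mod: built for $(vermagic_release "$vm"), running $running; rebuild needed"
        return 1
    fi
}

# Usage (module name is an assumption, not taken from the thread):
#   check_module ovpn-dco
```

A return value of 2 after a kernel upgrade usually means the module was only ever built for the previous kernel.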