OpenVPN 2.6_rc1

Weekly dev snapshots are available for testing.
We talk about them here. Testing features in the dev snapshot helps the features make it to stable.

Moderators: TinCanTech

Forum rules
Please report your experience with testing branch. Include what you were using and how
If there is a problem, the more info the better!
RemoteOne
OpenVPN User
Posts: 34
Joined: Wed Sep 18, 2019 10:11 am

OpenVPN 2.6_rc1

Post by RemoteOne » Mon Jan 09, 2023 3:51 pm

Hi,

I am running on CentOS.

I added the dsomers openvpn-beta repository to get access to 2.6_beta1. beta2 appeared there as an available update when it was released. However, rc1 is not showing up. Do I need to remove the openvpn-beta repository and add a different one to find the rc1 package?

Thanks in advance.

dazo
OpenVPN Inc.
Posts: 155
Joined: Mon Jan 11, 2010 10:14 am
Location: dazo :: #openvpn-devel @ libera.chat

Re: OpenVPN 2.6_rc1 released

Post by dazo » Tue Jan 10, 2023 2:17 pm

RemoteOne wrote (Mon Jan 09, 2023 3:51 pm):
I added the dsomers openvpn-beta repository to get access to 2.6_beta1. beta2 appeared there as an available update when it was released. However, rc1 is not showing up. Do I need to remove the openvpn-beta repository and add a different one to find the rc1 package?
Hi, dsommers here!

Sorry about that. I came back from a long holiday yesterday, so I'm catching up on my backlog.

I've kicked off a new build with 2.6_rc1 now ... https://copr.fedorainfracloud.org/coprs ... d/5212371/

RemoteOne
OpenVPN User
Posts: 34
Joined: Wed Sep 18, 2019 10:11 am

Re: OpenVPN 2.6_rc1 released

Post by RemoteOne » Tue Jan 10, 2023 3:36 pm

Thank you.

Downloaded and starting to test with it.

RemoteOne
OpenVPN User
Posts: 34
Joined: Wed Sep 18, 2019 10:11 am

Re: OpenVPN 2.6_rc1 released

Post by RemoteOne » Thu Jan 12, 2023 12:54 pm

@dazo I have tried configuring the Data Channel Offload on both Rocky (RHEL) 8 and Rocky 9, and in both cases I get

Note: Kernel support for ovpn-dco missing, disabling data channel offload.

I have enabled your dsommers/openvpn3 repository, and installed the kmod-ovpn-dco package using yum install kmod-ovpn-dco which looks to have completed without errors.

Is there anything else I need to do for this to work?

TIA

dazo
OpenVPN Inc.
Posts: 155
Joined: Mon Jan 11, 2010 10:14 am
Location: dazo :: #openvpn-devel @ libera.chat

Re: OpenVPN 2.6_rc1

Post by dazo » Thu Jan 12, 2023 2:25 pm

What is the output of the commands below?


# uname -r
# dkms status
# modinfo ovpn-dco
Are you running the same kernel as the dkms build of ovpn-dco is built for?

RemoteOne
OpenVPN User
Posts: 34
Joined: Wed Sep 18, 2019 10:11 am

Re: OpenVPN 2.6_rc1

Post by RemoteOne » Thu Jan 12, 2023 3:17 pm

dazo wrote (Thu Jan 12, 2023 2:25 pm):
What is the output of the commands below?

# uname -r
# dkms status
# modinfo ovpn-dco
Are you running the same kernel as the dkms build of ovpn-dco is built for?
Not sure on the kernel version question. Output of the commands below for both Rocky 8 and 9:

Rocky 8

[root@openvpn218 ~]# uname -r
4.18.0-425.3.1.el8.x86_64

[root@openvpn218 ~]# dkms status
Deprecated feature: REMAKE_INITRD (/var/lib/dkms/ovpn-dco/0.20220905git3ba6c07.el8/source/dkms.conf)
ovpn-dco/0.20220905git3ba6c07.el8, 4.18.0-425.3.1.el8.x86_64, x86_64: installed

[root@openvpn218 ~]# modinfo ovpn-dco
filename: /lib/modules/4.18.0-425.3.1.el8.x86_64/extra/ovpn-dco.ko.xz
alias: net-pf-16-proto-16-family-ovpn-dco
alias: rtnl-link-ovpn-dco
version: copr:0.20220905git3ba6c07.el8
license: GPL
author: (C) 2020-2022 OpenVPN, Inc.
description: OpenVPN data channel offload (ovpn-dco)
rhelversion: 8.7
srcversion: 618596E9098571628A3365F
depends: udp_tunnel,ip6_udp_tunnel
name: ovpn_dco
vermagic: 4.18.0-425.3.1.el8.x86_64 SMP mod_unload modversions
sig_id: PKCS#7
signer: DKMS module signing key
sig_key: 1E:2B:17:79:39:02:C7:5B:BC:08:58:86:9B:2F:95:49:3A:A2:6F:81
sig_hashalgo: sha256
signature: 2C:23:ED:75:53:43:D7:79:38:B3:60:16:5D:B2:C1:A1:44:6C:59:67:
81:EC:4B:A7:48:F2:F0:02:0A:CD:F5:E7:F7:A4:AA:5D:23:2F:9D:13:
BC:36:4E:69:34:8B:C1:5D:55:0D:5C:1B:CC:41:4A:36:20:E6:E6:EB:
52:BB:CB:8A:0C:F8:08:84:25:24:26:7B:37:77:28:77:88:AA:36:3F:
28:85:CB:F8:F6:B4:BE:43:9D:79:4F:B5:98:A3:C5:9A:E9:81:33:71:
DC:6F:19:6D:E0:0C:04:A5:68:4F:11:31:89:A6:BF:CC:A5:93:D2:5A:
0D:75:2A:96:73:D7:FB:DB:07:CC:61:EA:69:2A:56:E7:4D:C4:9D:B5:
06:8C:6D:C8:D1:16:8C:30:91:C5:8D:03:19:F8:38:50:3A:00:5B:C8:
2C:4D:D6:F4:D9:37:BA:D7:8E:92:5C:54:4E:D6:BE:12:CF:39:37:D4:
60:A6:42:3C:92:10:61:A7:E2:9D:BF:0B:A4:94:48:D4:4A:F1:08:5E:
AB:4C:34:48:C8:C8:FC:A7:63:E2:2F:32:23:4A:52:E7:CB:78:88:00:
03:82:23:B1:FC:04:AC:E4:5E:3C:93:67:30:F6:44:46:0C:48:52:5C:
73:3C:19:DC:71:9A:B3:4D:0C:E5:D1:D0:01:C3:11:4F
[root@openvpn218 ~]#


Rocky 9

[root@rocky9-openvpn217 ~]# uname -r
5.14.0-162.6.1.el9_1.0.1.x86_64

[root@rocky9-openvpn217 ~]# dkms status
Deprecated feature: REMAKE_INITRD (/var/lib/dkms/ovpn-dco/0.20220905git3ba6c07.el9/source/dkms.conf)
ovpn-dco/0.20220905git3ba6c07.el9, 5.14.0-162.6.1.el9_1.0.1.x86_64, x86_64: installed

[root@rocky9-openvpn217 ~]# modinfo ovpn-dco
filename: /lib/modules/5.14.0-162.6.1.el9_1.0.1.x86_64/extra/ovpn-dco.ko.xz
alias: net-pf-16-proto-16-family-ovpn-dco
alias: rtnl-link-ovpn-dco
version: copr:0.20220905git3ba6c07.el9
license: GPL
author: (C) 2020-2022 OpenVPN, Inc.
description: OpenVPN data channel offload (ovpn-dco)
rhelversion: 9.1
srcversion: D9E21BC3C39384ACEAD8AC5
depends: udp_tunnel,ip6_udp_tunnel
retpoline: Y
name: ovpn_dco
vermagic: 5.14.0-162.6.1.el9_1.0.1.x86_64 SMP preempt mod_unload modversions
sig_id: PKCS#7
signer: DKMS module signing key
sig_key: 04:CF:F4:BB:D3:75:EF:50:A3:C7:B2:A9:29:C4:17:03:63:5D:57:39
sig_hashalgo: sha512
signature: 2A:DC:52:E7:F5:7A:AB:E3:08:73:7C:36:9B:09:FC:DF:8A:8E:49:4E:
14:ED:A9:23:F3:FB:63:7B:39:FE:F1:19:4D:4F:58:F6:18:8B:85:C9:
EE:10:64:87:24:29:6D:13:7D:2C:BA:B2:49:53:91:F9:AD:C5:AD:EC:
5B:5B:06:E2:09:31:6D:5C:45:F7:1A:56:57:B3:00:F5:FF:10:2E:AD:
B4:7C:3D:60:59:C7:89:99:1B:64:1D:50:91:72:12:AC:E1:1E:0A:01:
87:82:E4:EE:2A:63:FE:46:AB:4D:BD:58:F1:D6:C7:5B:6B:61:F2:C4:
0D:D9:8E:D5:13:DC:05:A5:76:3A:B1:18:52:F2:E2:06:77:3C:4D:CB:
3E:A9:C4:FF:A1:1E:44:18:E5:A4:D6:41:BB:24:D5:A8:32:64:5C:F5:
04:FC:56:8A:AC:3F:A5:A7:34:78:10:13:57:D1:25:E8:7D:9D:C4:68:
F5:D4:EA:45:0D:F7:E1:31:B6:E9:28:34:51:30:4F:4B:B3:7C:25:3A:
69:50:FB:24:E4:F0:BA:A8:F4:2E:97:C6:BC:6E:34:52:45:62:C6:40:
EE:8D:25:C5:DB:F6:9B:CD:23:B6:AD:72:F6:6D:40:43:D4:C2:57:CF:
D1:BF:7B:F6:A1:66:76:A9:7C:49:CA:E0:5D:36:8F:6F
[root@rocky9-openvpn217 ~]#

dazo
OpenVPN Inc.
Posts: 155
Joined: Mon Jan 11, 2010 10:14 am
Location: dazo :: #openvpn-devel @ libera.chat

Re: OpenVPN 2.6_rc1

Post by dazo » Thu Jan 12, 2023 3:50 pm

Okay, this looks good. Basically, the kernel version match can be described as running "dkms status -m ovpn-dco | grep $(uname -r)" ... if that does not give any output, the dkms build of ovpn-dco is not available for the currently running kernel. You seem to have a match here.

Check if the ovpn-dco kernel module is loaded:


# lsmod | grep ovpn-dco   # To see if module is loaded
# modprobe ovpn-dco       # To load the module manually
If the kernel module was not loaded and you could load it manually, try running OpenVPN again and see if it still fails.
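
The checks dazo lists (a dkms build for the running kernel, module loaded, modprobe), plus a way to answer the question that comes up later in the thread of how to tell offload is actually in use, as an added example. This is not code from the thread or from the OpenVPN project. The parsing functions take captured command output so they can be exercised without root; the sample strings are the Rocky 8 output posted above. Assumptions: the tunnel device is tun0 unless told otherwise, and `ip -d link show` prints the rtnl link kind (`ovpn-dco`, per the rtnl-link-ovpn-dco alias in the modinfo output) as the first word of the device's detail line.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenVPN project): dazo's checks as
# functions over captured command output, plus a live mode that runs them for real.
# The module file is ovpn-dco.ko.xz but the module *name* is ovpn_dco: the kernel
# maps '-' to '_', so lsmod prints ovpn_dco and "lsmod | grep ovpn-dco" finds nothing.
DCO_MOD=ovpn_dco

# Samples taken from the Rocky 8 output posted earlier in this thread.
SAMPLE_DKMS='Deprecated feature: REMAKE_INITRD (/var/lib/dkms/ovpn-dco/0.20220905git3ba6c07.el8/source/dkms.conf)
ovpn-dco/0.20220905git3ba6c07.el8, 4.18.0-425.3.1.el8.x86_64, x86_64: installed'
SAMPLE_LSMOD='ovpn_dco 86016 0
ip6_udp_tunnel 16384 1 ovpn_dco
udp_tunnel 20480 1 ovpn_dco'

# $1: output of `dkms status`; $2: running kernel (`uname -r`).
# Succeeds only when an ovpn-dco build is "installed" for exactly that kernel: the
# second comma-separated field must equal $2, so a "grep $(uname -r)" false positive
# (one kernel string being a prefix of another) is not counted as a match.
dkms_built_for_kernel() {
    printf '%s\n' "$1" | awk -F', ' -v k="$2" '
        $1 ~ /^ovpn-dco\// && $2 == k && $3 ~ /: installed$/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# $1: output of `lsmod`. Succeeds when ovpn_dco is loaded.
dco_loaded() {
    printf '%s\n' "$1" | awk -v m="$DCO_MOD" '$1 == m { found = 1 } END { exit found ? 0 : 1 }'
}

# $1: output of `ip -d link show dev <tun>`. Succeeds when the device was created
# through the ovpn-dco rtnl link type (the rtnl-link-ovpn-dco alias in the modinfo
# output above), which is what a tunnel with offload active looks like; a userspace
# fallback device shows "tun" there instead. Assumption: `ip -d` prints the link
# kind as the first word of the per-device detail line.
dev_is_dco() {
    printf '%s\n' "$1" | awk '$1 == "ovpn-dco" { found = 1 } END { exit found ? 0 : 1 }'
}

# Live mode (root): $1 is the tunnel device to inspect, default tun0.
live_check() {
    dev=${1:-tun0}
    k=$(uname -r)
    if dkms_built_for_kernel "$(dkms status 2>/dev/null)" "$k"; then
        echo "ok: dkms build of ovpn-dco installed for $k"
    else
        echo "FAIL: no installed dkms build for $k (dkms autoinstall, or boot the kernel it was built for)"
    fi
    if ! dco_loaded "$(lsmod)"; then
        # "Key was rejected by service" here means the kernel does not trust the
        # module's signer (Secure Boot with the DKMS signing cert not enrolled).
        modprobe ovpn-dco || dmesg | grep -i -e ovpn_dco -e 'is rejected' -e lockdown | tail -n 5
    fi
    if dco_loaded "$(lsmod)"; then echo "ok: $DCO_MOD loaded"; else echo "FAIL: $DCO_MOD not loaded"; fi
    if dev_is_dco "$(ip -d link show dev "$dev" 2>/dev/null)"; then
        echo "ok: $dev is an ovpn-dco device (offload active)"
    else
        echo "note: $dev is not an ovpn-dco device (tunnel down, or OpenVPN fell back to userspace tun)"
    fi
}

case "${1:-}" in
    --live) live_check "${2:-tun0}" ;;
    --demo) dkms_built_for_kernel "$SAMPLE_DKMS" 4.18.0-425.3.1.el8.x86_64 && echo "sample: dkms build matches kernel"
            dco_loaded "$SAMPLE_LSMOD" && echo "sample: $DCO_MOD loaded" ;;
esac
```

Saved as, say, dco-check.sh, `sh dco-check.sh --live tun0` runs the real checks on the server; `--demo` only exercises the parsers on the embedded samples. The device check is the one that goes beyond the absence of the "disabling data channel offload" log line: a tunnel whose link kind is ovpn-dco was created by the kernel module, a plain tun device was not.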

RemoteOne
OpenVPN User
Posts: 34
Joined: Wed Sep 18, 2019 10:11 am

Re: OpenVPN 2.6_rc1

Post by RemoteOne » Thu Jan 12, 2023 5:21 pm

So, different results.

Rocky 8

Initially, the lsmod does not find anything - NOTE: The grep looks like it should be for "ovpn_dco" rather than "ovpn-dco" - I just searched for "vpn"
The modprobe runs successfully, and a repeat of the lsmod finds 3 loaded modules.

[root@openvpn218 ~]# lsmod | grep vpn
[root@openvpn218 ~]# modprobe ovpn-dco
[root@openvpn218 ~]# lsmod | grep vpn
ovpn_dco 86016 0
ip6_udp_tunnel 16384 1 ovpn_dco
udp_tunnel 20480 1 ovpn_dco
[root@openvpn218 ~]# /bin/systemctl restart openvpn-server@openvpn218

However, restarting the service after this still logs the same "disabling" message.
Note: Kernel support for ovpn-dco missing, disabling data channel offload.


Rocky 9

Initially, the lsmod does not find anything
The modprobe fails

[root@rocky9-openvpn217 ~]# lsmod | grep vpn
[root@rocky9-openvpn217 ~]# modprobe ovpn-dco
modprobe: ERROR: could not insert 'ovpn_dco': Key was rejected by service
[root@rocky9-openvpn217 ~]#

dazo
OpenVPN Inc.
Posts: 155
Joined: Mon Jan 11, 2010 10:14 am
Location: dazo :: #openvpn-devel @ libera.chat

Re: OpenVPN 2.6_rc1

Post by dazo » Thu Jan 12, 2023 9:10 pm

Okay, so there are at least two independent issues.

I suspect Rocky 8 is booted without Secure Boot, that's why the 'modprobe' works. Can you try to disable SELinux on this host (setenforce 0) and start it?

For Rocky 9, I would expect SELinux to also be an issue - but not just yet. That box is probably booted with Secure Boot and the signing certificate is not loaded into the kernel, so the kernel rejects the module as untrusted. 'dmesg' might give more details here. Have a look on how to sign kernel modules on RHEL-9, which should cover the needed details for Rocky 9 too: https://access.redhat.com/documentation ... the-kernel

There are also some docs for dkms on how to sign keys automatically, but that seems to happen already, as I see the "signer" field as well as other signature-related fields in the modinfo output.

RemoteOne
OpenVPN User
Posts: 34
Joined: Wed Sep 18, 2019 10:11 am

Re: OpenVPN 2.6_rc1

Post by RemoteOne » Fri Jan 13, 2023 11:54 am

Rocky 8

You are probably right on Rocky 8 and secure boot. That test instance is hosted on an old VMWare server that does not have UEFI secure boot capability.

If I disable SELinux, then run modprobe, then restart openvpn, I no longer see the "offload disabled" message at startup.

Is there a way to verify that offload is being used beyond the absence of the message?
Is there a plan to address the selinux issue as our policy is not to disable it?

Rocky 9

I will need to get some time to read through the doc you linked

Happy to try any other tests you need me to do

RemoteOne
OpenVPN User
Posts: 34
Joined: Wed Sep 18, 2019 10:11 am

Re: OpenVPN 2.6_rc1

Post by RemoteOne » Fri Jan 13, 2023 12:05 pm

Our Rocky 9 VM is hosted on Hyper-V, so I could easily edit the VM to turn off Secure Boot for a test.

With Secure Boot and SELinux both disabled, the modprobe works, and starting openvpn does not display the "offload disabled" message at startup.

So, it looks like you are on the right track for both issues.

dazo
OpenVPN Inc.
Posts: 155
Joined: Mon Jan 11, 2010 10:14 am
Location: dazo :: #openvpn-devel @ libera.chat

Re: OpenVPN 2.6_rc1

Post by dazo » Fri Jan 27, 2023 11:37 am

In regards to SELinux issues. I've sent a pull-req to the SELinux reference policy project: https://github.com/SELinuxProject/refpolicy/pull/591

A local quick fix:

# grep -E 'avc:  denied  .* scontext=.*:openvpn_t:.* tclass=netlink_generic_socket' /var/log/audit/audit.log | audit2allow -M openvpn_dco && semodule -i openvpn_dco.pp

(audit2allow -M writes openvpn_dco.te and the compiled openvpn_dco.pp; semodule -i takes the .pp file.)
This should end up with a simple module looking something like this:


module openvpn_dco 1.0;

require {
	type openvpn_t;
	class netlink_generic_socket create_socket_perms;
}

#============= openvpn_t ==============
allow openvpn_t self:netlink_generic_socket create_socket_perms;
By installing selinux-policy-devel you can compile this fairly simply yourself. First, copy the policy from the last blob above into a file called "openvpn_dco.te". Then run these commands:


# ln -s /usr/share/selinux/devel/Makefile ./Makefile
# make openvpn_dco.pp
# semodule -i openvpn_dco.pp
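
What the audit2allow step above does, written out so the generated rules can be read and trimmed before `semodule -i` grants them for good. This is an added example, not dazo's code, not the OpenVPN project's and not a replacement for the refpolicy pull request. The AVC records are constructed for the demonstration: the first mirrors the netlink_generic_socket denial this thread is about, the second adds a `bind` permission purely to show how permissions merge (it is not a denial reported in the thread), and the third is an unrelated SYSCALL record that must be ignored. The build step uses checkmodule and semodule_package rather than the selinux-policy-devel Makefile because the generated .te lists permissions explicitly and needs no m4 macro expansion.

```shell
#!/bin/sh
# Added example: a transparent stand-in for `audit2allow -M`, so the rule set can be
# reviewed before it is installed. Not from the thread or the OpenVPN project.

# Constructed sample input (not real audit data): the thread's netlink_generic_socket
# denial, a second record with "bind" to show permission merging, and an unrelated
# SYSCALL record that must be ignored.
SAMPLE_AVC='type=AVC msg=audit(1673617212.407:902): avc:  denied  { create } for  pid=4711 comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=netlink_generic_socket permissive=0
type=AVC msg=audit(1673617212.409:903): avc:  denied  { bind } for  pid=4711 comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=netlink_generic_socket permissive=0
type=SYSCALL msg=audit(1673617212.409:903): arch=c000003e syscall=49 success=no exit=-13 comm="openvpn"'

# $1: module name. Reads raw AVC records on stdin, writes a .te module on stdout:
# one allow rule per (source type, target type, class) with permissions merged,
# and "self" substituted when source and target types match, as audit2allow does.
te_from_avc() {
    awk -v mod="$1" '
    /avc: +denied/ {
        perms = $0
        sub(/^.*denied +\{ */, "", perms)      # "create bind" out of "{ create bind }"
        sub(/ *\}.*$/, "", perms)
        st = ""; tt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); st = a[3] }   # user:role:TYPE:level
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (st == "" || tt == "" || cls == "") next
        tgt = (st == tt) ? "self" : tt
        key = st SUBSEP tgt SUBSEP cls
        if (!(key in rule))  { rorder[++nr] = key; rule[key] = "" }
        if (!(st in type))   { torder[++nt] = st; type[st] = 1 }
        if (tgt != "self" && !(tt in type)) { torder[++nt] = tt; type[tt] = 1 }
        if (!(cls in cperm)) { corder[++nc] = cls; cperm[cls] = "" }
        np = split(perms, p, " ")
        for (j = 1; j <= np; j++) {
            if (index(" " rule[key] " ", " " p[j] " ") == 0)
                rule[key] = (rule[key] == "" ? p[j] : rule[key] " " p[j])
            if (index(" " cperm[cls] " ", " " p[j] " ") == 0)
                cperm[cls] = (cperm[cls] == "" ? p[j] : cperm[cls] " " p[j])
        }
    }
    END {
        if (nr == 0) { print "no AVC denials on input" > "/dev/stderr"; exit 1 }
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", torder[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s { %s };\n", corder[i], cperm[corder[i]]
        printf "}\n\n"
        for (i = 1; i <= nr; i++) {
            split(rorder[i], k, SUBSEP)
            printf "allow %s %s:%s { %s };\n", k[1], k[2], k[3], rule[rorder[i]]
        }
    }'
}

# Compile and install $1.te (root). checkmodule and semodule_package (checkpolicy and
# policycoreutils packages) take the explicit-permission form directly; the
# selinux-policy-devel Makefile is only needed when the .te uses m4 macros such as
# create_socket_perms.
build_and_install() {
    checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp"
}

case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_AVC" | te_from_avc openvpn_dco ;;
    # Narrow the input to openvpn's own denials, then READ the file before
    # build_and_install: anything else that lands in it is granted to openvpn_t too.
    --live) ausearch -m AVC -c openvpn --raw 2>/dev/null | te_from_avc openvpn_dco > openvpn_dco.te && cat openvpn_dco.te ;;
esac
```

`--demo` prints the module for the embedded records; `--live` reads the real audit log through ausearch (the grep over /var/log/audit/audit.log in the post above works just as well) and leaves openvpn_dco.te for review, after which `build_and_install openvpn_dco` installs it.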

RemoteOne
OpenVPN User
Posts: 34
Joined: Wed Sep 18, 2019 10:11 am

Re: OpenVPN 2.6_rc1

Post by RemoteOne » Wed Feb 15, 2023 4:50 pm

I just noticed your update today.

I can confirm I was able to run the modprobe on Rocky 8 with SELinux Enforcing after installing your custom policy.

The secure boot issue still exists, as you would expect.

In the VM settings, if I turn off Secure Boot, the Data Channel Offload works. If I re-enable secure boot and reboot the VM, Data Channel Offload will not work - the kernel module does not get loaded.

Surely every user should not need to sign the module with their own keys. Is there any chance the issue is that you have not registered your key with the "Microsoft UEFI Certificate Authority" as that is the one that HYPER-V uses?
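
Secure Boot triage for the "Key was rejected by service" failure discussed above, as an added example that is not from the thread or the OpenVPN project. It follows the MOK route the Red Hat document dazo linked describes: under Secure Boot the kernel only loads modules whose signer is in its keyring, and shim adds to that keyring whatever the administrator has enrolled with mokutil. On a Hyper-V Gen 2 VM the "Microsoft UEFI Certificate Authority" template trusts shim, and shim in turn trusts the MOK list, so enrolling the DKMS certificate is the expected path rather than getting a key registered with Microsoft. Assumptions: dkms 3.x stores its auto-generated certificate in DER form at /var/lib/dkms/mok.pub (check `mok_certificate` in /etc/dkms/framework.conf and set DKMS_CERT if yours differs), and the `mokutil --list-enrolled` layout shown in the constructed sample.

```shell
#!/bin/sh
# Added example: Secure Boot triage for "modprobe: could not insert 'ovpn_dco':
# Key was rejected by service". Under Secure Boot the kernel only loads modules whose
# signer is in its keyring; the "DKMS module signing key" gets there via shim's MOK
# list, so the fix is to enrol the DKMS certificate, not to re-sign the module.
# Assumption: dkms 3.x keeps its DER certificate here (see mok_certificate in
# /etc/dkms/framework.conf); override with DKMS_CERT=... if yours differs.
DKMS_CERT=${DKMS_CERT:-/var/lib/dkms/mok.pub}

# Constructed sample (not a real key): what the two tools print for one enrolled cert.
SAMPLE_FP='SHA1 Fingerprint=5C:17:C4:88:26:97:79:E4:D8:5B:C6:7E:CD:AC:E6:7F:76:F2:B3:C8'
SAMPLE_MOK='[key 1]
SHA1 Fingerprint: 5c:17:c4:88:26:97:79:e4:d8:5b:c6:7e:cd:ac:e6:7f:76:f2:b3:c8
Certificate:
    Data:
        Subject: CN = DKMS module signing key'

# $1: output of `mokutil --sb-state`. Succeeds when Secure Boot is enabled.
sb_enabled() {
    printf '%s\n' "$1" | grep -q '^SecureBoot enabled'
}

# $1: `openssl x509 -noout -fingerprint -sha1` output for the DKMS cert;
# $2: `mokutil --list-enrolled` output (one "SHA1 Fingerprint: ..." line per key).
# Succeeds when that exact fingerprint is enrolled. Comparing fingerprints rather than
# the "DKMS module signing key" subject name matters: any certificate can carry that CN.
cert_enrolled() {
    fp=$(printf '%s\n' "$1" | sed -n 's/^[^=]*=//p' | tr '[:lower:]' '[:upper:]')
    [ -n "$fp" ] || return 2
    printf '%s\n' "$2" | sed -n 's/^.*[Ff]ingerprint: *//p' | tr '[:lower:]' '[:upper:]' | grep -Fx "$fp" >/dev/null
}

# Live mode (root; needs mokutil and openssl).
secure_boot_triage() {
    if ! sb_enabled "$(mokutil --sb-state 2>/dev/null)"; then
        echo "Secure Boot is off: a signature rejection is not what blocks ovpn_dco here"
        return 0
    fi
    [ -r "$DKMS_CERT" ] || { echo "no DKMS certificate at $DKMS_CERT"; return 1; }
    fp_out=$(openssl x509 -inform DER -in "$DKMS_CERT" -noout -fingerprint -sha1)
    if cert_enrolled "$fp_out" "$(mokutil --list-enrolled 2>/dev/null)"; then
        echo "DKMS certificate is enrolled; if modprobe still fails, check dmesg for the kernel's rejection reason"
        return 0
    fi
    # Enrolment is two steps: queue the DER cert with a one-time password, then confirm
    # it in shim's MokManager screen on the next reboot (console access is needed).
    echo "DKMS certificate is NOT enrolled. Run: mokutil --import $DKMS_CERT   then reboot and confirm in MokManager"
    return 1
}

case "${1:-}" in
    --live) secure_boot_triage ;;
    --demo) cert_enrolled "$SAMPLE_FP" "$SAMPLE_MOK" && echo "sample: DKMS certificate is enrolled" ;;
esac
```

Run with `--live` on the Rocky 9 VM with Secure Boot re-enabled; `--demo` only checks the parsers against the embedded sample. Enrolling the certificate is per machine, since each host's dkms generates its own key, which is the part of the setup that cannot be shipped in a package.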
