Hi All,
I am running Oracle Linux 9.2. I enabled the dsommers/openvpn-release-2.6 and dsommers/openvpn3 repos and installed OpenVPN 2.6.6 and the kmod-ovpn-dco package.
I did my config and the service started fine, but I am not seeing the kernel module loaded at all. lsmod doesn't show the module. Is it that I have to compile the module separately? Trying to find some info on that. Am I missing something obvious?
The log file has the error "Note: Kernel support for ovpn-dco missing, disabling data channel offload."
Thanks for any help.
DCO on Oracle Linux
Re: DCO on Oracle Linux
DSommers has released a new kernel mod, and it looks like it is working again. However, Secure Boot has to be turned off for the OpenVPN host to use it, as the kernel mod is not signed.
You need to update the package kmod-ovpn-dco
this should remove the old package and replace it with the new.
Turn off secure boot on your host, and reboot
then
Code:
modprobe ovpn-dco-v2
Code:
lsmod | grep vpn
should show something like
Code:
ovpn_dco_v2 90112 0
ip6_udp_tunnel 16384 1 ovpn_dco_v2
udp_tunnel 24576 1 ovpn_dco_v2
Then, restart the OpenVPN service and test
You should see the following references to DCO in your openvpn.log file (at VERB 4)
Code:
2023-10-13 16:10:55 us=954458 OpenVPN 2.6.6 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2023-10-13 16:10:55 us=954472 library versions: OpenSSL 1.1.1k FIPS 25 Mar 2021, LZO 2.08
2023-10-13 16:10:55 us=954530 DCO version: copr:0.2.20230426.3.el8
......
2023-10-13 16:10:56 us=2438 net_iface_new: add tun0 type ovpn-dco
2023-10-13 16:10:56 us=3423 DCO device tun0 opened
......
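A check for the log and lsmod indicators quoted in the reply above, as an added example that is not part of the original posts: it reports the DCO state of the most recent OpenVPN start, so a stale fallback message from before the module update is not mistaken for the current state. The function names, verdict strings and sample data are assumptions made for the example.

```shell
#!/bin/sh
# Added example: classify data channel offload (DCO) state from an OpenVPN
# log and saved `lsmod` output. Matched strings are the ones quoted in this
# thread; the function names and verdict words are made up for this sketch.

# Print only the most recent run: everything from the last startup banner on.
last_run() {
    awk '/ OpenVPN [0-9][0-9.]* .*\[SSL /{buf=""} {buf=buf $0 "\n"}
         END{printf "%s", buf}' "$1"
}

# dco_state LOGFILE LSMODFILE -> active | fallback-module-loaded |
#                                fallback-module-missing | unknown
dco_state() {
    run=$(last_run "$1")
    if printf '%s\n' "$run" | grep -Eq 'DCO device [^ ]+ opened'; then
        echo active; return
    fi
    if printf '%s\n' "$run" | grep -q 'Kernel support for ovpn-dco missing'; then
        # Module present now but absent when the daemon started: restart it.
        if grep -q '^ovpn_dco_v2 ' "$2"; then
            echo fallback-module-loaded
        else
            echo fallback-module-missing
        fi
        return
    fi
    echo unknown
}

# Constructed sample data (not captured from a real host).
demo_dir=$(mktemp -d)
cat > "$demo_dir/openvpn.log" <<'EOF'
2023-10-13 16:00:01 us=100000 OpenVPN 2.6.6 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2023-10-13 16:00:01 us=100200 Note: Kernel support for ovpn-dco missing, disabling data channel offload.
2023-10-13 16:10:55 us=954458 OpenVPN 2.6.6 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2023-10-13 16:10:56 us=2438 net_iface_new: add tun0 type ovpn-dco
2023-10-13 16:10:56 us=3423 DCO device tun0 opened
EOF
printf 'ovpn_dco_v2 90112 0\nudp_tunnel 24576 1 ovpn_dco_v2\n' > "$demo_dir/lsmod.txt"
dco_state "$demo_dir/openvpn.log" "$demo_dir/lsmod.txt"   # prints: active
```

On a real host, pass the path of the OpenVPN log and a file holding the output of `lsmod`.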
Re: DCO on Oracle Linux
Note also, if you have SELinux enabled, you will need to make a local policy to allow openvpn to use netlink_generic_socket. See the discussion in this thread: viewtopic.php?t=35197
Re: DCO on Oracle Linux
I have been testing on Rocky 8. Just started on Rocky 9 now and it seems a further tweak will be needed for SELinux on that. Haven't figured out what it is as yet though.