X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4884
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 10 Apr 2026 15:28:54 +0200
Message-ID: <20260410132900.32381-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v5] Try to emphasise the transition from old ovpn-dco to new ovpn module

From: Arne Schwabe

This tries to ensure that the difference between the old and new module is clearer. Also removed a duplicate section about --disable-dco from the manual page.

This also changes one instance of ovpn-dco to ovpn that is probably a bug when reusing a tun device.

Change-Id: Iff9f6811fdf553f59f2afee0072d7bf90133d328
Signed-off-by: Arne Schwabe
Acked-by: Antonio Quartulli
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1550
---

This change was reviewed on Gerrit and approved by at least one developer.
I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1550
This mail reflects revision 5 of this Change.

Acked-by according to Gerrit (reflected above):
Antonio Quartulli

diff --git a/Changes.rst b/Changes.rst index 36af4e7..d29c4af 100644 --- a/Changes.rst +++ b/Changes.rst
@@ -54,11 +54,12 @@ are not readable for ``NT SERVICE\OpenVPNService``. Support for new version of Linux DCO module - OpenVPN DCO module is moving upstream and being merged into the - main Linux kernel. For this process some API changes were required. - OpenVPN 2.7 will only support the new API. The new module is called - ``ovpn``. Out-of-tree builds for older kernels are available. Please - see the release announcements for futher information. + The OpenVPN DCO module has been merged into the Linux kernel in 6.16. + This required some API changes and OpenVPN 2.7 will only supports the + new API. The new module is called ``ovpn``. Out-of-tree builds for + older kernels are available from + https://github.com/OpenVPN/ovpn-backports. Please + see the release announcements for further information. Support for server mode in win-dco driver On Windows the win-dco driver can now be used in server setups. diff --git a/configure.ac b/configure.ac index ecef2b9..1fd44f3 100644 --- a/configure.ac +++ b/configure.ac @@ -731,7 +731,7 @@ OPTIONAL_LIBNL_GENL_LIBS="${LIBNL_GENL_LIBS}" AC_DEFINE(ENABLE_DCO, 1, [Enable shared data channel offload]) - AC_MSG_NOTICE([Enabled ovpn-dco support for Linux]) + AC_MSG_NOTICE([Enabled ovpn-dco (via ovpn kernel module) support for Linux]) fi ;; *-*-freebsd*) diff --git a/doc/man-sections/advanced-options.rst b/doc/man-sections/advanced-options.rst index e1115e4..e50c578 100644 --- a/doc/man-sections/advanced-options.rst +++ b/doc/man-sections/advanced-options.rst @@ -102,7 +102,9 @@ Data channel offload currently requires data-ciphers to only contain AEAD ciphers (AES-GCM and Chacha20-Poly1305) and Linux with the - ovpn-dco module. + ovpn module. The ovpn module is integrated into the Linux kernel + since 6.16 or available as backport from + https://github.com/OpenVPN/ovpn-backports. Note that some options have no effect or cannot be used when DCO mode is enabled. 
diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index f46dfec..81e375d 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -178,15 +178,6 @@ on console) and ``--auth-nocache`` will fail as soon as key renegotiation (and reauthentication) occurs. ---disable-dco - Disable "data channel offload" (DCO). - - On Linux don't use the ovpn-dco device driver, but rather rely on the - legacy tun module. - - You may want to use this option if your server needs to allow clients - older than version 2.4 to connect. - --disable-occ **DEPRECATED** Disable "options consistency check" (OCC) in configurations that do not use TLS. diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 26b8645..f5b7081 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -376,9 +376,10 @@ * don't need to have the net_ctx percolate all the way here */ int ret = net_iface_type(NULL, o->dev, iftype); - if ((ret == 0) && (strcmp(iftype, "ovpn-dco") != 0)) + if ((ret == 0) && (strcmp(iftype, "ovpn") != 0)) { - msg(msglevel, "Interface %s exists and is non-DCO. Disabling data channel offload", + msg(msglevel, "Interface %s exists and is not using the " + "ovpn DCO driver. Disabling data channel offload", o->dev); return false; } diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c index b92fa43..e7caff6 100644 --- a/src/openvpn/dco_linux.c +++ b/src/openvpn/dco_linux.c @@ -159,7 +159,7 @@ break; case -NLE_OBJ_NOTFOUND: - msg(M_INFO, "%s: netlink reports object not found, ovpn-dco unloaded?", prefix); + msg(M_INFO, "%s: netlink reports object not found, ovpn kernel module unloaded?", prefix); break; default: 
@@ -1248,7 +1248,10 @@ { if (resolve_ovpn_netlink_id(D_DCO_DEBUG) < 0) { - msg(msglevel, "Note: Kernel support for ovpn-dco missing, disabling data channel offload."); + msg(msglevel, "Note: Kernel support for ovpn interfaces missing, " + "disabling data channel offload. Use Linux 6.16.0 or " + "newer with ovpn support or use ovpn-backports for " + "interface support."); return false; }
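
Review bot: In the Changes.rst hunk the added line "This required some API changes and OpenVPN 2.7 will only supports the" has a verb agreement slip and should read "will only support". The removed text had this right ("will only support the new API"), so the slip comes from the rewording.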
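
Review bot: In configure.ac the new notice "Enabled ovpn-dco (via ovpn kernel module) support for Linux" still uses ovpn-dco as the feature name, which is the old module's name and the confusion this patch sets out to remove. Wording such as "Enabled DCO support for Linux (ovpn kernel module)" would match the terms used in the new dco.c and dco_linux.c messages.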
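
Review bot: The generic-options.rst hunk drops the --disable-dco entry as a duplicate, but the surviving copy is not part of this diff, so its wording cannot be checked here. The removed text said "On Linux don't use the ovpn-dco device driver"; please confirm the remaining entry does not carry the same old module name, otherwise the man page still mixes the two.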
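
Review bot: The strcmp() change in src/openvpn/dco.c from "ovpn-dco" to "ovpn" is the only behavioural change in a patch that otherwise touches documentation and log text, and the commit message only calls it "probably a bug". With the old comparison, an existing interface whose type is "ovpn" made this check return false and disable data channel offload, so the fix deserves its own commit, or at least a definite statement in the message, so it is easy to locate later. If the interface type string is already defined where the device is created, comparing against that definition instead of a second literal would keep the two from drifting apart again.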
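
Review bot: In the second dco_linux.c hunk (@@ -1248) the new message says "Use Linux 6.16.0 or newer", while Changes.rst and advanced-options.rst in this same patch say 6.16; pick one form. The tail of the message, "with ovpn support or use ovpn-backports for interface support", is also hard to parse in a log line; naming the two options directly (a 6.16 or newer kernel with the ovpn module, or the ovpn-backports out-of-tree module) would read more clearly.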