From patchwork Sat Apr 11 09:06:18 2026
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4885
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 11 Apr 2026 11:06:18 +0200
Message-ID: <20260411090625.18343-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v6] Try to emphasise the transition from old ovpn-dco to new ovpn module

From: Arne Schwabe This tries to ensure that the difference between the old and new module is clearer. Also removed a duplicate section about --disable-dco from the manual page. This also changes one instance of ovpn-dco to ovpn that is probably a bug when reusing a tun device. Change-Id: Iff9f6811fdf553f59f2afee0072d7bf90133d328 Signed-off-by: Arne Schwabe Acked-by: Antonio Quartulli Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1550 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1550 This mail reflects revision 6 of this Change. Acked-by according to Gerrit (reflected above): Antonio Quartulli diff --git a/Changes.rst b/Changes.rst index 36af4e7..1f992b2 100644 --- a/Changes.rst +++ b/Changes.rst @@ -54,11 +54,12 @@ are not readable for ``NT SERVICE\OpenVPNService``. Support for new version of Linux DCO module - OpenVPN DCO module is moving upstream and being merged into the - main Linux kernel. For this process some API changes were required. - OpenVPN 2.7 will only support the new API. The new module is called - ``ovpn``. Out-of-tree builds for older kernels are available. Please - see the release announcements for futher information. + The OpenVPN DCO module has been merged into the Linux kernel as of + 6.16. This required some API changes and OpenVPN 2.7 only supports + the new API. The new module is called ``ovpn``. Out-of-tree builds + for older kernels are available from + https://github.com/OpenVPN/ovpn-backports. Please + see the release announcements for further information. Support for server mode in win-dco driver On Windows the win-dco driver can now be used in server setups. diff --git a/configure.ac b/configure.ac index ecef2b9..1fd44f3 100644 --- a/configure.ac +++ b/configure.ac 
@@ -731,7 +731,7 @@ OPTIONAL_LIBNL_GENL_LIBS="${LIBNL_GENL_LIBS}" AC_DEFINE(ENABLE_DCO, 1, [Enable shared data channel offload]) - AC_MSG_NOTICE([Enabled ovpn-dco support for Linux]) + AC_MSG_NOTICE([Enabled ovpn-dco (via ovpn kernel module) support for Linux]) fi ;; *-*-freebsd*) diff --git a/doc/man-sections/advanced-options.rst b/doc/man-sections/advanced-options.rst index e1115e4..ab4eb48 100644 --- a/doc/man-sections/advanced-options.rst +++ b/doc/man-sections/advanced-options.rst @@ -102,7 +102,9 @@ Data channel offload currently requires data-ciphers to only contain AEAD ciphers (AES-GCM and Chacha20-Poly1305) and Linux with the - ovpn-dco module. + ovpn module. The ovpn module has been integrated into the Linux kernel + since 6.16 or is available as backport from + https://github.com/OpenVPN/ovpn-backports. Note that some options have no effect or cannot be used when DCO mode is enabled. diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index f46dfec..81e375d 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -178,15 +178,6 @@ on console) and ``--auth-nocache`` will fail as soon as key renegotiation (and reauthentication) occurs. ---disable-dco - Disable "data channel offload" (DCO). - - On Linux don't use the ovpn-dco device driver, but rather rely on the - legacy tun module. - - You may want to use this option if your server needs to allow clients - older than version 2.4 to connect. - --disable-occ **DEPRECATED** Disable "options consistency check" (OCC) in configurations that do not use TLS. diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 26b8645..f5b7081 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c 
@@ -376,9 +376,10 @@ * don't need to have the net_ctx percolate all the way here */ int ret = net_iface_type(NULL, o->dev, iftype); - if ((ret == 0) && (strcmp(iftype, "ovpn-dco") != 0)) + if ((ret == 0) && (strcmp(iftype, "ovpn") != 0)) { - msg(msglevel, "Interface %s exists and is non-DCO. Disabling data channel offload", + msg(msglevel, "Interface %s exists and is not using the " + "ovpn DCO driver. Disabling data channel offload", o->dev); return false; } diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c index b92fa43..e7caff6 100644 --- a/src/openvpn/dco_linux.c +++ b/src/openvpn/dco_linux.c @@ -159,7 +159,7 @@ break; case -NLE_OBJ_NOTFOUND: - msg(M_INFO, "%s: netlink reports object not found, ovpn-dco unloaded?", prefix); + msg(M_INFO, "%s: netlink reports object not found, ovpn kernel module unloaded?", prefix); break; default: @@ -1248,7 +1248,10 @@ { if (resolve_ovpn_netlink_id(D_DCO_DEBUG) < 0) { - msg(msglevel, "Note: Kernel support for ovpn-dco missing, disabling data channel offload."); + msg(msglevel, "Note: Kernel support for ovpn interfaces missing, " + "disabling data channel offload. Use Linux 6.16.0 or " + "newer with ovpn support or use ovpn-backports for " + "interface support."); return false; }
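
Review bot: The new AC_MSG_NOTICE text in configure.ac still leads with "ovpn-dco", the name of the old module this patch sets out to distinguish from the new one, so a build log reading "Enabled ovpn-dco (via ovpn kernel module) support" mixes both names in one line. Naming the feature generically and the module specifically, for example "Enabled DCO support for Linux (ovpn kernel module)", would match the wording used in the other hunks.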
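
Review bot: The added sentence in doc/man-sections/advanced-options.rst reads awkwardly ("has been integrated into the Linux kernel since 6.16 or is available as backport") and differs from the Changes.rst wording in this same patch ("has been merged into the Linux kernel as of 6.16"). Suggest one phrasing for both files, with "as a backport for older kernels" so the reader knows when the backports repository applies.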
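
Review bot: The removal of the --disable-dco entry from doc/man-sections/generic-options.rst leaves the surviving copy unverified, because no other hunk in this patch edits a --disable-dco entry. If the remaining copy still says "ovpn-dco device driver", as the deleted text did, the old module name stays in the manual; please also confirm that the remaining copy carries the guidance about clients older than version 2.4, or state in the commit message that dropping it is intended.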
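
Review bot: The strcmp change from "ovpn-dco" to "ovpn" in src/openvpn/dco.c (hunk at -376) is the only behavioural change in a patch that is otherwise documentation and message wording, and the commit message describes it only as "probably a bug". If net_iface_type() reports "ovpn" for interfaces created by the new module, the old comparison disabled DCO for every pre-existing DCO interface, which is worth stating as fact after checking rather than as a guess. Suggest moving it to its own commit so it can be tracked and backported separately, and taking the type string from a shared define instead of a second literal so the check cannot drift from the module name again.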
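
Review bot: The new message in src/openvpn/dco_linux.c (hunk at -1248) says "Linux 6.16.0" while Changes.rst and advanced-options.rst in this patch say "6.16", and it names "ovpn-backports" without the URL the documentation gives. The sentence also says "interface support" twice over ("ovpn interfaces missing" and "for interface support"). Something like "Kernel support for ovpn missing, disabling data channel offload. Use Linux 6.16 or newer, or the ovpn-backports module." keeps the version consistent and is shorter for a line that lands in user logs.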