Regarding the new OpenVPN feature “Data Channel Offload (aka OVPN-DCO)” and how it can be used with a potential IPFire update, I want to bring something up here.
- ovpn-dco can be used in P2P mode, so IPFire's Net-to-Net connections are supported by this feature since N2N uses the P2P topology.
- Since IPFire's Roadwarrior uses --topology net30 but ovpn-dco needs a running --topology subnet, it won't work with the current OpenVPN Roadwarrior implementation on IPFire. To fix this, the CCD setup for --ifconfig-push needs changes in the address definitions → https://community.openvpn.net/openvpn/wiki/Topology .
It might be interesting to check the general limitations, which can be found here → openvpn/README.dco.md at master · OpenVPN/openvpn · GitHub .
Have compiled a first testing ISO which includes OpenSSL-3.0.8 (which also fixes CVE-2023-0401), ovpn-dco-0.1.20230206 and OpenVPN-2.6.0. This ISO does NOT include the needed ovpnmain.cgi changes, which can be found in the mailing list → OpenVPN patchset from Erik's input . All changes in this ISO can be found here → git.ipfire.org Git - people/ummeegge/ipfire-2.x.git/commit and the ISO is located here → Index of /~ummeegge if someone wants to give it a testing round in a VM. Have NOT tested it myself since time is currently a little rare.
Best,
Erik
EDIT: The ovpn-dco module should be loaded via openvpnctrl.c like the tun module. All dependencies are resolved with ‘ip6_udp_tunnel’ and ‘udp_tunnel’. The Git link has been adapted and a new ISO is available under the above address…
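
The CCD change mentioned in the post for moving from --topology net30 to --topology subnet, sketched as an added Python example that is not part of the original post or of IPFire's code: under net30 an `ifconfig-push` line carries the client address and its /30 peer address, under subnet it carries the client address and the netmask. The names `convert_ccd` and `is_netmask`, the sample CCD content and the 10.8.0.0/24 server network are assumptions made for illustration.

```python
import ipaddress

# Constructed sample CCD file (not taken from an IPFire system).
SAMPLE_CCD = """\
# client: alice
ifconfig-push 10.8.0.5 10.8.0.6
push "route 192.168.1.0 255.255.255.0"
"""

def is_netmask(text):
    """True if text is a contiguous IPv4 netmask such as 255.255.255.0."""
    value = int(ipaddress.IPv4Address(text))
    inverted = ~value & 0xFFFFFFFF
    return value != 0 and (inverted & (inverted + 1)) == 0

def convert_ccd(ccd_text, server_net):
    """Rewrite net30 'ifconfig-push <client> <peer>' lines as subnet
    'ifconfig-push <client> <netmask>'. Returns (new_text, warnings)."""
    net = ipaddress.IPv4Network(server_net)
    # With --topology subnet the server itself takes the first host address.
    reserved = {net.network_address, net.network_address + 1, net.broadcast_address}
    out, warnings = [], []
    for line in ccd_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != "ifconfig-push":
            out.append(line)  # unrelated directive or comment
            continue
        try:
            client = ipaddress.IPv4Address(parts[1])
            already_subnet = is_netmask(parts[2])
        except ValueError:
            warnings.append(f"not an IPv4 literal, left as-is: {line}")
            out.append(line)
            continue
        if already_subnet:
            out.append(line)
        elif client not in net or client in reserved:
            # Address cannot be carried over unchanged; flag it for manual review.
            warnings.append(f"{client} is outside {net} or reserved: {line}")
            out.append("# REVIEW " + line)
        else:
            out.append(f"ifconfig-push {client} {net.netmask}")
    return "\n".join(out) + "\n", warnings

if __name__ == "__main__":
    text, notes = convert_ccd(SAMPLE_CCD, "10.8.0.0/24")
    print(text, end="")
    print(notes)
```

Lines flagged with `# REVIEW` are commented out rather than rewritten, so a client whose old address does not fit the subnet topology gets an address from the pool until someone assigns a new static one.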