
dco: `ping` option does not work unless either `ping-restart` or `ping-exit` is present

Open LGA1150 opened this issue 1 month ago • 10 comments

In a P2P config with a ping option but without ping-restart or ping-exit, DCO does not ping the remote. It works only after disabling DCO.

LGA1150 avatar Nov 20 '25 10:11 LGA1150

It seems this is a control channel feature (different from keepalive)? Therefore this is an issue with the userspace program. I am moving this ticket to the right repo

ordex avatar Nov 20 '25 12:11 ordex

--ping without --ping-restart is likely just not implemented in DCO... that is only half of what --keepalive does (arm both: outgoing packets and set up a keepalive timer on incoming packets).

Not sure if this is a relevant scenario for anything...

cron2 avatar Nov 20 '25 12:11 cron2

@ordex

       --keepalive args
              A helper directive designed to simplify the expression of --ping
              and --ping-restart.
..

              For example, --keepalive 10 60 expands as follows:

                 if mode server:
                     ping 10                    # Argument: interval
                     ping-restart 120           # Argument: timeout*2
                     push "ping 10"             # Argument: interval
                     push "ping-restart 60"     # Argument: timeout
                 else
                     ping 10                    # Argument: interval
                     ping-restart 60            # Argument: timeout

cron2 avatar Nov 20 '25 12:11 cron2

@LGA1150 can you clarify how ping without ping-restart is any useful? Personally I have only seen config files using keepalive

ordex avatar Nov 21 '25 00:11 ordex

For the very same reason, DCO right now expects a TIMEOUT next to the sending INTERVAL:

    if ((attrs[OVPN_A_PEER_KEEPALIVE_INTERVAL] &&
         !attrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]) ||
        (!attrs[OVPN_A_PEER_KEEPALIVE_INTERVAL] &&
         attrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT])) {
            NL_SET_ERR_MSG_FMT_MOD(info->extack,
                                   "keepalive interval and timeout are required together");
            return -EINVAL;
    }

ordex avatar Nov 21 '25 00:11 ordex
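An added example, not code from OpenVPN or the ovpn kernel module, that models the interaction this thread describes: how --ping, --ping-restart, --ping-exit and the --keepalive expansion quoted earlier map onto the two DCO keepalive attributes, and how the kernel check quoted above rejects an interval without a timeout. The struct fields and function names are assumptions for illustration, and treating --ping-exit as a second source of the timeout follows the issue title rather than any code on this page.

```c
/* Added example (not OpenVPN/ovpn code); names are assumptions, 0 = option not given. */
#include <stdbool.h>
#include <errno.h>

struct vpn_opts {
    bool mode_server;
    int keepalive_interval, keepalive_timeout; /* --keepalive interval timeout */
    int ping;                                  /* --ping interval */
    int ping_restart;                          /* --ping-restart timeout */
    int ping_exit;                             /* --ping-exit timeout */
};

/* Expand --keepalive for the local side as the man page quoted above describes
 * (the push "..." directives sent to clients are not modelled). */
static void expand_keepalive(struct vpn_opts *o)
{
    if (o->keepalive_interval == 0)
        return;
    o->ping = o->keepalive_interval;
    o->ping_restart = o->mode_server ? o->keepalive_timeout * 2
                                     : o->keepalive_timeout;
}

/* Derive the DCO peer keepalive attributes; 0 means "attribute absent".
 * Assumption (from the issue title): --ping-exit can also supply the timeout. */
static void dco_keepalive_attrs(const struct vpn_opts *o, int *interval, int *timeout)
{
    *interval = o->ping;
    *timeout = o->ping_restart ? o->ping_restart : o->ping_exit;
}

/* Mirror of the kernel check: interval and timeout must be set together. */
static int dco_validate_keepalive(int interval, int timeout)
{
    if ((interval && !timeout) || (!interval && timeout))
        return -EINVAL;
    return 0;
}

/* Full pipeline: 0 if DCO would accept the derived attributes, -EINVAL otherwise.
 * A config with only "ping 10" (the reported case) ends up here with interval set
 * and timeout absent, so the kernel side never arms the outgoing keepalive. */
int dco_check_config(struct vpn_opts o)
{
    int interval, timeout;
    expand_keepalive(&o);
    dco_keepalive_attrs(&o, &interval, &timeout);
    return dco_validate_keepalive(interval, timeout);
}
```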

can you clarify how ping without ping-restart is any useful? Personally I have only seen config files using keepalive

ping without ping-restart works like WireGuard's persistent-keepalive, i.e. a peer behind NAT sends packets periodically to keep the NAT session valid and the endpoint does not need to respond.

LGA1150 avatar Nov 21 '25 01:11 LGA1150

so basically you'll have only one endpoint sending the ping? does it mean on the other side you have only ping-restart without ping?

ordex avatar Nov 21 '25 10:11 ordex

To keep the NAT state current, ping on the client and nothing else anywhere else would do the job - so no ping-restart anywhere.

Floating would, of course, also do the job (NAT state expires, next outgoing packet does a new NAT state and updates the now-current IP+Port on the server) - but it will not help with "the VPN sits around idle all day, and you want to access it from the outside" when the NAT state expires.

cron2 avatar Nov 21 '25 10:11 cron2

so no ping-restart anywhere.

not needed, but at least the server knows when the UDP client is gone

ordex avatar Nov 21 '25 10:11 ordex

so no ping-restart anywhere.

not needed, but at least the server knows when the UDP client is gone

True, but I guess that this is also not supported with DCO today...? ("just incoming timeout handling, no outgoing packets")

cron2 avatar Nov 21 '25 16:11 cron2