make ovpn-dco ready for openvpn
Hi: ovpn-dco has been in OpenWrt since 22.03, but openvpn is too old, so it seems nobody had tested it. I tried to compile/test ovpn-dco and openvpn 2.6.10 under 23.05, and found the ovpn-dco module needs some adjusting so openvpn can really use it.
- need to compile with "CONFIG_MODULE_STRIPPED=n" for the necessary file "/sys/module/ovpn_dco_v2/version"
- need to depend on the modules "CONFIG_CRYPTO_CHACHA20POLY1305", "CONFIG_CRYPTO_LIB_POLY1305" and "CONFIG_CRYPTO_LIB_CHACHA" to use chacha20poly1305.
Pivoting to this thread since spamming the main kernel-6.6-for-ramips thread is not really the right place anymore.
+kmod-crypto-chacha20poly1305 by itself already pulls in +kmod-crypto-lib-chacha20 +kmod-crypto-lib-poly1305 (and +kmod-crypto-aead which can thus be removed)
Working on those dep fixes, currently testing a build with adjustments. Thing is kernel modules build keeps crashing on missing chacha-mips.ko but the deps are now the same as kmod-wireguard which builds everything fine (confusing). Everything in the makefiles should be pulling that module in. I have done just about every clean other than distclean.
Okay I think the problem is that since kmod-wireguard is in-tree it can do all the cool submodule deps weaving from drivers/net/Kconfig, whilst an out-of-tree module build seems like it can't trigger all the same Kconfig things. Trying to figure out a way around that.
Still builds fine as long as kmod-wireguard is enabled so it can pull in the deps.
Okay there is a Kconfig but it seems to have zero effect on anything (I have cloned the wireguard Kconfig stuff into it using a patch).
The target package/ovpn-dco/prepare doesn't even happen until after package/kernel/linux crashes anyway.
A user wanted me to add my current bug report / ticket to this one so that's what I'm doing..
https://github.com/openwrt/openwrt/issues/15491
It seems to be a common issue from distro to distro of DCO not working.. working then not working again.. people maintaining this package don't seem to correctly test before releasing an issue.
Even the latest Ubuntu non-LTS (noble) is not immune.. while it was working with their previous versions perfectly fine.. DCO is not working with the latest 6.8 kernel for some reason.. even self-compiled DCO modules from GitHub fail. The modules load OK in kernel without error.. the problem is it can't create a tun0 device for some reason.. and when a client tries to connect it hangs with a repeating error of..
ubuntu kernel: ovpn: cannot retrieve device in ovpn_netlink_dump_peers: -19
Removing the module from kernel or rolling the kernel back to v. 6.5.x fixes the issue.. although I didn't do a speed test to verify if it was fully working with 6.5.x
What about openvpn executable itself, does standard one work, or you need to build it manually?
OPENVPN_<ssl-flavor>_ENABLE_DCO defaults to n, and depends on OPENVPN_<ssl-flavor>_ENABLE_IPROUTE2 which also defaults to n
So I expect the prebuilds do not have those set y (or m) unless overridden elsewhere.
In addition to the kmod-ovpn-dco-v2 package, I also needed to install all three of kmod-crypto-chacha20poly1305, kmod-crypto-lib-chacha20, and kmod-crypto-lib-poly1305 for the CHACHA20-POLY1305 cipher to work with DCO. Without those last three packages, I got errors like:
dco_new_key: slot 0, key-id 0, peer-id 0, cipher CHACHA20-POLY1305
dco_new_key: netlink reports object not found, ovpn-dco unloaded?
dco_new_key: failed to send netlink message: No such file or directory (-2)
Impossible to install key material in DCO: No such file or directory
Exiting due to fatal error
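The prerequisites reported across this thread (the `/sys/module/ovpn_dco_v2/version` file and the four kmod packages) can be checked in one pass before starting openvpn. The script below is an added example, not code from any poster or from the OpenWrt tree; the function names, the `ROOT` argument and the `--live` switch are assumptions of this sketch, and it reads opkg's status database at `/usr/lib/opkg/status`.

```shell
#!/bin/sh
# Added example: checks the DCO prerequisites reported in this thread.
# ROOT is an assumption of this sketch: empty on a live router, or the path of
# an unpacked image / constructed test tree.

# Packages the thread names as needed for CHACHA20-POLY1305 with DCO.
DCO_PKGS="kmod-ovpn-dco-v2 kmod-crypto-chacha20poly1305 kmod-crypto-lib-chacha20 kmod-crypto-lib-poly1305"

# pkg_installed ROOT NAME: succeeds only if opkg's status database records
# NAME with a final state of "installed" ("not-installed" must not match).
pkg_installed() {
    awk -v pkg="$2" '
        $1 == "Package:" { cur = $2 }
        $1 == "Status:" && cur == pkg && $4 == "installed" { found = 1 }
        END { exit !found }
    ' "$1/usr/lib/opkg/status" 2>/dev/null
}

# dco_check [ROOT]: prints one line per finding; exit status = problem count.
dco_check() {
    root="${1:-}"
    problems=0
    # The thread reports this file as necessary for openvpn and absent
    # unless the module is built with CONFIG_MODULE_STRIPPED=n.
    if [ ! -r "$root/sys/module/ovpn_dco_v2/version" ]; then
        echo "MISSING /sys/module/ovpn_dco_v2/version (module not loaded, or built stripped)"
        problems=$((problems + 1))
    fi
    for pkg in $DCO_PKGS; do
        if ! pkg_installed "$root" "$pkg"; then
            echo "MISSING package $pkg"
            problems=$((problems + 1))
        fi
    done
    if [ "$problems" -eq 0 ]; then
        echo "OK DCO prerequisites present"
    fi
    return "$problems"
}

# Run against the live system only when asked to: sh dco-check.sh --live
if [ "${1:-}" = "--live" ]; then
    dco_check ""
fi
```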