Troubleshooting tips for OpenVPN DCO
DCO doesn't load
Issue: The Access Server status page states, "ovpn-dco module is available but inactive."
Resolution: When encountering this message, step through the installation again to ensure you have all the necessary pieces. This message means that DCO didn't load. Refer to these troubleshooting tips to resolve it, or send us a support ticket.
Linux headers not installed
Issue: OpenVPN DCO requires the latest Linux kernel headers.
Resolution:Follow the steps below to install the headers and set them to install with updates automatically.
Note
If you need to stay with a specific kernel header, refer to the next troubleshooting section.
With DCO installed and the kernel headers set to automatically install, running apt update and apt upgrade will always give you the latest kernel and headers on Ubuntu and Debian, keeping DCO working. For RHEL, run yum update or yum upgrade.
Ubuntu/Debian
Check the current kernel version for your OS:
uname -r
Our example output was 5.15.0-75-generic. In place of "generic," you may see "cloud," "aws," and others, which you enter in your install command.
Install the latest kernel header:
apt install linux-headers-[generic/aws/cloud/etc]
For our example, we enter the command
apt install linux-headers-generic
. Note your kernel uname to enter the correct kernel header package name.
Mark the headers to install automatically:
apt-mark auto linux-headers-generic
Red Hat Enterprise Linux
Check the current kernel version for your OS:
uname -r
Our example output was 5.15.0-75-generic. In place of "generic," you may see "cloud," "aws," and others, which you enter in your install command.
Install the latest kernel header:
yum install linux-headers-[generic/aws/cloud/etc]
For example, you might use the command
yum install linux-headers-generic
. Note your kernel uname to enter the correct kernel package name.
OpenVPN DCO with an OS that stays on a specific kernel version
Issue: You need your OS to stay with a specific kernel version.
Resolution: Follow these steps for installing DCO on a Linux OS where you want to stay on a specific kernel version.
Follow the steps in this DCO tutorial to install openvpn-dco.
Check your current kernel type (our example uses 5.15.0-1025-aws kernel):
uname -r
The results display your kernel information such as this:
5.15.0-1025-aws
Install the necessary kernel headers for your kernel:
apt install linux-headers-5.19.0-1025-aws
If you upgrade your kernel, ensure you install the needed kernel headers for the new kernel.
EFI variables not found
Issue: During installation, you may receive the message, "EFI variables are not supported on this system. /sys/firmware/efi/efivars not found, aborting." Access Server may not display ovpn-dco available on the Status Overview without EFI variables.
Resolution: Install efivar:
apt-get install efivar
Advanced VPN directives
Issue: You encounter errors or can't verify that DCO is running.
Resolution: Check for any advanced VPN directives:
Sign in to the Admin Web UI.
Click Configuration > Advanced VPN.
Scroll down to Additional OpenVPN Config Directives (Advanced).
If you have any server or client config directives, review them one by one. You may need to remove them for DCO to work correctly.
Legacy OpenVPN features
Issue: You want to enable OpenVPN DCO with an older Access Server configuration, but some legacy features aren't compatible with DCO.
Resolution: If your configuration supports any of the below features, refer to the following subsections for details.
Legacy features that aren't DCO-compatible:
Compression
Legacy data ciphers
Bridging
Legacy DHCP options
We deprecated support for compression due to the Voracle vulnerability. Access Server 2.6.1 and newer disable compression during upgrades, so this should be fine unless you specifically re-enable compression.
If you enable DCO, Access Server turns compression off forcibly, as it is not and will not be implemented.
Blowfish and other CBC-type ciphers are not supported. DCO only supports AEAD ciphers such as AES-256-GCM, AES-128-GCM, and ChaCha20-Poly1305.
Access Server 2.5 and newer implements AES-256-CBC by default with an automatic upgrade to AES-256-GCM.
For clients, OpenVPN 2.4 and newer uses AES-256-CBC with an automatic upgrade to AES-256-GCM. OpenVPN3-based clients can also do this. However, if you support OpenVPN 2.3 and older clients, you may need to maintain support for CBC-type ciphers and can't use DCO.
Access Server bridging functionality is deprecated. While it can still be used (without DCO), we don't fully support it. Since DCO is new, we didn't implement bridging functionality there, but it may be implemented in the future.
Some options can be passed using the DHCP options mechanism in the TAP Windows driver that isn't implemented in the DCO for Windows driver. An example of this is Netbios over TCP/IP, as this is a legacy option that will be phased out.