From: Ralf Lici Date: Fri, 17 Oct 2025 19:16:06 +0000 (+0200) Subject: options: warn and ignore --reneg-bytes/pkts when DCO is enabled X-Git-Tag: v2.7_rc1~40 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c9a320649bd4ec43d3f2640f70476178d8fcc660;p=thirdparty%2Fopenvpn.git options: warn and ignore --reneg-bytes/pkts when DCO is enabled Thresholds specified by --reneg-bytes and --reneg-pkts cannot be enforced when DCO is enabled, as it only provides global statistics. Rather than adding complexity to support these options, ignore them when DCO is enabled. Print a warning to inform users and update the manpage accordingly. Change-Id: I7b718a14b81e3759398e7a52fe151102494cc821 Signed-off-by: Ralf Lici Acked-by: Gert Doering Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1280 Message-Id: <20251017191612.15642-1-gert@greenie.muc.de> URL: https://sourceforge.net/p/openvpn/mailman/message/59248122/ Signed-off-by: Gert Doering --- diff --git a/doc/man-sections/renegotiation.rst b/doc/man-sections/renegotiation.rst index 1e7c34002..f5eb90de5 100644 --- a/doc/man-sections/renegotiation.rst +++ b/doc/man-sections/renegotiation.rst @@ -19,10 +19,18 @@ separate ephemeral encryption key which is rotated at regular intervals. the SWEET32 attack vector. For more information see the ``--cipher`` option. + When data channel offload (DCO) is enabled, this option is ignored. DCO + does not support configurable renegotiation thresholds; automatic key + renegotiation mechanisms are sufficient for modern ciphers. + --reneg-pkts n Renegotiate data channel key after **n** packets sent and received (disabled by default). + When data channel offload (DCO) is enabled, this option is ignored. DCO + does not support configurable renegotiation thresholds; automatic key + renegotiation mechanisms are sufficient for modern ciphers. + --reneg-sec args Renegotiate data channel key after at most ``max`` seconds (default :code:`3600`) and at least ``min`` seconds (default is 90% of 
diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 44f68c74b..65c6b3b3e 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -3317,11 +3317,22 @@ options_postprocess_verify(const struct options *o) dns_options_verify(M_FATAL, &o->dns_options); - if (dco_enabled(o) && o->enable_c2c) + if (dco_enabled(o)) { - msg(M_WARN, "Note: --client-to-client has no effect when using data " - "channel offload: packets are always sent to the VPN " - "interface and then routed based on the system routing table"); + if (o->enable_c2c) + { + msg(M_WARN, "Note: --client-to-client has no effect when using data " + "channel offload: packets are always sent to the VPN " + "interface and then routed based on the system routing table"); + } + + if (o->renegotiate_bytes > 0 || o->renegotiate_packets) + { + msg(M_WARN, "Note: '--reneg-bytes' and '--reneg-pkts' are not supported " + "by data channel offload; automatic key renegotiation " + "mechanisms are sufficient for modern ciphers. " + "Ignoring these options."); + } } }
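Review bot: In the renegotiation.rst hunk, the two added paragraphs tell the reader the option "is ignored" under DCO but not that OpenVPN logs a warning at startup, nor what still controls rekeying; since the ``--reneg-sec`` entry follows directly in the context lines, consider one sentence such as "A warning is logged at startup; use ``--reneg-sec`` to control key renegotiation when DCO is enabled." Also, "automatic key renegotiation mechanisms" is vague for a manpage; naming the time-based renegotiation that remains in effect would tell the operator what to rely on instead.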
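Review bot: In the options.c hunk the new condition mixes two comparison styles, `o->renegotiate_bytes > 0 || o->renegotiate_packets`; if `renegotiate_bytes` uses a negative value as its "not set" sentinel, that is why `> 0` is needed there, and a short comment saying so would stop a future reader from "fixing" it to a plain truth test, while `o->renegotiate_packets > 0` would make the two halves read consistently. Note also that `options_postprocess_verify` takes `const struct options *o`, so this block can only warn; the options are not cleared here, and the "Ignoring these options." text relies on the DCO data path never consulting them. A comment pointing at where the thresholds are actually disregarded would make that dependency explicit and easier to keep true.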