From: Arne Schwabe Date: Sat, 11 Apr 2026 09:06:18 +0000 (+0200) Subject: Try to emphasise the transition from old ovpn-dco to new ovpn module X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;ds=inline;p=thirdparty%2Fopenvpn.git Try to emphasise the transition from old ovpn-dco to new ovpn module This tries to ensure that the difference between the old and new module is clearer. Also removed a duplicate section about --disable-dco from the manual page. This also changes one instance of ovpn-dco to ovpn that is probably a bug when reusing a tun device. Change-Id: Iff9f6811fdf553f59f2afee0072d7bf90133d328 Signed-off-by: Arne Schwabe Acked-by: Antonio Quartulli Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1550 Message-Id: <20260411090625.18343-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36573.html Signed-off-by: Gert Doering --- diff --git a/Changes.rst b/Changes.rst index 36af4e761..1f992b2be 100644 --- a/Changes.rst +++ b/Changes.rst @@ -54,11 +54,12 @@ Windows automatic service now runs as an unpriviledged user are not readable for ``NT SERVICE\OpenVPNService``. Support for new version of Linux DCO module - OpenVPN DCO module is moving upstream and being merged into the - main Linux kernel. For this process some API changes were required. - OpenVPN 2.7 will only support the new API. The new module is called - ``ovpn``. Out-of-tree builds for older kernels are available. Please - see the release announcements for futher information. + The OpenVPN DCO module has been merged into the Linux kernel as of + 6.16. This required some API changes and OpenVPN 2.7 only supports + the new API. The new module is called ``ovpn``. Out-of-tree builds + for older kernels are available from + https://github.com/OpenVPN/ovpn-backports. Please + see the release announcements for further information. Support for server mode in win-dco driver On Windows the win-dco driver can now be used in server setups. 
diff --git a/configure.ac b/configure.ac index ecef2b9e4..1fd44f320 100644 --- a/configure.ac +++ b/configure.ac @@ -731,7 +731,7 @@ if test "$enable_dco" != "no"; then OPTIONAL_LIBNL_GENL_LIBS="${LIBNL_GENL_LIBS}" AC_DEFINE(ENABLE_DCO, 1, [Enable shared data channel offload]) - AC_MSG_NOTICE([Enabled ovpn-dco support for Linux]) + AC_MSG_NOTICE([Enabled ovpn-dco (via ovpn kernel module) support for Linux]) fi ;; *-*-freebsd*) diff --git a/doc/man-sections/advanced-options.rst b/doc/man-sections/advanced-options.rst index 73ca44a3e..3eff3085a 100644 --- a/doc/man-sections/advanced-options.rst +++ b/doc/man-sections/advanced-options.rst @@ -103,7 +103,9 @@ used when debugging or testing out special usage scenarios. Data channel offload currently requires data-ciphers to only contain AEAD ciphers (AES-GCM and Chacha20-Poly1305) and Linux with the - ovpn-dco module. + ovpn module. The ovpn module has been integrated into the Linux kernel + since 6.16 or is available as backport from + https://github.com/OpenVPN/ovpn-backports. Note that some options have no effect or cannot be used when DCO mode is enabled. diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index 415b81fa8..6815dc29d 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -176,15 +176,6 @@ which mode OpenVPN is configured as. on console) and ``--auth-nocache`` will fail as soon as key renegotiation (and reauthentication) occurs. ---disable-dco - Disable "data channel offload" (DCO). - - On Linux don't use the ovpn-dco device driver, but rather rely on the - legacy tun module. - - You may want to use this option if your server needs to allow clients - older than version 2.4 to connect. - --disable-occ **DEPRECATED** Disable "options consistency check" (OCC) in configurations that do not use TLS. diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 26b864545..f5b70818b 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c 
@@ -376,9 +376,10 @@ dco_check_startup_option(msglvl_t msglevel, const struct options *o) * don't need to have the net_ctx percolate all the way here */ int ret = net_iface_type(NULL, o->dev, iftype); - if ((ret == 0) && (strcmp(iftype, "ovpn-dco") != 0)) + if ((ret == 0) && (strcmp(iftype, "ovpn") != 0)) { - msg(msglevel, "Interface %s exists and is non-DCO. Disabling data channel offload", + msg(msglevel, "Interface %s exists and is not using the " + "ovpn DCO driver. Disabling data channel offload", o->dev); return false; } diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c index b87842833..4c896f6ab 100644 --- a/src/openvpn/dco_linux.c +++ b/src/openvpn/dco_linux.c @@ -159,7 +159,7 @@ ovpn_nl_recvmsgs(dco_context_t *dco, const char *prefix) break; case -NLE_OBJ_NOTFOUND: - msg(M_INFO, "%s: netlink reports object not found, ovpn-dco unloaded?", prefix); + msg(M_INFO, "%s: netlink reports object not found, ovpn kernel module unloaded?", prefix); break; default: @@ -1249,7 +1249,10 @@ dco_available(msglvl_t msglevel) { if (resolve_ovpn_netlink_id(D_DCO_DEBUG) < 0) { - msg(msglevel, "Note: Kernel support for ovpn-dco missing, disabling data channel offload."); + msg(msglevel, "Note: Kernel support for ovpn interfaces missing, " + "disabling data channel offload. Use Linux 6.16.0 or " + "newer with ovpn support or use ovpn-backports for " + "interface support."); return false; }
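Review bot: In configure.ac (hunk at line 731), the new notice still leads with the old name: `Enabled ovpn-dco (via ovpn kernel module) support for Linux`. Since the commit aims to separate the old ovpn-dco module from the new ovpn module, wording such as "Enabled DCO support for Linux (ovpn kernel module)" would avoid suggesting that the old module is still what gets built against.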
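Review bot: In doc/man-sections/advanced-options.rst (hunk at line 103), the added sentence "has been integrated into the Linux kernel since 6.16 or is available as backport from" reads awkwardly and is missing an article. Suggest "The ovpn module is part of the Linux kernel since 6.16 and is available as a backport for older kernels from ...", which also matches the "Out-of-tree builds for older kernels" wording used in Changes.rst.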
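Review bot: In doc/man-sections/generic-options.rst (hunk at line 176), the removed `--disable-dco` entry is described as a duplicate, but the surviving copy is not visible in this diff. Please confirm that the remaining entry no longer refers to the "ovpn-dco device driver", as the removed text did, and that the sentence about allowing clients older than version 2.4 is either kept there or dropped on purpose.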
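Review bot: In src/openvpn/dco.c, dco_check_startup_option(), the change of the compared string from "ovpn-dco" to "ovpn" is a functional change in a commit that is otherwise wording and documentation, and the commit message itself calls the old value "probably a bug". It would be easier to bisect and backport as a separate commit. The message could also report the type that was found by adding iftype to the format arguments, because an existing interface of type "ovpn-dco" now takes this branch and the current text gives no hint why.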
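Review bot: In src/openvpn/dco_linux.c, dco_available(), the new message attributes the failure of resolve_ovpn_netlink_id() to missing kernel support and advises "Use Linux 6.16.0 or newer", but the visible check does not distinguish an absent module from one that is present and simply not loaded. Consider mentioning that the ovpn module may need to be loaded. The version is also written as "6.16.0" here while Changes.rst and the man page say "6.16"; using one form throughout would be cleaner.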