Message-ID: <952ccc564b43e7bf281870651ca7cedb6212aad0.camel@ipfire.org>
Subject: Re: Kernel 6.18 fist tests...
From: ummeegge
To: development@lists.ipfire.org
Date: Wed, 17 Dec 2025 16:38:43 +0100
In-Reply-To: <57905d1bd3feb93af1322e1229c325fbf4902d4e.camel@ipfire.org>

As a side note, the new kernel also delivers the OpenVPN data channel offload module

```
$ lsmod | grep ovpn
ovpn                   98304  0
ip6_udp_tunnel         16384  2 ovpn,wireguard
udp_tunnel             36864  2 ovpn,wireguard
```

```
$ modinfo ovpn
filename:       /lib/modules/6.18.1-ipfire/kernel/drivers/net/ovpn/ovpn.ko.xz
license:        GPL
author:         Antonio Quartulli
description:    OpenVPN data channel offload (ovpn)
alias:          net-pf-16-proto-16-family-ovpn
srcversion:     3489B2E6A6AC611BFA9C567
depends:        udp_tunnel,ip6_udp_tunnel
intree:         Y
name:           ovpn
retpoline:      Y
vermagic:       6.18.1-ipfire SMP preempt mod_unload modversions
sig_id:         PKCS#7
signer:         Build time autogenerated kernel key
sig_key:        4F:44:D3:C8:7A:2F:B2:87:6F:B1:98:F4:9A:B1:B1:DA:88:EB:66:AF
sig_hashalgo:   sha512
signature:      30:65:02:31:00:D1:C5:0C:D6:00:BC:87:04:27:7F:11:BB:39:5F:B3:
                65:10:81:AB:09:76:7D:8D:12:17:34:E9:20:EF:21:E3:FD:85:3F:DB:
                C1:DA:60:8D:1B:62:1F:C7:24:4B:EF:DC:4B:02:30:73:8B:EB:1A:88:
                7A:D9:2F:44:6D:73:1D:07:14:29:83:0F:91:EF:44:E2:88:97:02:2D:
                EB:8D:1C:0A:D7:00:19:50:01:F9:55:78:B4:F1:96:05:56:95:BF:83:
                FA:8E:62
```

https://blog.openvpn.net/openvpn-dco-added-to-linux-kernel-2025 .

The new openvpn-2.7_rc3 version now also supports the new ovpn DCO Linux kernel module https://community.openvpn.net/Downloads#openvpn-27_rc3-released-28-november-2025 which is native in which works well after a first look over.

There was the need to delete the `--enable-iproute2` and add the `--enable-dco` compile-time options. There is also the need to remove or change the `--data-ciphers-fallback` flag to an AEAD cipher in server.conf, after that:

- Server starts with DCO
- Logs show explicit DCO activation:
  "net_iface_new: add tun0 type ovpn"
  "DCO device tun0 opened"
  "ovpn-dco device [tun0] opened"
  "dco_new_peer", "dco_install_key", "dco_set_peer"
- Data channel uses AES-256-GCM in kernel mode
- Server-side DCO active even with 2.6 client

Some more info.

Erik

P.S.: OpenVPN-2.7 now uses `Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bits RSA, signature: RSA-SHA256, peer temporary key: 768 bits X25519MLKEM768, peer signing digest/type: rsa_pss_rsae_sha256 RSASSA-PSS, key agreement: X25519MLKEM768` so with default config, hybrid post-quantum key exchange (X25519MLKEM768 = X25519 + Kyber-768/ML-KEM-768) is available :-) .
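
Added example, not part of the message above and not IPFire or OpenVPN code: a small checker for the two things the message describes, a non-AEAD `data-ciphers-fallback` in server.conf and the DCO activation markers in the server log. The cipher set, the function names and the sample config and log text are assumptions constructed for illustration; the log markers are the ones quoted in the message, generalised to any interface name.

```python
import re

# Assumption: ciphers treated here as DCO-capable AEAD ciphers.
AEAD = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}

# Device-level and peer-level markers, from the log excerpts in the message.
DEVICE_RE = re.compile(r"net_iface_new: add (\S+) type ovpn"
                       r"|DCO device (\S+) opened"
                       r"|ovpn-dco device \[(\S+)\] opened")
PEER_EVENTS = ("dco_new_peer", "dco_install_key", "dco_set_peer")


def non_aead_fallbacks(conf_text):
    """Return (line_no, cipher) for each data-ciphers-fallback that is not AEAD."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        # Drop '#' / ';' comments and an optional leading '--'.
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip().lstrip("-")
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "data-ciphers-fallback":
            if parts[1].upper() not in AEAD:
                findings.append((no, parts[1]))
    return findings


def dco_evidence(log_text):
    """Summarise which DCO activation markers appear in a server log."""
    devices, events = set(), set()
    for line in log_text.splitlines():
        m = DEVICE_RE.search(line)
        if m:
            devices.add(next(g for g in m.groups() if g))
        events.update(e for e in PEER_EVENTS if e in line)
    return {"devices": sorted(devices), "peer_events": sorted(events),
            "peers_offloaded": events == set(PEER_EVENTS)}


# Constructed sample inputs (not taken from a real system).
SAMPLE_CONF = ("port 1194\nproto udp\n"
               "data-ciphers AES-256-GCM:CHACHA20-POLY1305\n"
               "data-ciphers-fallback AES-256-CBC   # legacy clients\n")
SAMPLE_LOG = ("net_iface_new: add tun0 type ovpn\nDCO device tun0 opened\n"
              "ovpn-dco device [tun0] opened\npeer 0: dco_new_peer\n"
              "peer 0: dco_install_key\npeer 0: dco_set_peer\n")

if __name__ == "__main__":
    print(non_aead_fallbacks(SAMPLE_CONF))
    print(dco_evidence(SAMPLE_LOG))
```

An empty `devices` list means the log shows no DCO device being opened.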