Try to emphasise the transition from old ovpn-dco to new ovpn module

This tries to ensure that the difference between the old and new module
is clearer.

Also removed a duplicate section about --disable-dco from the manual page.

This also changes one instance of ovpn-dco to ovpn that is probably a bug
when reusing a tun device.

Change-Id: Iff9f6811fdf553f59f2afee0072d7bf90133d328
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1550
Message-Id: <20260411090625.18343-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36573.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Author: schwabe

Changes.rst

@@ -54,11 +54,12 @@ Windows automatic service now runs as an unpriviledged user
     are not readable for ``NT SERVICE\OpenVPNService``.
 
 Support for new version of Linux DCO module
-    OpenVPN DCO module is moving upstream and being merged into the
-    main Linux kernel. For this process some API changes were required.
-    OpenVPN 2.7 will only support the new API. The new module is called
-    ``ovpn``. Out-of-tree builds for older kernels are available. Please
-    see the release announcements for futher information.
+    The OpenVPN DCO module has been merged into the Linux kernel as of
+    6.16.  This required some API changes and OpenVPN 2.7 only supports
+    the new API. The new module is called ``ovpn``. Out-of-tree builds
+    for older kernels are available from
+    https://github.com/OpenVPN/ovpn-backports. Please
+    see the release announcements for further information.
 
 Support for server mode in win-dco driver
     On Windows the win-dco driver can now be used in server setups.

configure.ac

@@ -731,7 +731,7 @@ if test "$enable_dco" != "no"; then
 				OPTIONAL_LIBNL_GENL_LIBS="${LIBNL_GENL_LIBS}"
 
 				AC_DEFINE(ENABLE_DCO, 1, [Enable shared data channel offload])
-				AC_MSG_NOTICE([Enabled ovpn-dco support for Linux])
+				AC_MSG_NOTICE([Enabled ovpn-dco (via ovpn kernel module) support for Linux])
 			fi
 			;;
 		*-*-freebsd*)

doc/man-sections/advanced-options.rst

@@ -103,7 +103,9 @@ used when debugging or testing out special usage scenarios.
 
   Data channel offload currently requires data-ciphers to only contain
   AEAD ciphers (AES-GCM and Chacha20-Poly1305) and Linux with the
-  ovpn-dco module.
+  ovpn module. The ovpn module has been integrated into the Linux kernel
+  since 6.16 or is available as backport from
+  https://github.com/OpenVPN/ovpn-backports.
 
   Note that some options have no effect or cannot be used when DCO mode
   is enabled.

doc/man-sections/generic-options.rst

@@ -176,15 +176,6 @@ which mode OpenVPN is configured as.
   on console) and ``--auth-nocache`` will fail as soon as key
   renegotiation (and reauthentication) occurs.
 
---disable-dco
-  Disable "data channel offload" (DCO).
-
-  On Linux don't use the ovpn-dco device driver, but rather rely on the
-  legacy tun module.
-
-  You may want to use this option if your server needs to allow clients
-  older than version 2.4 to connect.
-
 --disable-occ
   **DEPRECATED** Disable "options consistency check" (OCC) in configurations
   that do not use TLS.

src/openvpn/dco.c

@@ -376,9 +376,10 @@ dco_check_startup_option(msglvl_t msglevel, const struct options *o)
          * don't need to have the net_ctx percolate all the way here
          */
         int ret = net_iface_type(NULL, o->dev, iftype);
-        if ((ret == 0) && (strcmp(iftype, "ovpn-dco") != 0))
+        if ((ret == 0) && (strcmp(iftype, "ovpn") != 0))
         {
-            msg(msglevel, "Interface %s exists and is non-DCO. Disabling data channel offload",
+            msg(msglevel, "Interface %s exists and is not using the "
+                          "ovpn DCO driver. Disabling data channel offload",
                 o->dev);
             return false;
         }

src/openvpn/dco_linux.c

@@ -159,7 +159,7 @@ ovpn_nl_recvmsgs(dco_context_t *dco, const char *prefix)
             break;
 
         case -NLE_OBJ_NOTFOUND:
-            msg(M_INFO, "%s: netlink reports object not found, ovpn-dco unloaded?", prefix);
+            msg(M_INFO, "%s: netlink reports object not found, ovpn kernel module unloaded?", prefix);
             break;
 
         default:
@@ -1249,7 +1249,10 @@ dco_available(msglvl_t msglevel)
 {
     if (resolve_ovpn_netlink_id(D_DCO_DEBUG) < 0)
     {
-        msg(msglevel, "Note: Kernel support for ovpn-dco missing, disabling data channel offload.");
+        msg(msglevel, "Note: Kernel support for ovpn interfaces missing, "
+                      "disabling data channel offload. Use Linux 6.16.0 or "
+                      "newer with ovpn support or use ovpn-backports for "
+                      "interface support.");
         return false;
     }