Nethserver's openVPN configuration not liked by TunnelBlick (comp-lzo depecrated)

pagaille · August 26, 2018, 9:06am

Hi,

Since some time now I receive this warning when connecting to an Nethserver OpenVPN server :

Warning: This VPN may not connect in the future.

The OpenVPN configuration file for ‘matthieu.gaillet@lebrass.be-2’ contains these OpenVPN options:

‘comp-lzo’ was deprecated in OpenVPN 2.4 and removed in OpenVPN 2.5

You should update the configuration so it can be used with modern versions of OpenVPN.

Tunnelblick will use OpenVPN 2.4.6 - OpenSSL v1.0.2o to connect this configuration.

However, you will not be able to connect to this VPN with future versions of Tunnelblick that do not include a version of OpenVPN that accepts the options.

Probably this config switch should be removed from the config files generated by Nethserver.

TXs

pagaille · August 26, 2018, 7:46pm

Oh. Just noticed it totally by chance

This option can be removed i suppose.

EddieA · August 26, 2018, 9:08pm

No:

Use the newer --compress instead

Cheers.

pagaille · August 27, 2018, 7:03am

Spot on !

giacomo · August 27, 2018, 8:35am

We could add the new option (compress) for newly created server but not remove the old one, otherwise we will break all existing connections

stephdl · August 27, 2018, 8:16pm

reading this https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

--compress [algorithm]
    Enable a compression algorithm.

    The algorithm parameter may be "lzo", "lz4", or empty. LZO and LZ4 are different compression algorithms, with LZ4 generally offering the best performance with least CPU usage. For backwards compatibility with OpenVPN versions before v2.4, use "lzo" (which is identical to the older option "--comp-lzo yes").

    If the algorithm parameter is empty, compression will be turned off, but the packet framing for compression will still be enabled, allowing a different setting to be pushed later. 
--comp-lzo [mode]
    DEPRECATED This option will be removed in a future OpenVPN release. Use the newer --compress instead.

    Use LZO compression -- may add up to 1 byte per packet for incompressible data. mode may be "yes", "no", or "adaptive" (default).

    In a server mode setup, it is possible to selectively turn compression on or off for individual clients.

    First, make sure the client-side config file enables selective compression by having at least one --comp-lzo directive, such as --comp-lzo no. This will turn off compression by default, but allow a future directive push from the server to dynamically change the on/off/adaptive setting.

    Next in a --client-config-dir file, specify the compression setting for the client, for example:

    comp-lzo yes
    push "comp-lzo yes"

    The first line sets the comp-lzo setting for the server side of the link, the second sets the client side.

I have the feeling that comp-lzo became compress lzo, for what I understood, it should be compatible. I suppose the setting became obsolete because you can use also LZ4

stephdl · August 29, 2018, 7:09pm

card created in need review

giacomo · November 8, 2018, 4:08pm

Issue created: https://github.com/NethServer/dev/issues/5631

compsos · April 19, 2019, 7:07am

Just setup some VPN road warriors accounts and the client fails to load with compress lzo in the opvn file but does work with comp-lzo. I manually modified the opvn file and works great.
Without that modification the VPN-GUI has a blank screen and the cli complains of the unknown option. compress