OpenVPN 2.4.7 compliancy issue : comp-lzo deprecated

[ktheking]

Hi all,

Many openvpn client (amongst Tunnelblick) will be using OpenVPN 2.4.

This means that the configuration files created in the Asus router vpn setup are not able to be compliant to this soon.

Can this be put in the queu for the next rc's for upgrade to 2.5 or option removal ?


The warning message from Tunnelblick client on OpenVPN 2.4 :



More on deprecared openvpn features :
https://community.openvpn.net/openvpn/wiki/DeprecatedOptions

Option: --comp-lzo ¶
Status Currently not planned for removal, see description for details
Deprecated in: OpenVPN v2.4
To be removed in: (not decided)
Affects: Client and server
Result if used: OpenVPN will ignore the option and provide a warning
Replaced by: --compress
Examples: --compress
--compress lzo
--compress lz4
The --comp-lzo option would only enable the LZO compression algorithm. The --compress option allows also to use the improved LZ4 algorithm instead. This will allow --compress to be pushed by the server on a per-client basis. Providing just --compress without an algorithm is the equivalent of --comp-lzo no which disables compression but enables the packet framing for compression.

Contrary to prior statements --comp-lzo no is not compatible with the --compress counterpart. Therefore openvpn needs to keep supporting --comp-lzo no for backward compatibility.

 

[ktheking]

Hi all,

Many openvpn client (amongst Tunnelblick) will be using OpenVPN 2.4.

This means that the configuration files created in the Asus router vpn setup are not able to be compliant to this soon.

Can this be put in the queu for the next rc's for upgrade to 2.5 or option removal ?


The warning message from Tunnelblick client on OpenVPN 2.4 :



More on deprecared openvpn features :
https://community.openvpn.net/openvpn/wiki/DeprecatedOptions

Option: --comp-lzo ¶
Status Currently not planned for removal, see description for details
Deprecated in: OpenVPN v2.4
To be removed in: (not decided)
Affects: Client and server
Result if used: OpenVPN will ignore the option and provide a warning
Replaced by: --compress
Examples: --compress
--compress lzo
--compress lz4
The --comp-lzo option would only enable the LZO compression algorithm. The --compress option allows also to use the improved LZ4 algorithm instead. This will allow --compress to be pushed by the server on a per-client basis. Providing just --compress without an algorithm is the equivalent of --comp-lzo no which disables compression but enables the packet framing for compression.

Contrary to prior statements --comp-lzo no is not compatible with the --compress counterpart. Therefore openvpn needs to keep supporting --comp-lzo no for backward compatibility.

Workaround :
Open the client.conf file you exported from the router and change "comp-lzo" to "compress lzo". Then you'll need to reimport that configuration into Tunnelblick. When I did that I stopped getting the warning and the connection still works as before. (Definitely back up client.conf before you edit it, in case something goes wrong.)

 

[elorimer]

I'm a little unclear on what you are doing/suggesting but better practice is to disable compression entirely: Disable not "none" in the router and no --compress in the .ovpn file.

 

[RMerlin]

The firmware is already compliant. If you enable LZO it will use the old syntax (or otherwise it would completely break compatibility for 2.2/2.3 clients). If you use LZ4, it uses the new syntax.

Changing this would be compatibility-breaking. And as the notice states, there are currently no plan from the OpenVPN devs to remove this setting (for the mentioned reasons).