"For backwards compatibility with OpenVPN versions before v2.4, use "lzo" (which is identical to the older option "--comp-lzo yes")."
So, does that also mean that setting the option "compress" with no parameters is the same as setting the older option "comp-lzo no"?
I am having an issue with my VPN provider. I am on XP / OpenVPN 2.3.18, and the VPN recently updated their servers to 2.4.x. It connects, but then no data transfers, and I get "Bad LZO decompression header byte" entries in the log file before it reconnects due to an inactivity timeout. This keeps repeating after every minute due to inactivity timeout (no data can be sent or received through the tunnel due to these bad headers).
There is also an entry in the log file, "Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:5: compress (2.3.18)"
The VPN says they only have "compress" as a push option with no parameter; LZO or LZ4 isn't specified. Logs seem to confirm that.
https://community.openvpn.net/openvpn/w ... n24ManPage says about "compress" (in the above screen capture): "If the algorithm parameter is empty, compression will be turned off, but the packet framing for compression will still be enabled, allowing a different setting to be pushed later."
For "comp-lzo no", it says "This will turn off compression by default, but allow a future directive push from the server to dynamically change the on/off/adaptive setting." Is this happening through the same "packet framing" tech that 2.4 is using, or is 2.4 using something new / different?
If it's different, then I guess that explains the incompatibility. But if it's supposed to be the same (i.e., backwards compatible), then this might be a bug?
It does seem a bit silly to have backwards compatibility for "compress lzo" <---> "comp-lzo yes", but not for "compress" <---> "comp-lzo no", if that is indeed the case.
OpenVPN Config (from VPN):
cipher AES-128-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
client
verify-x509-name california name
dev tun
resolv-retry 20
route-delay 2
comp-lzo no
remote-cert-tls server
nobind
auth-user-pass auth.txt
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
Log file:
Wed Oct 11 02:33:27 2017 OpenVPN 2.3.18 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Sep 26 2017
Wed Oct 11 02:33:27 2017 Windows version 5.1 (Windows XP) 32bit
Wed Oct 11 02:33:27 2017 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Enter Management Password:
Wed Oct 11 02:33:27 2017 Control Channel Authentication: tls-auth using INLINE static key file
Wed Oct 11 02:33:27 2017 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.236:8008 [nonblock]
Wed Oct 11 02:33:28 2017 TCP connection established with [AF_INET]xxx.xxx.xxx.236:8008
Wed Oct 11 02:33:28 2017 TCPv4_CLIENT link local: [undef]
Wed Oct 11 02:33:28 2017 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.236:8008
Wed Oct 11 02:33:29 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Oct 11 02:33:30 2017 [california] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.236:8008
Wed Oct 11 02:33:33 2017 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:5: compress (2.3.18)
Wed Oct 11 02:33:33 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Oct 11 02:33:33 2017 open_tun, tt->ipv6=0
Wed Oct 11 02:33:33 2017 TAP-WIN32 device [TAP-Windows Adapter V9] opened: \\.\Global\{DB99BA9D-6BDB-4208-8369-DBDE740BD1EA}.tap
Wed Oct 11 02:33:33 2017 Set TAP-Windows TUN subnet mode network/local/netmask = xxx.xxx.xxx.128/xxx.xxx.xxx.130/255.255.255.240 [SUCCEEDED]
Wed Oct 11 02:33:33 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of xxx.xxx.xxx.130/255.255.255.240 on interface {DB99BA9D-6BDB-4208-8369-DBDE740BD1EA} [DHCP-serv: xxx.xxx.xxx.142, lease-time: 31536000]
Wed Oct 11 02:33:33 2017 Successful ARP Flush on interface [327684] {DB99BA9D-6BDB-4208-8369-DBDE740BD1EA}
Wed Oct 11 02:33:36 2017 Initialization Sequence Completed
Wed Oct 11 02:33:53 2017 Bad LZO decompression header byte: 42
Wed Oct 11 02:33:54 2017 Bad LZO decompression header byte: 69
Wed Oct 11 02:34:02 2017 Bad LZO decompression header byte: 69
Wed Oct 11 02:34:09 2017 Bad LZO decompression header byte: 69
Wed Oct 11 02:34:29 2017 Bad LZO decompression header byte: 42
Wed Oct 11 02:34:33 2017 [california] Inactivity timeout (--ping-restart), restarting
Wed Oct 11 02:34:33 2017 SIGUSR1[soft,ping-restart] received, process restarting
Wed Oct 11 02:34:38 2017 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.236:8008 [nonblock]
Wed Oct 11 02:34:39 2017 SIGTERM[hard,init_instance] received, process exiting
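An added example, not part of the original post: a small Python triage of the log above that pairs the rejected pushed option with the "Bad LZO decompression header byte" values and says what each first byte looks like. The names `triage`, `classify` and `SAMPLE_LOG` are hypothetical; it assumes the logged value is decimal, that 0xFA and 0x66 are the comp-lzo framing bytes, and that 0x2A is the first byte of OpenVPN's keepalive ping payload.

```python
import re

# Constructed sample: lines copied from the log in the post above.
SAMPLE_LOG = """\
Wed Oct 11 02:33:33 2017 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:5: compress (2.3.18)
Wed Oct 11 02:33:36 2017 Initialization Sequence Completed
Wed Oct 11 02:33:53 2017 Bad LZO decompression header byte: 42
Wed Oct 11 02:33:54 2017 Bad LZO decompression header byte: 69
Wed Oct 11 02:34:02 2017 Bad LZO decompression header byte: 69
Wed Oct 11 02:34:33 2017 [california] Inactivity timeout (--ping-restart), restarting
"""

PUSH_RE = re.compile(r"Unrecognized option or missing parameter\(s\) in \[PUSH-OPTIONS\]:\d+: (\S+)")
BYTE_RE = re.compile(r"Bad LZO decompression header byte: (\d+)")

# Meaning of the first payload byte (assumptions listed in the lead-in);
# the value in the log line is treated as decimal.
KNOWN = {
    0xFA: "comp-lzo framing: payload not compressed",
    0x66: "comp-lzo framing: LZO-compressed payload",
    0x2A: "no framing byte: looks like the start of a keepalive ping",
}

def classify(byte):
    """Describe what the first byte of a received payload looks like."""
    if byte in KNOWN:
        return KNOWN[byte]
    if byte >> 4 == 4 and (byte & 0x0F) >= 5:
        return "no framing byte: raw IPv4 header (IHL %d)" % (byte & 0x0F)
    if byte >> 4 == 6:
        return "no framing byte: raw IPv6 header"
    return "unknown"

def triage(log_text):
    """Correlate rejected pushed options with bad-header-byte errors."""
    rejected = PUSH_RE.findall(log_text)
    seen = {b: classify(b) for b in sorted({int(v) for v in BYTE_RE.findall(log_text)})}
    unframed = [b for b, why in seen.items() if why.startswith("no framing")]
    return {
        "rejected_push_options": rejected,
        "header_bytes": seen,
        "framing_mismatch": "compress" in rejected and bool(unframed),
    }

if __name__ == "__main__":
    import pprint
    pprint.pprint(triage(SAMPLE_LOG))
```

On this log both reported bytes, 69 (0x45) and 42 (0x2A), classify as the start of an unframed payload rather than a comp-lzo header, which is consistent with the two ends disagreeing on compression framing after the client rejected the pushed `compress`.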