openvpnas 2.5 still generates profiles with comp-lzo and ns-cert-type

Post Reply
matp
OpenVpn Newbie
Posts: 5
Joined: Tue Apr 10, 2018 10:26 am

openvpnas 2.5 still generates profiles with comp-lzo and ns-cert-type

Post by matp » Tue Apr 10, 2018 10:33 am

Updated to openvpnas 2.5.
Restarted server.
Downloaded fresh autologin profile files.

These profile files contain options

Code: Select all

# NOTE: LZO commands are pushed by the Access Server at connect time.
# NOTE: The below line doesn't disable LZO.
comp-lzo no
and

Code: Select all

ns-cert-type server
which were deprecated in 2.4 and removed in 2.5.

If I comment these options out in the profile file I can no longer connect (get an authentication error).

Tested on centos 6 and 7 with the official packages from here: https://openvpn.net/index.php/access-se ... as-sw.html

Is this a bug or is there some other upgrade mumbo-jumbo I have to do to make sure openvpnas 2.5 is generating correct/compatible profiles?

novaflash
OpenVPN Inc.
Posts: 1064
Joined: Fri Apr 13, 2012 8:43 pm

Re: openvpnas 2.5 still generates profiles with comp-lzo and ns-cert-type

Post by novaflash » Tue Apr 10, 2018 10:52 am

This is not a problem, there's no need to do anything (yet).

OpenVPN open source project is at version 2.4 and that core is in use in OpenVPN Access Server 2.5.

Later when the open source project goes to version 2.5, and Access Server follows by going to 2.5, then yes, this will become an issue. However, we intend to have Access Server updated to use the new parameters long before that.

matp
OpenVpn Newbie
Posts: 5
Joined: Tue Apr 10, 2018 10:26 am

Re: openvpnas 2.5 still generates profiles with comp-lzo and ns-cert-type

Post by matp » Tue Apr 10, 2018 1:17 pm

Okay, thanks for the explanation. Didn't realize that access server versioning was close but out of sync with the core openvpn.

novaflash
OpenVPN Inc.
Posts: 1064
Joined: Fri Apr 13, 2012 8:43 pm

Re: openvpnas 2.5 still generates profiles with comp-lzo and ns-cert-type

Post by novaflash » Tue Apr 10, 2018 1:22 pm

Well, one is the open source project, and the other is the commercial program, so yeah, different versioning scheme.

matp
OpenVpn Newbie
Posts: 5
Joined: Tue Apr 10, 2018 10:26 am

Re: openvpnas 2.5 still generates profiles with comp-lzo and ns-cert-type

Post by matp » Tue Apr 10, 2018 1:34 pm

I get that, just a little confusing when the versions are so close together. Especially because I am thinking in terms of the openvpn APIs from an interoperability (client) standpoint.

If the core APIs are really provided by openvpn (opensource) vs openvpnas, it would be more intuitive (to me) if openvpnas (as a sort of wrapper) adopted the underlying major/minor versions of the openvpn core and then just used patch level for various releases. But maybe there is more to AS in terms of APIs and interop than I am aware of. And what I describe feels wrong on other levels...

Just a thought, not trying to be an arm chair critic. Now I know and will remember to check the underlying openvpn version for a given version of openvpnas before thinking there is problem. Appreciate the quick response and education.

novaflash
OpenVPN Inc.
Posts: 1064
Joined: Fri Apr 13, 2012 8:43 pm

Re: openvpnas 2.5 still generates profiles with comp-lzo and ns-cert-type

Post by novaflash » Wed Apr 11, 2018 5:05 pm

If Access Server were only like a plugin or addon to OpenVPN, then sure, making the release numbers close makes sense. But it's an entirely different program, with a graphic interface, client software, user permission and group permission settings, google authenticator 2FA, LDAP and RADIUS connectivity, and so on. So it's just an entirely different program, and one that uses the OpenVPN program for the VPN tunnels. That's why we don't have them on the same versioning scheme.

guemi
OpenVpn Newbie
Posts: 3
Joined: Mon Jun 17, 2019 10:23 am

Re: openvpnas 2.5 still generates profiles with comp-lzo and ns-cert-type

Post by guemi » Sat Dec 28, 2019 9:08 pm

This still happens, with AS v.2.7.5.

Feels incredibly stupid that you need to edit the config everytime?

Post Reply