  1. #41
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,324

    Quote Originally Posted by sky-knight View Post
    one of them is on the 3.x kernel, and the other was on the 4.x. So I don't think the kernel version has anything to do with it.
    yeah, that was a thought I had when the only one I had that I knew of which switched to "compress" was also the only one I'd seen running kernel 4.9... but clearly the unit running 4.9 (as mysterious as it is) has nothing to do with the OpenVPN settings changing.

    on another note, it appears that using "compress lzo" on the server side is the more forward-compatible setting; it's the same as "comp-lzo" in effect, but "comp-lzo" is deprecated and will be (has been?) removed in future versions. I haven't tried it yet, but that's what the docs say

  2. #42
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,324

    Quote Originally Posted by johnsonx42 View Post
    on another note, it appears that using "compress lzo" on the server side is the more forward-compatible setting; it's the same as "comp-lzo" in effect, but "comp-lzo" is deprecated and will be (has been?) removed in future versions. I haven't tried it yet, but that's what the docs say
    confirmed, "compress lzo" works with older clients and existing client config files with "comp-lzo" but will also be forward compatible.

    So that's the best fix I can think of right now for existing openvpn configs that get broken by 14.1 - in OpenVPN->Advanced, click "Exclude" next to existing option "compress", then add new option "compress" with option value "lzo"

    repeat same in the client (bottom) half of the screen, so that future openvpn client configs you create will still work. "compress" and "compress lzo" aren't compatible with each other; reading the docs I don't see a server-side setting that will work both ways (I don't know why the client and server don't simply negotiate compression settings; presumably there's some reason they don't do this)
    Last edited by johnsonx42; 12-09-2018 at 06:04 PM.

  3. #43
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,859

    That does appear to be the case: compress lzo doesn't work on OpenVPN clients older than 2.4, but a server configured with compress lzo is still compatible with older clients configured with comp-lzo.

    Which means Untangle should be able to safely update that parameter without breaking anything older, but still supporting anything newer. The client section need only be concerned with generating new clients that work.

    Managing the remote endpoints versioning remains a challenge, but that's nothing new.

    To make matters worse, compress alone apparently doesn't compress anything; it only enables the encapsulation for compression.

    However, a client with the compress directive can apparently be pushed the algorithm from the server.

    So a server could have:

    compress lzo
    push "compress lzo"

    And the client just have:

    compress

    Which allows the server to set a compression after the fact, so the new settings are substantially more flexible. Current man page indicates we have lzo and lz4 to work with. Though lzo is the only one supported by clients older than 2.4.

    But the key here is in theory a server with

    compress lzo
    push "compress lzo"

    would be compatible with clients running compress, compress lzo, and comp-lzo. And all of them would be using adaptive lzo compression to communicate.
    Last edited by sky-knight; 12-09-2018 at 06:27 PM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #44
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,324

    Quote Originally Posted by sky-knight View Post
    So a server could have:

    compress lzo
    push "compress lzo"

    And the client just have:

    compress

    Which allows the server to set a compression after the fact, so the new settings are substantially more flexible.
    oh, yes, that is even better. so later on, when all the clients with "comp-lzo" are gone and they all have just "compress", you can then get rid of lzo if you like just by changing server-side settings. I gather the wisdom is that these days compression does so little good it's rarely worth the overhead.

    sky I think we've nailed the remediation for this problem, now Untangle needs to figure out why it broke in the first place so anyone who upgrades later doesn't get bit by this.

  5. #45
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,324

    confirmed, this definitely works for old and new clients, whether the client has "comp-lzo", "compress" or "compress lzo" (obviously a 2.3 client won't understand "compress", but it will have "comp-lzo" already):

    OpenVPN->Advanced:
    - check "Exclude" next to existing Server option compress
    - add custom option compress with value lzo
    - add custom option push with value "compress lzo"

    (used underline rather than quotes to make clear the quotes are required for the push option value)

    no changes to client half

    oh, wait...what was it they say about pictures?
    openvpn.JPG
    Last edited by johnsonx42; 12-09-2018 at 06:48 PM.

  6. #46
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,859

    I'm past the remediation and pontificating on the long term.

    I'm also enjoying the fact that we've found an easy way to take properly upgraded systems a step closer to tomorrow's settings without a nuke and pave.

    But seriously, not bad for some weekend warrior work with only a minor dose of mad panic.

    I am glad you seem to have several asymptomatic units to examine, because it looks like I blew away mine.
    Last edited by sky-knight; 12-09-2018 at 07:54 PM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  7. #47
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,324

    Quote Originally Posted by sky-knight View Post
    I'm also enjoying the fact that we've found an easy way to take properly upgraded systems a step closer to tomorrow's settings without a nuke and pave.
    Good point, these settings are appropriate for any current Untangle system to make it more future proof, especially one that has an SHA512 certificate already (if you've got an md5 certificate then you're going to have to blow it away eventually anyway so future-proofing is likely irrelevant).

    For a system that still has its original openvpn options, the difference would be the Excluded option on the server half would be the old "comp-lzo" setting, with the same two added custom options, and then on the client half you'd also exclude "comp-lzo" and replace it with "compress". This would make all new client configs compliant with the new and future clients, while preserving the older clients and client configs using "comp-lzo".

    (in fact I think Untangle should make this change to all boxes that still have "comp-lzo" on the next upgrade - it's better than just leaving "comp-lzo", which is deprecated already, but retains all backwards compatibility)

    we've fixed untangle openvpn this weekend... what's next?
    Last edited by johnsonx42; 12-09-2018 at 10:29 PM.

  8. #48
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,324

    for what it's worth to interested parties, I've now seen two of my systems that had previously switched to "compress" during the 14.1 upgrade now have switched to "compress lz4", presumably during the 14.1.1 update. a 3rd system that did change before hasn't changed now.
    openvpn-lz4.JPG

    This produces the same sort of errors after connecting as the original "comp-lzo" to "compress" switch, and traffic won't pass. If you still have "comp-lzo" in the client config, you'll get these errors:
    Code:
    Tue Feb 26 12:07:14 2019 Initialization Sequence Completed
    Tue Feb 26 12:07:19 2019 Bad LZO decompression header byte: 251
    Tue Feb 26 12:07:29 2019 Bad LZO decompression header byte: 251
    Tue Feb 26 12:07:39 2019 Bad LZO decompression header byte: 251
    Tue Feb 26 12:07:49 2019 Bad LZO decompression header byte: 251
    Tue Feb 26 12:07:59 2019 Bad LZO decompression header byte: 251
    Tue Feb 26 12:08:09 2019 [server] Inactivity timeout (--ping-restart), restarting
    (it then reconnects and the cycle repeats)
    and if you had already changed your client config to "compress" to match the 14.1 settings, then you'll get this:
    Code:
    Tue Feb 26 12:11:11 2019 Initialization Sequence Completed
    Tue Feb 26 12:11:14 2019 Bad compression stub (swap) decompression header byte: 105
    Tue Feb 26 12:11:15 2019 Bad compression stub (swap) decompression header byte: 105
    Tue Feb 26 12:11:15 2019 Bad compression stub (swap) decompression header byte: 105
    Tue Feb 26 12:11:16 2019 Bad compression stub (swap) decompression header byte: 105
    Tue Feb 26 12:11:18 2019 Bad compression stub (swap) decompression header byte: 105
    Tue Feb 26 12:11:22 2019 Bad compression stub (swap) decompression header byte: 105
    Tue Feb 26 12:12:02 2019 Bad compression stub (swap) decompression header byte: 105
    (these just go on forever)

    the immediate solutions are the same as before - override the server settings as shown in the posts above to make the server work with the old client configs, or distribute new client configs to match the server configs (or manually edit the client config, which is what I did, and did again)

    going forward though, it does seem that something is fouled up in the OpenVPN config that causes the default settings to change during upgrade, so this may keep happening to afflicted installs every time Untangle changes the OpenVPN defaults.

    (thinking further, that 3rd system that didn't change again is the one where I put in the custom settings as shown in the screenshot a couple of posts up. my custom settings are still there, and the default setting "compress" is still there. I changed that one because end-users use OpenVPN, and I didn't want to change their client configs. On the other two, I left the server-side settings alone and just edited my client-side file because I'm the only one that uses OpenVPN. so it seems that having the custom settings in there caused the update to not change the default settings, while the other two still have the same problem and picked up the new defaults. again.)
    Last edited by johnsonx42; 02-26-2019 at 01:37 PM.
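
A way to spot the two failure signatures from post #48 in a client log automatically. This is an added example, not code from the posters or from Untangle; the function name `diagnose`, the `min_hits` threshold and the sample log are assumptions, and the mapping from error text to client directive is the one the post describes.

```python
import re

# Error text as quoted in post #48, keyed by the client-side directive the
# post associates with it.
ERRORS = {
    "comp-lzo": re.compile(r"Bad LZO decompression header byte: (\d+)"),
    "compress": re.compile(
        r"Bad compression stub \(swap\) decompression header byte: (\d+)"),
}
INIT = "Initialization Sequence Completed"
RESTART = "Inactivity timeout (--ping-restart)"

# Constructed sample log, modelled on the lines quoted in the post.
SAMPLE_LOG = """\
Tue Feb 26 12:07:14 2019 Initialization Sequence Completed
Tue Feb 26 12:07:19 2019 Bad LZO decompression header byte: 251
Tue Feb 26 12:07:29 2019 Bad LZO decompression header byte: 251
Tue Feb 26 12:07:39 2019 Bad LZO decompression header byte: 251
Tue Feb 26 12:08:09 2019 [server] Inactivity timeout (--ping-restart), restarting
Tue Feb 26 12:08:20 2019 Initialization Sequence Completed
Tue Feb 26 12:08:25 2019 Bad LZO decompression header byte: 251
"""


def diagnose(log_text, min_hits=3):
    """Flag sessions that connect and then log repeated header errors."""
    sessions = []
    for line in log_text.splitlines():
        if INIT in line:  # a new tunnel came up; start a new session
            sessions.append({"bytes": {k: [] for k in ERRORS}, "restarted": False})
        elif sessions:  # lines before the first connect are ignored
            cur = sessions[-1]
            cur["restarted"] |= RESTART in line
            for directive, pattern in ERRORS.items():
                match = pattern.search(line)
                if match:
                    cur["bytes"][directive].append(int(match.group(1)))
    findings = []
    for number, sess in enumerate(sessions, 1):
        for directive, seen in sess["bytes"].items():
            if len(seen) >= min_hits:  # a single stray error is not a finding
                findings.append({"session": number, "client_directive": directive,
                                 "errors": len(seen), "restarted": sess["restarted"],
                                 "header_bytes": sorted(set(seen))})
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

A finding with `client_directive` set to `comp-lzo` or `compress` means the tunnel came up but the client and server disagree on compression framing, which is the case the server-side override in post #45 addresses.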

  9. #49
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,324

    oh, by the way, while the option "compress lz4" works as shown, I believe the correct way to do it is to have "compress" as the Option Name, and then "lz4" as the Option Value. That would make it consistent with the way the rest of the options are defined

  10. #50
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,859

    There shouldn't even be a compression directive on the client, it can be pushed and we avoid all of this when we do things that way.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
