Hello,
I see in the ovpnserver config there are some ipv6 options and others that aren’t available in the web ui to configure. I need to add some custom options to the ovpnserver config, particularly compress lz4-v2
Is this possible to add to the uci config for ovpnserver?
Can you pls give as more details as you can so that developers can check?
We will optimize vpn related to ipv6 etc so it is a good time that you bring things into attention.
Just so you’re aware, enabling compression in OpenVPN is a known security risk, and the option may be removed in a future version. It’s also not clear that it provides much of a performance improvement in the general use case. If possible, you may want to explore compressing your data before it goes through the tunnel.
Enabling compression on one side or the other but both will result in no data passing, and I think this fails silently even while a connection is successfully made. So if stupid is on the side you don’t control and compression is enabled, you may be stuck with enabling compression on your side. VORACLE is only on the upstream side, so a client can send compressed data safely. That’s why from 2.5 on, the default is asymmetric compression. The problem is, you are asking the sending side to spend time compressing what is probably an incompressible file, which is a waste of clock cycles. So from 2.6 on it is eliminated.
Importantly, the default setting when using compression is to use asymmetric compression. The default setting is no compression. Allow compression is only used when one party specifies a preference and the other does not.
This is the bigger issue, though mitigated in lz4-v2. Nonetheless, the official guidance is:
I fully agree with you. I was just pointing out that if one side includes the comp-lzo and the other side doesn’t, the connection will succeed but no traffic will pass. The OP said “I need to add” compression, and that could be why: his client has specified comp and he can’t push ignoring it.
I think just a box to add custom settings to the config or upload or paste in a fully custom config would be flexible.
To everyone making statements about compression security, ive read the summary of the issue and accept the risk. This is primarily used for mobile devices so any data reduction is worth it to me. Lz4v2 is also opportunistic compression and is cpu efficient
My need for custom config is because i have a datacenter network i connect to via openvpn when mobile, but ive found that its frustrating to manage my admin network at my branch office by routing from the trusted vpn, over my wan vpn and connecting to the admin host right next to me.
So i want to use custom settings to mirror the openvpn settings in the data center so when im on the branch office network, openvpn connects to the glinet router directly using the same hostname, but all admin traffic is routed locally (unless i connect to an admin host in the datacenter, but thats an accepted latency). I just have firewall rules that allow openvpn subnet traffic access to admin networks domain wide.
Totally cool - just something I wanted to make you aware of in case you weren’t. We get all levels of user here, and it’s natural for inexperienced users to think, “Compression! Great! Save data!” without understanding the various implications.
While I agree that it would be easier to do this in GUI (somewhat like pfSense does, for example), you also sound like the kind of person who should be able to pretty easily drop that into the server config file. They’re located in sub directories off of /etc/config, usually under a random number in version 4.X firmware.
I modified the config using some of the hidden options not in the gui, but my question was more about which undocumented option i could add to the glinet
I ended up just moving all my config to luci
Got what you mean and will discuss internally about this.