OpenVPN client: possible bug

gridrun
DD-WRT Novice


Joined: 29 Oct 2011
Posts: 24

Posted: Mon Mar 12, 2012 7:36    Post subject: OpenVPN client: possible bug
Router: TL-WR1043ND
Firmware: DD-WRT v24-sp2 (r18024)

When configuring the openvpn client with LZO compression disabled, the dd-wrt GUI writes

    comp-lzo no

to its config. This is incorrect and causes problems on servers that have LZO compression disabled. Communication will not be possible, and server logs will contain messages "unknown IP protocol version=15".

Proper procedure for the GUI would be to not include the comp-lzo directive when compression is disabled.

I believe this behaviour to be a bug. After a failed attempt to hack the part(s) of DDWRT that create /tmp/openvpncl/openvpn.conf, I resorted to a dirty hack using sed and some scripting:

*** Startup ***

#!/bin/sh
#openvpn comp-lzo workaround script (Startup)
# Writes /tmp/etc/fixovpn.sh; the Firewall script runs it later. The helper
# strips the comp-lzo directive the GUI emitted and restarts the client.
echo '#!/bin/sh' > /tmp/etc/fixovpn.sh
# work in the client dir so the relative cert/key paths in the config resolve
echo 'cd /tmp/openvpncl/' >> /tmp/etc/fixovpn.sh
# delete the comp-lzo line (anchored at line start so nothing else matches)
echo 'sed "/^comp-lzo/d" openvpn.conf > openvpn.tmp' >> /tmp/etc/fixovpn.sh
echo 'mv openvpn.tmp openvpn.conf' >> /tmp/etc/fixovpn.sh
# stop the instance the GUI started with the bad config, then relaunch it
echo 'killall openvpn' >> /tmp/etc/fixovpn.sh
echo 'sleep 1' >> /tmp/etc/fixovpn.sh
echo '/usr/sbin/openvpn --config /tmp/openvpncl/openvpn.conf' >> /tmp/etc/fixovpn.sh
chmod ugo+x /tmp/etc/fixovpn.sh


*** Firewall ***

#!/bin/sh
#openvpn comp-lzo workaround script (Firewall)
# run the helper written by the Startup script: strip comp-lzo, restart openvpn
/tmp/etc/fixovpn.sh
# NAT LAN traffic out through the VPN tunnel interface
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
# marker file so you can tell from the shell that the fix ran
echo 'VPNfix applied.' > /tmp/etc/fixed


Not very elegant. Maybe there's a better way to fix this?

cheers
grid
gridrun
DD-WRT Novice


Joined: 29 Oct 2011
Posts: 24

Posted: Tue Mar 13, 2012 4:54    Post subject:
In case somebody (Brainslayer?) fixes this: could the openVPN GUI be updated to include textboxes for up and down config directives? I envision the textboxes to contain the path to the respective script.

Thankies!
checho
DD-WRT Guru


Joined: 27 Feb 2007
Posts: 527
Location: Bulgaria

Posted: Tue Mar 13, 2012 6:02    Post subject:
report here -> http://svn.dd-wrt.com:8000/report

The forum is not a bugtracker. The opposite is also true.
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17619
Location: Hesse/Germany

Posted: Tue Mar 13, 2012 10:55    Post subject:
gridrun wrote:
In case somebody (Brainslayer?) fixes this: could the openVPN GUI be updated to include textboxes for up and down config directives? I envision the textboxes to contain the path to the respective script.

Thankies!


no. use daemon mode and scripts

_________________
Forum Guidelines...How to get help
&
Forum Rules
&
RTFM/STFW
&
Throw some buzzwords into the WIKI search
_________________
I'm NOT rude, just offer pure facts!
_________________
Atheros (TP-Link & Clones, etc ) debrick service in EU
_________________
Guide on HowTo be Safe, Secure and Protect Your Online Anonymity!
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17619
Location: Hesse/Germany

Posted: Tue Mar 13, 2012 10:58    Post subject: Re: OpenVPN client: possible bug
gridrun wrote:
Router: TL-WR1043ND
Firmware: DD-WRT v24-sp2 (r18024)

When configuring the openvpn client with LZO compression disabled, the dd-wrt GUI writes

    comp-lzo no

to its config. This is incorrect and causes problems on servers that have LZO compression disabled. Communication will not be possible, and server logs will contain messages "unknown IP protocol version=15".

Proper procedure for the GUI would be to not include the comp-lzo directive when compression is disabled.


Regarding the man page, dd-wrt uses the correct syntax, so not a problem on our side. Also I have never seen this behavior. You should upgrade your servers...

    --comp-lzo [mode]
    Use fast LZO compression -- may add up to 1 byte per packet for incompressible data. mode may be "yes", "no", or "adaptive" (default).

    In a server mode setup, it is possible to selectively turn compression on or off for individual clients.

    First, make sure the client-side config file enables selective compression by having at least one --comp-lzo directive, such as --comp-lzo no. This will turn off compression by default, but allow a future directive push from the server to dynamically change the on/off/adaptive setting.

    Next in a --client-config-dir file, specify the compression setting for the client, for example:

    comp-lzo yes
    push "comp-lzo yes"

    The first line sets the comp-lzo setting for the server side of the link, the second sets the client side.

gridrun
DD-WRT Novice


Joined: 29 Oct 2011
Posts: 24

Posted: Tue Mar 13, 2012 18:09    Post subject:
Thanks Sash, I'm investigating further with the pfSense crew.

From what I understand now, the root cause is that the options mismatch:

- openvpn cfg on dd-wrt always contains comp-lzo
- openvpn cfg on pfSense does not contain comp-lzo when LZO is disabled.

The error message in server logs "IP packet with unknown IP version=15 seen" makes sense when compression is enabled on one end, while not on the other.
daveM
DD-WRT Novice


Joined: 02 May 2011
Posts: 41

Posted: Wed Mar 14, 2012 13:11    Post subject:
If "comp-lzo" is printed to the configuration, an extra lzo bit is added (even if 'no' is specified as the option), and this will cause errors when making a connection to another openvpn with no "comp-lzo" printed.

I reported this and suggested that dd-wrt have a drop-down with a 'disabled' option to better reflect the real openvpn options (like tomatousb and other firmwares do), but the ticket was ignored and closed.
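Added example, not code from the thread or from DD-WRT: a POSIX sh check that classifies whether an OpenVPN config will use compression framing, following daveM's point that any comp-lzo directive, even "comp-lzo no", changes the packet format, and then compares a client and a server config to flag the mismatch behind the "unknown IP version=15" log line before anything is deployed. The sample configs, hostname and addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: classify the compression framing an
# OpenVPN config produces and flag a client/server mismatch before deploying.
# Any comp-lzo directive (yes, no or adaptive) makes OpenVPN prepend a
# one-byte compression header to every tunnel packet. A peer configured
# without the directive reads that byte as an IP header; the "not compressed"
# marker is 0xFA, whose high nibble is 0xF, hence "unknown IP version=15".

# ovpn_framing FILE -> prints "framed" or "plain"
ovpn_framing() {
    # drop comments, then look for a comp-lzo directive at the start of a line
    if sed 's/[#;].*$//' "$1" | grep -Eq '^[[:space:]]*comp-lzo([[:space:]]|$)'; then
        echo framed
    else
        echo plain
    fi
}

# check_pair CLIENT_CONF SERVER_CONF -> 0 when framing matches, 1 otherwise
check_pair() {
    c=$(ovpn_framing "$1")
    s=$(ovpn_framing "$2")
    if [ "$c" = "$s" ]; then
        echo "ok: both sides use $c framing"
        return 0
    fi
    echo "MISMATCH: client=$c server=$s (expect 'unknown IP version=15' in server logs)" >&2
    return 1
}

# Constructed sample configs modelled on the thread: the DD-WRT GUI emits
# "comp-lzo no", while the pfSense server omits the directive entirely.
tmp=${TMPDIR:-/tmp}/ovpn-lzo-check.$$
mkdir -p "$tmp"
cat > "$tmp/ddwrt.conf" <<'EOF'
client
dev tun1
remote vpn.example.net 1194
comp-lzo no
EOF
cat > "$tmp/pfsense.conf" <<'EOF'
dev tun
server 10.8.0.0 255.255.255.0
# comp-lzo intentionally absent: LZO disabled in the pfSense GUI
EOF
# Same server config with the matching directive added (the fix for a server you control)
{ cat "$tmp/pfsense.conf"; echo 'comp-lzo no'; } > "$tmp/pfsense-fixed.conf"
check_pair "$tmp/ddwrt.conf" "$tmp/pfsense.conf" || true   # reports the mismatch
check_pair "$tmp/ddwrt.conf" "$tmp/pfsense-fixed.conf"     # ok
```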
daveM
DD-WRT Novice


Joined: 02 May 2011
Posts: 41

Posted: Wed Mar 14, 2012 15:52    Post subject:
Oh my god... Sash actually committed fixes on this issue... I think I am going to faint.
gridrun
DD-WRT Novice


Joined: 29 Oct 2011
Posts: 24

Posted: Wed Mar 14, 2012 20:31    Post subject:
daveM wrote:
If "comp-lzo" is printed to the configuration, an extra lzo bit is added (even if 'no' is specified as the option), and this will cause errors when making a connection to another openvpn with no "comp-lzo" printed.

I reported this and suggested that dd-wrt have a drop-down with a 'disabled' option to better reflect the real openvpn options (like tomatousb and other firmwares do), but the ticket was ignored and closed.


Ah, right there! Thanks DaveM for the insight. I second your opinion on the "disabled" option, as I'm not a fan of quick'n'dirty sed hacks myself.
But alas, the trick with disabling compression through a ccd option didn't work out, so I'm stuck with that for now. Maybe a mistake on my end; I'll check back when I have more time.

In fact, it's all no problem if you're going to set up a new server; you'll just include "comp-lzo no" in the server config. But stuff gets complicated when you have an existing server (of which you possibly have no control) and are trying to hook up a DD-WRT to it, like I did.

Someone not familiar with the command line will have a very frustrating experience, to say the least. Mine surely was, and it would have been a catastrophic failure if it weren't for my humble *nix skillz... Hence I posted about the topic after all, so others running into the same situation will have a lead, hopefully saving them a night's worth of work. And hence also why I'd suggest to the dd-wrt devs to consider adding the requested feature nonetheless.

Cheers
grid
daveM
DD-WRT Novice


Joined: 02 May 2011
Posts: 41

Posted: Wed Mar 14, 2012 21:59    Post subject:
Hmm... first they added support for null cipher/auth, now they added proper comp-lzo support. I hope auth-user-pass is next, since Sash seems to be in the mood.
gridrun
DD-WRT Novice


Joined: 29 Oct 2011
Posts: 24

Posted: Wed Mar 14, 2012 22:47    Post subject:
Pretty cool. Thanks Sash!
All times are GMT