author: Arne Schwabe, 2021-03-24 23:08:53 +0100
committer: Gert Doering, 2021-04-02 14:49:39 +0200
commit: 8fa8a17528c001abc7d5f45e9c2ffa3ed2f6af43 (patch)
tree: e1a4b0d3ac8b44f84bd86dbb1be689c3398407b7 (/doc)
parent: 72e1ecb5b5d282c591cc32bbd378efbebfb03918 (diff)
Implement '--compress migrate' to migrate to non-compression setup
This option allows migration to a non-compression server config while
still retaining compatibility with clients that have a compression
setting in their config.
For existing setups that used to have comp-lzo no or another
compression setting in their configs it is difficult to migrate to
a setup without compression without replacing all client configs at
once, especially if OpenVPN 2.3 or earlier clients are in the mix that
do not support pushing stub-v2. Even with OpenVPN 2.4 and later clients
that support pushing, this is not a satisfying solution as the clients
log OCC mismatches and the "push stub-v2" needs to be in the server
config "forever".
If the new migrate option to compress is set and a client is detected
that indicates that compression is used (via OCC), the server will
automatically add ``--push compress stub-v2`` to the client specific
configuration if stub-v2 is supported by the client and otherwise
switch to ``comp-lzo no`` and add ``--push comp-lzo`` to the client
specific configuration.
Patch v2: better commit message/man page, add USE_COMP ifdefs, various
style fixes
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210324220853.31246-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21801.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
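The per-client decision described in the commit message, as an added model written for this page (not OpenVPN's own code). It assumes that a client advertises compression with a ``comp-lzo`` element in its OCC string and announces stub-v2 support with ``IV_COMP_STUBv2=1`` in its peer-info; the OCC strings and peer-info below are constructed samples.

```python
# Model of a server running '--compress migrate' (assumption: not OpenVPN's implementation).
from dataclasses import dataclass, field


@dataclass
class ClientDecision:
    server_comp: str                            # compression the server uses for this client
    push: list = field(default_factory=list)    # options added to the client-specific config


def client_uses_compression(occ_string: str) -> bool:
    """OCC elements are comma separated; assumption: 'comp-lzo' marks any compression context."""
    return "comp-lzo" in (e.strip() for e in occ_string.split(","))


def client_supports_stub_v2(peer_info: str) -> bool:
    """peer-info is newline separated KEY=VALUE pairs; assumption: IV_COMP_STUBv2=1 means stub-v2 support."""
    pairs = dict(line.split("=", 1) for line in peer_info.splitlines() if "=" in line)
    return pairs.get("IV_COMP_STUBv2") == "1"


def migrate_decision(occ_string: str, peer_info: str) -> ClientDecision:
    """Apply the rule from the commit message to one connecting client."""
    if not client_uses_compression(occ_string):
        # no compression in the client config: act like a server without any compression option
        return ClientDecision(server_comp="none")
    if client_supports_stub_v2(peer_info):
        # 2.4 or later client: push the framing-only stub so neither side compresses
        return ClientDecision(server_comp="none", push=["compress stub-v2"])
    # older client without stub-v2: keep comp-lzo framing on the server side and push comp-lzo
    return ClientDecision(server_comp="comp-lzo no", push=["comp-lzo"])


# Constructed sample inputs, not captured from real clients
NO_COMP_OCC = "V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client"
COMP_OCC = "V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client"
PEER_INFO_24 = "IV_VER=2.4.9\nIV_PLAT=linux\nIV_PROTO=2\nIV_NCP=2\nIV_LZO=1\nIV_COMP_STUB=1\nIV_COMP_STUBv2=1\n"
PEER_INFO_23 = "IV_VER=2.3.18\nIV_PLAT=linux\nIV_LZO=1\n"

if __name__ == "__main__":
    for occ, info in ((NO_COMP_OCC, PEER_INFO_24), (COMP_OCC, PEER_INFO_24), (COMP_OCC, PEER_INFO_23)):
        print(migrate_decision(occ, info))
```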
Diffstat (limited to 'doc')
doc/man-sections/protocol-options.rst | 13
1 files changed, 11 insertions, 2 deletions
diff --git a/doc/man-sections/protocol-options.rst b/doc/man-sections/protocol-options.rst index e9d5d63..01789e5 100644 --- a/doc/man-sections/protocol-options.rst +++ b/doc/man-sections/protocol-options.rst @@ -84,10 +84,10 @@ configured in a compatible way between both the local and remote side. --compress algorithm **DEPRECATED** Enable a compression algorithm. Compression is generally not recommended. VPN tunnels which use compression are susceptible to - the VORALCE attack vector. + the VORALCE attack vector. See also the :code:`migrate` parameter below. The ``algorithm`` parameter may be :code:`lzo`, :code:`lz4`, - :code:`lz4-v2`, :code:`stub`, :code:`stub-v2` or empty. + :code:`lz4-v2`, :code:`stub`, :code:`stub-v2`, :code:`migrate` or empty. LZO and LZ4 are different compression algorithms, with LZ4 generally offering the best performance with least CPU usage. @@ -106,6 +106,15 @@ configured in a compatible way between both the local and remote side. Note: the :code:`stub` (or empty) option is NOT compatible with the older option ``--comp-lzo no``. + Using :code:`migrate` as compression algorithm enables a special migration mode. + It allows migration away from the ``--compress``/``--comp-lzo`` options to no compression. + This option sets the server to no compression mode and the server behaves identical to + a server without a compression option for all clients without a compression in their + config. However, if a client is detected that indicates that compression is used (via OCC), + the server will automatically add ``--push compress stub-v2`` to the client specific + configuration if supported by the client and otherwise switch to ``comp-lzo no`` + and add ``--push comp-lzo`` to the client specific configuration. + ***Security Considerations*** Compression and encryption is a tricky combination. If an attacker knows |
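Review bot: in the first hunk (around line 84), the rewritten line `+ the VORALCE attack vector. See also the :code:`migrate` parameter below.` carries forward the misspelling VORALCE; the attack is called VORACLE. Since the line is touched anyway, fix the spelling in the same change rather than leaving it for a follow-up.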
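Review bot: in the second hunk's new paragraph, "if supported by the client" leaves open what must be supported; the commit message says stub-v2, so write "if the client supports :code:`stub-v2`" (the ``compress stub-v2`` push needs an OpenVPN 2.4 or later client). Also "behaves identical to" should be "behaves identically to", "without a compression in their config" reads better as "without a compression option in their config", and "client specific configuration" should be hyphenated. The paragraph only describes server behaviour; a sentence stating that :code:`migrate` is meant for the server config, and what happens if a client sets it, would save users some trial and error.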