I'm confused as to what's going on with my openvpn server. Since doing a sysupgrade to a current build from Git I'm getting the following errors when my clients connect, and no client connectivity:
Tue May 29 21:11:54 2018 daemon.warn openvpn(vpnserver)[6904]: 148.252.128.147:48844 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
Tue May 29 21:11:54 2018 daemon.warn openvpn(vpnserver)[6904]: 148.252.128.147:48844 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
However this is inconsistent with my config file which specifies comp-lzo on both server and client, and also specifies no MTU. Is it possible it is loading config from elsewhere? How can I tell?
root@router:~# cat /etc/config/openvpn
config openvpn 'vpnserver'
	option status '/tmp/openvpn-udp-status.log'
	option enabled '1'
	option dev_type 'tun'
	option dev 'ovpns0'
	option port '1194'
	option proto 'udp'
	option comp_lzo 'yes'
	option keepalive '10 120'
	option persist_key '1'
	option persist_tun '1'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/my-server.crt'
	option key '/etc/openvpn/my-server.key'
	option dh '/etc/openvpn/dh2048.pem'
	option tls_auth '/etc/openvpn/tls-auth.key 0'
	option mode 'server'
	option tls_server '1'
	option server '192.168.200.0 255.255.255.0'
	option topology 'subnet'
	option client_to_client '1'
	option route_gateway 'dhcp'
	list push 'comp-lzo yes'
	list push 'persist-key'
	list push 'persist-tun'
	list push 'topology subnet'
	list push 'redirect-gateway def1'
	list push 'route-gateway dhcp'
	list push 'route 192.168.200.0 255.255.255.0'
	list push 'route 192.168.1.0 255.255.255.0'
	list push 'dhcp-option DNS 192.168.1.1'
	list push 'dhcp-option DOMAIN lan'
OK so I got a bit further - my config is safe and sound in /etc/config/openvpn since the rebuild, however when openvpn runs (i.e. Start/Stop in LuCI) it is loading config from /var/etc/openvpn-vpnserver.conf.
However if I make changes to the config in LuCI - they update in /etc/config/openvpn but do not get changed in /var/etc/openvpn-vpnserver.conf.
I've tried building the config from scratch and it seems that UCI is ignoring the 'comp_lzo' option in my /etc/config/openvpn file when it builds the /var config file.
However I think I've found the issue - the option 'comp-lzo' was deprecated in openvpn 2.4 in favor of 'compress lzo'. If I change to this in the /etc/config/openvpn - it works.
The option is only deprecated not removed, but for some reason UCI won't allow the comp-lzo setting to make it through to the openvpn .conf file.
Whenever an error with "...is used inconsistently" shows up in the OpenVPN log, it's referring to server and client options that are not in sync.
99% of OpenVPN config options must be mirrored in the server and client configs.
Additionally, it's recommended to tune OpenVPN configs with a custom tunnel MTU value (not the same as the link MTU), dependent on the encryption cipher used (see the Tuning Tab).
Hi, I'm having the same problem with compression after upgrading to 18.06. Can you tell me what exactly you put in the config file (parameter and its value)?
I tried compress_lzo 'yes' as well as compress_lzo '1' but it doesn't work. I guess it is different syntax; the client still complains with the error as in the first post.
The comp-lzo option is deprecated after OpenVPN 2.4, the correct options are now:
option compress 'lzo'
list push 'compress lzo'
However this will cause issues if clients older than version 2.4 try to connect. This is a known regression issue with OpenVPN for which there is no simple work-around.
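
The thread's diagnosis was that an option set in /etc/config/openvpn never reached /var/etc/openvpn-vpnserver.conf. As an added example (not code from any poster or from OpenWrt), the script below lists the `option` entries of one instance that are missing from the generated file. The names `missing_directives` and `demo` are hypothetical, the underscore-to-hyphen name mapping is an assumption about the init script, and the sample data is constructed.

```shell
#!/bin/sh
# Assumption: the init script turns UCI option names into OpenVPN directives
# by replacing "_" with "-". Only "option" lines are checked, not "list push".

# missing_directives UCI_FILE INSTANCE GENERATED_CONF  (hypothetical helper)
missing_directives() {
    awk -v inst="$2" -v q="'" '
        # Generated conf: remember the first word of every directive line.
        FILENAME == ARGV[1] { if ($1 != "" && $1 !~ /^[#;]/) seen[$1] = 1; next }
        # UCI file: track whether we are inside the requested openvpn section.
        $1 == "config" {
            name = $3; gsub(q, "", name)
            in_sec = ($2 == "openvpn" && name == inst); next
        }
        in_sec && $1 == "option" {
            val = $3; gsub(q, "", val)
            if ($2 == "enabled" || val == "0") next  # UCI-only switch, or flag off
            d = $2; gsub(/_/, "-", d)
            if (!(d in seen)) print d
        }
    ' "$3" "$1"
}

# Constructed sample data, not copied from a real router.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/uci" <<'EOF'
config openvpn 'vpnserver'
	option enabled '1'
	option port '1194'
	option comp_lzo 'yes'
	option persist_key '1'
	option client_to_client '0'
EOF
    printf 'port 1194\npersist-key\n' > "$tmp/conf"
    missing_directives "$tmp/uci" vpnserver "$tmp/conf"
    rm -rf "$tmp"
}

# With three arguments check real files, otherwise run the constructed demo.
if [ "$#" -eq 3 ]; then missing_directives "$@"; else demo; fi
```

On the router it would be called with /etc/config/openvpn, the instance name vpnserver and /var/etc/openvpn-vpnserver.conf as its three arguments.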