OpenVPN Errors since SysUpgrade

Folks,

I'm confused as to what's going on with my openvpn server. Since doing a sysupgrade to a current build from Git, I'm getting the following errors when my clients connect, and no client connectivity:

Tue May 29 21:11:54 2018 daemon.warn openvpn(vpnserver)[6904]: 148.252.128.147:48844 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
Tue May 29 21:11:54 2018 daemon.warn openvpn(vpnserver)[6904]: 148.252.128.147:48844 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'

However this is inconsistent with my config file which specifies comp-lzo on both server and client, and also specifies no MTU. Is it possible it is loading config from elsewhere? How can I tell?

root@router:~# cat /etc/config/openvpn
config openvpn 'vpnserver'
        option status '/tmp/openvpn-udp-status.log'
        option enabled '1'
        option dev_type 'tun'
        option dev 'ovpns0'
        option port '1194'
        option proto 'udp'
        option comp_lzo 'yes'
        option keepalive '10 120'
        option persist_key '1'
        option persist_tun '1'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/my-server.crt'
        option key '/etc/openvpn/my-server.key'
        option dh '/etc/openvpn/dh2048.pem'
        option tls_auth '/etc/openvpn/tls-auth.key 0'
        option mode 'server'
        option tls_server '1'
        option server '192.168.200.0 255.255.255.0'
        option topology 'subnet'
        option client_to_client '1'
        option route_gateway 'dhcp'
        list push 'comp-lzo yes'
        list push 'persist-key'
        list push 'persist-tun'
        list push 'topology subnet'
        list push 'redirect-gateway def1'
        list push 'route-gateway dhcp'
        list push 'route 192.168.200.0 255.255.255.0'
        list push 'route 192.168.1.0 255.255.255.0'
        list push 'dhcp-option DNS 192.168.1.1'
        list push 'dhcp-option DOMAIN lan'

OK, so I got a bit further: my config is safe and sound in /etc/config/openvpn since the rebuild; however, when openvpn runs (i.e. Start/Stop in LuCI) it is loading config from /var/etc/openvpn-vpnserver.conf.

However, if I make changes to the config in LuCI, they update in /etc/config/openvpn but do not get changed in /var/etc/openvpn-vpnserver.conf.

What's causing this?

Even weirder: if I delete /var/etc/openvpn-vpnserver.conf, when I do a save config in LuCI it recreates it, BUT WITH THE WRONG CONFIG!! Ahhhh!

What you're describing is normal behavior. Config files for OpenWrt are found in /etc/config, not in /var. The files in /var are created by UCI.

Are you using the command /etc/init.d/openvpn restart to reload the config?

Yes. That exact command.

I've tried building the config from scratch and it seems that UCI is ignoring the 'comp_lzo' option in my /etc/config/openvpn file when it builds the /var config file.

root@router:/# cat /etc/config/openvpn

config openvpn 'vpnserver1'
        option status '/tmp/openvpn-udp-status.log'
        option enabled '1'
        option dev_type 'tun'
        option dev 'ovpns0'
        option proto 'udp'
        option keepalive '10 120'
        option persist_key '1'
        option persist_tun '1'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/my-server.crt'
        option key '/etc/openvpn/my-server.key'
        option dh '/etc/openvpn/dh2048.pem'
        option tls_auth '/etc/openvpn/tls-auth.key 0'
        option mode 'server'
        option tls_server '1'
        option server '192.168.200.0 255.255.255.0'
        option topology 'subnet'
        option client_to_client '1'
        option route_gateway 'dhcp'
        list push 'comp-lzo yes'
        list push 'persist-key'
        list push 'persist-tun'
        list push 'topology subnet'
        list push 'redirect-gateway def1'
        list push 'route-gateway dhcp'
        list push 'route 192.168.200.0 255.255.255.0'
        list push 'route 192.168.1.0 255.255.255.0'
        list push 'dhcp-option DNS 192.168.1.1'
        list push 'dhcp-option DOMAIN lan'
        option comp_lzo 'yes'
        option port '1194'

root@router:/# /etc/init.d/openvpn restart
root@router:/# cat /var/etc/openvpn-vpnserver1.conf
client-to-client
persist-key
persist-tun
tls-server
ca /etc/openvpn/ca.crt
cert /etc/openvpn/my-server.crt
dev ovpns0
dev-type tun
dh /etc/openvpn/dh2048.pem
keepalive 10 120
key /etc/openvpn/my-server.key
mode server
port 1194
proto udp
push "comp-lzo yes"
push "persist-key"
push "persist-tun"
push "topology subnet"
push "redirect-gateway def1"
push "route-gateway dhcp"
push "route 192.168.200.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DOMAIN lan"
route-gateway dhcp
server 192.168.200.0 255.255.255.0
status /tmp/openvpn-udp-status.log
tls-auth /etc/openvpn/tls-auth.key 0
topology subnet
root@router:/#

Note the comp-lzo option is not in the /var file.
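
The comparison in the post above can be automated. The script below is an added example, not OpenWrt's or OpenVPN's own code: it reads the options of one `config openvpn` section from a UCI file, maps UCI's underscores to OpenVPN's hyphens (`comp_lzo` -> `comp-lzo`), and lists every option that does not appear as a directive in the generated `/var/etc/openvpn-<section>.conf` (the file the thread shows `/etc/init.d/openvpn restart` producing). The two sample input pairs are constructed copies, trimmed from the post above: the first still uses `comp_lzo` and reproduces the missing directive; the second uses the `compress lzo` form arrived at later in the thread and passes clean. Skipping the UCI-only `enabled` option is an assumption about the init script, not something the thread states.

```shell
#!/bin/sh
# Added example (not OpenWrt's or OpenVPN's code): list UCI options of an
# openvpn section that are absent from the generated .conf. On the router:
#   uci_missing_in_conf /etc/config/openvpn vpnserver1 /var/etc/openvpn-vpnserver1.conf

uci_missing_in_conf() {
    uci_file=$1 section=$2 conf=$3
    # Print option names of the requested section only: the lines between
    # "config openvpn '<section>'" and the next "config" stanza.
    awk -v sec="$section" -v q="'" '
        $1 == "config" { name = $3; gsub(q, "", name); insec = (name == sec); next }
        insec && $1 == "option" { print $2 }
    ' "$uci_file" |
    while read -r opt; do
        # Assumption: "enabled" is consumed by the init script, never written out.
        [ "$opt" = "enabled" ] && continue
        # UCI uses underscores where OpenVPN uses hyphens (comp_lzo -> comp-lzo).
        key=$(printf '%s' "$opt" | tr '_' '-')
        # Match the directive as a whole word at line start, so "dev" does
        # not match "dev-type" and "push \"comp-lzo yes\"" does not count.
        grep -q -E "^$key"'( |$)' "$conf" || echo "$key"
    done
}

# Constructed pair, trimmed from the thread: comp_lzo in UCI, no comp-lzo in .conf.
write_broken_pair() {
    cat > "$1" <<'EOF'
config openvpn 'vpnserver1'
        option enabled '1'
        option dev_type 'tun'
        option dev 'ovpns0'
        option proto 'udp'
        option tls_server '1'
        option comp_lzo 'yes'
        option port '1194'
EOF
    cat > "$2" <<'EOF'
tls-server
dev ovpns0
dev-type tun
port 1194
proto udp
push "comp-lzo yes"
EOF
}

# Constructed pair using the OpenVPN 2.4 "compress lzo" form on both sides.
write_fixed_pair() {
    cat > "$1" <<'EOF'
config openvpn 'vpnserver1'
        option enabled '1'
        option dev_type 'tun'
        option dev 'ovpns0'
        option proto 'udp'
        option tls_server '1'
        option compress 'lzo'
        option port '1194'
EOF
    cat > "$2" <<'EOF'
tls-server
compress lzo
dev ovpns0
dev-type tun
port 1194
proto udp
push "compress lzo"
EOF
}

# Run the check against a constructed pair; $1 names the writer function.
demo() {
    dir=$(mktemp -d)
    "$1" "$dir/openvpn" "$dir/openvpn-vpnserver1.conf"
    uci_missing_in_conf "$dir/openvpn" vpnserver1 "$dir/openvpn-vpnserver1.conf"
    rm -rf "$dir"
}

demo write_broken_pair   # prints: comp-lzo
demo write_fixed_pair    # prints nothing
```

Anything the function prints is a directive you set in UCI that the running daemon never saw; an empty result means the generated file at least carries every option, and any remaining client warning is then a genuine server/client mismatch rather than a lost setting.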

Try:
option comp_lzo '1'

Didn't work.

However, I think I've found the issue: the option 'comp-lzo' was deprecated in openvpn 2.4 in favor of 'compress lzo'. If I change to this in /etc/config/openvpn, it works.

The option is only deprecated not removed, but for some reason UCI won't allow the comp-lzo setting to make it through to the openvpn .conf file.

Whenever an error with "...is used inconsistently" shows up in the OpenVPN log, it's referencing that the server and client options are not in sync.

  • 99% of OpenVPN config options must be mirrored in the server and client configs.

Additionally, it's recommended to tune OpenVPN configs with a custom tunnel MTU value (not the same as the link MTU), dependent on the encryption cipher used (see the Tuning Tab).
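
To see at a glance which options the reply above says must be mirrored, the warnings can be parsed mechanically. The function below is an added example, not from the thread or from OpenVPN: it splits each warning on its single quotes and prints the option name with the local and remote values, for both the "is used inconsistently" and the "missing in local config" forms. The sample input is the two warning lines copied from the first post. One check worth knowing: with the client's comp-lzo absent on the server, the two sides' link-mtu values differ by exactly one byte, which is the compression header the remote side adds, so both warnings point at the same root cause.

```shell
#!/bin/sh
# Added example (not from the thread or OpenVPN): summarise OpenVPN option
# mismatch warnings as option|local|remote. On the router:
#   logread | inconsistent_options

inconsistent_options() {
    # Splitting on the single quote puts the option name in field 2 and the
    # quoted values in fields 4 and 6 (or only 4 for the "missing" form).
    awk -v q="'" '
        index($0, "WARNING:") == 0 { next }
        { split($0, a, q) }
        /is used inconsistently/  { print a[2] "|local=" a[4] "|remote=" a[6]; next }
        /missing in local config/ { print a[2] "|local=(absent)|remote=" a[4]; next }
    '
}

# Sample input: the two warning lines from the first post of the thread.
sample_log() {
    cat <<'EOF'
Tue May 29 21:11:54 2018 daemon.warn openvpn(vpnserver)[6904]: 148.252.128.147:48844 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
Tue May 29 21:11:54 2018 daemon.warn openvpn(vpnserver)[6904]: 148.252.128.147:48844 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
EOF
}

demo_log() {
    sample_log | inconsistent_options
}

demo_log
# prints:
# link-mtu|local=link-mtu 1541|remote=link-mtu 1542
# comp-lzo|local=(absent)|remote=comp-lzo
```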

Hi, I'm having the same problem with compression after upgrading to 18.06. Can you tell me what exactly you put in the config file (parameter and its value)?

I tried compress_lzo 'yes' as well as compress_lzo '1' but it doesn't work. I guess it is a different syntax; the client still complains with the error as in the first post.

The comp-lzo option is deprecated after OpenVPN 2.4; the correct options are now:

option compress 'lzo'
list push 'compress lzo'

However this will cause issues if clients older than version 2.4 try to connect. This is a known regression issue with OpenVPN for which there is no simple work-around.

Thanks, it works for me now!

I've updated the OpenVPN Server (Comprehensive) & OpenVPN (Server Setup) wikis with this.

Also worth noting that OpenVPN 2.4 supports the superior LZ4 compression algorithm, via
option compress 'lz4'
and
list push 'compress lz4'

This is what the wikis were changed to.