Hi,

(copying openvpn-devel, as Arne and Antonio are not reading -users)

On Wed, Jan 18, 2023 at 05:34:51PM +0100, Ralf Hildebrandt via Openvpn-users wrote:
> You might have noticed our bug reports regarding capabilities && 2.6rc2.
> The whole point of it all was to test 2.6.x's DCO in our openvpn
> infrastructure :)
And we appreciate this :-)
> But once we enabled DCO on the server side, things started to go awry - again.
>
> 2.5.x was not able to connect.
> So I thought: "Meh, maybe I should use 2.6rc on both client and server".
> Said and done.
>
> Now the server complains:
> =========================
[..]
> Jan 18 17:16:36 localhost openvpn-udp[50313]: hildeb/10.31.123.139:39440
> Note: '--allow-compression' is not set to 'no', disabling data channel
> offload.
> Jan 18 17:16:36 localhost openvpn-udp[50313]: hildeb/10.31.123.139:39440
> Consider using the '--compress migrate' option.
> Jan 18 17:16:36 localhost openvpn-udp[50313]: hildeb/10.31.123.139:39440
> MULTI: client has been rejected due to incompatible DCO options
This is a bit surprising. As you say, it *should* do that for the whole
server, not on a per-client connection.
Is there something related to compression in the main config and/or in
the per-client config (ccd, plugin, ...)?
[..]
> I'm reading this as: The server doesn't like the client based on
> "incompatible DCO
> options", obviously due to "allow-compression" not being set to "no"
> (which is the default, according to the docs)
Correct. This is surprising, and should not happen.
(Sometimes it's unavoidable - like, global options *are* compatible with
DCO, and then a per-client config shows up with incompatible options -
and then there is nothing the server can do, as it can not switch to
non-DCO for an individual client. But see above, should not happen here)
[..]
> allow-compression no
> --- snip ---
>
> So we clearly set "allow-compression" to "no". And no other compression
> is active (I think).
Indeed!
Any special config generated by the client-connect script, maybe?
[..]
> 2023-01-18 17:16:37 AUTH: Received control message: AUTH_FAILED
> 2023-01-18 17:16:37 SIGTERM received, sending exit notification to peer
Signalling server->client is limited at this point, but maybe we could
find a way to make this "AUTH_FAILED:server options incompatible with DCO"
or so. Arne?
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
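
The check suggested in the reply above (look for compression settings in the main config and in per-client files), as an added example that is not part of the original message or of OpenVPN itself. The file layout and names (`server.conf`, `ccd/client1`) are constructed, and the directive list is an assumption about which options are compression-related, not the server's own DCO compatibility check.

```python
import shlex
import tempfile
from pathlib import Path

# Compression-related OpenVPN directives (assumed list); they can sit in the main config or a ccd file.
DIRECTIVES = {"compress", "comp-lzo", "comp-noadapt", "allow-compression"}
# Values the server log quoted above names as the expected / suggested settings.
ACCEPTED = {("allow-compression", "no"), ("compress", "migrate")}


def tokens(line):
    """Split one config line: quotes group words, '#' and ';' start a comment."""
    lex = shlex.shlex(line, posix=True)
    lex.whitespace_split = True
    lex.commenters = "#;"
    try:
        return list(lex)
    except ValueError:  # unbalanced quote: nothing we can classify
        return []


def findings(path):
    """Return (file name, line number, directive text, needs_review) per compression line."""
    out = []
    for no, line in enumerate(Path(path).read_text().splitlines(), 1):
        tok = tokens(line)
        pushed = len(tok) > 1 and tok[0] == "push"
        if pushed:  # push "comp-lzo no" -> inspect the pushed option itself
            tok = tok[1].split()
        if tok and tok[0] in DIRECTIVES:
            review = pushed or (tok[0], " ".join(tok[1:])) not in ACCEPTED
            out.append((Path(path).name, no, ("push " if pushed else "") + " ".join(tok), review))
    return out


def scan(main_config, ccd_dir):
    """Check the main config first, then every per-client file in the ccd directory."""
    files = [Path(main_config)] + sorted(p for p in Path(ccd_dir).iterdir() if p.is_file())
    return [f for path in files for f in findings(path)]


def demo():
    """Constructed sample: clean main config, one ccd file that re-enables compression."""
    with tempfile.TemporaryDirectory() as d:
        main, ccd = Path(d, "server.conf"), Path(d, "ccd")
        ccd.mkdir()
        main.write_text("dev tun\nallow-compression no  # global setting\n")
        (ccd / "client1").write_text('ifconfig-push 10.8.0.5 10.8.0.6\npush "comp-lzo no"\ncomp-lzo no\n')
        return scan(main, ccd)
```

Lines returned with `needs_review` set are the ones to compare against the "incompatible DCO options" rejection; output of a client-connect script can be checked the same way by passing its generated file to `findings()`.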
