On 10.02.23 at 10:02, Lev Stipakov wrote:
>> We can certainly add logic that will make the
>> client abort in these cases but that should affect all the other options
>> that are being pushed that the client refuses.
>
> At least for compression we know for sure that the tunnel will be broken,
> doesn't it warrant any special case? At least a clear log message "your connection
> will be broken for sure, but we haven't added logic to not
> establish it at all just yet"
>
> Moreover, with this patch broken VPN providers become even more broken - before
> one could add "disable-dco" and have a working tunnel with compression framing.
> Right now the behavior is consistently broken with/without dco - which is expected,
> but do we really want to add broken cases?

To be honest, I have little sympathy for these VPN providers. Just
because most OpenVPN 2.5.0 and earlier would accept pushing compression
does not make that correct behaviour. And having no comp-lzo in your
config but pushing "comp-lzo no" is pretty non-standard behaviour. I
have never seen that kind of thing before apart from deliberate testing.
OpenVPN AS will also do that stuff but it will check your IV_COMP_*
variables before pushing.

If we want to make it easier for users to work around these broken VPN
providers, we might want to highlight compat-mode more in UI etc. E.g.
having a dropdown/checkbox in OpenVPN GUI that allows picking
compat-mode 2.5.0/2.4.0/2.3.6/2.3.0

Arne