After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 769177 - Configuration to disable LZO is not honored
Configuration to disable LZO is not honored
Status: RESOLVED FIXED
Product: NetworkManager
Classification: Platform
Component: VPN: openvpn
unspecified
Other Linux
: Normal major
: ---
Assigned To: NetworkManager maintainer(s)
NetworkManager maintainer(s)
Depends on:
Blocks:
 
 
Reported: 2016-07-26 05:45 UTC by Manoharan
Modified: 2016-08-12 12:46 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Manoharan 2016-07-26 05:45:50 UTC
I am using NetworkManager OpenVPN plugin version 1.2.4 (in Arch Linux)

I have the LZO compression disabled (as the remote doesnt support it). But when I try to connect, It gives me a warning, that the local config has comp-lzo enabled. It works well with the version 1.2.2 though 


Details of the related config using nmcli (for my openvpn connection)
----------

vpn.data:                               ca = /home/xxx/root.ca, username = xxx, mssfix = no, port = 1194, tunnel-mtu = 1300, proto-tcp = no, comp-lzo = no, cipher = AES-128-CBC, remote = vpn.yyy.com, password-flags = 1, auth = SHA1, connection-type = password, remote-random = no

----------

Log from Journalctl:
--------
Jul 26 10:42:05 mypc nm-openvpn[9398]: WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
--------

Because of this, I couldnt use the openvpn:
--------
Jul 26 10:42:14 Brocade-8906 nm-openvpn[9398]: Bad LZO decompression header byte: 69
Jul 26 10:42:23 Brocade-8906 nm-openvpn[9398]: Bad LZO decompression header byte: 69

--------
Comment 1 Beniamino Galvani 2016-07-26 10:31:04 UTC
(In reply to Manoharan from comment #0)
> I am using NetworkManager OpenVPN plugin version 1.2.4 (in Arch Linux)
> 
> I have the LZO compression disabled (as the remote doesnt support it). But
> when I try to connect, It gives me a warning, that the local config has
> comp-lzo enabled. It works well with the version 1.2.2 though

Having comp-lzo=no is not the same as disabling LZO, but it means "turn off compression by default, but allow a future directive push from the server to dynamically change" according to 'man openvpn'. So I think you should remove altogether the comp-lzo=no option from VPN configuration. With nm-connection-editor you can simply uncheck the "use LZO data compression" flag.

Probably there was a change in behavior between 1.2.2 and 1.2.4, but I think the new way of handling the LZO option is more correct as it matches openvpn's options.
Comment 2 Manoharan 2016-07-26 10:54:10 UTC
(In reply to Beniamino Galvani from comment #1)
> (In reply to Manoharan from comment #0)
> > I am using NetworkManager OpenVPN plugin version 1.2.4 (in Arch Linux)
> > 
> > I have the LZO compression disabled (as the remote doesnt support it). But
> > when I try to connect, It gives me a warning, that the local config has
> > comp-lzo enabled. It works well with the version 1.2.2 though
> 
> Having comp-lzo=no is not the same as disabling LZO, but it means "turn off
> compression by default, but allow a future directive push from the server to
> dynamically change" according to 'man openvpn'. So I think you should remove
> altogether the comp-lzo=no option from VPN configuration. With
> nm-connection-editor you can simply uncheck the "use LZO data compression"
> flag.
> 
> Probably there was a change in behavior between 1.2.2 and 1.2.4, but I think
> the new way of handling the LZO option is more correct as it matches
> openvpn's options.

I have the option "use LZO data compression" option disabled in the connection configuration as well.
Comment 3 Erbureth 2016-08-01 16:44:13 UTC
Hi,

this is an issue in Fedora and Debian as well:

https://bugzilla.redhat.com/show_bug.cgi?id=1355688
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833166

I have attached my syslog in the Debian bugreport
Comment 4 Beniamino Galvani 2016-08-01 19:53:49 UTC
(In reply to Manoharan from comment #2)

> I have the option "use LZO data compression" option disabled in the
> connection configuration as well.

Just to confirm, does the output of 'nmcli connection show <con-name>' still have the comp-lzo option? And if it's there, can you please remove it from /etc/NetworkManager/system-connections/<con-name>, perform a 'nmcli connection reload' and try to connect again?


(In reply to Erbureth from comment #3)
> Hi,
> 
> this is an issue in Fedora and Debian as well:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1355688
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833166
> 
> I have attached my syslog in the Debian bugreport

Same question, can you please paste the output of 'nmcli -f vpn.data connection show <con-name>' and try to remove the the comp-lzo option if it's in there?
Comment 5 Erbureth 2016-08-02 11:01:35 UTC
(In reply to Beniamino Galvani from comment #4)

> Same question, can you please paste the output of 'nmcli -f vpn.data
> connection show <con-name>'

$ nmcli -f vpn.data connection show Seznam\ VPN 
vpn.data:                               cert = /home/kriho/VPN/jan.kriho.pem, key = /home/kriho/VPN/jan.kriho.key, ca = /home/kriho/VPN/cacert.pem, dev-type = tun, mssfix = no, proto-tcp = no, cert-pass-flags = 1, comp-lzo = no, remote = {vpnserver}, connection-type = tls, remote-random = no

> and try to remove the the comp-lzo option if
> it's in there?

$ nmcli -f vpn.data connection show Seznam\ VPN 
vpn.data:                               cert = /home/kriho/VPN/jan.kriho.pem, key = /home/kriho/VPN/jan.kriho.key, ca = /home/kriho/VPN/cacert.pem, dev-type = tun, mssfix = no, cert-pass-flags = 1, proto-tcp = no, remote = {vpnserver}, connection-type = tls, remote-random = no

After the workaround the connection is working again.
Comment 6 Manoharan 2016-08-08 03:55:16 UTC
(In reply to Beniamino Galvani from comment #4)
> (In reply to Manoharan from comment #2)
> 
> > I have the option "use LZO data compression" option disabled in the
> > connection configuration as well.
> 
> Just to confirm, does the output of 'nmcli connection show <con-name>' still
> have the comp-lzo option? And if it's there, can you please remove it from
> /etc/NetworkManager/system-connections/<con-name>, perform a 'nmcli
> connection reload' and try to connect again?
> 

Yes, the output shows "comp-lzo=no" option (and with that the VPN connection doesnt work). Once I remove that manually from /etc/NetworkManager/system-connections/<name> and did a reload and the connection started to work. The below output is after removal of the option (the workaround config that works)

vpn.data:                               ca = /home/xxx/root.ca, username = xxx, mssfix = no, port = 1194, tunnel-mtu = 1300, proto-tcp = no, cipher = AES-128-CBC, remote = yyy.com, password-flags = 1, auth = SHA1, connection-type = password, remote-random = no


> 
> (In reply to Erbureth from comment #3)
> > Hi,
> > 
> > this is an issue in Fedora and Debian as well:
> > 
> > https://bugzilla.redhat.com/show_bug.cgi?id=1355688
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833166
> > 
> > I have attached my syslog in the Debian bugreport
> 
> Same question, can you please paste the output of 'nmcli -f vpn.data
> connection show <con-name>' and try to remove the the comp-lzo option if
> it's in there?
Comment 7 Thomas Haller 2016-08-11 14:12:53 UTC
this is now fixed in nm-openvpn upstream to restore the old meaning:

https://git.gnome.org/browse/network-manager-openvpn/commit/?id=62bdd278d69cc396479af9d05a0b776d5ad386bf




plasma-nm should also be fixed, so that it sets "no-by-default" instead of "no" after https://quickgit.kde.org/?p=plasma-nm.git&a=commit&h=31bcd5f2cffd1c19fbd10ab0f4172f2d82eff194
Comment 8 Thomas Haller 2016-08-12 12:46:35 UTC
(In reply to Thomas Haller from comment #7)
> plasma-nm should also be fixed, so that it sets "no-by-default" instead of
> "no" after
> https://quickgit.kde.org/?p=plasma-nm.
> git&a=commit&h=31bcd5f2cffd1c19fbd10ab0f4172f2d82eff194

For the record: the bug against plasma-nm: https://bugs.kde.org/show_bug.cgi?id=366640