Bug 372086

Summary: Make configuration option for LZO compression of OpenVPN connection tri-state
Product: [Applications] systemsettings Reporter: Matthias Nagel <matthias.nagel>
Component: kcm_networkmanagementAssignee: Lukáš Tinkl <lukas>
Status: RESOLVED DUPLICATE    
Severity: normal CC: jgrulich
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: unspecified   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Matthias Nagel 2016-11-04 17:44:00 UTC 
The graphical editor has a checkbox to either enable or disable the LZO compression of OpenVPN connections. This option is translats to "comp-lzo=no" or "comp-lzo=yes" respectively in the corresponding configuration file under /etc/NetworkManager/. At the level of OpenVPN this corresponds to the equally named option.

Howerver, this option is tri-state and can be left unconfigured which has a different meaning than "yes" or "no". See man page of OpenVPN.

If at the client side either "comp-lzo=no" or "comp-lzo=yes" and at the server side the configuration is left unspecified under certain conditions the connection can be successfully established but become useless due to LZO errors

Nov 03 21:09:56 nm-openvpn[17410]: OpenVPN 2.3.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct 30 2016
Nov 03 21:09:56 nm-openvpn[17410]: library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.08
Nov 03 21:09:57 nm-openvpn[17410]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 03 21:09:57 nm-openvpn[17410]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Nov 03 21:09:57 nm-openvpn[17410]: Attempting to establish TCP connection with [AF_INET]193.197.62.25:1194 [nonblock]
Nov 03 21:09:58 nm-openvpn[17410]: TCP connection established with [AF_INET]193.197.62.25:1194
Nov 03 21:09:58 nm-openvpn[17410]: TCPv4_CLIENT link local: [undef]
Nov 03 21:09:58 nm-openvpn[17410]: TCPv4_CLIENT link remote: [AF_INET]193.197.62.25:1194
Nov 03 21:09:59 nm-openvpn[17410]: WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Nov 03 21:09:59 nm-openvpn[17410]: [openvpn.scc.kit.edu] Peer Connection Initiated with [AF_INET]193.197.62.25:1194
Nov 03 21:10:01 nm-openvpn[17410]: TUN/TAP device tap0 opened
Nov 03 21:10:01 nm-openvpn[17410]: /usr/libexec/nm-openvpn-service-openvpn-helper --debug 0 17403 --bus-name org.freedesktop.NetworkManager.openvpn.Connection_1 --tap -- tap0 1500 1592 141.3.200.95 255.255.255.0 init
Nov 03 21:10:01 nm-openvpn[17410]: GID set to nm-openvpn
Nov 03 21:10:01 nm-openvpn[17410]: UID set to nm-openvpn
Nov 03 21:10:01 nm-openvpn[17410]: Initialization Sequence Completed
Nov 03 21:10:01 nm-openvpn[17410]: Bad LZO decompression header byte: 255
Nov 03 21:10:01 nm-openvpn[17410]: Bad LZO decompression header byte: 255
Nov 03 21:10:01 nm-openvpn[17410]: Bad LZO decompression header byte: 255
Nov 03 21:10:01 nm-openvpn[17410]: Bad LZO decompression header byte: 51
....

This behaviour is expected and reproducible.

If one edits the configuration file under /etc/NetworkManager/ manually be means of a text editor and removes the "comp-lzo=<yes|no>" directive from the configuration file, everything works as expected. However, as soon as one opens the connection in the graphical connection editor again, the "comp-lzo" directive is re-inserted into the configuration file and set to whatever the checkbox state is in. After that the OpenVPN connection does not work and one must edit the configuration file again.

Proposed solution: Make the checkbox tri-state.
Comment 1 Jan Grulich 2016-11-06 14:27:42 UTC 

*** This bug has been marked as a duplicate of bug 366640 ***