of the data channel in the OpenVPN wire protocol. These options must be
configured in a compatible way between both the local and remote side.
+--allow-compression mode
+ As described in the ``--compress`` option, compression is a potentially
+ dangerous option. This option allows controlling the behaviour of
+ OpenVPN when compression is used and allowed.
+
+ Valid syntaxes:
+ ::
+
+ allow-compression
+ allow-compression mode
+
+ The ``mode`` argument can be one of the following values:
+
+ :code:`asym` (default)
+ OpenVPN will only *decompress downlink packets* but *not compress
+ uplink packets*. This also allows migrating to disable compression
+ when changing both server and client configurations to remove
+ compression at the same time is not a feasible option.
+
+ :code:`no`
+ OpenVPN will refuse any non-stub compression.
+
+ :code:`yes`
+ OpenVPN will send and receive compressed packets.
+
--auth alg
Authenticate data channel packets and (if enabled) ``tls-auth`` control
channel packets with HMAC using message digest algorithm ``alg``. (The
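Review bot: the second sentence of the :code:`asym` entry is hard to parse ("This also allows migrating to disable compression when changing both server and client configurations to remove compression at the same time is not a feasible option"); suggest rewording along the lines of "This also allows removing compression gradually when the server and client configurations cannot be changed at the same time." The :code:`no` entry says OpenVPN "will refuse any non-stub compression" but does not say what refusing means in practice for a pushed ``compress`` option (is the pushed option ignored, or does the connection fail?); state the effect so an administrator can predict what happens when a server still pushes compression. Finally, the "Valid syntaxes" block lists bare ``allow-compression`` without an argument, so the :code:`asym` entry should say explicitly that this is the mode used when no argument is given, not only "(default)".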
not recommended. VPN tunnels which use compression are susceptible to
the VORALCE attack vector.
- The ``algorithm`` parameter may be :code:`lzo`, :code:`lz4`, or empty.
+ The ``algorithm`` parameter may be :code:`lzo`, :code:`lz4`,
+ :code:`lz4-v2`, :code:`stub`, :code:`stub-v2` or empty.
LZO and LZ4 are different compression algorithms, with LZ4 generally
offering the best performance with least CPU usage.
- If the ``algorithm`` parameter is empty, compression will be turned off,
- but the packet framing for compression will still be enabled, allowing a
- different setting to be pushed later.
+ The :code:`lz4-v2` and :code:`stub-v2` variants implement a better
+ framing that does not add overhead when packets cannot be compressed. All
+ other variants always add one extra framing byte compared to no
+ compression framing.
+
+ If the ``algorithm`` parameter is :code:`stub`, :code:`stub-v2` or empty,
+ compression will be turned off, but the packet framing for compression
+ will still be enabled, allowing a different setting to be pushed later.
+ Additionally, :code:`stub` and :code:`stub-v2` wil disable announcing
+ ``lzo`` and ``lz4`` compression support via *IV_* variables to the
+ server.
***Security Considerations***
Compression and encryption is a tricky combination. If an attacker knows
- or is able to control (parts of) the plaintext of packets that contain
+ or is able to control (parts of) the plain-text of packets that contain
secrets, the attacker might be able to extract the secret if compression
- is enabled. See e.g. the CRIME and BREACH attacks on TLS which also
- leverage compression to break encryption. If you are not entirely sure
- that the above does not apply to your traffic, you are advised to
- *not* enable compression.
+ is enabled. See e.g. the *CRIME* and *BREACH* attacks on TLS and
+ *VORACLE* on VPNs which also leverage to break encryption. If you are not
+ entirely sure that the above does not apply to your traffic, you are
+ advised to *not* enable compression.
--comp-lzo mode
**DEPRECATED** Enable LZO compression algorithm. Compression is
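Review bot: two wording defects in the added text. In the :code:`stub`/:code:`stub-v2` paragraph, "wil disable announcing" should be "will disable announcing". In the Security Considerations paragraph, "which also leverage to break encryption" lost its object when it was reflowed; the removed line read "leverage compression to break encryption", and the new text should keep "compression". The change from "plaintext" to "plain-text" is a regression, since "plaintext" is the standard term in cryptography and matches how the attacks being cited (CRIME, BREACH) are described. Also, the unchanged context line just above this hunk's first change spells the attack "VORALCE" while the new Security Considerations text correctly spells it "VORACLE"; since this patch touches the same section, fix the context line too so the two spellings agree.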