Re: [Openvpn-users] Is Data Channel Offload REALLY THAT awesome? A very privacy-centered VPN vendors turns off ovpn-dco

Thu, 09 Feb 2023 23:27:54 -0800 

Hi,

"turns off" is less something of "they do not think DCO is good" but
"they have no idea what they are doing".

On Thu, Feb 09, 2023 at 10:28:42PM +0100, Stella Ashburne wrote:
> Below are the contents of the config file:
[..]
> comp-lzo no

This command should not be there.  Very simple.  Because it serves no
purpose, except "increase the data channel overhead, and be incompatible
with DCO".

"comp-lzo no" is a historic misnomer, from before all of the current
developers got involved - it changes the data packet format from "plain,
uncompressed" to "compression framing, but do not send compressed packets"
(it would accept incoming compressed packets with this setting).

DCO does not support any sort of compression, because of VORACLE, and
"any" includes "does not support compression framing with uncompressed
packets".

Leaving it off does not make it work if turned on on the other end, as
one side "with compression framing" can not talk to the other side
"without compression framing".


[..]
> Below are the contents of connection log file:
> 
> 2023-02-08 04:21:36 us=625000 Note: '--allow-compression' is not set to 'no', 
> disabling data channel offload.

Arguably this message is slightly confusing, and it should point to
"--comp-lzo", not to "--allow-compression" (internally, these options
interact, and the code that does the DCO compatibility check is not
checking in the right order).  Arne has sent a patch to make this better.


The main difference between this and the Mullwad VPN is that "comp-lzo no"
is in the config file, so OpenVPN will detect an incompatible setting and
disable DCO.  With Mullvad, "comp-lzo no" is pushed from the server, and
at this point, OpenVPN can no longer disable DCO and ends in a state
where compression framing is off (because the kernel can't do it) but
the server expects it to be on - so, no data transfer.

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de

Attachment: signature.asc
Description: PGP signature

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users






















					Reply via email to