155 changes: 81 additions & 74 deletions docs/source/backends/openvpn.rst
Expand Up @@ -86,85 +86,92 @@ Required properties:
- proto
- dev

========================= ======= ============ ===========================
key name type default allowed values
========================= ======= ============ ===========================
``name`` string 2 to 24 alphanumeric
characters, dashes and
underscores
``mode`` string ``p2p`` or ``server``
``proto`` string ``udp``, ``tcp-client``,
``tcp-server``
``port`` integer ``1194`` integers
``data_ciphers`` list list of dicts, each dict
need to have ``cipher`` and
``optional``, see `cipher
property source code`_ for
the allowed ciphers
``data_ciphers_fallback`` string see `cipher property source
code`_
``dev_type`` string ``tun``, ``tap``
``dev`` string any non-whitespace
character (max length: 15)
``local`` string any string
``comp_lzo`` string ``adaptive`` ``yes``, ``no`` or
``adaptive``
``auth`` string ``SHA1`` see `auth property source
code`_
``cipher`` string ``BF-CBC`` see `cipher property source
code`_
``engine`` string ``bsd``, ``rsax``,
``dynamic`` or empty string
``ca`` string any non whitespace
character
``cert`` string any non whitespace
character
``key`` string any non whitespace
character
``pkcs12`` string any non whitespace
character
``tls_auth`` string string containing TLS Auth
key
``ns_cert_type`` string ``client``, ``server`` or
empty string
``mtu_disc`` string ``no`` ``no``, ``maybe`` or
``yes``
========================= ======= ========== =============================
key name type default allowed values
========================= ======= ========== =============================
``name`` string 2 to 24 alphanumeric
characters, dashes and
underscores
``mode`` string ``p2p`` or ``server``
``proto`` string ``udp``, ``tcp-client``,
``tcp-server``
``port`` integer ``1194`` integers
``data_ciphers`` list list of dicts, each dict need
to have ``cipher`` and
``optional``, see `cipher
property source code`_ for
the allowed ciphers
``data_ciphers_fallback`` string see `cipher property source
code`_
``dev_type`` string ``tun``, ``tap``
``dev`` string any non-whitespace character
(max length: 15)
``local`` string any string
``auth`` string ``SHA1`` see `auth property source
code`_
``cipher`` string ``BF-CBC`` see `cipher property source
code`_
``engine`` string ``bsd``, ``rsax``,
``dynamic`` or empty string
``ca`` string any non whitespace character
``cert`` string any non whitespace character
``key`` string any non whitespace character
``pkcs12`` string any non whitespace character
``tls_auth`` string string containing TLS Auth
key
``ns_cert_type`` string ``client``, ``server`` or
empty string
``mtu_disc`` string ``no`` ``no``, ``maybe`` or ``yes``
``mtu_test`` boolean ``False``
``fragment`` integer ``0`` any positive integer
``mssfix`` integer ``1450`` any positive integer
``keepalive`` string two numbers separated by
one space
``fragment`` integer ``0`` any positive integer
``mssfix`` integer ``1450`` any positive integer
``keepalive`` string two numbers separated by one
space
``persist_tun`` boolean ``False``
``persist_key`` boolean ``False``
``up`` string any non whitespace
character
``up_delay`` integer ``0`` any positive integer
``down`` string any non whitespace
character
``script_security`` integer ``1`` ``0``, ``1``, ``2``, ``3``
``user`` string any string
``group`` string any string
``mute`` integer ``0`` any positive integer
``status`` string string and number separated
by space, eg:
``/var/log/openvpn.status
10``
``status_version`` integer ``1`` ``1``, ``2``, ``3``
``up`` string any non whitespace character
``up_delay`` integer ``0`` any positive integer
``down`` string any non whitespace character
``script_security`` integer ``1`` ``0``, ``1``, ``2``, ``3``
``user`` string any string
``group`` string any string
``mute`` integer ``0`` any positive integer
``status`` string string and number separated
by space, eg:
``/var/log/openvpn.status
10``
``status_version`` integer ``1`` ``1``, ``2``, ``3``
``mute_replay_warnings`` boolean ``False``
``secret`` string any non whitespace
character
``reneg_sec`` integer ``3600`` any positive integer
``tls_timeout`` integer ``2`` any positive integer
``tls_cipher`` string any string
``remote_cert_tls`` string ``client``, ``server`` or
empty string
``secret`` string any non whitespace character
``reneg_sec`` integer ``3600`` any positive integer
``tls_timeout`` integer ``2`` any positive integer
``tls_cipher`` string any string
``remote_cert_tls`` string ``client``, ``server`` or
empty string
``float`` boolean ``False``
``auth_nocache`` boolean ``False``
``fast_io`` boolean ``False``
``log`` string filesystem path
``verb`` integer ``1`` from ``0`` (disabled) to
``11`` (very verbose)
========================= ======= ============ ===========================
``log`` string filesystem path
``verb`` integer ``1`` from ``0`` (disabled) to
``11`` (very verbose)
``allow_compression`` string ``""`` ``""`` (empty string to
remove the directive),
``asym`` (compression allowed
in one direction), ``no``
(disabled, default in OpenVPN
2.6), ``yes`` (allowed both
directions)
``compress`` string ``""`` ``""`` (empty string to
remove the directive),
``lzo``, ``lz4``, ``lz4-v2``,
``stub``, ``stub-v2``,
``migrate``.
``comp_lzo`` string **DEPRECATED**: ``yes``,
``no`` or ``adaptive``.
Default is empty string
(``""``). Use ``compress``
instead.
========================= ======= ========== =============================

Client specific settings
~~~~~~~~~~~~~~~~~~~~~~~~
Expand Down Expand Up @@ -221,8 +228,8 @@ type is one the following:
- lists

For a list of all the OpenVPN configuration settings, refer to the
`OpenVPN 2.3 manual
<https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage>`_.
`OpenVPN 2.6 manual
<https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html>`_.

.. _auth property source code: https://github.com/openwisp/netjsonconfig/blob/master/netjsonconfig/backends/openvpn/schema.py#L157-L186

2 changes: 2 additions & 0 deletions netjsonconfig/backends/openvpn/openvpn.py
Expand Up @@ -92,6 +92,8 @@ def auto_client(
"dev_type",
"dev",
"comp_lzo",
"compress",
"allow_compression",
"auth",
"cipher",
"ca",
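Review bot: Copying `allow_compression` verbatim from the server into the generated client carries over a direction-relative value: per the OpenVPN 2.6 manual, `asym` means "decompress incoming, never compress outgoing", so the same word on the client side describes the opposite traffic direction and a server set to `asym` produces a client that also refuses to compress. That is the safe outcome, but it is not a faithful mirror, so either a short comment on the new entry such as `# copied verbatim; "asym" is relative to the side it is set on` or an explicit mapping would make the intent clear. `auto_client` begins outside the hunk, so whether these keys are post-processed further down is not visible here.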
76 changes: 66 additions & 10 deletions netjsonconfig/backends/openvpn/schema.py
@@ -1,5 +1,5 @@
"""
OpenVpn 2.3 specific JSON-Schema definition
OpenVpn 2.6 specific JSON-Schema definition
"""

from copy import deepcopy
Expand Down Expand Up @@ -89,6 +89,16 @@
"RC2-OFB",
"none",
]

compression_algorithms = [
"lzo",
"lz4",
"lz4-v2",
"stub",
"stub-v2",
"migrate",
]

default_cipher = "AES-256-GCM"

base_openvpn_schema = {
Expand Down Expand Up @@ -143,15 +153,6 @@
"If unspecified, OpenVPN will bind to all interfaces.",
"propertyOrder": 8,
},
"comp_lzo": {
"title": "LZO compression",
"description": "Use fast LZO compression; may add up to 1 "
"byte per packet for incompressible data",
"type": "string",
"enum": ["yes", "no", "adaptive"],
"default": "adaptive",
"propertyOrder": 9,
},
"auth": {
"title": "auth digest algorithm",
"type": "string",
Expand Down Expand Up @@ -568,6 +569,61 @@
"description": "Set output verbosity for logging and debugging",
"propertyOrder": 52,
},
"allow_compression": {
"title": "allow compression",
"description": (
"Controls whether the peer is allowed to negotiate compression for the"
" VPN data channel. OpenVPN discourages the use of compression due to security"
" risks such as the VORACLE attack."
),
"type": "string",
"enum": ["", "asym", "no", "yes"],
"default": "",
"propertyOrder": 53,
},
"compress": {
"title": "compression algorithm",
"description": (
"Specifies the compression algorithm for the VPN data channel."
" OpenVPN discourages the use of compression due to security risks such as the"
" VORACLE attack. Leaving the value empty removes the compress directive from the"
" generated configuration."
),
"type": "string",
"enum": [""] + compression_algorithms,
"options": {
"enum_titles": [
"Disabled",
"LZO",
"LZ4",
"LZ4 v2",
"Stub (framing only)",
"Stub v2 (framing only)",
"Migrate (transition from comp-lzo)",
]
},
"default": "",
"propertyOrder": 54,
},
"comp_lzo": {
"title": "LZO compression",
"description": (
'DEPRECATED: Legacy LZO compression option. Use the "compression algorithm" option'
" instead. Leave empty unless compatibility with legacy OpenVPN clients is required."
),
"type": "string",
"enum": ["", "yes", "no", "adaptive"],
"options": {
"enum_titles": [
"disabled",
"yes",
"no",
"adaptive",
]
},
"default": "",
"propertyOrder": 55,
},
},
},
"client": {
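Review bot: In the `compress` property, `"enum": [""] + compression_algorithms` and the hand-written `enum_titles` list beneath it are kept in step only by position, so any later insertion or reordering in `compression_algorithms` (added in the hunk at line 89) silently mislabels every option after it; deriving both from one ordered mapping removes that drift, and as far as this diff shows nothing else consumes the list yet. The same positional coupling recurs in `comp_lzo`, whose titles are also capitalised differently from the ones above (`"disabled"` versus `"Disabled"`). Separately, `comp_lzo` now defaults to `""` where the removed definition defaulted to `"adaptive"`; if the renderer emits defaults, configurations that omit the key will stop producing `comp-lzo adaptive`, which is the safer direction but is a behaviour change worth stating in the PR description or changelog. The schema also leaves `compress` and `comp_lzo` settable together; how the renderer or OpenVPN resolves that combination is not visible here.
```python
compression_algorithms = {
    "lzo": "LZO",
    "lz4": "LZ4",
    "lz4-v2": "LZ4 v2",
    "stub": "Stub (framing only)",
    "stub-v2": "Stub v2 (framing only)",
    "migrate": "Migrate (transition from comp-lzo)",
}
# … unchanged: default_cipher, base_openvpn_schema up to "compress" …
        "compress": {
            # … unchanged: title, description …
            "type": "string",
            "enum": [""] + list(compression_algorithms),
            "options": {
                "enum_titles": ["Disabled"] + list(compression_algorithms.values())
            },
            "default": "",
            "propertyOrder": 54,
        },
```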