[change] OpenVPN: updated compression options #198

Closes #198

---------

Co-authored-by: Gagan Deep <pandafy.dev@gmail.com>
Co-authored-by: Federico Capoano <f.capoano@openwisp.io>

Author: 3 people

docs/source/backends/openvpn.rst

@@ -86,85 +86,92 @@ Required properties:
 - proto
 - dev
 
-========================= ======= ============ ===========================
-key name                  type    default      allowed values
-========================= ======= ============ ===========================
-``name``                  string               2 to 24 alphanumeric
-                                               characters, dashes and
-                                               underscores
-``mode``                  string               ``p2p`` or ``server``
-``proto``                 string               ``udp``, ``tcp-client``,
-                                               ``tcp-server``
-``port``                  integer ``1194``     integers
-``data_ciphers``          list                 list of dicts, each dict
-                                               need to have ``cipher`` and
-                                               ``optional``, see `cipher
-                                               property source code`_ for
-                                               the allowed ciphers
-``data_ciphers_fallback`` string               see `cipher property source
-                                               code`_
-``dev_type``              string               ``tun``, ``tap``
-``dev``                   string               any non-whitespace
-                                               character (max length: 15)
-``local``                 string               any string
-``comp_lzo``              string  ``adaptive`` ``yes``, ``no`` or
-                                               ``adaptive``
-``auth``                  string  ``SHA1``     see `auth property source
-                                               code`_
-``cipher``                string  ``BF-CBC``   see `cipher property source
-                                               code`_
-``engine``                string               ``bsd``, ``rsax``,
-                                               ``dynamic`` or empty string
-``ca``                    string               any non whitespace
-                                               character
-``cert``                  string               any non whitespace
-                                               character
-``key``                   string               any non whitespace
-                                               character
-``pkcs12``                string               any non whitespace
-                                               character
-``tls_auth``              string               string containing TLS Auth
-                                               key
-``ns_cert_type``          string               ``client``, ``server`` or
-                                               empty string
-``mtu_disc``              string  ``no``       ``no``, ``maybe`` or
-                                               ``yes``
+========================= ======= ========== =============================
+key name                  type    default    allowed values
+========================= ======= ========== =============================
+``name``                  string             2 to 24 alphanumeric
+                                             characters, dashes and
+                                             underscores
+``mode``                  string             ``p2p`` or ``server``
+``proto``                 string             ``udp``, ``tcp-client``,
+                                             ``tcp-server``
+``port``                  integer ``1194``   integers
+``data_ciphers``          list               list of dicts, each dict need
+                                             to have ``cipher`` and
+                                             ``optional``, see `cipher
+                                             property source code`_ for
+                                             the allowed ciphers
+``data_ciphers_fallback`` string             see `cipher property source
+                                             code`_
+``dev_type``              string             ``tun``, ``tap``
+``dev``                   string             any non-whitespace character
+                                             (max length: 15)
+``local``                 string             any string
+``auth``                  string  ``SHA1``   see `auth property source
+                                             code`_
+``cipher``                string  ``BF-CBC`` see `cipher property source
+                                             code`_
+``engine``                string             ``bsd``, ``rsax``,
+                                             ``dynamic`` or empty string
+``ca``                    string             any non whitespace character
+``cert``                  string             any non whitespace character
+``key``                   string             any non whitespace character
+``pkcs12``                string             any non whitespace character
+``tls_auth``              string             string containing TLS Auth
+                                             key
+``ns_cert_type``          string             ``client``, ``server`` or
+                                             empty string
+``mtu_disc``              string  ``no``     ``no``, ``maybe`` or ``yes``
 ``mtu_test``              boolean ``False``
-``fragment``              integer ``0``        any positive integer
-``mssfix``                integer ``1450``     any positive integer
-``keepalive``             string               two numbers separated by
-                                               one space
+``fragment``              integer ``0``      any positive integer
+``mssfix``                integer ``1450``   any positive integer
+``keepalive``             string             two numbers separated by one
+                                             space
 ``persist_tun``           boolean ``False``
 ``persist_key``           boolean ``False``
-``up``                    string               any non whitespace
-                                               character
-``up_delay``              integer ``0``        any positive integer
-``down``                  string               any non whitespace
-                                               character
-``script_security``       integer ``1``        ``0``, ``1``, ``2``, ``3``
-``user``                  string               any string
-``group``                 string               any string
-``mute``                  integer ``0``        any positive integer
-``status``                string               string and number separated
-                                               by space, eg:
-                                               ``/var/log/openvpn.status
-                                               10``
-``status_version``        integer ``1``        ``1``, ``2``, ``3``
+``up``                    string             any non whitespace character
+``up_delay``              integer ``0``      any positive integer
+``down``                  string             any non whitespace character
+``script_security``       integer ``1``      ``0``, ``1``, ``2``, ``3``
+``user``                  string             any string
+``group``                 string             any string
+``mute``                  integer ``0``      any positive integer
+``status``                string             string and number separated
+                                             by space, eg:
+                                             ``/var/log/openvpn.status
+                                             10``
+``status_version``        integer ``1``      ``1``, ``2``, ``3``
 ``mute_replay_warnings``  boolean ``False``
-``secret``                string               any non whitespace
-                                               character
-``reneg_sec``             integer ``3600``     any positive integer
-``tls_timeout``           integer ``2``        any positive integer
-``tls_cipher``            string               any string
-``remote_cert_tls``       string               ``client``, ``server`` or
-                                               empty string
+``secret``                string             any non whitespace character
+``reneg_sec``             integer ``3600``   any positive integer
+``tls_timeout``           integer ``2``      any positive integer
+``tls_cipher``            string             any string
+``remote_cert_tls``       string             ``client``, ``server`` or
+                                             empty string
 ``float``                 boolean ``False``
 ``auth_nocache``          boolean ``False``
 ``fast_io``               boolean ``False``
-``log``                   string               filesystem path
-``verb``                  integer ``1``        from ``0`` (disabled) to
-                                               ``11`` (very verbose)
-========================= ======= ============ ===========================
+``log``                   string             filesystem path
+``verb``                  integer ``1``      from ``0`` (disabled) to
+                                             ``11`` (very verbose)
+``allow_compression``     string  ``""``     ``""`` (empty string to
+                                             remove the directive),
+                                             ``asym`` (compression allowed
+                                             in one direction), ``no``
+                                             (disabled, default in OpenVPN
+                                             2.6), ``yes`` (allowed both
+                                             directions)
+``compress``              string  ``""``     ``""`` (empty string to
+                                             remove the directive),
+                                             ``lzo``, ``lz4``, ``lz4-v2``,
+                                             ``stub``, ``stub-v2``,
+                                             ``migrate``.
+``comp_lzo``              string             **DEPRECATED**: ``yes``,
+                                             ``no`` or ``adaptive``.
+                                             Default is empty string
+                                             (``""``). Use ``compress``
+                                             instead.
+========================= ======= ========== =============================
 
 Client specific settings
 ~~~~~~~~~~~~~~~~~~~~~~~~
@@ -221,8 +228,8 @@ type is one the following:
 - lists
 
 For a list of all the OpenVPN configuration settings, refer to the
-`OpenVPN 2.3 manual
-<https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage>`_.
+`OpenVPN 2.6 manual
+<https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html>`_.
 
 .. _auth property source code: https://github.com/openwisp/netjsonconfig/blob/master/netjsonconfig/backends/openvpn/schema.py#L157-L186
 

netjsonconfig/backends/openvpn/openvpn.py

@@ -92,6 +92,8 @@ def auto_client(
             "dev_type",
             "dev",
             "comp_lzo",
+            "compress",
+            "allow_compression",
             "auth",
             "cipher",
             "ca",

netjsonconfig/backends/openvpn/schema.py

@@ -1,5 +1,5 @@
 """
-OpenVpn 2.3 specific JSON-Schema definition
+OpenVpn 2.6 specific JSON-Schema definition
 """
 
 from copy import deepcopy
@@ -89,6 +89,16 @@
     "RC2-OFB",
     "none",
 ]
+
+compression_algorithms = [
+    "lzo",
+    "lz4",
+    "lz4-v2",
+    "stub",
+    "stub-v2",
+    "migrate",
+]
+
 default_cipher = "AES-256-GCM"
 
 base_openvpn_schema = {
@@ -143,15 +153,6 @@
                     "If unspecified, OpenVPN will bind to all interfaces.",
                     "propertyOrder": 8,
                 },
-                "comp_lzo": {
-                    "title": "LZO compression",
-                    "description": "Use fast LZO compression; may add up to 1 "
-                    "byte per packet for incompressible data",
-                    "type": "string",
-                    "enum": ["yes", "no", "adaptive"],
-                    "default": "adaptive",
-                    "propertyOrder": 9,
-                },
                 "auth": {
                     "title": "auth digest algorithm",
                     "type": "string",
@@ -568,6 +569,61 @@
                     "description": "Set output verbosity for logging and debugging",
                     "propertyOrder": 52,
                 },
+                "allow_compression": {
+                    "title": "allow compression",
+                    "description": (
+                        "Controls whether the peer is allowed to negotiate compression for the"
+                        " VPN data channel. OpenVPN discourages the use of compression due to security"
+                        " risks such as the VORACLE attack."
+                    ),
+                    "type": "string",
+                    "enum": ["", "asym", "no", "yes"],
+                    "default": "",
+                    "propertyOrder": 53,
+                },
+                "compress": {
+                    "title": "compression algorithm",
+                    "description": (
+                        "Specifies the compression algorithm for the VPN data channel."
+                        " OpenVPN discourages the use of compression due to security risks such as the"
+                        " VORACLE attack. Leaving the value empty removes the compress directive from the"
+                        " generated configuration."
+                    ),
+                    "type": "string",
+                    "enum": [""] + compression_algorithms,
+                    "options": {
+                        "enum_titles": [
+                            "Disabled",
+                            "LZO",
+                            "LZ4",
+                            "LZ4 v2",
+                            "Stub (framing only)",
+                            "Stub v2 (framing only)",
+                            "Migrate (transition from comp-lzo)",
+                        ]
+                    },
+                    "default": "",
+                    "propertyOrder": 54,
+                },
+                "comp_lzo": {
+                    "title": "LZO compression",
+                    "description": (
+                        'DEPRECATED: Legacy LZO compression option. Use the "compression algorithm" option'
+                        " instead. Leave empty unless compatibility with legacy OpenVPN clients is required."
+                    ),
+                    "type": "string",
+                    "enum": ["", "yes", "no", "adaptive"],
+                    "options": {
+                        "enum_titles": [
+                            "disabled",
+                            "yes",
+                            "no",
+                            "adaptive",
+                        ]
+                    },
+                    "default": "",
+                    "propertyOrder": 55,
+                },
             },
         },
         "client": {