OpenVPN compression

emammadov

It doesn't matter which compression setting I choose and keep Push compression unchecked, it is working well both in Windows and Linux machines. But if I choose Disable compression in Openvpn server and keep Push compression unchecked, then it is not working in Linux machines. To make it working, I have to check Push compression.

I have this logs in Openvpn Logs when Disable Compression and Push compression is checked. If I uncheck Push Compression, everything is okay in logs.

Mar 26 16:06:31 openvpn 29296 XX.XX.XX.XXX:60636 peer info: IV_TCPNL=1
Mar 26 16:06:31 openvpn 29296 XX.XX.XX.XXX:60636 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1550', remote='link-mtu 1549'
Mar 26 16:06:31 openvpn 29296 XX.XX.XX.XXX:60636 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Mar 26 16:06:31 openvpn 29296 XX.XX.XX.XXX:60636 [elvin] Peer Connection Initiated with [AF_INET]XX.XX.XX.XXX:60636
Mar 26 16:06:31 openvpn user 'elvin' authenticated

stephenw10

I've lost track of what the actual problem is here.

If you set a compression setting other than the default you have to either manually set that on the client to match or push the setting from the server. That seems like the expected behaviour.

Steve

emammadov

I set Compression to Omit Preference in Openvpn Server in pfSense, everything is okay. When I connect from android device with the software Openvpn Connect, the above logs appear in Openvpn logs in pfSense, but when I connect with Openvpn for Android, everyhing is okay in logs. Beside this, Openvpn Connect doesn't require "Password Protect Certificate" while others do.

stephenw10

@emammadov said in OpenVPN compression:

I have this logs in Openvpn Logs when Disable Compression and Push compression is checked. If I uncheck Push Compression, everything is okay in logs.

So you only see that logged when you set a non-default compression setting and push the value? And it doesn't actually break anything?

The client side is free to refuse whatever the server pushes though they would not usually as that allows them to connect. It may simply not be setting it. However even if doesn't if it still passes traffic what issue are you trying to address here?

Steve

Gertjan

General remark : You checked openvpnn version on both sides ?
Recent versions changed behaviour, "compress" is a part of that (because of the possible flaw).

Elrick75

Hi,

What is the good choice to ?

Disable Compression, retain compression packet framing (compress)

OR

No LZO Compression

Currently, i use No LZO Compression, i add both lines in ovpn client files :

comp-lzo no
push "comp-lzo no"

Many thanks for your advise.

Pippin

Select:
"Disable Compression, retain compression packet framing (compress)"
Check:
"Push Compression"
is the "right" way.

Mar 26 16:06:31 openvpn 29296 XX.XX.XX.XXX:60636 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1550', remote='link-mtu 1549'

IIRC, this is a bug in MTU calculation in OpenVPN which is being worked on.

Elrick75

i read here, they suggest "comp-lzo no" >http://www.dsih.fr/article/3158/chiffrement-compression-revisons-nos-configurations-openvpn.html

I'm not sure that comp-lzo no equal Disable Compression, retain compression packet framing (compress)

It seems to equal No LZO Compression

Are you sure about your information?

Pippin

@Elrick75 said in OpenVPN compression:

i read here, they suggest "comp-lzo no" >http://www.dsih.fr/article/3158/chiffrement-compression-revisons-nos-configurations-openvpn.html

I'm not sure that comp-lzo no equal Disable Compression, retain compression packet framing (compress)

It's not equal because compress is a new directive.

Are you sure about your information?

Yes.

If you have older clients then "comp-lzo no" together with ""Push Compression" would be prefered but that is not always possible because depending on the client side setting it can lead to a mismatch, thus failing connection.

Elrick75

I'm currently using OpenVPN 2.4.7 as client and 2.4.6 on server side (under pfSense).
My opvn client config files use these line:

comp-lzo no
push "comp-lzo no"

On server side, i use No LZO Compression

I would like to understand the difference between Disable Compression, retain compression packet framing (compress) and No LZO Compression to know if it have any interest to choose more than the other ????

About OpenVPN on server side, 2.4.6 is older version, 2.4.7 was released in February 2019, does it is possible to update it to lastest version? how to doing it from pfSense user interface?

Many thanks in advance.

Pippin

The difference is that
--comp-lzo is for all OpenVPN versions.
--compress is for version 2.4 and higher.

Also see the manual:
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage