PFSense/OpenVPN compression bug



  • Hi,

    I have an issue where I have the client side of an OVPN on PFSense (2.3.5-RELEASE-p2 (i386)). In the client setup compression is set to "Disabled - No compression" which generates a "comp-lzo no" line in the client config file.
    The server side (OVPN 2.4.4-2-ubuntu1.1) has all compression related config lines commented out with #.

    Auth works but I get LZO compression related errors in the logs and no traffic passes through. If I change compression in the client config to "No preference", I get no config line in the config file regarding compression and everything works.

    I'm guessing this is not as designed?


  • LAYER 8 Global Moderator

    Your version is no longer supported!!
    https://www.netgate.com/blog/pfsense-release-2-3-x-eol-reminder.html

    Let's say there was a bug - nobody is going to do anything since the 2.3 line is no longer supported.. Update to current pfsense 2.4.4p2 and while you're at it update to current openvpn on your server which is 2.4.6

    Current version of pfsense runs
    OpenVPN 2.4.6 amd64-portbld-freebsd11.2



  • What are the exact errors you're seeing? The --comp-lzo option was deprecated in OpenVPN 2.4 (https://community.openvpn.net/openvpn/wiki/DeprecatedOptions) but should only issue a warning if used. OpenVPN wasn't updated to 2.4 in pfSense until 2.4.4 (https://www.netgate.com/docs/pfsense/releases/2-4-new-features-and-changes.html), so you certainly have a version mismatch between client and server, but it's not clear why just using the deprecated compression option kills connectivity altogether. This open issue seems potentially related: https://community.openvpn.net/openvpn/ticket/952 . It sounds like you do have it working now with no compression though, so is your goal to get compression enabled, or just to understand why the --comp-lzo no option client-side was giving you errors?

    EDIT: johnpoz's answer to upgrade is definitely correct of course, unless you're stuck with 32-bit x86 hardware, but then it's probably worth upgrading the hardware too ☺ Probably not worth understanding the errors you're seeing now unless you have a purely academic interest in them.



  • @johnpoz Thanks for reply.
    My GUI says I'm on the latest version, weird...
    I guess some kind of "manual" upgrade is required then. It used to be as easy as clicking "upgrade"



  • @sanamon 2.3.5-p2 was the last version with 32-bit support, so I'm guessing that's probably why it's not giving you an upgrade option. But you can back up your config and do a full re-installation and config restore. Here's the upgrade guide:
    https://www.netgate.com/docs/pfsense/install/upgrade-guide.html


  • Rebel Alliance Developer Netgate

    i386 is no longer supported. If you have 64-bit hardware with a 32-bit install, you'll need to reinstall with a current 64-bit image. If the hardware only supports 32-bit, you need new hardware.

    As for the OpenVPN issue, that's due to the change in defaults of OpenVPN between 2.3 and 2.4 (that is OpenVPN 2.3 and 2.4, not pfSense). Even if you omit the option from both they won't match, since one will have compression on when not specified, and the other may not. You need to choose options on both that have the same net effect.

    If you care about attacks like VORACLE, you'll want to completely and explicitly disable compression on both ends.
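    The two points in this reply (both ends must produce the same net effect, and for VORACLE the directive should be gone from both) and the original poster's symptom (`comp-lzo no` on the client against a server with every compression line commented out) can be checked mechanically before a tunnel is brought up. The script below is an added example for this thread, not code from pfSense, Netgate or OpenVPN. Its framing table is this editor's summary of how OpenVPN 2.4's option parser maps each `comp-lzo`/`compress` form onto the wire: `comp-lzo no` still prepends the one-byte LZO header to every packet, so a peer with no directive at all reads that byte as the start of an IP packet (the classic "Bad LZO decompression header byte" log line) and nothing passes. The assumption that a client accepts a pushed compression option is marked in the code; host names and the sample configs are constructed.

```python
"""Audit an OpenVPN client/server config pair for compression mismatch.

Constructed example, not pfSense's or OpenVPN's own code. Framing classes
(this example's model of OpenVPN 2.4 option parsing):
  (no directive)                     -> no compression header        ("none")
  comp-lzo [yes|no|adaptive], compress lzo -> one header byte prepended ("v1")
  compress, compress stub, compress lz4   -> header byte swapped to tail ("v1-swap")
  compress lz4-v2, compress stub-v2       -> header only when compressed ("v2")
Peers with different framing cannot pass traffic even if neither compresses.
"""
import shlex

FRAMING = {
    ("comp-lzo", None): "v1", ("comp-lzo", "yes"): "v1",
    ("comp-lzo", "no"): "v1", ("comp-lzo", "adaptive"): "v1",
    ("compress", "lzo"): "v1",
    ("compress", None): "v1-swap", ("compress", "stub"): "v1-swap",
    ("compress", "lz4"): "v1-swap",
    ("compress", "lz4-v2"): "v2", ("compress", "stub-v2"): "v2",
}

# Settings under which payload is actually compressed (the VORACLE-relevant ones).
COMPRESSING = {
    ("comp-lzo", None), ("comp-lzo", "yes"), ("comp-lzo", "adaptive"),
    ("compress", "lzo"), ("compress", "lz4"), ("compress", "lz4-v2"),
}


def directives(text):
    """Yield (keyword, args) per config line; lines starting with '#' or ';' are comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # keeps push "compress lz4-v2" as one argument
        yield parts[0], parts[1:]


def own_setting(text):
    """Return the peer's local compression setting as (keyword, arg), or None."""
    setting = None
    for keyword, args in directives(text):
        if keyword in ("comp-lzo", "compress"):
            setting = (keyword, args[0] if args else None)  # last directive wins
    return setting


def pushed_setting(server_text):
    """Return the compression setting the server pushes to clients, or None."""
    pushed = None
    for keyword, args in directives(server_text):
        if keyword == "push" and args:
            inner = args[0].split()
            if inner and inner[0] in ("comp-lzo", "compress"):
                pushed = (inner[0], inner[1] if len(inner) > 1 else None)
    return pushed


def framing_of(setting):
    return "none" if setting is None else FRAMING.get(setting, "unknown")


def audit(client_text, server_text):
    """Compare both ends; return the framing each uses plus a list of findings."""
    server = own_setting(server_text)
    # Assumption: the client accepts pushed compression options (2.4 behaviour),
    # so a server push replaces whatever the client configured locally.
    pushed = pushed_setting(server_text)
    client = pushed if pushed is not None else own_setting(client_text)

    findings = []
    if framing_of(server) != framing_of(client):
        findings.append("framing mismatch: server=%s client=%s"
                        % (framing_of(server), framing_of(client)))
    if server in COMPRESSING or client in COMPRESSING:
        findings.append("payload compression enabled on at least one side")
    elif server is not None or client is not None:
        findings.append("compression framing enabled but unused; omit the "
                        "directive on both ends to disable it completely")
    return {"server": framing_of(server), "client": framing_of(client),
            "findings": findings}


# Constructed configs reproducing the original post: the client emits
# "comp-lzo no", the server has every compression line commented out.
CLIENT_NO = "client\ndev tun\nproto udp\nremote vpn.example.invalid 1194\ncomp-lzo no\n"
SERVER_NONE = "port 1194\nproto udp\ndev tun\n#comp-lzo\n#compress lz4-v2\n#push \"compress lz4-v2\"\n"

if __name__ == "__main__":
    for finding in audit(CLIENT_NO, SERVER_NONE)["findings"]:
        print(finding)
    fixed = CLIENT_NO.replace("comp-lzo no\n", "")
    print("after removing comp-lzo:", audit(fixed, SERVER_NONE)["findings"])
```

    Run against the original poster's pair it reports the framing mismatch (server `none`, client `v1`) plus a note that framing is present but unused; dropping the `comp-lzo no` line on the client, which is what "No preference" does in the pfSense GUI, leaves no findings, and a pair that both use `compress lz4-v2` passes the framing check but is flagged for live payload compression.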


  • LAYER 8 Rebel Alliance

    Some months ago, because of VORACLE, I disabled compression completely, for testing only on my RAS servers first... with a HUGE negative impact for my users.
    e.g. working with MS Office files from SMB shares and saving them took 5 to 10 times longer with compression off. Back to lz4-v2 now...

    -Rico