Netgate Discussion Forum

OpenVPN compression

General pfSense Questions
37 Posts 8 Posters 18.9k Views
    emammadov
    last edited by emammadov Mar 13, 2019, 12:24 PM Mar 13, 2019, 11:18 AM

    Hello,
    I want to set up OpenVPN; Compression has multiple options. In the past I chose Adaptive LZO Compression, but recently I read that Adaptive LZO Compression is deprecated in version 2.4 and has been removed in 2.5. Which option is recommended? "Omit Preference (Use OpenVPN Default)" is chosen by default.

    0_1552475841348_openvpn.jpg

    Elvin

      jimp Rebel Alliance Developer Netgate
      last edited by Mar 13, 2019, 12:49 PM

      The current best practice is to disable compression for OpenVPN, due to attacks such as VORACLE which are possible when VPN traffic is compressed.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

        pfSenseTest
        last edited by Mar 13, 2019, 12:51 PM

        Best to remove the compression line completely from server and client config because of Voracle...
        https://community.openvpn.net/openvpn/wiki/VORACLE

        However, server may require it if you don't control it yourself.

        2x SG-5100 | MBT-4220 (retired) | SG-1000 (retired)

          emammadov
          last edited by emammadov Mar 13, 2019, 1:40 PM Mar 13, 2019, 1:31 PM

          Thank you for your replies. I selected "Disable Compression, retain compression packet framing (compress)". On our previous pfSense I selected Disable Compression for testing; then I could connect but could not access servers and had no internet connection. I selected Adaptive LZO Compression again, and it began working. Should I export the VPN files again after changing compression?

          Elvin

            Rico LAYER 8 Rebel Alliance
            last edited by Mar 13, 2019, 1:54 PM

            I use Push Compression option on the OpenVPN Server side and add compress to the client config file.
            Then I am able to switch server side compression settings without touching any of the client stuff. ☺

            -Rico

              emammadov
              last edited by Mar 13, 2019, 3:04 PM

              But due to the Voracle attack, it is said not to use compression and it should be disabled. But my question is different.

              Elvin

                Rico LAYER 8 Rebel Alliance
                last edited by Mar 13, 2019, 3:11 PM

                It's not, with the compress option in Client Config and Push Compression (Server side) you should be able to push "Disable Compression, retain compression packet framing (compress)".

                -Rico

                  emammadov
                  last edited by emammadov Mar 13, 2019, 4:31 PM Mar 13, 2019, 4:30 PM

                  It is not clear to me, so let me explain in full. We are using pfSense at our office at the moment. Adaptive LZO Compression has been chosen in VPN / OpenVPN / Servers. Users jimp and pfSenseTest said not to use compression and to disable it because of the VORACLE attack. So I changed compression from "Adaptive LZO Compression" to "Disable Compression, retain compression packet framing (compress)". But after that, when users connect, they don't see our network. I switched it back, and it began to work. Now my question is: after disabling compression, should I export new VPN files for the users?

                  Elvin

                    jimp Rebel Alliance Developer Netgate
                    last edited by Mar 13, 2019, 6:39 PM

                    The clients all have to be changed to match. Everyone has to agree on the compression setting, or you have to set the server to push it.


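                    The rules given in this thread (turn real compression off because of VORACLE, keep the `compress` framing on clients so the server's push decides, and make sure both ends agree) can be checked mechanically against a server config and the exported client profiles. The script below is an added example, not pfSense or OpenVPN code: it classifies the compression directives in a config file and compares a server config with a client profile. The sample files it writes are constructed; the mapping from the pfSense dropdown labels to directives (`comp-lzo adaptive` for Adaptive LZO, `compress` with no algorithm for the "retain compression packet framing" option, `push "compress"` for Push Compression) is assumed from the labels and not verified against the config pfSense actually generates. `compress stub` and `compress stub-v2` are treated as framing-only because the OpenVPN manual lists them as algorithms that do not compress.

```shell
#!/bin/sh
# Audit OpenVPN configs for compression posture (added example; not pfSense code).
# States: none         - no compression directive at all ("Omit Preference")
#         framing-only - "compress" with no algorithm, or "comp-lzo no":
#                        compression off, framing kept, so a push can change it
#         enabled      - any directive that actually compresses (VORACLE exposure)

# Classify one directive: $1 = directive name, $2 = its argument (may be empty).
classify_directive() {
    case "$1" in
        compress)
            case "${2:-}" in
                ""|stub|stub-v2) echo framing-only ;;   # stub variants = no algorithm
                *)               echo enabled ;;        # lzo, lz4, lz4-v2
            esac ;;
        comp-lzo)
            case "${2:-adaptive}" in                    # bare comp-lzo means adaptive
                no) echo framing-only ;;
                *)  echo enabled ;;                     # yes or adaptive
            esac ;;
        *) echo none ;;
    esac
}

# Scan a config. $1 = file, $2 = "local" (directives applied on this side)
# or "pushed" (what a server sends clients via push "..."). Last directive wins.
ovpn_scan() {
    file=$1; mode=$2; state=none
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}; line=${line%%;*}             # OpenVPN comments: # and ;
        set -- $line                                   # word-split the directive
        [ $# -eq 0 ] && continue
        if [ "$1" = push ]; then
            [ "$mode" = pushed ] || continue
            shift
            set -- $(printf '%s' "$*" | tr -d '"')     # unquote push "compress lz4"
        else
            [ "$mode" = local ] || continue
        fi
        found=$(classify_directive "$1" "${2:-}")
        [ "$found" = none ] || state=$found
    done < "$file"
    echo "$state"
}

# Compare a server config with a client profile, as jimp's rule requires:
# both ends must agree, or the server must push the setting to a client
# that kept the framing. $1 = server config, $2 = client profile.
ovpn_pair_verdict() {
    s=$(ovpn_scan "$1" local); p=$(ovpn_scan "$1" pushed); c=$(ovpn_scan "$2" local)
    if [ "$s" = enabled ] || [ "$p" = enabled ] || [ "$c" = enabled ]; then
        echo compression-enabled        # fix this first: VORACLE-exposed tunnel
    elif [ "$p" != none ] && [ "$c" != none ]; then
        echo ok-pushed                  # client kept framing; server's push decides
    elif [ "$s" = "$c" ]; then
        echo ok-matched                 # both sides set the same thing by hand
    else
        echo mismatch                   # framing on one end only: the tunnel comes
    fi                                  # up but the ends disagree on packet format
}

# Constructed sample files for the demo (labels follow the pfSense GUI; the
# exact directives pfSense writes for each label are an assumption).
make_sample_profiles() {
    dir=$1
    printf 'comp-lzo adaptive\n'         > "$dir/server-before.conf"  # "Adaptive LZO Compression"
    printf 'compress\npush "compress"\n' > "$dir/server-after.conf"   # framing only + Push Compression
    printf 'compress\n'                  > "$dir/server-nopush.conf"  # framing only, nothing pushed
    printf 'comp-lzo adaptive\n'         > "$dir/client-old.ovpn"     # stale export, still compressing
    printf 'compress\n'                  > "$dir/client-new.ovpn"     # re-exported after the change
    printf '# no compression directive\n' > "$dir/client-none.ovpn"   # "Omit Preference"
}

# Demo: which constructed client profile works against the hardened server?
demo_dir=$(mktemp -d)
make_sample_profiles "$demo_dir"
for cl in client-old.ovpn client-new.ovpn client-none.ovpn; do
    printf '%-16s -> %s\n' "$cl" "$(ovpn_pair_verdict "$demo_dir/server-after.conf" "$demo_dir/$cl")"
done
rm -rf "$demo_dir"
```

                    Run it against the real server config and a directory of exported `.ovpn` files to see which clients still carry an old `comp-lzo` line and which will silently disagree with the server. A client with no compression directive at all is deliberately not counted as safe to receive a push here; the conservative reading is that only a client that kept the framing is guaranteed to follow the server's pushed setting.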
                      emammadov
                      last edited by emammadov Mar 14, 2019, 5:20 PM Mar 14, 2019, 5:17 PM

                      Thanks. After I selected "Push Compression" in OpenVPN, there are new entries in the System Logs which I have never seen before. Is this normal?

                      Mar 14 21:11:46 kernel em0: promiscuous mode enabled
                      Mar 14 21:11:46 kernel bge0: promiscuous mode enabled
                      Mar 14 21:11:46 kernel vr0.460: promiscuous mode enabled
                      Mar 14 21:11:46 kernel vr0: promiscuous mode enabled
                      Mar 14 21:11:46 kernel re1: promiscuous mode enabled
                      Mar 14 21:11:46 kernel re0: promiscuous mode enabled
                      Mar 14 21:11:45 kernel em0: promiscuous mode disabled
                      Mar 14 21:11:45 kernel bge0: promiscuous mode disabled
                      Mar 14 21:11:45 kernel vr0.460: promiscuous mode disabled
                      Mar 14 21:11:45 kernel vr0: promiscuous mode disabled
                      Mar 14 21:11:45 kernel re1: promiscuous mode disabled
                      Mar 14 21:11:45 kernel re0: promiscuous mode disabled
                      Mar 14 21:11:45 kernel pid 7858 (ntopng), uid 0: exited on signal 11 (core dumped)

                      Elvin

                        stephenw10 Netgate Administrator
                        last edited by Mar 16, 2019, 2:51 PM

                        None of those are OpenVPN related.

                          Pippin
                          last edited by Mar 16, 2019, 3:02 PM

                          Probably from packet capture?

                          I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                          Halton Arp

                            stephenw10 Netgate Administrator
                            last edited by Mar 16, 2019, 4:12 PM

                            Looks more like ntopng restarting, taking all the interfaces out of promiscuous mode and then putting them back in.

                            Still unrelated to OpenVPN though. 😉

                            Steve

                              emammadov
                              last edited by emammadov Mar 23, 2019, 12:09 PM Mar 23, 2019, 6:18 AM

                              I still have the same issue. I installed a fresh pfSense and disabled compression. Windows machines and mobile phones connect and can access the local network. Linux machines connect but can't access the local network. I exported the Viscosity Bundle VPN files from OpenVPN Client Export and imported the files under OpenVPN / Network Connections in Linux Mint. If I use compression on the OpenVPN server, export new files and import them into the Linux OS, then the Linux machines can access the local network.

                              But if I export the Archive from the OpenVPN server in pfSense, open a terminal in Linux and run this command:
                              sudo openvpn --config user.ovpn
                              and enter the username and password, then it connects and can access the local network.

                              Elvin

                                stephenw10 Netgate Administrator
                                last edited by Mar 24, 2019, 12:20 PM

                                You can edit the VPN connection in Linux Mint to change the compression settings.
                                Does it match what you set in pfSense? Can you change it to match? Does that then allow access?

                                Steve

                                  emammadov
                                  last edited by Mar 24, 2019, 1:09 PM

                                  If I choose one of the options in Compression, save, export new files and import them into Linux Mint, then I connect and can access the local network.
                                  The default was "Omit Preference (Use OpenVPN Default)". Because of the VORACLE attack, I chose "Disable Compression, retain compression packet framing (compress)".

                                  There is also an option in the Compression settings: "No LZO Compression (Legacy style, comp-lzo-no)".

                                  To disable Compression, did I choose the right option? - "Disable Compression, retain compression packet framing (compress)".

                                  Elvin

                                    emammadov
                                    last edited by emammadov Mar 24, 2019, 1:44 PM Mar 24, 2019, 1:38 PM

                                    "Disable Compression, retain compression packet framing (compress)" is selected in Compression, and I checked "Push Compression". After that, when I connect to the VPN, I can access the local network. But I wonder why I have to check Push Compression?

                                    But I ask again. To disable Compression, did I choose the right option? - "Disable Compression, retain compression packet framing (compress)".

                                    Elvin

                                      stephenw10 Netgate Administrator
                                      last edited by Mar 24, 2019, 6:32 PM

                                      What does it show in the client in Mint when you do that?

                                      I always choose omit preference there unless the other end has some specific setting that requires it.

                                      Steve

                                        emammadov @stephenw10
                                        last edited by Mar 25, 2019, 5:26 AM

                                        @stephenw10 It shows nothing. I suggest you do it in your test environment to find out why it happens; maybe there is a bug and it needs to be fixed. I read again that the pfSense developers say not to use compression and to disable it, because you may be a victim of the VORACLE attack.

                                        Elvin

                                          stephenw10 Netgate Administrator
                                          last edited by stephenw10 Mar 25, 2019, 11:39 AM Mar 25, 2019, 11:36 AM

                                          I have such a tunnel configured right now. It works fine with the inline config imported to Mint, I can ping across it.

                                          Selection_596.png

                                          That's against an SG-1100 running 2.4.4p2

                                          In Mint that looks like this:
                                          Selection_597.png

                                          Steve

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.