    OpenVPN compression

    General pfSense Questions

• emammadov

      Hello,
I want to set up OpenVPN. Compression has multiple options. In the past I have chosen Adaptive LZO Compression; recently I have read that Adaptive LZO Compression is deprecated in version 2.4 and has been removed in 2.5. Which option is recommended to choose? "Omit Preference (Use OpenVPN Default)" has been chosen by default.

[screenshot: openvpn.jpg]

      Elvin

• jimp (Rebel Alliance Developer, Netgate)

        The current best practice is to disable compression for OpenVPN, due to attacks such as VORACLE which are possible when VPN traffic is compressed.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!
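
To make concrete why jimp's advice holds, here is an added example; it is not code from this thread, from OpenVPN or from pfSense. It runs a byte-at-a-time compression-oracle attack of the kind VORACLE describes against a constructed HTTP request. The compressor is a small greedy LZ77 model with an explicit bit cost (an assumption standing in for LZO/LZ4, chosen so the outcome is deterministic); the request layout, the secret cookie value and the attacker-controlled path are all constructed; and the attacker observes nothing but the size of each compressed record, which is exactly what encryption leaves visible. The same routine run with compression off shows why disabling it removes the signal.

```python
"""Toy compression-oracle attack of the kind VORACLE relies on.

Constructed example for this thread, not OpenVPN code and not real LZO/LZ4:
a greedy LZ77 model with an explicit bit cost stands in for the tunnel's
compressor, so the only thing the attacker learns is the size of the
(would-be encrypted) compressed record.
"""
from typing import Optional

# Cost model of the toy compressor (assumptions, not OpenVPN's real encoding).
LITERAL_BITS = 1 + 8        # flag + raw byte
MATCH_BITS = 1 + 12 + 8     # flag + back-reference distance + length
MIN_MATCH = 3
MAX_MATCH = 258


def lz77_bits(data: bytes) -> int:
    """Size in bits of a greedy LZ77 parse of data; repeats of earlier text
    become one back-reference. Longer repeats -> fewer bits: the side channel."""
    bits = 0
    i = 0
    n = len(data)
    while i < n:
        best = 0
        for j in range(i):
            k = 0
            while i + k < n and k < MAX_MATCH and data[j + k] == data[i + k]:
                k += 1
            best = max(best, k)
        if best >= MIN_MATCH:
            bits += MATCH_BITS
            i += best
        else:
            bits += LITERAL_BITS
            i += 1
    return bits


def record_size(plaintext: bytes, compress: bool) -> int:
    """What the observer sees: the record length, compressed or raw. The
    cipher is assumed to hide content but not length."""
    return lz77_bits(plaintext) if compress else 8 * len(plaintext)


# Constructed victim traffic: a request the victim's browser sends through the
# tunnel. The attacker controls the path (e.g. via a resource it made the
# browser fetch); the cookie value is the secret. Token chosen with distinct
# hex digits so the walk-through stays unambiguous.
SECRET = b"7f3a9c"
ALPHABET = b"0123456789abcdef"


def victim_request(attacker_path: bytes, secret: bytes = SECRET) -> bytes:
    return (b"GET /" + attacker_path + b" HTTP/1.1\r\n"
            + b"Host: intranet.example\r\n"
            + b"Cookie: session=" + secret + b"\r\n\r\n")


def recover_secret(compress: bool, length: int = len(SECRET)) -> Optional[bytes]:
    """Byte-at-a-time recovery: inject 'session=<known><guess>' and keep the
    guess whose record is strictly smallest (a correct guess extends the
    back-reference by one byte and saves one literal). Returns None when the
    oracle yields no unique minimum, which is what happens with compression off."""
    known = b""
    for _ in range(length):
        sizes = {}
        for g in ALPHABET:
            guess = bytes([g])
            sizes[guess] = record_size(victim_request(b"session=" + known + guess), compress)
        smallest = min(sizes.values())
        winners = [g for g, size in sizes.items() if size == smallest]
        if len(winners) != 1:
            return None
        known += winners[0]
    return known


if __name__ == "__main__":
    print("compression on :", recover_secret(compress=True))
    print("compression off:", recover_secret(compress=False))
```

With compression on, the token comes out in sixteen guesses per byte; with compression off every guess produces the same record length and the loop stops on the first byte. Real compressors add measurement noise but show the same effect, so the defence is the one this thread settles on: no payload compression on either side of the tunnel.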

• pfSenseTest

          Best to remove the compression line completely from server and client config because of Voracle...
          https://community.openvpn.net/openvpn/wiki/VORACLE

However, the server may require it if you don't control it yourself.

          2x SG-5100 | MBT-4220 (retired) | SG-1000 (retired)

• emammadov

Thank you for your replies. I selected "Disable Compression, retain compression packet framing (compress)". In our past pfSense I selected Disable Compression for testing; then I could connect but could not access servers and had no internet connection. I selected Adaptive LZO Compression back, and now it began working. Should I export the VPN files again after changing compression?

• Rico (LAYER 8, Rebel Alliance)

I use the Push Compression option on the OpenVPN server side and add compress to the client config file.
Then I am able to switch server-side compression settings without touching any of the client stuff. ☺

              -Rico

              2x Netgate XG-7100 | 11x Netgate SG-5100 | 6x Netgate SG-3100 | 2x Netgate SG-1100

• emammadov

But due to the VORACLE attack, it is said not to use compression and that it should be disabled. But my question is different.

• Rico (LAYER 8, Rebel Alliance)

It's not. With the compress option in the client config and Push Compression (server side), you should be able to push "Disable Compression, retain compression packet framing (compress)".

• emammadov

It is not clear to me. Let me explain comprehensively. We are using pfSense at our office at the moment. Adaptive LZO Compression has been chosen in VPN / OpenVPN / Servers. Jimp and pfSenseTest said not to use compression at the moment and to disable it because of the VORACLE attack. So I changed compression from "Adaptive LZO Compression" to "Disable Compression, retain compression packet framing (compress)". But after that, when users connect, they don't see our network; I switched it back, and it began to work. Now my question is: after disabling compression, should I export new VPN files for users?

• jimp (Rebel Alliance Developer, Netgate)

                      The clients all have to be changed to match. Everyone has to agree on the compression setting, or you have to set the server to push it.

• emammadov

Thanks. After I selected "Push Compression" in OpenVPN, there are new entries in the System Logs which I have never seen before. Is it normal?

                        Mar 14 21:11:46 kernel em0: promiscuous mode enabled
                        Mar 14 21:11:46 kernel bge0: promiscuous mode enabled
                        Mar 14 21:11:46 kernel vr0.460: promiscuous mode enabled
                        Mar 14 21:11:46 kernel vr0: promiscuous mode enabled
                        Mar 14 21:11:46 kernel re1: promiscuous mode enabled
                        Mar 14 21:11:46 kernel re0: promiscuous mode enabled
                        Mar 14 21:11:45 kernel em0: promiscuous mode disabled
                        Mar 14 21:11:45 kernel bge0: promiscuous mode disabled
                        Mar 14 21:11:45 kernel vr0.460: promiscuous mode disabled
                        Mar 14 21:11:45 kernel vr0: promiscuous mode disabled
                        Mar 14 21:11:45 kernel re1: promiscuous mode disabled
                        Mar 14 21:11:45 kernel re0: promiscuous mode disabled
                        Mar 14 21:11:45 kernel pid 7858 (ntopng), uid 0: exited on signal 11 (core dumped)

• stephenw10 (Netgate Administrator)

                          None of those are OpenVPN related.

• Pippin

                            Probably from packet capture?

                            I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                            Halton Arp

• stephenw10 (Netgate Administrator)

                              Looks more like ntopng restarting, taking all the interfaces out of promiscuous mode and then putting them back in.

Still unrelated to OpenVPN though. 😉

                              Steve

• emammadov

I still have the same issue. I installed a fresh pfSense and disabled compression. Windows machines and mobile phones connect and can access the local network. Linux machines connect but can't access the local network. I exported the VPN files as a Viscosity Bundle in OpenVPN Client Export and imported the files in OpenVPN / Network Connection in Linux Mint. If I use compression in the OpenVPN server, export new files and import them in Linux, then the Linux machines can access the local network.

But if I export the Archive from the OpenVPN server in pfSense, open a terminal in Linux and run this command:
sudo openvpn --config user.ovpn
and enter the username and password, then it connects and can access the local network.

• stephenw10 (Netgate Administrator)

                                  You can edit the VPN connection in Linux Mint to change the compression settings.
                                  Does it match what you set in pfSense? Can you change it to match? Does that then allow access?

• emammadov

If I choose one of the options in Compression, save, export new files and import them in Linux Mint, then I connect and can access the local network.
The default was "Omit Preference (Use OpenVPN Default)". Because of the VORACLE attack, I chose "Disable Compression, retain compression packet framing (compress)".

                                    There is also option in Compression settings: "No LZO Compression (Legacy style, comp-lzo-no)".

                                    To disable Compression, did I choose the right option? - "Disable Compression, retain compression packet framing (compress)".

• emammadov

"Disable Compression, retain compression packet framing (compress)" is selected in Compression. And I checked "Push Compression"; after that, when I connect to the VPN, I can access the local network. But I wonder why I have to check Push Compression?

                                      But I ask again. To disable Compression, did I choose the right option? - "Disable Compression, retain compression packet framing (compress)".

• stephenw10 (Netgate Administrator)

                                        What does it show in the client in Mint when you do that?

                                        I always choose omit preference there unless the other end has some specific setting that requires it.

• emammadov (replying to stephenw10)

@stephenw10 It shows nothing. I suggest you do it in your test environment to find out why it happens; maybe there is a bug and it needs to be fixed. I read again that pfSense developers say not to use compression and to disable it, because you may be a victim of the VORACLE attack.

• stephenw10 (Netgate Administrator)

                                            I have such a tunnel configured right now. It works fine with the inline config imported to Mint, I can ping across it.

[screenshot: Selection_596.png]

                                            That's against an SG-1100 running 2.4.4p2

                                            In Mint that looks like this:
[screenshot: Selection_597.png]

• emammadov

Select Disable Compression in the Compression settings and uncheck Push Compression in the OpenVPN server, then export the bundle and import it in Linux Mint. You will see what I mean.

• stephenw10 (Netgate Administrator)

                                                Compression is disabled by default, why would I do that?

                                                You still haven't said what Mint shows it's using for compression in the situation where there is seemingly a mismatch.

• Gertjan

Just checking:

[screenshot]

really? tap!?

                                                  No "help me" PM's please. Use the forum.

• stephenw10 (Netgate Administrator)

Ha, yeah, I was testing everything on the 1100. That just happened to be the last thing I tested there. 😉

• emammadov

In your screenshot, Omit Preference has been chosen in Compression in the OpenVPN server. On my side, I have chosen "Disable Compression, retain compression packet framing (compress)" in Compression in the OpenVPN server. I want to disable compression on the server side, and when I export the client's VPN files, it should be automatically disabled on the client side as well. But if I don't check Push Compression, then Linux users can't access the local network when they are connected. I want to know why this happens.

Is there no need to check Push Compression when Omit Preference is chosen in Compression?

                                                      My screenshot is as follows.

[screenshot: Screenshot from 2019-03-25 21-18-54.png]

• stephenw10 (Netgate Administrator)

                                                        I would only expect to have to push the compression setting if you have changed it to something other than the default.

• emammadov

It doesn't matter which compression setting I choose: with Push Compression unchecked, it works well on both Windows and Linux machines. But if I choose Disable Compression in the OpenVPN server and keep Push Compression unchecked, then it is not working on Linux machines. To make it work, I have to check Push Compression.

I have these logs in the OpenVPN logs when Disable Compression and Push Compression are checked. If I uncheck Push Compression, everything is okay in the logs.

                                                          Mar 26 16:06:31 openvpn 29296 XX.XX.XX.XXX:60636 peer info: IV_TCPNL=1
                                                          Mar 26 16:06:31 openvpn 29296 XX.XX.XX.XXX:60636 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1550', remote='link-mtu 1549'
                                                          Mar 26 16:06:31 openvpn 29296 XX.XX.XX.XXX:60636 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
                                                          Mar 26 16:06:31 openvpn 29296 XX.XX.XX.XXX:60636 [elvin] Peer Connection Initiated with [AF_INET]XX.XX.XX.XXX:60636
                                                          Mar 26 16:06:31 openvpn user 'elvin' authenticated

• stephenw10 (Netgate Administrator)

                                                            I've lost track of what the actual problem is here.

                                                            If you set a compression setting other than the default you have to either manually set that on the client to match or push the setting from the server. That seems like the expected behaviour.

• emammadov

I set Compression to Omit Preference in the OpenVPN server in pfSense, and everything is okay. When I connect from an Android device with the software OpenVPN Connect, the above logs appear in the OpenVPN logs in pfSense, but when I connect with OpenVPN for Android, everything is okay in the logs. Besides this, OpenVPN Connect doesn't require "Password Protect Certificate" while the others do.

• stephenw10 (Netgate Administrator)

                                                                @emammadov said in OpenVPN compression:

I have these logs in the OpenVPN logs when Disable Compression and Push Compression are checked. If I uncheck Push Compression, everything is okay in the logs.

                                                                So you only see that logged when you set a non-default compression setting and push the value? And it doesn't actually break anything?

The client side is free to refuse whatever the server pushes, though they usually would not, as that allows them to connect. It may simply not be setting it. However, even if it doesn't, if it still passes traffic, what issue are you trying to address here?

• Gertjan

General remark: did you check the OpenVPN version on both sides?
Recent versions changed behaviour; "compress" is a part of that (because of the possible flaw).

• Elrick75

                                                                    Hi,

What is the right choice?

                                                                    Disable Compression, retain compression packet framing (compress)

                                                                    OR

                                                                    No LZO Compression

Currently, I use No LZO Compression, and I add both lines in the ovpn client files:

                                                                    comp-lzo no
                                                                    push "comp-lzo no"

Many thanks for your advice.

• Pippin (replying to emammadov)

                                                                      Select:
                                                                      "Disable Compression, retain compression packet framing (compress)"
                                                                      Check:
                                                                      "Push Compression"
                                                                      is the "right" way.

                                                                      Mar 26 16:06:31 openvpn 29296 XX.XX.XX.XXX:60636 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1550', remote='link-mtu 1549'

                                                                      IIRC, this is a bug in MTU calculation in OpenVPN which is being worked on.

• Elrick75

I read here that they suggest "comp-lzo no": http://www.dsih.fr/article/3158/chiffrement-compression-revisons-nos-configurations-openvpn.html

I'm not sure that comp-lzo no equals Disable Compression, retain compression packet framing (compress).

It seems to equal No LZO Compression.

                                                                        Are you sure about your information?

• Pippin

                                                                          @Elrick75 said in OpenVPN compression:

I read here that they suggest "comp-lzo no": http://www.dsih.fr/article/3158/chiffrement-compression-revisons-nos-configurations-openvpn.html

I'm not sure that comp-lzo no equals Disable Compression, retain compression packet framing (compress).

                                                                          It's not equal because compress is a new directive.

                                                                          Are you sure about your information?

                                                                          Yes.

If you have older clients then "comp-lzo no" together with "Push Compression" would be preferred, but that is not always possible because, depending on the client-side setting, it can lead to a mismatch and thus a failing connection.

• Elrick75

I'm currently using OpenVPN 2.4.7 as client and 2.4.6 on the server side (under pfSense).
My ovpn client config files use these lines:

comp-lzo no
push "comp-lzo no"

On the server side, I use No LZO Compression.

I would like to understand the difference between Disable Compression, retain compression packet framing (compress) and No LZO Compression, to know whether there is any reason to choose one over the other.

About OpenVPN on the server side: 2.4.6 is an older version, and 2.4.7 was released in February 2019. Is it possible to update it to the latest version? How to do it from the pfSense user interface?

                                                                            Many thanks in advance.

• Pippin

                                                                              The difference is that
                                                                              --comp-lzo is for all OpenVPN versions.
                                                                              --compress is for version 2.4 and higher.

                                                                              Also see the manual:
                                                                              https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

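As an added check, not pfSense or OpenVPN code, tying together Pippin's point that comp-lzo and compress are different directives and jimp's rule that every client must match the server or be pushed the setting: the script below reads the compression directives of a server and a client config, applies the server's push list to the client, and reports whether any side still compresses payload (the VORACLE precondition) and whether the two sides disagree (the condition behind the "'comp-lzo' is present in local config but missing in remote config" warning posted earlier in the thread). It also pulls the option names out of the two log lines quoted from the thread. The configs are constructed. The GUI-to-directive mapping assumed is: no directive for Omit Preference, "compress" for "Disable Compression, retain compression packet framing", "comp-lzo no" for "No LZO Compression", "comp-lzo adaptive" for "Adaptive LZO Compression", and a push of the server's own line for "Push Compression". Comparing the sides by normalized directive text is stricter than OpenVPN's own consistency check (for example, "comp-lzo yes" and "comp-lzo adaptive" are flagged as different here); that is a deliberate, conservative assumption.

```python
"""Compression-consistency check for an OpenVPN server/client config pair.

Added example for this thread, not pfSense or OpenVPN code. It reads the
compression directives each side would load, applies the server's push list
to the client (what pfSense's "Push Compression" produces), and reports
(1) any setting that still compresses payload, the VORACLE precondition, and
(2) any disagreement between the sides, which is what OpenVPN's options
consistency warning reports. Configs below are constructed; the two log lines
are copied from the thread. Sides are compared by normalized directive text,
an assumption that is stricter than OpenVPN's own check.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Settings that switch the payload compressor on: the VORACLE precondition.
COMPRESSING = {"comp-lzo yes", "comp-lzo adaptive",
               "compress lzo", "compress lz4", "compress lz4-v2"}


def normalize(directive: str) -> str:
    """Lower-case, single-space; a bare 'comp-lzo' means 'comp-lzo adaptive'."""
    d = " ".join(directive.lower().split())
    return "comp-lzo adaptive" if d == "comp-lzo" else d


@dataclass
class CompressionView:
    local: Optional[str] = None                      # this side's own directive
    pushed: List[str] = field(default_factory=list)  # push "comp-lzo ..." / "compress ..."


def parse(config_text: str) -> CompressionView:
    """Collect comp-lzo/compress lines and pushed compression options."""
    view = CompressionView()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # OpenVPN comment markers
            continue
        pushed = re.match(r'^push\s+"([^"]+)"$', line)
        if pushed:
            inner = normalize(pushed.group(1))
            if inner.split()[0] in ("comp-lzo", "compress"):
                view.pushed.append(inner)
        elif line.split()[0] in ("comp-lzo", "compress"):
            view.local = normalize(line)
    return view


def effective_client(server: CompressionView, client: CompressionView) -> Optional[str]:
    """A pushed compression option replaces the client's own line (OpenVPN 2.4
    behaviour; 2.5 adds --allow-compression to restrict this, not modelled)."""
    return server.pushed[-1] if server.pushed else client.local


def check(server_cfg: str, client_cfg: str) -> List[str]:
    """Findings for one server/client pair; empty list means nothing to fix."""
    server, client = parse(server_cfg), parse(client_cfg)
    client_eff = effective_client(server, client)
    findings = []
    for side, setting in (("server", server.local), ("client", client_eff)):
        if setting in COMPRESSING:
            findings.append(f"{side} compresses payload ({setting}): VORACLE-exposed")
    if server.local != client_eff:
        findings.append(f"mismatch: server {server.local!r} vs client {client_eff!r}; "
                        "make the client match or push the setting")
    return findings


OCC_RE = re.compile(r"WARNING: '([^']+)' is (present in local config|used inconsistently)")


def occ_warnings(log_text: str) -> List[Tuple[str, str]]:
    """Option names the peers disagreed on, taken from OpenVPN's OCC warnings."""
    return [(m.group(1), "missing-remote" if m.group(2).startswith("present") else "inconsistent")
            for m in OCC_RE.finditer(log_text)]


# Constructed configs following the sequence of settings tried in the thread.
SERVER_LZO = "dev tun\ncomp-lzo adaptive\n"            # Adaptive LZO Compression
CLIENT_LZO = "dev tun\ncomp-lzo adaptive\n"            # export made before the change
SERVER_STUB = "dev tun\ncompress\n"                    # Disable Compression, retain framing
SERVER_STUB_PUSH = SERVER_STUB + 'push "compress"\n'   # ... plus Push Compression
CLIENT_BARE = "dev tun\n"                              # client whose compress line was dropped

# Log lines copied from the thread (addresses were already masked there).
THREAD_LOG = """\
Mar 26 16:06:31 openvpn 29296 XX.XX.XX.XXX:60636 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1550', remote='link-mtu 1549'
Mar 26 16:06:31 openvpn 29296 XX.XX.XX.XXX:60636 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
"""

if __name__ == "__main__":
    for name, pair in {"lzo both sides": (SERVER_LZO, CLIENT_LZO),
                       "stub vs bare": (SERVER_STUB, CLIENT_BARE),
                       "stub pushed": (SERVER_STUB_PUSH, CLIENT_BARE)}.items():
        print(name, "->", check(*pair) or ["ok"])
    print(occ_warnings(THREAD_LOG))
```

Run against the three constructed pairs, the first reports compression on both sides, the second reports the mismatch that matches the "connects but passes no traffic" symptom and the OCC warning, and the third is clean because the pushed "compress" brings the bare client into agreement. Removing the directive from both sides, as pfSenseTest suggests, is also clean.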