Netgate Discussion Forum

    Issues with compression settings (comp-lzo)

      aleksap

      Hi Everyone!

      I'm trying to set up one of my VLANs to route all traffic to a VPN tunnel.
      I have an OpenVPN server running and I'm connecting to it from my pfSense.
      The connection gets established (it does reset every 120 sec, but that's a different problem).
      For now I would like to focus on this frustrating comp-lzo setting.

      I have tried literally every possible combination and somehow the client is always sending that.
      This is what I'm seeing on the server side:

      
      Jan 23 00:47:24 ip-172-26-2-10 openvpn[25071]: xxxxxxx:44543 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1601', remote='link-mtu 1602'
      Jan 23 00:47:24 ip-172-26-2-10 openvpn[25071]: xxxxx:44543 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
      
      

      This is what I'm seeing on my client side:

      Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
      

      I have NO idea where comp-lzo is coming from. As I mentioned, I have tried every possible combination, but it almost looks like it's embedded into the client without an option to override it?

      client version:

      OpenVPN 2.4.9 amd64-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May  4 2020
      library versions: OpenSSL 1.0.2u-freebsd  20 Dec 2019, LZO 2.10
      Originally developed by James Yonan
      Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
      Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=yes enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
      

      server version is:

      
      root@ip-172-26-2-10:/home/ubuntu# openvpn --version
      OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep  5 2019
      library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
      Originally developed by James Yonan
      Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
      Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
      
      

      Thanks!

        viragomann @aleksap

        @aleksap
        Post your server and client configuration.

          aleksap @viragomann

          @viragomann Thanks for replying.

          Here is the server:

          
          local xx.xx.xx.xx
          port 1194
          proto udp
          dev tun
          ca ca.crt
          cert server.crt
          key server.key
          dh dh.pem
          auth SHA512
          log /var/log/openvpn/openvpn.log
          tls-crypt tc.key
          topology subnet
          server 10.8.0.0 255.255.255.0
          server-ipv6 fdxxx1194:1194:1194::/64
          push "redirect-gateway def1 ipv6 bypass-dhcp"
          ifconfig-pool-persist ipp.txt
          keepalive 10 600
          cipher AES-256-CBC
          user nobody
          group nogroup
          persist-key
          persist-tun
          status openvpn-status.log
          verb 3
          crl-verify crl.pem
          explicit-exit-notify
          

          client config (pfsense)

          dev ovpnc1
          verb 4
          dev-type tun
          dev-node /dev/tun1
          writepid /var/run/openvpn_client1.pid
          #user nobody
          #group nobody
          script-security 3
          daemon
          keepalive 10 60
          ping-timer-rem
          persist-tun
          persist-key
          proto udp4
          cipher AES-256-CBC
          auth SHA512
          up /usr/local/sbin/ovpn-linkup
          down /usr/local/sbin/ovpn-linkdown
          local xx.xx.xx.xx
          tls-client
          client
          lport 0
          management /var/etc/openvpn/client1.sock unix
          remote xx.xx.xx.xx 1194 udp4
          ifconfig 10.0.1.2 10.0.1.1
          ca /var/etc/openvpn/client1.ca
          cert /var/etc/openvpn/client1.cert
          key /var/etc/openvpn/client1.key
          tls-crypt /var/etc/openvpn/client1.tls-crypt
          ncp-ciphers AES-128-GCM:AES-256-GCM
          compress
          resolv-retry infinite
          topology subnet
          route-noexec
          

          I have tried all kinds of combinations and always get the same error.
          As you can see, I do not have compress-lzo on my client side, but somehow it keeps sending that parameter.

          I would appreciate any help or guidance.

          Thanks!

            aleksap @aleksap

            I have to add: I tried removing compress from the client, I tried "comp-lzo no", I tried running different types of compression on both server and client, and it's always the same.

              viragomann @aleksap

              @aleksap
              Seems there is no compress setting on the server, but there is on the client. You can use 'comp-lzo adaptive' and 'push "comp-lzo adaptive"' on the server. Thus you should not need any compress setting on the client, but it should also work with 'compress'.

              On the client there are two directives which you should remove, because these settings are given by the server:
              ifconfig
              topology subnet

                johnpoz LAYER 8 Global Moderator @viragomann

                You should really be moving away from compress or compress-lzo.

                These options have both been deprecated and will not function going forward.

                https://community.openvpn.net/openvpn/wiki/DeprecatedOptions

                Also see
                https://community.openvpn.net/openvpn/wiki/VORACLE


                  spinx

                  Hi,
                  Can you tell me how to disable compress in pfsense?

                  Regards

                    chrcoluk @johnpoz

                    @johnpoz What is interesting is that when adding the 'compress stub-v2' and the push setting as well on the server, as in that article, I still see in both the pfSense client logs and the server logs that the server is setting comp-lzo on the server side.

                    I can only conclude it's an OpenVPN bug of some sort, and it doesn't give confidence that compression is disabled; the devs need to get a move on and gut compression out of OpenVPN. :(

                    server log -> WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'

                    The client log also reports it, but the opposite way, saying comp-lzo is in remote (server).

                    pfSense CE 2.8.1

                      PTZ-M

                      similarly, I ignore it

                        chrcoluk @PTZ-M

                        @ptz-m Servers were still on OpenVPN 2.4, which seems not capable of fully disabling it; after updating to 2.5 and setting 'allow-compression no' the warning is gone.

                        pfSense CE 2.8.1
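
A check for the mismatch discussed in this thread, as an added example (not code from any poster, pfSense or OpenVPN): it lists the compression-related directives in an OpenVPN config and picks the compression warning out of a log. The config and log samples are abridged from the posts above; `audit_config` and `compression_warnings` are hypothetical helper names.

```python
import re

# Directives that enable compression or its packet framing (OpenVPN 2.4/2.5).
COMP_DIRECTIVES = {"compress", "comp-lzo", "comp-noadapt"}
WARN_RE = re.compile(r"WARNING: '(?P<opt>[\w-]+)' is present in "
                     r"(?P<has>local|remote) config but missing in")

def audit_config(text):
    """Return (compression directives found, allow-compression value or None)."""
    found, allow = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        pushed = line.startswith("push ")
        if pushed:  # push "comp-lzo adaptive" -> comp-lzo adaptive
            line = line[5:].strip().strip('"')
        words = line.split()
        if not words:
            continue
        if words[0] in COMP_DIRECTIVES:
            found.append(("push " if pushed else "") + " ".join(words))
        elif words[0] == "allow-compression" and len(words) > 1:
            allow = words[1]
    return found, allow

def compression_warnings(log_text):
    """Return (option, side that has it) for each compression mismatch warning."""
    return [(m["opt"], m["has"]) for m in WARN_RE.finditer(log_text)
            if m["opt"] in COMP_DIRECTIVES]

# Samples abridged from the configs and server log posted in this thread.
CLIENT_CONF = """dev ovpnc1
#user nobody
cipher AES-256-CBC
ncp-ciphers AES-128-GCM:AES-256-GCM
compress
"""
SERVER_CONF = """proto udp
cipher AES-256-CBC
push "redirect-gateway def1 ipv6 bypass-dhcp"
"""
SERVER_LOG = """openvpn[25071]: xxxxxxx:44543 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1601', remote='link-mtu 1602'
openvpn[25071]: xxxxx:44543 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
"""

if __name__ == "__main__":
    print(audit_config(CLIENT_CONF), audit_config(SERVER_CONF), compression_warnings(SERVER_LOG))
```

On the posted configs this reports `compress` on the client and nothing on the server, which matches the side the server log names as carrying `comp-lzo`.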

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.