Issues with compression settings (comp-lzo)
-
Hi Everyone!
I'm trying to set up one of my VLANs to route all traffic to a VPN tunnel.
I have OpenVPN server running and I'm connecting to it from my pfsense.
Connection gets established (it does reset every 120 sec but that's a different problem).
For now I would like to focus on this frustrating comp-lzo setting. I have tried literally every possible combination and somehow the client is always sending that.
This is what I'm seeing on the server side:
Jan 23 00:47:24 ip-172-26-2-10 openvpn[25071]: xxxxxxx:44543 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1601', remote='link-mtu 1602'
Jan 23 00:47:24 ip-172-26-2-10 openvpn[25071]: xxxxx:44543 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
This is what I'm seeing on my client side:
Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
I have NO idea where comp-lzo is coming from. As I mentioned, I have tried every possible combination but it almost looks like it's embedded into client without an option to override it?
client version:
OpenVPN 2.4.9 amd64-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May 4 2020
library versions: OpenSSL 1.0.2u-freebsd 20 Dec 2019, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=yes enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
server version is:
root@ip-172-26-2-10:/home/ubuntu# openvpn --version
OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 5 2019
library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
Thanks!
-
@aleksap
Post your server and client configuration. -
@viragomann thanks for replying.
Here is the server:
local xx.xx.xx.xx
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
log /var/log/openvpn/openvpn.log
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
server-ipv6 fdxxx1194:1194:1194::/64
push "redirect-gateway def1 ipv6 bypass-dhcp"
ifconfig-pool-persist ipp.txt
keepalive 10 600
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
explicit-exit-notify
Client config (pfSense):
dev ovpnc1
verb 4
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-256-CBC
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xx.xx.xx.xx
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote xx.xx.xx.xx 1194 udp4
ifconfig 10.0.1.2 10.0.1.1
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
tls-crypt /var/etc/openvpn/client1.tls-crypt
ncp-ciphers AES-128-GCM:AES-256-GCM
compress
resolv-retry infinite
topology subnet
route-noexec
I have tried all kinds of combinations and always get the same error.
As you can see, I do not have comp-lzo on my client side but somehow it keeps sending that parameter. I would appreciate any help or guidance.
Thanks!
-
I have to add, I tried removing compress from the client, I tried "comp-lzo no", I tried running different types of compression on both server and client, and it's always the same.
-
@aleksap
Seems there is no compress setting on the server, but there is on the client. You can use 'comp-lzo adaptive' and 'push "comp-lzo adaptive"' on the server. Then you should not need any compress setting on the client, but it should also work with 'compress'. On the client there are two directives which you should remove, because these settings are given by the server:
ifconfig
topology subnet -
You should really be moving away from compress or comp-lzo.
These options have both been deprecated, and will not function going forward.
https://community.openvpn.net/openvpn/wiki/DeprecatedOptions
Also see
https://community.openvpn.net/openvpn/wiki/VORACLE -
Hi,
Can you tell me how to disable compress in pfSense?
Regards
-
@johnpoz What is interesting is that when adding 'compress stub-v2' and the push setting as well on the server, as in that article, I still see in both the pfSense client logs and the server logs that the server is setting comp-lzo on the server side.
I can only conclude it's an OpenVPN bug of some sort, and it doesn't give confidence that compression is disabled; the devs need to get a move on and gut compression out of OpenVPN. :(
server log -> WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
The client log also reports it, but the opposite way, saying comp-lzo is in the remote (server) config.
-
Similarly, I ignore it.
-
@ptz-m Servers were still on OpenVPN 2.4, which seems not capable of fully disabling it; after updating to 2.5 and setting 'allow-compression no' the warning is gone.
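As an added example (not from anyone in this thread), the following shell functions audit an OpenVPN config for the compression directives discussed above ('comp-lzo', 'compress', pushed compression) and check for the 'allow-compression no' setting mentioned in the last reply, plus a counter for the 'comp-lzo' warnings seen in the logs. The sample configs and log lines are constructed; 'allow-compression no' is assumed to behave as OpenVPN 2.5+ documents it.

```bash
# audit_ovpn_compression: read an OpenVPN config on stdin. Exit 0 only when no
# local or pushed compression directive remains and 'allow-compression no' is set.
audit_ovpn_compression() {
    # Drop comments first so a commented-out '#comp-lzo' is not reported.
    stripped=$(sed -e 's/[#;].*$//')
    status=0
    # Local compression directives; any of these puts 'comp-lzo'/'compress'
    # into the Options String that the peer then warns about.
    local_re='^[[:space:]]*(comp-lzo|compress|comp-noadapt)([[:space:]]|$)'
    if printf '%s\n' "$stripped" | grep -Eq "$local_re"; then
        printf 'FOUND local compression directive: %s\n' \
            "$(printf '%s\n' "$stripped" | grep -E "$local_re" | tr -s '[:space:]' ' ')"
        status=1
    fi
    # Compression pushed from a server to its clients.
    push_re='^[[:space:]]*push[[:space:]]+"?(comp-lzo|compress)'
    if printf '%s\n' "$stripped" | grep -Eq "$push_re"; then
        printf 'FOUND pushed compression directive: %s\n' \
            "$(printf '%s\n' "$stripped" | grep -E "$push_re" | tr -s '[:space:]' ' ')"
        status=1
    fi
    # Explicit refusal of compression (OpenVPN 2.5+), as in the last reply above.
    if ! printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*allow-compression[[:space:]]+no([[:space:]]|$)'; then
        echo 'MISSING: allow-compression no'
        status=1
    fi
    return $status
}

# count_comp_warnings: count 'comp-lzo is present ...' warnings in an OpenVPN
# log read on stdin (a non-zero count means the peers still disagree).
count_comp_warnings() {
    grep -c "'comp-lzo' is present in" || true
}

# Constructed sample configs (not the poster's real files).
BAD_CFG='dev tun
proto udp
cipher AES-256-CBC
comp-lzo no
push "comp-lzo adaptive"
#compress stub-v2'

GOOD_CFG='dev tun
proto udp
cipher AES-256-CBC
allow-compression no
# compress lz4   (commented out, so ignored by the audit)'
```

Run it as `audit_ovpn_compression < /etc/openvpn/server.conf` on a real host; on pfSense the generated client config lives at the path shown in the poster's log.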