    Issues with compression settings (comp-lzo)

    • A
      aleksap last edited by aleksap

      Hi Everyone!

      I'm trying to set up one of my VLANs to route all traffic to a VPN tunnel.
      I have an OpenVPN server running and I'm connecting to it from my pfSense.
      The connection gets established (it does reset every 120 sec, but that's a different problem).
      For now I would like to focus on this frustrating comp-lzo setting.

      I have tried literally every possible combination and somehow client is always sending that.
      This is what I'm seeing on server side:

      
      Jan 23 00:47:24 ip-172-26-2-10 openvpn[25071]: xxxxxxx:44543 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1601', remote='link-mtu 1602'
      Jan 23 00:47:24 ip-172-26-2-10 openvpn[25071]: xxxxx:44543 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
      
      

      This is what I'm seeing on my client side:

      Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
      

      I have NO idea where comp-lzo is coming from. As I mentioned, I have tried every possible combination but it almost looks like it's embedded into client without an option to override it?

      client version:

      OpenVPN 2.4.9 amd64-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May  4 2020
      library versions: OpenSSL 1.0.2u-freebsd  20 Dec 2019, LZO 2.10
      Originally developed by James Yonan
      Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
      Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=yes enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
      

      server version is:

      
      root@ip-172-26-2-10:/home/ubuntu# openvpn --version
      OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep  5 2019
      library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
      Originally developed by James Yonan
      Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
      Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
      
      

      Thanks!

      • V
        viragomann @aleksap last edited by

        @aleksap
        Post your server and client configuration.

        • A
          aleksap @viragomann last edited by

          @viragomann thanks for replying.

          here is server:

          
          local xx.xx.xx.xx
          port 1194
          proto udp
          dev tun
          ca ca.crt
          cert server.crt
          key server.key
          dh dh.pem
          auth SHA512
          log /var/log/openvpn/openvpn.log
          tls-crypt tc.key
          topology subnet
          server 10.8.0.0 255.255.255.0
          server-ipv6 fdxxx1194:1194:1194::/64
          push "redirect-gateway def1 ipv6 bypass-dhcp"
          ifconfig-pool-persist ipp.txt
          keepalive 10 600
          cipher AES-256-CBC
          user nobody
          group nogroup
          persist-key
          persist-tun
          status openvpn-status.log
          verb 3
          crl-verify crl.pem
          explicit-exit-notify
          

          client config (pfsense)

          dev ovpnc1
          verb 4
          dev-type tun
          dev-node /dev/tun1
          writepid /var/run/openvpn_client1.pid
          #user nobody
          #group nobody
          script-security 3
          daemon
          keepalive 10 60
          ping-timer-rem
          persist-tun
          persist-key
          proto udp4
          cipher AES-256-CBC
          auth SHA512
          up /usr/local/sbin/ovpn-linkup
          down /usr/local/sbin/ovpn-linkdown
          local xx.xx.xx.xx
          tls-client
          client
          lport 0
          management /var/etc/openvpn/client1.sock unix
          remote xx.xx.xx.xx 1194 udp4
          ifconfig 10.0.1.2 10.0.1.1
          ca /var/etc/openvpn/client1.ca
          cert /var/etc/openvpn/client1.cert
          key /var/etc/openvpn/client1.key
          tls-crypt /var/etc/openvpn/client1.tls-crypt
          ncp-ciphers AES-128-GCM:AES-256-GCM
          compress
          resolv-retry infinite
          topology subnet
          route-noexec
          

          I have tried all kinds of combinations and always get the same error.
          As you can see, I do not have compress-ltzo on my client side but somehow it keeps sending that parameter.

          I would appreciate any help or guide.

          Thanks!

          • A
            aleksap @aleksap last edited by

            I have to add, I tried removing compress from the client, I tried "comp-lzo no", I tried to run different types of compression on both server and client, and it's always the same.

            • V
              viragomann @aleksap last edited by

              @aleksap
              Seems there is no compress setting on the server, but on the client. You can use 'comp-lzo adaptive' and 'push "comp-lzo adaptive"' on the server. This way you should not need any compress setting on the client, but it should also work with 'compress'.

              On the client there are two directives which you should remove, because these settings are given by the server:
              ifconfig
              topology subnet

              • johnpoz
                johnpoz LAYER 8 Global Moderator @viragomann last edited by

                You should really be moving away from compress or compress-lzo

                These options have both been deprecated and will not function going forward.

                https://community.openvpn.net/openvpn/wiki/DeprecatedOptions

                Also see
                https://community.openvpn.net/openvpn/wiki/VORACLE

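A small checker for the situation in this thread, added here as an example (not code from any poster, pfSense or OpenVPN): it parses the server's options-consistency warnings and lists the compression directives active in each config. It assumes OpenVPN 2.4 behaviour as described in its man page, where `compress` with no algorithm still turns on compression framing; the function names and finding strings are hypothetical.

```python
import re

# Server log lines and compression-relevant config lines copied from this thread.
SERVER_LOG = """\
Jan 23 00:47:24 ip-172-26-2-10 openvpn[25071]: xxxxxxx:44543 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1601', remote='link-mtu 1602'
Jan 23 00:47:24 ip-172-26-2-10 openvpn[25071]: xxxxx:44543 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
"""
SERVER_CONF = "proto udp\ndev tun\nauth SHA512\ntopology subnet\ncipher AES-256-CBC\n"
CLIENT_CONF = "proto udp4\ncipher AES-256-CBC\nauth SHA512\ncompress\ntopology subnet\n"

INCONSISTENT = re.compile(r"WARNING: '([\w-]+)' is used inconsistently, local='([^']*)', remote='([^']*)'")
ONE_SIDED = re.compile(r"WARNING: '([\w-]+)' is present in (local|remote) config but missing in (local|remote) config")
COMP = re.compile(r'^\s*(push\s+")?(comp-lzo|compress)\b[ \t]*([\w.-]*)')

def option_warnings(log_text):
    """Parse OpenVPN options-consistency warnings into dicts."""
    out = []
    for line in log_text.splitlines():
        if m := INCONSISTENT.search(line):
            out.append({"option": m[1], "local": m[2], "remote": m[3]})
        elif m := ONE_SIDED.search(line):
            out.append({"option": m[1], "present_in": m[2], "missing_in": m[3]})
    return out

def compression_directives(conf_text):
    """Return (directive, argument, pushed) for every uncommented compression line."""
    found = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        if m := COMP.match(line):
            found.append((m[2], m[3], bool(m[1])))
    return found

def audit(server_conf, client_conf):
    """Flag one-sided compression framing and any use of compression at all."""
    srv = compression_directives(server_conf)
    cli = compression_directives(client_conf)
    srv_local = [d for d in srv if not d[2]]
    cli_local = [d for d in cli if not d[2]]
    findings = []
    # Assumption (OpenVPN 2.4 man page): any such line, even bare `compress`, enables framing.
    if cli_local and not srv_local:
        findings.append("framing mismatch: client only")
    elif srv_local and not cli_local and len(srv) == len(srv_local):
        findings.append("framing mismatch: server only, nothing pushed")
    for side, ds in (("server", srv), ("client", cli)):
        for name, arg, pushed in ds:
            findings.append(f"{side}: {name} {arg}".rstrip() + " (deprecated option)")
    return findings
```

Run against the configs posted above, `audit(SERVER_CONF, CLIENT_CONF)` reports the client-only framing mismatch and the deprecated `compress` line on the client.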
                • S
                  spinx last edited by

                  Hi,
                  Can you tell me how to disable compress in pfsense?

                  Regards
