Netgate Discussion Forum

Issues with compression settings (comp-lzo)

10 Posts 6 Posters 3.9k Views
  • A
    aleksap
    last edited by aleksap Jan 23, 2021, 12:56 AM Jan 23, 2021, 12:54 AM

    Hi Everyone!

    I'm trying to set up one of my VLANs to route all traffic to a VPN tunnel.
    I have an OpenVPN server running and I'm connecting to it from my pfSense.
    The connection gets established (it does reset every 120 sec, but that's a different problem).
    For now I would like to focus on this frustrating comp-lzo setting.

    I have tried literally every possible combination and somehow the client is always sending that.
    This is what I'm seeing on server side:

    
    Jan 23 00:47:24 ip-172-26-2-10 openvpn[25071]: xxxxxxx:44543 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1601', remote='link-mtu 1602'
    Jan 23 00:47:24 ip-172-26-2-10 openvpn[25071]: xxxxx:44543 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
    
    

    This is what I'm seeing on my client side:

    Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
    

    I have NO idea where comp-lzo is coming from. As I mentioned, I have tried every possible combination but it almost looks like it's embedded into client without an option to override it?

    client version:

    OpenVPN 2.4.9 amd64-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May  4 2020
    library versions: OpenSSL 1.0.2u-freebsd  20 Dec 2019, LZO 2.10
    Originally developed by James Yonan
    Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
    Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=yes enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
    

    server version is:

    
    root@ip-172-26-2-10:/home/ubuntu# openvpn --version
    OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep  5 2019
    library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
    Originally developed by James Yonan
    Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
    Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
    
    

    Thanks!

    V 1 Reply Last reply Jan 24, 2021, 1:51 PM Reply Quote 0
    • V
      viragomann @aleksap
      last edited by Jan 24, 2021, 1:51 PM

      @aleksap
      Post your server and client configuration.

      A 1 Reply Last reply Jan 26, 2021, 10:14 PM Reply Quote 0
      • A
        aleksap @viragomann
        last edited by Jan 26, 2021, 10:14 PM

        @viragomann thanks for replying.

        here is server:

        
        local xx.xx.xx.xx
        port 1194
        proto udp
        dev tun
        ca ca.crt
        cert server.crt
        key server.key
        dh dh.pem
        auth SHA512
        log /var/log/openvpn/openvpn.log
        tls-crypt tc.key
        topology subnet
        server 10.8.0.0 255.255.255.0
        server-ipv6 fdxxx1194:1194:1194::/64
        push "redirect-gateway def1 ipv6 bypass-dhcp"
        ifconfig-pool-persist ipp.txt
        keepalive 10 600
        cipher AES-256-CBC
        user nobody
        group nogroup
        persist-key
        persist-tun
        status openvpn-status.log
        verb 3
        crl-verify crl.pem
        explicit-exit-notify
        

        client config (pfsense)

        dev ovpnc1
        verb 4
        dev-type tun
        dev-node /dev/tun1
        writepid /var/run/openvpn_client1.pid
        #user nobody
        #group nobody
        script-security 3
        daemon
        keepalive 10 60
        ping-timer-rem
        persist-tun
        persist-key
        proto udp4
        cipher AES-256-CBC
        auth SHA512
        up /usr/local/sbin/ovpn-linkup
        down /usr/local/sbin/ovpn-linkdown
        local xx.xx.xx.xx
        tls-client
        client
        lport 0
        management /var/etc/openvpn/client1.sock unix
        remote xx.xx.xx.xx 1194 udp4
        ifconfig 10.0.1.2 10.0.1.1
        ca /var/etc/openvpn/client1.ca
        cert /var/etc/openvpn/client1.cert
        key /var/etc/openvpn/client1.key
        tls-crypt /var/etc/openvpn/client1.tls-crypt
        ncp-ciphers AES-128-GCM:AES-256-GCM
        compress
        resolv-retry infinite
        topology subnet
        route-noexec
        

        I have tried all kinds of combinations and always get the same error.
        As you can see, I do not have compress-lzo on my client side, but somehow it keeps sending that parameter.

        I would appreciate any help or guide.

        Thanks!

        A 1 Reply Last reply Jan 26, 2021, 10:20 PM Reply Quote 0
        • A
          aleksap @aleksap
          last edited by Jan 26, 2021, 10:20 PM

          I have to add, I tried removing compress from the client, I tried "comp-lzo no", I tried to run different types of compression on both server and client, and it's always the same.

          V 1 Reply Last reply Jan 27, 2021, 2:01 PM Reply Quote 0
          • V
            viragomann @aleksap
            last edited by Jan 27, 2021, 2:01 PM

            @aleksap
            Seems there is no compress setting on the server, but there is one on the client. You can use 'comp-lzo adaptive' and 'push "comp-lzo adaptive"' on the server. Thus you should not need any compress setting on the client, but it should also work with 'compress'.

            On the client there are two directives which you should remove, because these settings are given by the server:
            ifconfig
            topology subnet

            J 1 Reply Last reply Jan 27, 2021, 2:11 PM Reply Quote 0
            • J
              johnpoz LAYER 8 Global Moderator @viragomann
              last edited by Jan 27, 2021, 2:11 PM

              You should really be moving away from compress or compress-lzo.

              These options have both been deprecated and will not function going forward.

              https://community.openvpn.net/openvpn/wiki/DeprecatedOptions

              Also see
              https://community.openvpn.net/openvpn/wiki/VORACLE

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              C 1 Reply Last reply May 24, 2021, 9:34 AM Reply Quote 0
              • S
                spinx
                last edited by Feb 11, 2021, 12:54 PM

                Hi,
                Can you tell me how to disable compress in pfsense?

                Regards

                1 Reply Last reply Reply Quote 0
                • C
                  chrcoluk @johnpoz
                  last edited by chrcoluk May 24, 2021, 9:35 AM May 24, 2021, 9:34 AM

                  @johnpoz What is interesting is that when adding the 'compress stub-v2' and the push setting as well on the server, as in that article, I still see in both the pfSense client logs and the server logs that the server is setting comp-lzo on the server side.

                  I can only conclude it's an OpenVPN bug of some sort, and it doesn't give confidence that compression is disabled; the devs need to get a move on and gut compression out of OpenVPN. :(

                  server log -> WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'

                  The client log also reports it, but the opposite way, saying comp-lzo is in remote (server).

                  pfSense CE 2.7.2

                  1 Reply Last reply Reply Quote 0
                  • PTZ-MP
                    PTZ-M
                    last edited by May 24, 2021, 2:22 PM

                    similarly, I ignore it

                    C 1 Reply Last reply May 24, 2021, 4:55 PM Reply Quote 0
                    • C
                      chrcoluk @PTZ-M
                      last edited by May 24, 2021, 4:55 PM

                      @ptz-m Servers were still on OpenVPN 2.4, which seems not capable of fully disabling it; after updating to 2.5 and setting 'allow-compression no' the warning is gone.

                      pfSense CE 2.7.2

                      1 Reply Last reply Reply Quote 0
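
Added example (not written by any poster, and not OpenVPN or pfSense code): a Python check that lists the compression directives in a config and reads the options-consistency warning quoted in the thread to tell which peer carries the option. The directive set, the function names and the sample strings are assumptions taken from the configs and log lines posted above.

```python
import re
import shlex

# Directives treated here as enabling compression framing. Assumption based on
# the thread: a bare 'compress' on the pfSense client still showed up as
# 'comp-lzo' in the client's options string.
FRAMING = {"compress", "comp-lzo"}
WARN = re.compile(r"WARNING: '([\w-]+)' is present in (local|remote) config "
                  r"but missing in (?:local|remote) config")

def compression_lines(config_text):
    """Return [(lineno, directive_text, pushed)] for compression directives."""
    hits = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        tokens = shlex.split(line)
        pushed = tokens[0] == "push" and len(tokens) > 1
        words = tokens[1].split() if pushed else tokens
        if words and words[0] in FRAMING | {"allow-compression"}:
            hits.append((n, " ".join(words), pushed))
    return hits

def side_with_option(log_text):
    """Map each 'present in X config' warning to the side that has the option."""
    return {m.group(1): m.group(2) for m in WARN.finditer(log_text)}

def audit(config_text):
    """Report framing directives and whether 'allow-compression no' is set."""
    hits = compression_lines(config_text)
    framing = [h for h in hits if h[1].split()[0] in FRAMING]
    forbids = any(h[1] == "allow-compression no" for h in hits)
    return {"framing": framing, "forbids_compression": forbids}

# Sample input copied from the thread (addresses already redacted by the poster).
SERVER_LOG = ("openvpn[25071]: xxxxx:44543 WARNING: 'comp-lzo' is present in "
              "remote config but missing in local config, remote='comp-lzo'")
CLIENT_CONF = ("cipher AES-256-CBC\nauth SHA512\n"
               "ncp-ciphers AES-128-GCM:AES-256-GCM\ncompress\ntopology subnet\n")
SERVER_CONF = ('cipher AES-256-CBC\n'
               'push "redirect-gateway def1 ipv6 bypass-dhcp"\nkeepalive 10 600\n')

if __name__ == "__main__":
    print(side_with_option(SERVER_LOG))   # which peer advertises comp-lzo
    print(audit(CLIENT_CONF))             # the client line responsible
    print(audit(SERVER_CONF))             # server: nothing set, nothing forbidden
```

Run against the posted configs, it points at the client's `compress` line and shows that neither side sets `allow-compression no`, the setting the last reply reports as clearing the warning on 2.5.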
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.