Compression being pushed by pfsense?
-
I'm running into a strange issue that I'm trying to diagnose. The main gist of it is that I can connect to my VPN on mobile internet, but there seems to be an issue with transmitting data after connection. Sometimes I can reach sites like ipchicken to verify traffic is routing through the VPN, but then I get timeouts to local services like pfSense on both hostname and IP. But running something like ping shows connectivity. This used to work without issue, but I don't often need to use the VPN, so it's been a few months and an internet provider change since I last had a working setup, it seems.
pfSense 2.7.2 (Server)
Android running OpenVPN Connect 3.4.2 (Client)

The OpenVPN Server has the "Allow Compression" option set to "Refuse any non-stub compression (Most secure)", which I assumed disabled compression? But from the OpenVPN server logs I see a lot of the following when a client tries to connect:

IP packet with unknown IP version=15 seen
From the client logs I also see:

[Sep 12, 2024, 23:05:51] ----- OpenVPN Start -----
[Sep 12, 2024, 23:05:51] EVENT: CORE_THREAD_ACTIVE
[Sep 12, 2024, 23:05:51] OpenVPN core 3.8.5connectQA3(3.git::11d19f67:RelWithDebInfo) android arm64 64-bit PT_PROXY
[Sep 12, 2024, 23:05:51] Frame=512/2112/512 mssfix-ctrl=1250
[Sep 12, 2024, 23:05:51] NOTE: This configuration contains options that were not used:
[Sep 12, 2024, 23:05:51] Unsupported option (ignored)
[Sep 12, 2024, 23:05:51] 0 [persist-tun]
[Sep 12, 2024, 23:05:51] 1 [persist-key]
[Sep 12, 2024, 23:05:51] 2 [data-ciphers] [CHACHA20-POLY1305]
[Sep 12, 2024, 23:05:51] 3 [data-ciphers-fallback] [CHACHA20-POLY1305]
[Sep 12, 2024, 23:05:51] 4 [explicit-exit-notify]
[Sep 12, 2024, 23:05:51] EVENT: RESOLVE
[Sep 12, 2024, 23:05:51] Endpoint address family (IPv6) is incompatible with transport protocol (udp4)
[Sep 12, 2024, 23:05:51] Contacting REDACTED:1194 via UDP
[Sep 12, 2024, 23:05:51] Connecting to [REDACTED]:1194 (REDACTED) via UDPv4
[Sep 12, 2024, 23:05:51] EVENT: WAIT
[Sep 12, 2024, 23:05:51] EVENT: CONNECTING
[Sep 12, 2024, 23:05:51] Tunnel Options:V4,dev-type tun,link-mtu 1554,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-client
[Sep 12, 2024, 23:05:51] Creds: Username/Password
[Sep 12, 2024, 23:05:51] Sending Peer Info: IV_VER=3.8.5connectQA3 IV_PLAT=android IV_NCP=2 IV_TCPNL=1 IV_PROTO=990 IV_MTU=1600 IV_CIPHERS=AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305 IV_LZO_STUB=1 IV_COMP_STUB=1 IV_COMP_STUBv2=1 IV_GUI_VER=net.openvpn.connect.android_3.4.2-9909 IV_SSO=webauth,openurl,crtext IV_BS64DL=1
[Sep 12, 2024, 23:05:52] VERIFY OK: depth=1, /REDACTED/CN=OpenVPNCA, signature: RSA-SHA256
[Sep 12, 2024, 23:05:52] VERIFY OK: depth=0, /REDACTED/CN=OpenVPNCert, signature: RSA-SHA256
[Sep 12, 2024, 23:05:52] SSL Handshake: peer certificate: CN=OpenVPNCert, 4096 bit RSA, cipher: TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
[Sep 12, 2024, 23:05:52] Session is ACTIVE
[Sep 12, 2024, 23:05:52] Sending PUSH_REQUEST to server...
[Sep 12, 2024, 23:05:52] EVENT: GET_CONFIG
[Sep 12, 2024, 23:05:53] Sending PUSH_REQUEST to server...
[Sep 12, 2024, 23:05:53] OPTIONS: 0 [dhcp-option] [DOMAIN] [REDACTED.local] 1 [dhcp-option] [DNS] [192.168.70.1] 2 [dhcp-option] [DNS] [1.1.1.1] 3 [redirect-gateway] [def1] 4 [redirect-gateway] [ipv6] 5 [route-gateway] [10.100.0.1] 6 [topology] [subnet] 7 [ping] [10] 8 [ping-restart] [60] 9 [ifconfig] [10.100.0.2] [255.255.255.0] 10 [peer-id] [0] 11 [cipher] [CHACHA20-POLY1305] 12 [protocol-flags] [cc-exit] [tls-ekm] [dyn-tls-crypt] 13 [tun-mtu] [1500] 14 [block-ipv6] 15 [block-ipv4]
[Sep 12, 2024, 23:05:53] PROTOCOL OPTIONS: cipher: CHACHA20-POLY1305 digest: NONE key-derivation: TLS Keying Material Exporter [RFC5705] compress: LZO_STUB peer ID: 0 control channel: tls-auth enabled control channel: dynamic tls-crypt enabled
[Sep 12, 2024, 23:05:53] EVENT: ASSIGN_IP
[Sep 12, 2024, 23:05:53] Connected via tun
[Sep 12, 2024, 23:05:53] LZO-ASYM init swap=0 asym=1
[Sep 12, 2024, 23:05:53] Comp-stub init swap=0
[Sep 12, 2024, 23:05:53] EVENT: CONNECTED info='REDACTED@REDACTED:1194 (REDACTED) via /UDPv4 on tun/10.100.0.2/ gw=[10.100.0.1/] mtu=1500'
[Sep 12, 2024, 23:05:53] Transport Error: server pushed compression settings that are not allowed and will result in a non-working connection.
[Sep 12, 2024, 23:05:53] EVENT: COMPRESS_ERROR info='server pushed compression settings that are not allowed and will result in a non-working connection. '
I'm trying to understand why compression is even coming into play here, as my ovpn config file has no mention of comp-lzo at all. I'm assuming it's because of this LZO_STUB?

I will also note that in the OpenVPN Connect app on Android, it's currently set to Advanced Settings > Legacy; the Preferred setting doesn't even connect.

I couldn't find much online other than a compression mismatch being what causes that log entry on the pfSense side, but that doesn't really explain the connectivity behavior either.
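The following is an added example and not code from this thread, from pfSense or from OpenVPN. It is a small Python checker that reads the three client-side log lines that matter for this negotiation (the server's option string echoed as "Tunnel Options", the client's "Sending Peer Info" capability flags, and the negotiated "PROTOCOL OPTIONS") and reports whether the server is advertising real compression to a client that only offers stub framing. SAMPLE_LOG is trimmed from the log posted above; CLEAN_LOG is a constructed counterpart for a server with compression disabled. Which option tokens count as real compression versus stub framing, and the IV_LZO / IV_LZ4 / IV_LZ4v2 flag names used to detect a client that can really compress, are my assumptions about OpenVPN option and peer-info conventions, not something the thread states.

```python
import re

# Client-side log lines trimmed from the OpenVPN Connect log posted above
# (timestamps kept, unrelated lines dropped).
SAMPLE_LOG = """\
[Sep 12, 2024, 23:05:51] Tunnel Options:V4,dev-type tun,link-mtu 1554,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-client
[Sep 12, 2024, 23:05:51] Sending Peer Info: IV_VER=3.8.5connectQA3 IV_PLAT=android IV_NCP=2 IV_PROTO=990 IV_CIPHERS=AES-128-GCM:AES-256-GCM:CHACHA20-POLY1305 IV_LZO_STUB=1 IV_COMP_STUB=1 IV_COMP_STUBv2=1
[Sep 12, 2024, 23:05:53] PROTOCOL OPTIONS: cipher: CHACHA20-POLY1305 digest: NONE key-derivation: TLS Keying Material Exporter [RFC5705] compress: LZO_STUB peer ID: 0 control channel: tls-auth enabled control channel: dynamic tls-crypt enabled
[Sep 12, 2024, 23:05:53] Transport Error: server pushed compression settings that are not allowed and will result in a non-working connection.
"""

# Constructed counterpart: what the same client would log against a server with
# compression disabled (no comp-lzo in the option string, nothing negotiated).
CLEAN_LOG = """\
[Sep 12, 2024, 23:10:01] Tunnel Options:V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-GCM,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client
[Sep 12, 2024, 23:10:01] Sending Peer Info: IV_VER=3.8.5connectQA3 IV_PLAT=android IV_NCP=2 IV_LZO_STUB=1 IV_COMP_STUB=1 IV_COMP_STUBv2=1
[Sep 12, 2024, 23:10:03] PROTOCOL OPTIONS: cipher: AES-256-GCM digest: NONE key-derivation: TLS Keying Material Exporter [RFC5705] peer ID: 0 control channel: tls-auth enabled
"""

# Assumption: option tokens that mean the server will actually compress payloads,
# versus tokens that only keep the compression framing byte (stub).
REAL_COMPRESSION = {"comp-lzo", "comp-lzo yes", "comp-lzo adaptive",
                    "compress lzo", "compress lz4", "compress lz4-v2"}
STUB_FRAMING = {"compress", "compress stub", "compress stub-v2", "comp-lzo no"}
# Assumption: peer-info flags a client sends when it can really compress (OpenVPN 2.x builds).
REAL_COMPRESSION_FLAGS = ("IV_LZO", "IV_LZ4", "IV_LZ4v2")
STUB_FLAGS = ("IV_LZO_STUB", "IV_COMP_STUB", "IV_COMP_STUBv2")

_PROTO_KEYS = "cipher|digest|key-derivation|compress|peer ID|control channel"


def parse_tunnel_options(log_text):
    """Server-side option string echoed by the client, split into its comma-separated tokens."""
    m = re.search(r"Tunnel Options:(.*)", log_text)
    return [t.strip() for t in m.group(1).split(",") if t.strip()] if m else []


def parse_peer_info(log_text):
    """IV_* capabilities the client advertised to the server, as a dict."""
    m = re.search(r"Sending Peer Info: (.*)", log_text)
    return dict(kv.split("=", 1) for kv in m.group(1).split() if "=" in kv) if m else {}


def parse_protocol_options(log_text):
    """Negotiated data-channel parameters; values contain spaces, so split on the known keys."""
    m = re.search(r"PROTOCOL OPTIONS: (.*)", log_text)
    if not m:
        return {}
    pairs = re.findall(rf"({_PROTO_KEYS}): (.*?)(?= (?:{_PROTO_KEYS}): |$)", m.group(1))
    return dict(pairs)  # a repeated key ('control channel') keeps its last value


def server_compression_mode(tunnel_options):
    """'real' (payload compression), 'stub' (framing only) or 'none'."""
    for opt in tunnel_options:
        if opt in REAL_COMPRESSION:
            return "real"
        if opt in STUB_FRAMING:
            return "stub"
    return "none"


def client_stub_only(peer_info):
    """True when the client offers stub framing but no real compression."""
    has_stub = any(peer_info.get(k) == "1" for k in STUB_FLAGS)
    has_real = any(peer_info.get(k) == "1" for k in REAL_COMPRESSION_FLAGS)
    return has_stub and not has_real


def analyze(log_text):
    """Summarise the compression negotiation seen in one client connection log."""
    server_mode = server_compression_mode(parse_tunnel_options(log_text))
    stub_only = client_stub_only(parse_peer_info(log_text))
    negotiated = parse_protocol_options(log_text).get("compress")
    rejected = "server pushed compression settings that are not allowed" in log_text
    mismatch = rejected or (server_mode == "real" and stub_only)
    return {
        "server_compression": server_mode,
        "client_stub_only": stub_only,
        "negotiated": negotiated,
        "compress_error": rejected,
        "mismatch": mismatch,
    }


if __name__ == "__main__":
    for name, log in (("posted log", SAMPLE_LOG), ("constructed clean log", CLEAN_LOG)):
        print(name, analyze(log))
```

Run against the posted log it reports server_compression "real" (the comp-lzo token in the server's option string) against a client that only advertises the stub flags, which is the mismatch the client's Transport Error complains about; against the constructed clean log it reports "none" and no mismatch. The check is deliberately independent of the pushed OPTIONS list, because in the posted log that list contains no compress entry at all: the only trace of the server-side setting is the option string and the negotiated LZO_STUB.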
-
@sinicide said in Compression being pushed by pfsense?:
Android running openvpn connect 3.4.2 (Client)
A bit old, as 3.5.x is proposed these days.
You are using pfSense 2.7.2 so you have a rather recent OpenVPN server series.
Know that compression has been ditched (deprecated) for a long time now.
I can't even find that option anymore in my pfSense server settings ...

If proposed: set compression to 'none' and re-export a VPN config for your VPN client, and import it into the client.
-
@Gertjan Hey, thanks for chiming in. 3.4.2 for Android is the latest from the Google Play Store, so I don't really have control over that aspect.
This is the section I'm talking about when editing the OpenVPN Server config.
I don't really have an option to set compression to none here.
I even tried adding the compress config without a value to the ovpn config and re-importing it into the client, but still the same log results.....

remote-cert-tls server
explicit-exit-notify
compress
<ca>
-----BEGIN CERTIFICATE-----
-
@sinicide said in Compression being pushed by pfsense?:
Hey, thanks for chiming in. 3.4.2 for Android is the latest from the Google Play Store, so I don't really have control over that aspect.
You can install OpenVPN connect. This is currently on 3.8.5.
-
@viragomann Where do you see 3.8.5 from? https://openvpn.net/connect-docs/android-release-notes.html
-
@sinicide
Ah yes, that's just the app version.

However, I've no issues connecting my Android to CE 2.7.2.
I have these compression settings:
-
@viragomann Thanks. Changing the server settings to Decompress + Disable Compression does remove the compression mismatch messages. But my strange connectivity issue still persists even with this change, which tells me that the compression mismatch was probably a red herring for my connectivity/routing issue.
Thanks for your help on the compression part!