Using the 23.1.6 OPNsense web GUI, I downloaded the openVPN config ("file only") for my Android client (OpenVPN Connect 3.3.2).
Connected ok, but wouldn't route traffic. Log showed a compression error.
It turns out the problem is that the GUI-generated config has the line "compress lzo", but the current Android app requires "comp-lzo" to work.
I ran into a similar error with the cipher fallback option not working due to OPNsense vs OpenVPN client version changes & differences and resulting incompatibilities.
Moral of the story: carefully read the changelogs, log files, and know how to troubleshoot!
Edit: I see that compression is a deprecated option according to OpenVPN: https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#Option:--comp-lzoStatus:Pendingremoval
Quote from: sos_opnsense on April 28, 2023, 06:56:57 AM
It turns out the problem is that the GUI-generated config has the line "compress lzo", but the current Android app requires "comp-lzo" to work.
I'm presuming your server's Tunnel Settings configuration for Compression was set to "Enabled - LZO algorithm (--compress lzo)" and then you changed it to one of the Legacy LZO options in that drop-down list. Importing the new client configuration file should then resolve the problem.
I would suggest using "No Preference" instead to mitigate VORACLE attacks. This *should* disable compression entirely. The default compression configuration item is now --allow-compression no, which causes the server to refuse any clients attempting to use non-stub compression. So if a client still tries to use compression, a stub type will be negotiated.
Quote from: sos_opnsense on April 28, 2023, 06:56:57 AM
I ran into a similar error with the cipher fallback option not working due to OPNsense vs OpenVPN client version changes & differences and resulting incompatibilities.
This is because the OpenVPN Connect for Android (presently v3.3.4 (9290)) is based on openvpn3 which tracks the OpenVPN 2.x stream but presently lags behind somewhat. I do believe a workaround was provided in Github issue #6420 (https://github.com/opnsense/core/issues/6420).
That being said, you could try --cipher none, which is equivalent to setting Encryption algorithm (deprecated) in your server's Cryptographic Settings to "None". I would also set TLS Authentication to "Enabled - Authentication only".
Again, importing the new client configuration file should then resolve the problem.
I use a different OpenVPN server vendor for my Android clients and it doesn't implement the --cipher none option, so I am unable to properly test the client in this case. However, I can confirm that the Android client will use stub compression options for the tunnel if available.
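A small check for the profile settings this thread turns on (compress/comp-lzo and cipher none), added here as an illustration; it is not OPNsense's or OpenVPN's own code, and the sample profile, STUB_ALGS and the function names are assumptions.

```python
# Constructed sample: the shape of an OPNsense-exported client profile with
# Compression set to "Enabled - LZO algorithm", plus a legacy CBC cipher line.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
<ca>
-----BEGIN CERTIFICATE-----
(placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
compress lzo
cipher AES-256-CBC
tls-auth ta.key 1
"""

# Algorithms that only add compression framing; no payload is compressed.
STUB_ALGS = {"stub", "stub-v2"}


def parse_directives(text):
    """Yield (directive, args) per config line, skipping comments and the
    contents of inline <ca>/<cert>/<key>-style blocks."""
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):      # closing tag of an inline block
            in_block = False
            continue
        if line.startswith("<"):       # opening tag: skip until closed
            in_block = True
            continue
        if in_block:
            continue
        parts = line.split()
        yield parts[0], parts[1:]


def lint_profile(text):
    """Return {directive: message} for settings worth fixing before import."""
    findings = {}
    for name, args in parse_directives(text):
        if name == "compress" and args and args[0] not in STUB_ALGS:
            findings["compress"] = (f"'compress {args[0]}' enables real compression "
                                    "(VORACLE exposure); set Compression to No Preference")
        elif name == "comp-lzo" and (not args or args[0] != "no"):
            findings["comp-lzo"] = "legacy 'comp-lzo' enables compression (deprecated, VORACLE exposure)"
        elif name == "cipher" and args and args[0].lower() == "none":
            findings["cipher"] = "'cipher none' leaves the tunnel payload unencrypted"
    return findings
```

Run lint_profile() over an exported .ovpn before importing it on the phone; an empty result means none of the three settings discussed above is present.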