OpenVPN setting: Compression - No Preference

Started by JohnDoe17, October 18, 2021, 05:20:03 PM

@benyamin - so which is the best (most secure) compression option to select in OPNsense?

TIA.

In the current version (OPNsense 23.1.7 / OpenVPN 2.6.3) the following settings mitigate VORACLE attack vectors:

Server: --compress migrate in the Advanced configuration: Advanced box
Client: Enabled - Stub v2 algorithm (--compress stub-v2)

A Feature Request has been lodged (#6559) to add the --compress migrate option to the server configuration drop-down list, and to make several other changes, including renaming certain settings and help text, etc. I will update this post if any changes are merged.

It should be noted that some VPN providers will not respect your client options. Also, v2.6.2 clients will refuse the tunnel if a compression mismatch is detected, which is not a bug but a failsafe.
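To make the distinction in the post above concrete (framing-only settings such as stub-v2 and migrate versus settings that actually compress plaintext, which is what VORACLE-style attacks need), here is an added audit script. It is not code from OPNsense, OpenVPN or the poster; it parses the compression-related directives of an OpenVPN config (compress, comp-lzo, allow-compression, and the same directives inside push "...") and reports which ones would let tunnel payload be compressed. The sample configs embedded at the bottom are constructed for the example, and the host name in them is a placeholder.

```python
"""Audit an OpenVPN configuration for payload-compression directives.

Added example, not code from OPNsense or the OpenVPN project. It reads
the directives that control compression and reports which of them
actually compress tunnel payload (the precondition VORACLE relies on)
versus which only keep the compression framing (stub / stub-v2 /
migrate) or forbid compression outright.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass

# "compress" arguments that keep the framing but never compress payload.
COMPRESS_NO_PAYLOAD = {"", "stub", "stub-v2", "migrate"}
# "compress" arguments that enable a real algorithm.
COMPRESS_ALGORITHMS = {"lzo", "lz4", "lz4-v2"}


@dataclass
class Finding:
    line_no: int
    directive: str
    severity: str  # "ok", "warn" or "risk"
    reason: str


def _tokens(raw: str) -> list[str]:
    """Split one config line into tokens; '#' and ';' start comments."""
    lex = shlex.shlex(raw, posix=True)
    lex.whitespace_split = True
    lex.commenters = "#;"  # OpenVPN accepts both as comment markers
    return list(lex)


def _classify(tokens: list[str], line_no: int, pushed: bool = False) -> Finding | None:
    """Map a compression-related directive to a Finding, or None if unrelated."""
    name = tokens[0].lower()
    arg = tokens[1].lower() if len(tokens) > 1 else ""
    shown = ("push " if pushed else "") + " ".join(tokens)
    if name == "compress":
        if arg in COMPRESS_ALGORITHMS:
            return Finding(line_no, shown, "risk", "plaintext is compressed before encryption")
        if arg in COMPRESS_NO_PAYLOAD:
            return Finding(line_no, shown, "ok", "compression framing only, payload is not compressed")
        return Finding(line_no, shown, "warn", "unrecognised compress argument")
    if name == "comp-lzo":
        if arg == "no":
            return Finding(line_no, shown, "ok", "deprecated directive, but payload is not compressed")
        return Finding(line_no, shown, "risk", "legacy LZO compression is enabled")
    if name == "allow-compression":
        if arg == "no":
            return Finding(line_no, shown, "ok", "compression refused even if the peer asks for it")
        if arg == "asym":
            return Finding(line_no, shown, "ok", "incoming packets decompressed, outgoing never compressed")
        return Finding(line_no, shown, "risk", "compression may be negotiated in both directions")
    return None


def audit_config(text: str) -> list[Finding]:
    """Return one Finding per compression-related directive in the config."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        tokens = _tokens(raw)
        if not tokens:
            continue
        if tokens[0].lower() == "push" and len(tokens) > 1:
            # push "compress stub-v2" arrives as one quoted token; split it again.
            inner = _tokens(tokens[1])
            finding = _classify(inner, line_no, pushed=True) if inner else None
        else:
            finding = _classify(tokens, line_no)
        if finding:
            findings.append(finding)
    return findings


def compresses_payload(text: str) -> bool:
    """True if any directive would let tunnel payload be compressed."""
    return any(f.severity == "risk" for f in audit_config(text))


# Constructed sample configs (not real deployments; host is a placeholder).
SERVER_MIGRATE = """\
# OPNsense server with 'compress migrate' in the Advanced box
dev tun
proto udp
compress migrate
push "compress stub-v2"
"""

CLIENT_STUB_V2 = """\
client
remote vpn.example.invalid 1194   # placeholder host
compress stub-v2
"""

CLIENT_LEGACY = """\
client
remote vpn.example.invalid 1194
comp-lzo yes   # legacy adaptive LZO
allow-compression yes
"""

if __name__ == "__main__":
    for label, cfg in (("server", SERVER_MIGRATE), ("client", CLIENT_STUB_V2), ("legacy", CLIENT_LEGACY)):
        print(f"{label}: compresses payload = {compresses_payload(cfg)}")
        for f in audit_config(cfg):
            print(f"  line {f.line_no}: [{f.severity}] {f.directive}: {f.reason}")
```

Run it against an exported client profile or the server's Advanced box contents; a "risk" finding means the peer can end up compressing plaintext, an "ok" finding means only the framing is negotiated, which is the state the settings in the post above leave both sides in.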

May 13, 2023, 08:28:28 PM #17 Last Edit: May 13, 2023, 08:33:05 PM by hushcoden
Great, thanks (as for me, I was interested in the settings from a client perspective).

Besides, I had a look at the OpenVPN server configuration file from ProtonVPN and they mention some additional settings such as
nobind
setenv CLIENT_CERT 0
fast-io

Should I consider adding any of those?

Quote from: hushcoden on May 13, 2023, 08:28:28 PM
...I had a look at the OpenVPN server configuration file from ProtonVPN and they mention some additional settings such as
nobind
setenv CLIENT_CERT 0
fast-io

Should I consider adding any of those?
IMHO, not nobind, nor the setenv statement, but maybe fast-io.
It's a bit beyond the scope of this topic.
You can likely find some answers in the reference manual:
https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/
https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html (Latest)
OPNsense is a little in between these two.