Page 7 of 8
Results 61 to 70 of 77
  1. #61
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,184

    Default

    Yeah, if you kill NAT, you can use static routes to push traffic destined to the new OpenVPN address pool to the correct Untangle.

    Same gig for IP ranges beyond any tunnels.

    It's not hard, but it's not... easy either.
    Last edited by sky-knight; 08-13-2019 at 02:24 PM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  2. #62
    Untanglit
    Join Date
    Feb 2019
    Posts
    15

    Default

    Okay, so I read through this topic and tried a few suggestions, but I can't turn compression off server side. The OpenVPN client pushed an update today that turns compression off by default. Which is all fine, I can just turn it back on in the client, but I'd rather just turn it off server side. What are the steps to do this properly, and would I have to assign new certs?

  3. #63
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,184

    Default

    Everything you need is on the advanced tab of the OpenVPN module's settings. All you're doing is excluding the compression line in the server and client settings. Just tick the box on the line you need gone, and click save.

    Now, you don't need to issue new certificates, but you will need to either redistribute the client OR manually edit the client's configuration file to reflect the removal of the compress directive.

  4. #64
    Untanglit
    Join Date
    Feb 2019
    Posts
    15

    Default

    Quote Originally Posted by sky-knight View Post
    Everything you need is on the advanced tab of the OpenVPN module's settings. All you're doing is excluding the compression line in the server and client settings. Just tick the box on the line you need gone, and click save.

    Now, you don't need to issue new certificates, but you will need to either redistribute the client OR manually edit the client's configuration file to reflect the removal of the compress directive.
    So if I understand this, all I need to do is exclude compress lz4 from server & client? That's all I have in the advanced tab, if I'm not mistaken. I actually thought LZ4 was the old whatever-it's-called. I just want compression off because I'm tired of changing settings in the client apps because they can't make up their minds about compression. Thank you for the info.

    I also like how in the updated Android OpenVPN client they say that if I enable compression it's insecure. True or not true?
    Last edited by pcwatermods; 08-25-2019 at 05:39 PM.

  5. #65
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,184

    Default

    That "insecurity" basically requires the VPN server to be compromised already. It is an additional potential, but I don't think it's a realistic concern, especially considering the performance penalties associated with not compressing the traffic.

    But yes, it is a real concern, and it's not critical, more of an abundance-of-caution thing.

  6. #66
    Untanglit
    Join Date
    Jul 2012
    Posts
    24

    Default

    I'm SURE it's a bad idea for security alone, hopefully not some violation of something, but if you're like I am and stuck needing to install a client without blowing up all the users who are blissfully connecting without issue, you can find older OpenVPN clients on their download site: https://build.openvpn.net/downloads/releases/

  7. #67
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,192

    Default

    Quote Originally Posted by Griffon4 View Post
    I'm SURE it's a bad idea for security alone, hopefully not some violation of something, but if you're like I am and stuck needing to install a client without blowing up all the users who are blissfully connecting without issue, you can find older OpenVPN clients on their download site: https://build.openvpn.net/downloads/releases/
    This thread: https://forums.untangle.com/openvpn/...r-servers.html has both a fix to allow new clients to connect to older OpenVPN server installs with an MD5 certificate, and an effective migration procedure from MD5 to SHA without disrupting existing users. There's no reason to hunt down older clients nor continue running with MD5 forever.

  8. #68
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,184

    Default

    There's also this: https://openvpn.net/security-advisor...vulnerability/

    Followed up by this: https://community.openvpn.net/openvpn/wiki/VORACLE

    The vulnerability in question is not trivial to exploit, and if an attacker has sufficient access to exploit your network with VORACLE, you've already lost your network to something else.

    Indeed, the only way it can be exploited in the wild is if you're running HTTP traffic over a compressed OpenVPN tunnel. When I read my logs, there is almost zero TCP 80 traffic on my network in general. So there's nothing to infer, because the user would have to be accessing a login page of some sort, operating over TCP 80, AND passing through a compressed OpenVPN tunnel to line up all the magic conditions required for VORACLE to be possible, much less actually happening.

    So... Untangle admins... do you still use ancient equipment with TCP 80 login screens? Connecting to those over OpenVPN is a risk. But, oh wait... I suspect most of you probably RDP to the network in question and connect from a browser on that machine, because that old gear also has an annoying tendency to not be very compatible with remote management anyway.

    BUT, if you read the development discussion, it's clear that OpenVPN is probably going to ditch compression entirely in the long haul.

    So, if you want to redeploy, you're free to exclude the compression directives from the client and the server and go to town. If you're patient, at some point in the future we should gain the ability for a server to service both compressed and uncompressed clients to afford a smoother migration. Now, why by default Untangle compresses with the current defaults, I do not understand at this time. I assume the decision was made using information I don't have at the moment.

    VORACLE has nothing to do with the MD5 / SHA problem. That's utterly separate, and has to be managed too. But again if you're going to pave and redeploy, and you haven't done so already, disabling compression while you're at it seems like a great way to save yourself another nuke and pave in the future. Or at very least, a bunch of busywork managing client configuration changes.
    Last edited by sky-knight; 08-27-2019 at 08:23 AM.

  9. #69
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,192

    Default

    Quote Originally Posted by sky-knight View Post
    So, if you want to redeploy, you're free to exclude the compression directives from the client and the server and go to town. If you're patient, at some point in the future we should gain the ability for a server to service both compressed and uncompressed clients to afford a smoother migration. .....
    ... But again if you're going to pave and redeploy, and you haven't done so already, disabling compression while you're at it seems like a great way to save yourself another nuke and pave in the future. Or at very least, a bunch of busywork managing client configuration changes.
    The best way to handle this I think is set "Compress" on the client side (which only sets up for the possibility of compression, but does not actually enable it), then use the PUSH directive on the server side to push LZO, LZ4 or not as desired. That way you can turn compression on or off as needed from the server without messing with the clients.

  10. #70
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,192

    Default

    Indeed, it says in that OpenVPN security advisory in the mitigation section:
    The client connection profiles may still provide an instruction to enable compression, but it will be disabled if the server denies the use of compression.
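A small check of the posture described in #69 and #70, as an added example that is not Untangle's or OpenVPN's own code: it parses client and server config text and reports what each side enables, so you can confirm the client only sets up framing and the server decides. The `compress`, `comp-lzo` and `push "compress ..."` directives are OpenVPN's; the `audit()` helper, its `compression_off` / `server_decides` labels and the sample configs are constructed for this example.

```python
import shlex

# `compress` values that really compress; `stub` and `stub-v2` keep framing only.
COMPRESSING = {"lzo", "lz4", "lz4-v2"}

def directives(config_text):
    """Yield (name, args) for each active line; push "..." lines yield the inner directive."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = shlex.split(line)
        if parts[0] == "push" and len(parts) > 1:
            yield "push", shlex.split(parts[1])
        else:
            yield parts[0], parts[1:]

def local_compression(config_text):
    """Compression the config enables on its own: algorithm name, "framing-only", or None."""
    for name, args in directives(config_text):
        if name == "comp-lzo":  # legacy directive; only `comp-lzo no` turns it off
            return None if args == ["no"] else "lzo"
        if name == "compress":  # bare `compress` or `compress stub*` enables framing only
            return args[0] if args and args[0] in COMPRESSING else "framing-only"
    return None

def pushed_compression(server_text):
    """What push "compress ..." sends to clients: algorithm name, "framing-only", or None."""
    for name, args in directives(server_text):
        if name == "push" and args and args[0] == "compress":
            return args[1] if len(args) > 1 and args[1] in COMPRESSING else "framing-only"
    return None

def audit(client_text, server_text):
    """Summarise both sides; the posture from the posts is client framing-only, server decides."""
    client, pushed = local_compression(client_text), pushed_compression(server_text)
    return {
        "client": client,
        "pushed": pushed,
        "compression_off": client not in COMPRESSING and pushed not in COMPRESSING,
        "server_decides": client == "framing-only",
    }

# Constructed sample pairs: the `compress lz4` default the thread describes, and the migrated one.
DEFAULT_CLIENT = "client\ndev tun\ncompress lz4\n"
DEFAULT_SERVER = "dev tun\ncompress lz4\n"
MIGRATED_CLIENT = "client\ndev tun\ncompress\n"
MIGRATED_SERVER = 'dev tun\ncompress stub-v2\npush "compress stub-v2"\n'
```

Run `audit()` over an exported client profile and the server's config to see whether a later change can be made from the server alone or needs clients redistributed.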
