  1. #1
    sky-knight (Untangle Ninja)

    Soft Migration to Eliminate the Compress directive

    Pursuant to: https://community.openvpn.net/openvpn/wiki/VORACLE

    Anyone that has replaced their OpenVPN module and redeployed to fix MD5 recently will find they have an OpenVPN configuration with compress lz4 in the configuration files. This exists on both the client side and the server side.

    Since we need to eliminate compression due to VORACLE, as well as the fact that OpenVPN will be eliminating compression support entirely at some point in the future, we have a problem to manage. Admins that found these forums and followed my previous recommendations to simply exclude the compress directives in the client and server sections of OpenVPN's advanced tab can ignore all of this, because when they pushed out their SHA-based clients with compression disabled they're already set for the future.

    But what about the people that took the defaults and ran with it? Are they to be left with yet another nuke and pave? No... they aren't.

    With Untangle's default compress directives excluded in OpenVPN's Advanced tab, the next step is to add two more configuration lines to the Server Configuration section.

    (Please note, the quotes matter)

    Option Name: push
    Option Value: "compress stub-v2"

    Option Name: compress
    Option Value: stub-v2

    This configuration allows OpenVPN clients v2.4 or greater configured with compression on the client side to connect, alongside clients that do NOT have compression set. Once all of the clients have been updated to not have compress directives in their .OVPN files, either via manual edits or client redeployment, the admin can then safely remove the two custom lines and be in a no compression state.

    Fair warning, I only tested with the Windows client while working on this; I have no idea if it cooperates with mobile clients.

    And if you've still got OpenVPN v2.3 clients kicking around... well you're SOL on those because that's like WinXP... beyond support and busted. You're probably going to have to get rid of the old comp-lzo lines manually to get them to work again. I don't have any more around to test with. It's best to reinstall these systems with a newer OpenVPN version.
    Last edited by sky-knight; 04-01-2020 at 08:46 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
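
Added example, not part of the original post or of Untangle's code: a small audit that scans client .ovpn profiles for active compress / comp-lzo lines, so an admin can tell when every client is clean and the two temporary stub-v2 server lines can be removed. The sample profiles, hostnames, and the status labels ("ready", "needs-edit", "comp-lzo") are constructed for illustration.

```python
import re
import sys

# Constructed sample client profiles (assumption: not taken from the post).
SAMPLES = {
    "legacy-default.ovpn": "client\nremote vpn.example.com 1194\ncompress lz4\n",
    "old-style.ovpn": "client\nremote vpn.example.com 1194\ncomp-lzo yes  # old style\n",
    "clean.ovpn": "client\nremote vpn.example.com 1194\n;compress lz4\n# comp-lzo\n",
}

# An active directive starts the line; '#' or ';' begins a comment.
DIRECTIVE = re.compile(r"^\s*(compress|comp-lzo)\b\s*([^#;]*)")

def compression_directives(text):
    """Return [(line_no, directive, argument)] for uncommented compression lines."""
    found = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("#", ";")):
            continue  # whole line is commented out
        m = DIRECTIVE.match(line)
        if m:
            found.append((no, m.group(1), m.group(2).strip()))
    return found

def classify(text):
    """Hypothetical status labels for one client profile."""
    hits = compression_directives(text)
    if not hits:
        return "ready"        # no compress directive left in this profile
    if any(name == "comp-lzo" for _, name, _ in hits):
        return "comp-lzo"     # old comp-lzo line: the post says remove these by hand
    return "needs-edit"       # compress <alg>: still depends on the stub-v2 lines

def safe_to_remove_stub(profiles):
    """True only when every profile is free of compression directives."""
    return all(classify(text) == "ready" for text in profiles.values())

if __name__ == "__main__":
    # Pass real .ovpn paths as arguments; with none, the constructed samples are used.
    profiles = {p: open(p, encoding="utf-8", errors="replace").read()
                for p in sys.argv[1:]} or SAMPLES
    for name, text in profiles.items():
        print(f"{name}: {classify(text)} {compression_directives(text)}")
    print("safe to remove stub-v2 lines:", safe_to_remove_stub(profiles))
```
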
