
Compression "comp-lzo no" in openVPN client file not supported

Hi there.

I'm using XG Home with the latest SFOS 19.5.3 MR-3-Build652, exporting the OpenVPN SSL file and using it on iOS 17.0.3 with OpenVPN App V. 3.4.0. In the advanced settings of the OpenVPN app there is an option for a recommended security level. If I choose it, I get an error message:

server pushed compression settings that are not allowed and will result in a non-working connection

and the connection fails. I tried deleting this line (comp-lzo no) in the openvpn file and managed to connect without an error, but there is no connection. I've also tried putting a semicolon before this line in client-config-template.ovpn over ssh. Again, no chance to connect properly.

Any pointer to a solution would be fine.

Thanks

btw: Some more info regarding the comp-lzo option.



  • Hey  ,

    Thank you for reaching out to the community. The following are the parameter options you can opt for:

    client
    dev tun
    proto [<OPENVPN_PROTOCOL>]
    verify-x509-name "[<OPENVPN_SERVER_DN>]"
    ;route remote_host 255.255.255.255 net_gateway
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca [<OPENVPN_CA_FILE>]
    cert [<OPENVPN_CLIENT_CERT>]
    key [<OPENVPN_CLIENT_KEY>]
    auth-user-pass
    cipher [<OPENVPN_CIPHER>]
    auth [<OPENVPN_AUTH>]
    comp-lzo [<OPENVPN_COMPRESSION>]
    ;can_save [<OPENVPN_SEVECREDENTIAL>]
    ;otp [<OPENVPN_TWOFATOKEN>]
    ;run_logon_script [<OPENVPN_ADLOGON>]
    ;auto_connect [<OPENVPN_AUTOCONNECT>]
    ;route-delay 4
    verb 3
    reneg-sec 0

     XG - RR  Temporary Fix OpenVPN (3.4.0)

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience


  • I didn't change comp-lzo to yes because this option is no longer supported. There have been known vulnerabilities in compression with OpenVPN since 2018, according to this OpenVPN site. So better not to use it.

  • I have the same problem. Can you please tell me how you solved this issue?

    Thanks

  • Use only the following parameters and delete all the rest. It works for me:

    client
    dev tun
    proto udp
    explicit-exit-notify
    verify-x509-name "xxxxxxxxx"
    route remote_host 255.255.255.255 net_gateway
    resolv-retry infinite
    nobind
    persist-key
    persist-tun

  • I'm able to connect, but I can't reach any internal or external (internet) hosts.

  • Hello, I got rid of this message after changing the security level in the openvpn app (3.4.1) to "Legacy".

    It's under settings -> advanced settings -> security level

    Sophos should remove deprecated settings or implement WireGuard :-)

    SFOS v20

  • We are looking into this actively. Currently “comp-lzo” is the attribute causing some issues in making it work with the “preferred” security level.

    With the latest release of Android (3.4.0), there seems to be some issue with “comp-lzo no” and legacy mode too, which is highlighted in the OpenVPN community at https://forums.openvpn.net/viewtopic.php?t=43571.

    The current workaround to make Android-based OpenVPN Connect clients work is to enable “compression” in the SFOS global settings and reimport the configuration.

    | Openvpn Connect version | Security Level | Compression on SFOS | Tunnel status | Data plane |
    |---|---|---|---|---|
    | Android Phone, Openvpn Connect 3.4.0 | Legacy | ON | Up | Up |
    | Android Phone, Openvpn Connect 3.4.0 | Legacy | OFF | Up | Down. Error: 2024-01-30 10:18:08Z [7565] user1/xx: 35854 Bad compression stub decompression header byte:251 |
    | iOS Phone, Openvpn Connect 3.4.1 | Legacy | ON/OFF | Up | Up |
    | MacOS, Openvpn Connect 3.4.8 | Legacy | ON/OFF | Up | Up |
    | Windows, Openvpn Connect 3.4.3 | Legacy | ON/OFF | Up | Up |
    | Windows, Sophos Connect Client | - | ON/OFF | Up | Up |
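
An added example, not part of the thread and not Sophos or OpenVPN code: a small Python check for the compression directives discussed above. It relies on the OpenVPN 2.x manual's semantics, under which `comp-lzo no` turns compression off but still enables compression framing, so a client profile with that line deleted or commented out no longer matches a server that keeps the framing. The function name, verdict labels and sample profiles are constructed for this example.

```python
# Classification of OpenVPN 2.x compression directives by their argument.
# "" means the directive was given without an argument.
COMPRESSING = {"comp-lzo": {"", "yes", "adaptive"},   # comp-lzo defaults to adaptive
               "compress": {"lzo", "lz4", "lz4-v2"}}
FRAMING_ONLY = {"comp-lzo": {"no"},                   # framing on, compression off
                "compress": {"", "stub", "stub-v2"}}


def audit_compression(profile_text):
    """Return (line_no, directive, verdict) for each active compression setting.

    Verdicts (labels are this example's own):
      compresses      - payload compression is enabled (the risky setting)
      framing-only    - no compression, but the peer must use the same framing
      policy          - allow-compression line (OpenVPN 2.5+), review its value
      review-manually - argument not classified here (e.g. "compress migrate")
    """
    findings = []
    for no, raw in enumerate(profile_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in ";#":   # ';' and '#' start comments in .ovpn files
            continue
        parts = line.split()
        name = parts[0].lower()
        arg = parts[1].lower() if len(parts) > 1 else ""
        if name in COMPRESSING:
            if arg in COMPRESSING[name]:
                verdict = "compresses"
            elif arg in FRAMING_ONLY[name]:
                verdict = "framing-only"
            else:
                verdict = "review-manually"
            findings.append((no, line, verdict))
        elif name == "allow-compression":
            findings.append((no, line, "policy"))
    return findings


# Constructed sample profiles: one as exported with "comp-lzo no",
# one with the line commented out as tried in the first post.
EXPORTED = "client\ndev tun\nproto udp\ncomp-lzo no\nverb 3\n"
EDITED = "client\ndev tun\nproto udp\n;comp-lzo no\nverb 3\n"

if __name__ == "__main__":
    for label, text in (("exported", EXPORTED), ("edited", EDITED)):
        print(label, audit_compression(text))
```

An empty result for the edited profile means the client no longer requests compression framing at all, which is worth comparing against the server-side setting before reimporting the configuration.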