Compression "comp-lzo no" in openVPN client file not supported

Hi there.

Using XG Home with latest SFOS 19.5.3 MR-3-Build652, exporting the openVPN SSL file and using it on iOS 17.0.3 openVPN App V. 3.4.0. In the advanced settings of the openvpn app there is an option for a recommended security level. If I choose it, I get an error message:

    server pushed compression settings that are not allowed and will result in a non-working connection

and the connection fails. I tried deleting this line (comp-lzo no) in the openvpn-file and managed to connect without an error, but there is no connection. I've also tried to put a semicolon before this line in client-config-template.ovpn over ssh. Again no chance to connect properly.

Any pointer to the solution would be fine.

Thanks

btw: Some more info regarding the comp-lzo option.



This thread was automatically locked due to age.
  • Hey  ,

    Thank you for reaching out to the community. The following are the parameter options you can opt for:

    client
    dev tun
    proto [<OPENVPN_PROTOCOL>]
    verify-x509-name "[<OPENVPN_SERVER_DN>]"
    ;route remote_host 255.255.255.255 net_gateway
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca [<OPENVPN_CA_FILE>]
    cert [<OPENVPN_CLIENT_CERT>]
    key [<OPENVPN_CLIENT_KEY>]
    auth-user-pass
    cipher [<OPENVPN_CIPHER>]
    auth [<OPENVPN_AUTH>]
    comp-lzo [<OPENVPN_COMPRESSION>]
    ;can_save [<OPENVPN_SEVECREDENTIAL>]
    ;otp [<OPENVPN_TWOFATOKEN>]
    ;run_logon_script [<OPENVPN_ADLOGON>]
    ;auto_connect [<OPENVPN_AUTOCONNECT>]
    ;route-delay 4
    verb 3
    reneg-sec 0

     XG - RR  Temporary Fix OpenVPN (3.4.0)

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience


    • I didn't change comp-lzo to yes because this option is no longer supported. There are known vulnerabilities on compression with OpenVPN since 2018 according to this OpenVPN-Site. So better not to use.

    •  I have the same problem, can you please tell me how you solved this issue?

      Thanks

      • Use only the following parameters and delete all the rest. It works for me:

        client
        dev tun
        proto udp
        explicit-exit-notify
        verify-x509-name "xxxxxxxxx"
        route remote_host 255.255.255.255 net_gateway
        resolv-retry infinite
        nobind
        persist-key
        persist-tun

    • Hello, I got rid of this message after changing the security level in the openvpn app (3.4.1) to "Legacy".

      It's under settings -> advanced settings -> security level

      Sophos should remove deprecated settings or implement Wireguard :-)

      SFOS v20

      • We are looking into this actively; currently “comp-lzo” is the attribute causing some issues in making it work with the “preferred” security level.

        With the latest release of Android (3.4.0), there seems to be some issue with “comp-lzo no” and legacy mode too, which is highlighted in the OpenVPN community at https://forums.openvpn.net/viewtopic.php?t=43571.

        The current workaround to make Android-based OpenVPN Connect clients work is to enable “compression” in the SFOS global settings and reimport the configuration.

        | Openvpn Connect version | Security Level | Compression on SFOS | Tunnel status | Data plane |
        |---|---|---|---|---|
        | Android Phone, Openvpn Connect 3.4.0 | Legacy | ON | Up | Up |
        | Android Phone, Openvpn Connect 3.4.0 | Legacy | OFF | Up | Down. Error: 2024-01-30 10:18:08Z [7565]   user1/xx: 35854 Bad compression stub decompression header byte:251 |
        | iOS Phone, Openvpn Connect 3.4.1 | Legacy | ON/OFF | Up | Up |
        | MacOS, Openvpn Connect 3.4.8 | Legacy | ON/OFF | Up | Up |
        | Windows, Openvpn Connect 3.4.3 | Legacy | ON/OFF | Up | Up |
        | Windows, Sophos Connect Client | - | ON/OFF | Up | Up |
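
An added example, not code from this thread, Sophos or OpenVPN: a small Python linter for exported .ovpn profiles that lists every compression directive, marks lines disabled with a leading `;` or `#`, and separates modes that compress from `comp-lzo no`, which still enables compression framing. The sample profile and all function names are constructed for illustration; the check reads only the client file and cannot see what the server pushes.

```python
import re

# Arguments that compress payloads vs. those that only enable compression framing.
COMPRESSES = {"comp-lzo": {"", "yes", "adaptive"}, "compress": {"lzo", "lz4", "lz4-v2"}}
FRAMING_ONLY = {"comp-lzo": {"no"}, "compress": {"", "stub", "stub-v2"}}

# Constructed sample profile (not taken from the thread).
SAMPLE = """\
client
dev tun
proto udp
;comp-lzo yes
comp-lzo no
<ca>
-----BEGIN CERTIFICATE-----
compress lz4
-----END CERTIFICATE-----
</ca>
verb 3
"""

def audit_profile(text):
    """Return (line, state, directive, arg, effect) for every compression directive."""
    findings, inline = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if inline:                       # inside <ca>...</ca> etc.: not directives
            if line == f"</{inline}>":
                inline = None
            continue
        tag = re.fullmatch(r"<([A-Za-z0-9_-]+)>", line)
        if tag:
            inline = tag.group(1)
            continue
        state = "active"
        if line[:1] in ("#", ";"):       # a leading ';' or '#' disables the line
            state, line = "commented", line[1:].strip()
        parts = line.split()
        if not parts or parts[0] not in COMPRESSES:
            continue
        arg = parts[1] if len(parts) > 1 and parts[1][0] not in "#;" else ""
        if arg in COMPRESSES[parts[0]]:
            effect = "compresses"
        elif arg in FRAMING_ONLY[parts[0]]:
            effect = "framing-only"
        else:
            effect = "unknown"           # e.g. an unexpanded template placeholder
        findings.append((lineno, state, parts[0], arg, effect))
    return findings

def active_compression(text):
    """Only the directives the client will actually apply."""
    return [f for f in audit_profile(text) if f[1] == "active"]
```

Running `audit_profile` over a profile before distributing it shows whether a compression line is still active or merely commented out.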