
Android + OpenVPN 3.4.0 + SSL VPN = No Traffic

Hello,

Began experiencing an issue with our SSL VPN connections when some Android tablets updated OpenVPN Connect app from 3.3.4 to 3.4.0.

Symptom:
SSL VPN connections are made successfully in 3.4.0 but no traffic flows. OpenVPN 3.4.0 is configured to use the 'Legacy' setting. I tried the others to no avail. OpenVPN log will show this error repeating every minute or so:

"TUN write exception: write_some: Invalid argument"

Workaround:
After removing various deprecated options (according to OpenVPN log) and lots of trial and error with no success I eventually stumbled on a workaround. Despite "Compress SSL VPN traffic" being disabled in SSL VPN global settings the Sophos Firewall still seems to be doing something regarding compression. Only when I manually change the 'comp-lzo' parameter to 'yes' in the ovpn file does the connection start passing traffic again. This message is then displayed in the OpenVPN log:

"EVENT: COMPRESSION_ENABLED info='Asymmetric compression enabled. Server may send compressed data. This may be a potential security issue.' trans=TO_DISCONNECTED"

Clearly this is not a good workaround with lots of devices/users. Is Sophos aware of this issue and will it be fixed?

Working OpenVPN 3.4.0 Config:

client
dev tun
proto udp
nobind
(keys removed)
auth-user-pass
cipher AES-128-CBC
auth SHA256
comp-lzo yes
verb 3
reneg-sec 86400
remote x.x.x.x 8443 udp

  • Hello Hugh,

    Originally, I was running an old version of OpenVPN, downloaded the configuration with Compress SSL VPN Traffic enabled in the Sophos Firewall, connected, and it worked.
    Upgraded OpenVPN to 3.4.0, connected but I wasn’t able to Ping
    In the Firewall, I disable Compress SSL VPN Traffic, and this automatically disconnected the SSL VPN user
    After the client connected automatically again, I manually disconnected OpenVPN from the mobile phone
    Connected again, and Ping started working

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hi Emmanuel,

    What you describe still requires re-downloading profiles which is not ideal if you have lots in the field. 

    Is there not a fundamental issue here - if compression is already disabled on both the firewall and the client, why is the firewall pushing asymmetric compression? Disabled should mean disabled, and this problem should in theory not occur in the first place?

    I have opened a support case: 07203703

  • Hello Greg Lowe, I'm having the exact same issue.

    OpenVPN Connect 3.4.0 on mobile devices has this issue. My workaround, for now (since I don't have many Android clients connecting to the VPN), was to downgrade the version of OpenVPN on the clients via APK and turn off the app auto update in the app store.

    Compression is clearly disabled in the profile "comp-lzo no".

    Let's hope OpenVPN can fix this since it's their issue. Make sure you open a ticket with them.

  • Hi António,

    I have also disabled app auto updates for now. I'm not convinced this is solely an OpenVPN issue, they have deprecated compression features with a view to removing them at some point. It appears that Sophos Firewall is still pushing some compression features despite both firewall and client options being disabled. This is causing the connection to not work properly with 3.4.0, presumably due to the deprecation.

  • That can also be the case. Let's hope this can be fixed quick by either side without much trouble at our end.

    Another alternative is to use the OpenVPN for Android by Arne Schwabe, it also uses the Android VPN API and it's a safe app.

  • Hi , We tested this internally. For now, with v19.5.MR4, compression should be turned ON and keep the 'Legacy' mode on OpenVPN Connect to enable the data plane. As António Carvalho pointed out, OpenVPN should fix this issue in their later versions.

    We will also discuss internally to come out with a solution so that legacy and latest OpenVPN clients work with SFOS seamlessly.

    For now, the workaround you mentioned is the way forward. 

  • Hello Greg,

    As I mentioned, that worked for me, and I didn't re-download the configuration. 

    Also, ask the end users to check that in OpenVPN under Settings > Advanced Settings > Legacy is selected.

    Thank you for the Case ID.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hi Sreenivasulu Naidu,

    Thank you for looking into this, I look forward to the solution, and in the meantime I will use the workaround.

  • Hi Emmanuel,

    I just want to point out to others that may be reading that it worked for you because you downloaded your profile when Compress SSL VPN Traffic was enabled. This function sets comp-lzo to yes in the profiles. If it is disabled comp-lzo is set to no in the profiles, which I imagine will be the case for a lot of users that had already downloaded profiles months/years previously and had no issue until this point. For those users - they will have to re-download the profiles (or manually edit existing ones) for this workaround to function.

    Further information on OpenVPN and deprecated compression here: https://community.openvpn.net/openvpn/wiki/Compression 

    Sreenivasulu Naidu's post below advises a future solution will be looked at which will hopefully take this into account.
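    To see which compression directive a downloaded profile actually carries, and to apply the manual 'comp-lzo yes' edit described above across many existing profiles without re-downloading them, here is an added Python example; it is not code from this thread, from Sophos or from OpenVPN, and the sample profile and its remote name are constructed.

```python
# Constructed sample profile mirroring the thread's config as the firewall
# writes it with "Compress SSL VPN traffic" disabled (keys and real remote omitted).
SAMPLE_PROFILE = """client
dev tun
proto udp
nobind
auth-user-pass
cipher AES-128-CBC
auth SHA256
comp-lzo no
verb 3
reneg-sec 86400
remote vpn.example.invalid 8443 udp
"""

def compression_state(profile_text):
    """Describe what the profile asks for. Handles the legacy
    'comp-lzo [yes|no|adaptive]' (no argument means adaptive) and the newer
    'compress [algo]' (no argument means framing only, no compression).
    A later directive overrides an earlier one, as OpenVPN does."""
    state = "none"
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # comment lines
            continue
        parts = line.split()
        if parts[0] == "comp-lzo":
            mode = parts[1] if len(parts) > 1 else "adaptive"
            state = "none" if mode == "no" else f"lzo ({mode})"
        elif parts[0] == "compress":
            algo = parts[1] if len(parts) > 1 else "stub"
            state = "none" if algo in ("stub", "stub-v2") else algo
    return state

def apply_workaround(profile_text):
    """Set 'comp-lzo yes' as the thread's workaround does: replace any existing
    comp-lzo line (or append one) and drop 'compress' lines so the two
    directives do not conflict. Note OpenVPN's own warning that asymmetric
    compression is a potential security issue; this is a stopgap, not a fix."""
    out, found = [], False
    for raw in profile_text.splitlines():
        key = raw.strip().split(" ", 1)[0]
        if key == "comp-lzo":
            if not found:
                out.append("comp-lzo yes")
                found = True
            continue
        if key == "compress":
            continue
        out.append(raw)
    if not found:
        out.append("comp-lzo yes")
    return "\n".join(out) + "\n"
```

    Running compression_state over a directory of .ovpn files tells you which users still hold "comp-lzo no" profiles and therefore need the edit.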

  • Sophos Firewall is still clearly pushing compression on connection, even though it is marked as disabled. 

    We need a fix ASAP to stop the firewall pushing compression.