

openVPN 3.4.0 problem

Hello Dears,

I'm facing a problem with OpenVPN 3.4.0 (9755) on Android after the update.

My UCM is XGS2100 (SFOS 20.0.0 GA-Build222)

Any help, please?

Thank you.



  • Genuine question - Why compression ON? What is the reasoning here?

    Isn't compression OFF by default in OpenVPN (and hence, the OpenVPN client is best suited to handle it OFF), and isn't Sophos SSL VPN OpenVPN-based, in which case compression is advised against because it can be exploited by the VORACLE attack?

    Even if we consider only bandwidth-saving measures, it's not something that needs to be ON. Most traffic is not compressible since it is already compressed, or it is already encrypted and can't be compressed. On the small portion of the traffic that can be compressed on the VPN layer, the issue is that lzo-based VPN encryption is fairly inefficient since it works on one packet at a time. Higher protocol layers offer much better efficiency with compression and save more bandwidth overall.

  • Hi Amilmar,

    The above suggestion is a workaround as of now; it seems there is an issue with “comp-lzo no” and legacy mode too, which is highlighted in the OpenVPN community at https://forums.openvpn.net/viewtopic.php?t=43571.

    Thanks and Regards

    "Sophos Partner: Networkkings Pvt Ltd".


  • Hi, please find below the latest RR, which summarizes all the details on this:

    Sophos Firewall: Temporary Fix OpenVPN (3.4.0) No Compression (Android Devices)

    community.sophos.com/.../sophos-firewall-temporary-fix-openvpn-3-4-0-no-compression-android-devices

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • Would editing the config template to comment out comp-lzo no (same as commenting out route-delay 4, which is inserted by default into the config file) also work?

    Why do we even have to do workarounds like this? Can Sophos just align its SSL VPN implementation with the latest best practices and develop a fully featured Sophos Connect client for macOS, Android and iOS? Doesn't seem like that big of an ask.

  • @Amilmar, commenting out comp-lzo will not help in getting the data path (traffic) working from Android devices; route-delay is a different issue, where its presence in the .ovpn file creates an .ovpn file import issue in OpenVPN Connect. The issue with compression is only with Android devices, and that too, the tunnel comes UP, but data traffic sent from the client to the server (SFOS) has mismatched settings, and the server indicates this with the log 'Bad compression stub decompression header byte'.
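
Added example, not part of the thread and not Sophos or OpenVPN code: a small Python check that reads an .ovpn profile and reports the directives discussed above (comp-lzo, compress, route-delay), separating "framing only" from real payload compression. Directive meanings follow the OpenVPN 2.x manual; the function names and both sample profiles are constructed for illustration.

```python
"""Audit the compression directives of an OpenVPN profile (added example)."""

# Algorithms that keep compression framing but leave the payload uncompressed.
NO_PAYLOAD_COMPRESSION = {"", "stub", "stub-v2", "migrate"}

# Constructed sample profiles (not taken from a Sophos or OpenVPN install).
SAMPLE_CLIENT = "client\ndev tun\n;comp-lzo yes\ncomp-lzo no\nroute-delay 4\n"
SAMPLE_SERVER = "dev tun\ncompress lz4-v2\n"

def active_directives(text):
    """Yield (name, args) per active line; '#' and ';' start comment lines."""
    for raw in text.splitlines():
        parts = raw.strip().split()
        if parts and parts[0][0] not in "#;":
            yield parts[0], parts[1:]

def audit_profile(text):
    """Return the effective compression setting and findings for one profile."""
    res = {"setting": None, "framing": False, "compresses": False, "findings": []}
    for name, args in active_directives(text):
        if name == "comp-lzo":
            mode = args[0] if args else "adaptive"  # bare comp-lzo is adaptive
            res.update(setting=(name, mode), framing=True, compresses=mode != "no")
        elif name == "compress":
            algo = args[0] if args else ""  # bare compress: framing only
            res.update(setting=(name, algo), framing=True,
                       compresses=algo not in NO_PAYLOAD_COMPRESSION)
        elif name == "route-delay":
            res["findings"].append("route-delay set: thread reports import "
                                   "problems in OpenVPN Connect")
    if res["compresses"]:
        res["findings"].append("payload compression on: the condition "
                               "VORACLE depends on")
    elif res["framing"]:
        res["findings"].append("framing only: the peer must expect the "
                               "same compression framing")
    return res

def settings_differ(client_text, server_text):
    """True when the two configs carry different compression settings."""
    return (audit_profile(client_text)["setting"]
            != audit_profile(server_text)["setting"])

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_CLIENT)["findings"]:
        print(finding)
    print("differs from server:", settings_differ(SAMPLE_CLIENT, SAMPLE_SERVER))
```

Options pushed by the server at connect time are not visible in a static profile, so a difference reported here is a prompt for review rather than proof of a mismatch.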