openVPN 3.4.0 problem

Hi Jimmy Karnaby

Please try link :  Sophos Firewall: Temporary Fix OpenVPN (3.4.0) Unsupported Options error  and keep compression turned ON and keep the 'Legacy' mode under OpenvPN under Settings > Advanced Settings > Lecagy.

Regards

Genuine question - Why compression ON? What is the reasoning here?

Isn't compression OFF by default in OpenVPN (and hence, openvpn client is best suited to handle it OFF) and isn't Sophos SSL VPN OpenVPN based, in which case compression is advised against because it can be exploited by VORACLE attack?

Even if we consider only bandwith saving measures it's not something that needs to be ON. Most traffic is not compressible since it is already compressed or it is already encrypted and can't be compressed. On small porton of thet traffic that can be compressed on vpn layer the issue is that lzo based vpn encryption is fairly inefficient since it works on one packet at a time. Higher protocol layers offer much better efficiency with compression and save more bandwith overall.

Genuine question - Why compression ON? What is the reasoning here?

Isn't compression OFF by default in OpenVPN (and hence, openvpn client is best suited to handle it OFF) and isn't Sophos SSL VPN OpenVPN based, in which case compression is advised against because it can be exploited by VORACLE attack?

Even if we consider only bandwith saving measures it's not something that needs to be ON. Most traffic is not compressible since it is already compressed or it is already encrypted and can't be compressed. On small porton of thet traffic that can be compressed on vpn layer the issue is that lzo based vpn encryption is fairly inefficient since it works on one packet at a time. Higher protocol layers offer much better efficiency with compression and save more bandwith overall.

Hi  Amilmar 

The above suggestion is a workaround as of now, it seems there issue with “comp-lzo no” and legacy mode too, which is highlighted in the OpenVPN community at https://forums.openvpn.net/viewtopic.php?t=43571.

Thanks and Regards

Hi Amilmar Please find the below latest RR which summarizes all the details on the this:

Sophos Firewall: Temporary Fix OpenVPN (3.4.0) No Compression (Android Devices)

community.sophos.com/.../sophos-firewall-temporary-fix-openvpn-3-4-0-no-compression-android-devices

would editing config template to comment out comp-lzo no (same as commenting out route-delay 4, which is inserted by default into config file) also work?

Why do we even have to do workarounds like this? Can Sophos just align it's SSL VPN implementation with latest best practices and develop fully featured Sophos Connect client for macOS, Android and iOS? Doesn't seem like that big of an ask.

@Amilmar, commenting out comp-lzo will not help having data path (traffic) working from Android devices; route-delay is a different issue where its presence on .ovpn file creates .ovpn file import issue into OpenVPN Connect. The issue with the compression is only with the Android devices and that to tunnel comes UP, but data traffic sent from Client to Server (SFOS) has mismatched settings and server indicates with the log - 'Bad compression stub decompression header byte'.