Sophos Firewall: Temporary Fix OpenVPN (3.4.0) No Compression (Android Devices)

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Special thanks to: Giridhar Katti Sreenivasulu Naidu Alok

Overview
Background
Temporary Fix/Work Around
Additional Alternative

Overview

This recommended read describes the workaround regarding OpenVPN 3.4.x not connecting or traffic not flowing due to OpenVPN not providing any compression option in Preferred Mode.

Background

A new version 3.4.x of the OpenVPN Connect client was released recently. This version has two modes (can be selected in Advanced Settings) – Legacy and Preferred. After the upgrade, some users reported being unable to establish an SSL VPN tunnel with the Sophos Firewall, and some reported that the tunnel was established. Still, there’s no traffic going on the tunnel.

On further investigation, it was found that the new OpenVPN Connect version does not support any compression options in the configuration in the Preferred mode. This is also highlighted in the OpenVPN forum.

Temporary Fix/Work Around

For v19.5 and v20, the workaround is to use only the legacy mode of the OpenVPN Connect Client.

In OpenVPN Connect, go to Settings > Advanced Settings > Legacy.

Note: If "Preferred" mode is selected, the tunnel won’t come up

Note: If "Legacy" mode is selected, the problem is only seen when compression on the Sophos Firewall is set to OFF.

To confirm if the Sophos Firewall is using compression, go to Configure > Remote access VPN > SSL VPN > SSL VPN Global Settings > Advanced settings > Compress SSL VPN traffic.

If compression is OFF, please enable it by checking the check-box and the Users or Administrators will need to either:

Re-import/Download the OVPN file
Manually edit the OVPN file and set "comp-lzo yes" which would not require the re-download/import of the OVPN file.

This only affects Android users.


Openvpn Connect version	Security Level	Compression on SFOS	Tunnel status	Data plane
Android Phone Openvpn Connect 3.4.0	Legacy	ON	Up	Up
Android Phone Openvpn Connect 3.4.0	Legacy	OFF	Up	Down Error: 2024-01-30 10:18:08Z [7565] user1/xx: 35854 Bad compression stub decompression header byte:251
iOS Phone Openvpn Connect 3.4.1	Legacy	ON/OFF	Up	Up
MacOS Openvpn Connect 3.4.8	Legacy	ON/OFF	Up	Up
Windows Openvpn Connect 3.4.3	Legacy	ON/OFF	Up	Up
Windows Sophos Connect Client	-	ON/OFF	Up	Up

Additional Alternative

Additional alternatives shared by community members

Downgrade/Reinstall OpenVPN 3.3.4
OpenVPN for Android by Arne Schwabe (use at your own risk, but should be a safe App)

Added TAG
[edited by: Erick Jan at 8:48 AM (GMT -7) on 17 Sep 2024]

Top Replies

LuCar Toni 6 months ago in reply to FFin +2

SFOS offers multiple configs in V20.0 MR1 Based on the needs of the products you are using.

David Nienhaus 8 months ago

Shouldnt just commenting the line in the config work as well?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
Hugh D 6 months ago

Vishal_R

It appears that this issue is now present on iOS as well. OpenVPN Connect 3.4.2 on iOS is now behaving the same.

Please advise when the long term fix will be available?

Thanks,

Hugh.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
Vishal_R 6 months ago in reply to Hugh D

Hi Hugh D Fix work is already under progress and will be available with version 20.1. MR-1 which is expected to release by Q2 2024.

Regards,

Vishal Ranpariya
Technical Account Manager | Sophos Technical Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Cancel
Hugh D 6 months ago in reply to Vishal_R

Is there anything that is able to be manually implemented immediately? Or a hotfix that can be released? We now have a significant number of remote users effected.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
FFin 6 months ago in reply to Vishal_R

What kind of fix will that be?

I’ve raised a feature-request - might be useful to make “enable compression” not a global option, but profile-specific. So we could switch users one by one without having everyone to switch at same time. (SFSW-I-2125)
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
LuCar Toni 6 months ago in reply to FFin

SFOS offers multiple configs in V20.0 MR1

Based on the needs of the products you are using.

__________________________________________________________________________________________________________________
Cancel
Vote Up +2 Vote Down

Sign in to reply

Cancel
FFin 5 months ago in reply to Vishal_R

Will there be an update for Sophos UTM/SG as well? What's the current status on that?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
Vishal_R 5 months ago in reply to FFin

Hi FFin Currently for UTM9 OS Dev is working internally with ID NUTM-14705 to take care of such a situation on the UTM9 OS side. Workaround steps for UTM9 are documented in KBA below:

Sophos Firewall and Sophos UTM: Unable to connect or no traffic flows when using OpenVPN 3.4.0
support.sophos.com/.../KB-000045909

Regards,

Vishal Ranpariya
Technical Account Manager | Sophos Technical Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up +2 Vote Down

Sign in to reply

Cancel