From: Lonnie A. <li...@lo...> - 2018-10-11 15:26:04
> On Oct 11, 2018, at 3:32 AM, Michael Keuter <li...@mk...> wrote:
>
>
>> On 11.10.2018 at 06:31, Michael Knill <mic...@ip...> wrote:
>>
>> I noticed that the ‘comp-lzo’ and ‘ns-cert-type’ options are now deprecated.
>> Just wondering if we could get them changed in the next release as they are disappearing soon.
>>
>> Regards
>> Michael Knill
>
> Look at the latest (webinterface) commits. 'ns-cert-type' was changed to 'remote-cert-tls', and compression will default to 'off' in the next version (we still need to support 2.3.x clients!).
>
> For reference:
> https://community.openvpn.net/openvpn/wiki/DeprecatedOptions
>
> Michael

+1

Michael Keuter and I have been pondering this subject for the past week, prompted by the latest iOS OpenVPN Connect. In this case the exported .ovpn file, created by the AstLinux OpenVPN Server config, contained ‘comp-lzo’ and ‘ns-cert-type’ and generated warnings.

We have to be careful for our .ovpn files to work with older OpenVPN versions (2.3.x).

More interesting is the "comp-lzo" setting. Long story short, we recommend users move to disabled compression for new OpenVPN setups. This is why ...

1) The VORACLE attack on OpenVPN requires compression to be enabled. While this is a difficult-to-exploit attack, the fact that compression is a requirement is somewhat troubling.
Ref: https://nordvpn.com/blog/voracle-attack/

2) The first release of OpenVPN was in 2001, 17 years ago. At that time 0.5 Mbps internet speeds were top-of-the-line, and non-encrypted (compressible) DNS/HTTP/FTP were the primary transports. At that time compression in OpenVPN made some sense, as in "why not". Fast forward to today, most traffic is encrypted (non-compressible), so enabling compression in OpenVPN adds 1 byte to every frame, and for mobile devices the extra computation may use extra battery resources.

3) OpenVPN's compression configuration has always been a mess, such that "comp-lzo no" is not the same as "comp-lzo", which is not the same as not defining "comp-lzo" at all. Adding a new "compress" option multiplies the mess.
Ref: https://community.openvpn.net/openvpn/ticket/952

In summary, we recommend users move to disabled compression for new OpenVPN setups. Starting with AstLinux 1.3.5 "Compression: [Off]" will be the default, but "Compression: [LZO]" will be supported for backward compatibility in existing configurations.

Lonnie
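The thread above describes two profile changes: 'ns-cert-type' becomes 'remote-cert-tls', and compression is turned off by leaving the option out rather than writing "comp-lzo no". The following is an added example, not AstLinux or OpenVPN project code, that audits a client .ovpn profile for exactly those deprecated options and produces a migrated copy; the sample profile and the `audit_ovpn`/`migrate_ovpn` function names are constructed for this example. It assumes the server side also runs with compression off (the thread's AstLinux 1.3.5 default), and note that `remote-cert-tls` checks the X.509 extended key usage of the peer certificate rather than the old Netscape cert-type extension, so certificates issued without that extension would need to be reissued.

```python
"""Audit and migrate an OpenVPN profile (.ovpn) for the deprecated
options discussed in the thread: compression ('comp-lzo' / 'compress')
and 'ns-cert-type'. Added example; not AstLinux or OpenVPN project code.
The sample profile below is constructed."""

from typing import Dict, List, Tuple

# Constructed sample, shaped like a 2.3-era client export.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.com 1194
; legacy settings that newer clients warn about
comp-lzo
ns-cert-type server
cipher AES-256-CBC
verb 3
"""

# Deprecated option -> advice.  'comp-lzo' with any argument is flagged:
# as the thread notes, 'comp-lzo no' is not the same as omitting the
# option, so "off" for a new profile means the option is simply absent.
DEPRECATED: Dict[str, str] = {
    "comp-lzo": "remove; compression off means the option is absent",
    "compress": "remove; compression off means the option is absent",
    "ns-cert-type": "replace with 'remote-cert-tls <server|client>'",
}

Finding = Tuple[int, str, str]  # (1-based line number, option, advice)


def _option(line: str) -> List[str]:
    """Return the option words of a config line, or [] for blank and
    comment lines.  OpenVPN treats lines starting with '#' or ';' as
    comments."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#;":
        return []
    return stripped.split()


def audit_ovpn(text: str) -> List[Finding]:
    """List every deprecated option together with its line number."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        words = _option(line)
        if words and words[0] in DEPRECATED:
            findings.append((lineno, words[0], DEPRECATED[words[0]]))
    return findings


def migrate_ovpn(text: str) -> str:
    """Rewrite the profile: drop compression lines entirely and convert
    'ns-cert-type X' to 'remote-cert-tls X'.  Assumes the server also
    runs with compression off; a 2.3.x peer that still insists on
    comp-lzo will not match this profile."""
    out: List[str] = []
    for line in text.splitlines():
        words = _option(line)
        if words and words[0] in ("comp-lzo", "compress"):
            continue  # compression off == option absent
        if words and words[0] == "ns-cert-type" and len(words) > 1:
            out.append("remote-cert-tls " + words[1])
            continue
        out.append(line)  # everything else, comments included, is kept
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, opt, advice in audit_ovpn(SAMPLE_OVPN):
        print(f"line {lineno}: '{opt}' is deprecated: {advice}")
    print("--- migrated profile ---")
    print(migrate_ovpn(SAMPLE_OVPN), end="")
```

Run it against an exported profile by reading the file into `audit_ovpn` first; only write the output of `migrate_ovpn` back once the server configuration has been confirmed to have compression off, otherwise the two ends disagree on framing.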