Opened 5 months ago

Closed 5 months ago

#1126 closed Bug / Defect (fixed-external)

iOS 12 and 3.0.2 - enabling compression breaks connectivity

Reported by: cbx
Owned by: yuriy
Priority: major
Milestone:
Component: OpenVPN Connect
Version:
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:
Cc:

Description

Had the same issue as this one: https://forums.openvpn.net/viewtopic.php?f=36&t=27195

Basically, the connection is established, the traffic seems to be flowing through the server but the client doesn't receive anything. I see lots of "TCP Dup ACK" and "TCP Retransmission" on both the external interface and tun0 (ran the tcpdump on a server).

It seems to be related to this change: "Disabled "Compression" by default (because it is insecure)", although I can't find more details on what is specifically insecure because the server and other clients do support compression.

Enabling compression in iOS app settings doesn't help.

What helps is to completely disable compression in the server config. For me it was these two lines:

# compress lz4-v2
# push "compress lz4-v2"

I see several possible scenarios (there may be more, of course):

  1. If the compression is inherently insecure, disable it across all products (server, desktop client, mobile client) and document this properly in all changelogs.
  2. Revert the change and enable compression on the client by default, initiate a gradual deprecation procedure.
  3. Fix the option on the client, so if I set "Allow Compression (insecure)" to "Full" or "Downlink only" it actually works with my server.
  4. As a minimum, you need to add a warning in the logs if the server uses compression, pushes it to a client, and the compression option is disabled.
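
A checker for the workaround described in this report, added here as an example (it is not part of the original ticket and not OpenVPN's own code): it lists every active compress or comp-lzo directive in a server config, whether set locally or pushed to clients, so an administrator can confirm compression is really off. The function name find_compression and the sample config are constructed for illustration.

```python
import shlex

# Directives that enable compression (or compression framing) in OpenVPN.
COMPRESSION_DIRECTIVES = {"compress", "comp-lzo"}

# Constructed sample server config; only the two compression lines
# match what the reporter quotes in the ticket.
SAMPLE_CONFIG = '''\
port 1194
proto udp
dev tun
; comp-lzo
compress lz4-v2   # enabled locally
push "compress lz4-v2"
push "redirect-gateway def1"
'''


def find_compression(config_text):
    """Return (line_no, scope, directive, argument) for each active
    compression directive; scope is 'local' or 'pushed'."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        # OpenVPN treats lines starting with '#' or ';' as comments.
        if not line or line[0] in "#;":
            continue
        try:
            tokens = shlex.split(line, comments=True)
            scope = "local"
            if tokens and tokens[0] == "push" and len(tokens) > 1:
                # The pushed option is a single quoted string; split it again.
                tokens = shlex.split(tokens[1])
                scope = "pushed"
        except ValueError:
            continue  # unbalanced quotes: not a line this check can parse
        if tokens and tokens[0] in COMPRESSION_DIRECTIVES:
            findings.append((line_no, scope, tokens[0], " ".join(tokens[1:])))
    return findings


if __name__ == "__main__":
    for line_no, scope, directive, arg in find_compression(SAMPLE_CONFIG):
        print(f"line {line_no}: {scope} {directive} {arg}".rstrip())
```

An empty result for the server config means no compression is enabled or pushed from that file; files pulled in from elsewhere (for example per-client config directories) need to be checked separately.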

Change History (1)

comment:1 Changed 5 months ago by plaisthos

Resolution: fixed-external
Status: new → closed

For the whole compression discussion, please see https://community.openvpn.net/openvpn/wiki/VORACLE

We will look into adding a more prominent warning.
