Opened 5 years ago
Closed 5 years ago
#1126 closed Bug / Defect (fixed-external)
iOS 12 and 3.0.2 - enabling compression breaks connectivity
Reported by: | cbx | Owned by: | yuriy |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | OpenVPN Connect | Version: | |
Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | |
Cc: |
Description
Had the same issue as this one: https://forums.openvpn.net/viewtopic.php?f=36&t=27195
Basically, the connection is established, the traffic seems to be flowing through the server but the client doesn't receive anything. I see lots of "TCP Dup ACK" and "TCP Retransmission" on both the external interface and tun0 (ran the tcpdump on a server).
It seems to be related to this change: "Disabled "Compression" by default (because it is insecure)", although I can't find more details on what is specifically insecure because the server and other clients do support compression.
Enabling compression in iOS app settings doesn't help.
What helps is to completely disable compression in the server config. For me it was these two lines:
# compress lz4-v2 # push "compress lz4-v2"
I see several possible scenarios (there may be more, of course):
- If the compression is inherently insecure, disable it across all products (server, desktop client, mobile client) and document this properly in all changelogs.
- Revert the change and enable compression on the client by default, initiate gradual deprecation procedure
- Fix the option on the client, so if I set "Allow Compression (insecure)" to "Full" or "Downlink only" it actually works with my server.
- As a minimum, you need to add a warning in the logs, if server uses the compression, pushes it to a client and the compression option is disabled.
Change History (1)
comment:1 Changed 5 years ago by
Resolution: | → fixed-external |
---|---|
Status: | new → closed |
For the whole compression discussion, please see https://community.openvpn.net/openvpn/wiki/VORACLE
We will look into adding a more prominent warning.