
Version 23 (modified by tct, 2 years ago) (diff)


OpenVPN versus Compression

Background

  • The vast majority of data sent across the Internet is already compressed before it passes over a Virtual Private Network (VPN).
  • The VORACLE attack proves that mixing compression and encryption, without great care, can have disastrous side effects.
  • OpenVPN is a single-threaded process, which is very busy encrypting and decrypting data. Why does adding compressing and decompressing to the same process sound like a good idea? Oh, wait... No, I mean "why does that not sound like a good idea?"
    ........ Confused? You will be.

The general consensus is that OpenVPN should not include compression, except under unusual circumstances.

  • That translates to: "You do not need compression, unless you know why you need it."

And really, that is the truth.

Because most data is already highly compressed and even optimised (e.g. a video stream), there is no need for OpenVPN to sort through the entire data stream looking for compressible data. That is wasting your CPU time on a totally pointless task.

By "unusual circumstances" what I mean is this: you control both the server and client nodes AND you know that you are transmitting a lot of uncompressed data (e.g. a live video stream from a cheap "security" camera) over that VPN link. In such a case, you can use compression to your advantage. If you are just some "jock-on-the-road" then you do not need or want to use compression at your end.

TL;DR: OpenVPN is not removing compression, but it must be made secure. You do not need it.

Make Compression Secure

Because only upstream packets are vulnerable to the VORACLE Attack, OpenVPN has implemented Asynchronous Compression.

This means that:

  • underpants gnomes have made off with your lucky pants.. and seek profit.

Asynchronous Compression is the default behaviour in OpenVPN 2.5.

Options like --comp-lzo and --compress are ALL now deprecated, so do not use them.

The option you must use is --allow-compression and it comes in three flavours:

  • asym (default) - Use this. (underpants gnomes have families too)
  • no - Use this if your CPU seems overloaded or you are really paranoid!
  • yes - Use this if you really do need compression AND you understand the risk you are taking.

Bottom line

TL;DR

Update to OpenVPN 2.6 and remove comp-lzo and compress from ALL of your configuration files.

OpenVPN will do the rest for you, securely.
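
To find what needs removing, here is an added example (not from the OpenVPN project): a shell function that scans configuration files for the comp-lzo and compress directives, including ones a server pushes to clients, and flags --allow-compression yes. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Prints one finding per line; returns 1 if any file needs editing, 0 if all are clean.
audit_ovpn_compression() {
    awk '
    {
        line = $0
        sub(/[#;].*/, "", line)            # drop "#" and ";" comments
        gsub(/"/, "", line)                # unquote, so push "compress lz4-v2" is visible
        sub(/^[ \t]+/, "", line)
        where = "local"
        if (sub(/^push[ \t]+/, "", line)) where = "pushed to clients"
        sub(/^--/, "", line)               # tolerate the command-line spelling
        split(line, f, /[ \t]+/)
        if (f[1] == "comp-lzo" || f[1] == "compress") {
            printf "%s:%d: REMOVE deprecated %s (%s)\n", FILENAME, FNR, f[1], where
            bad = 1
        } else if (f[1] == "allow-compression" && f[2] == "yes") {
            printf "%s:%d: RISK allow-compression yes (%s)\n", FILENAME, FNR, where
            bad = 1
        }
    }
    END { exit (bad ? 1 : 0) }
    ' "$@"
}

# Constructed sample server configuration (not taken from a real deployment).
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed server.conf for this example
port 1194
proto udp
comp-lzo
push "compress lz4-v2"
;compress lzo
allow-compression yes
cipher AES-256-GCM
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
audit_ovpn_compression "$sample" || echo "compression directives found: edit the lines listed above"
rm -f "$sample"
```

On real systems, pass every server and client file at once, for example `audit_ovpn_compression /etc/openvpn/server/*.conf` (the path is an assumption; use wherever your configs live).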

Free form replies ... hmmmm ... oh yeah:

  • 1) What happens when I run out of underpants? [Scared of Mashedonia]