wiki:Compression

Version 37 (modified by tct, 2 years ago)

--

OpenVPN versus Compression

Background

  • The vast majority of data sent across the Internet is already compressed before it passes over a Virtual Private Network [VPN].
  • The VORACLE attack (Nafeez, 2018) demonstrates that mixing compression and encryption, without great care, can have disastrous side effects: encryption hides the content of a packet but not its size, and the size of a compressed packet depends on its content.
  • OpenVPN is a single-threaded process, which is already very busy encrypting and decrypting data.
    Why does adding compression and decompression to that same process sound like a good idea?
    Oh, wait .. No, I mean "why does that not sound like a good idea?"
    Did you see that? ........ confused? You will be.
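To make the VORACLE point concrete, here is an added example (not OpenVPN project code and not part of this page): it models the side channel with a deliberately tiny LZ77 compressor and a constructed HTTP request in which the attacker-chosen path and the victim's cookie share one compression window, while the only thing observed is packet size. The secret value, the request layout and the token format are constructed for the demonstration; real LZO/LZ4 framing differs, but the size leak is of the same kind. It also shows the uncompressed case for contrast, where the size gap is zero.

```python
"""Compression side channel in miniature (added example, not OpenVPN project code).

Models the VORACLE condition: attacker-influenced bytes and a secret end up in the
same compression window, and an observer sees only the size of the encrypted
result. The compressor is a deliberately tiny LZ77 (literal runs + back-references);
real LZO/LZ4 framing differs, but the size leak is the same in kind.
"""

WINDOW = 4096      # how far back a match may reach
MIN_MATCH = 3      # shorter repeats are not worth a 4-byte match token
MAX_MATCH = 255    # match length is stored in one byte


def lz_compress(data: bytes) -> bytes:
    """Greedy LZ77. Tokens: 0x00 <n> <n literal bytes>  |  0x01 <off_hi> <off_lo> <len>."""
    out, literals = bytearray(), bytearray()

    def flush_literals() -> None:
        for start in range(0, len(literals), 255):
            chunk = literals[start:start + 255]
            out.extend((0x00, len(chunk)))
            out.extend(chunk)
        literals.clear()

    i, n = 0, len(data)
    while i < n:
        best_len = best_off = 0
        for j in range(max(0, i - WINDOW), i):
            k = 0
            while i + k < n and k < MAX_MATCH and data[j + k] == data[i + k]:
                k += 1
            if k > best_len:
                best_len, best_off = k, i - j
        if best_len >= MIN_MATCH:
            flush_literals()
            out.extend((0x01, best_off >> 8, best_off & 0xFF, best_len))
            i += best_len
        else:
            literals.append(data[i])
            i += 1
    flush_literals()
    return bytes(out)


def lz_decompress(blob: bytes) -> bytes:
    """Inverse of lz_compress; copies matches byte by byte so overlapping matches work."""
    out, i = bytearray(), 0
    while i < len(blob):
        if blob[i] == 0x00:
            n = blob[i + 1]
            out.extend(blob[i + 2:i + 2 + n])
            i += 2 + n
        else:
            off = (blob[i + 1] << 8) | blob[i + 2]
            length = blob[i + 3]
            start = len(out) - off
            for k in range(length):
                out.append(out[start + k])
            i += 4
    return bytes(out)


# Constructed victim traffic: a browser request whose path the attacker chooses
# (e.g. via a link or injected script) and whose Cookie header carries the secret.
SECRET_COOKIE = b"session=7f3a9c"   # constructed value, not a real token


def victim_request(attacker_path: bytes) -> bytes:
    return b"GET /?q=" + attacker_path + b" HTTP/1.1\r\nCookie: " + SECRET_COOKIE + b"\r\n\r\n"


def packet_size(attacker_path: bytes, compressed: bool) -> int:
    """All a passive observer learns from the VPN: the length of the (encrypted) packet.

    Encryption does not hide length, so the size of the compressed plaintext is visible.
    """
    plaintext = victim_request(attacker_path)
    return len(lz_compress(plaintext)) if compressed else len(plaintext)


def size_gap(compressed: bool) -> int:
    """Size difference between a wrong and a right first-byte guess; 0 means no leak."""
    return packet_size(b"session=8", compressed) - packet_size(b"session=7", compressed)


def recover_secret(known_prefix: bytes, alphabet: bytes, count: int) -> bytes:
    """Byte-at-a-time recovery: the guess that compresses best shares the most with the secret."""
    guess = known_prefix
    for _ in range(count):
        sizes = {bytes([c]): packet_size(guess + bytes([c]), compressed=True) for c in alphabet}
        smallest = min(sizes.values())
        winners = [c for c, size in sizes.items() if size == smallest]
        if len(winners) != 1:
            raise RuntimeError("ambiguous sizes; a real attack retries with padding")
        guess += winners[0]
    return guess[len(known_prefix):]


if __name__ == "__main__":
    print("gap without compression:", size_gap(False))   # 0: nothing leaks
    print("gap with compression:   ", size_gap(True))    # 1: the right guess is shorter
    print("recovered:", recover_secret(b"session=", b"0123456789abcdef", 6))
```

Nothing here depends on the cipher: the tunnel could use the strongest encryption available and the attacker still reads the secret one byte at a time from packet sizes, because the compressor ran before the cipher did. That is the whole reason the page says you do not want compression unless you know why you need it.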

The general consensus is that OpenVPN should not include compression, except under unusual circumstances.

  • That translates to: "You do not need compression, unless you know why you need it.."

And really, that is the truth.

Because most data is already highly compressed and even optimised (e.g. a video stream), there is no need for OpenVPN to comb through the entire data stream looking for compressible data; that wastes your CPU time on a totally pointless task.

By "unusual circumstances" what I mean is this: you control both the server and the client nodes, AND you know that you are transmitting a lot of uncompressed data (e.g. a live video stream from a cheap "security" camera) over that VPN link, AND nobody else can get data of their choosing into that stream next to anything secret. In such a case, you can use compression to your advantage. Otherwise, you do not need or want to use compression.

TL;DR: The OpenVPN project is not removing compression, but it has to be made secure by default. You do not need it.

Make Compression Secure

Because VORACLE, as demonstrated, works on the packets a node compresses itself (upstream from the client, where attacker-influenced web requests and the victim's cookies share one compressed stream), OpenVPN has implemented asymmetric compression.

This means that:

  • a node will decompress incoming packets if its peer sent them compressed, but it will never compress the packets it sends, so nothing an attacker can feed into that node's outbound traffic is ever compressed next to that node's secrets.
  • underpants gnomes have made off with your lucky pants.. and seek profit.

Asymmetric compression (--allow-compression asym) is the default behaviour from OpenVPN 2.5 onwards.

Options like --comp-lzo and --compress are now deprecated (they remain only so that old peers can still be talked to), so do not use them.

The option you must use is --allow-compression and it comes in three flavours:

  • asym (default) - Use this. Incoming packets are decompressed if the peer compressed them; outgoing packets are never compressed. (underpants gnomes have families too)
  • no - Use this if your CPU seems overloaded or you are really paranoid! Any real compression algorithm is refused; only the stub (framing-only) modes are accepted.
  • yes - Use this if you really do need compression AND you understand the risk you are taking: compression is allowed in both directions.

Note that --allow-compression only says what is permitted. The algorithm itself still comes from a (deprecated) --compress or --comp-lzo line, local or pushed by the server, so with none of those anywhere nothing is compressed at all.

Bottom line

TL;DR

Update to OpenVPN 2.6 (2.5 at the very least) and remove comp-lzo and compress from ALL of your configuration files, including any push "comp-lzo" or push "compress ..." lines in the server config.

OpenVPN will do the rest for you, securely: with nothing configured, nothing is compressed, and if an old peer still pushes a compression option at a 2.5+ node, that node will only ever decompress what it receives and never compress what it sends.
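The following is an added example, not part of the OpenVPN project or of this page: a hypothetical audit script that finds the directives named above in server and client configs, tells the deprecated framing-only forms (comp-lzo no, compress with no algorithm, compress stub / stub-v2) apart from the ones that really compress (comp-lzo yes/adaptive, compress lzo / lz4 / lz4-v2), catches the pushed forms, and flags allow-compression yes. The two sample configs, including vpn.example.com, are constructed for the demonstration.

```python
"""Audit OpenVPN config files for compression directives (added example, not OpenVPN project code).

Hypothetical helper that reads the directives the page tells you to remove
(comp-lzo, compress, and the pushed forms of both) and reports what each one does.
"""
import shlex

REAL_ALGOS = {"lzo", "lz4", "lz4-v2"}   # these really compress: VORACLE-relevant
STUB_ALGOS = {"stub", "stub-v2"}        # framing only, no compression


def classify(tokens, pushed=False):
    """Return (severity, advice) for one directive split into tokens, or None if unrelated."""
    name, args = tokens[0], tokens[1:]
    where = "pushed to clients" if pushed else "local"
    if name == "comp-lzo":
        mode = args[0] if args else "adaptive"          # bare comp-lzo means adaptive
        if mode == "no":
            return "deprecated", f"comp-lzo no ({where}): framing only, still deprecated; remove"
        return "unsafe", f"comp-lzo {mode} ({where}): compresses payload; remove"
    if name == "compress":
        algo = args[0] if args else ""                  # bare compress means framing only
        if algo in REAL_ALGOS:
            return "unsafe", f"compress {algo} ({where}): compresses payload; remove"
        if algo in STUB_ALGOS or algo == "":
            return "deprecated", f"compress {algo or '(none)'} ({where}): framing only, still deprecated; remove"
        return "unknown", f"compress {algo} ({where}): unrecognised algorithm; check the manual"
    if name == "allow-compression":
        mode = args[0] if args else ""
        if mode == "yes":
            return "risky", "allow-compression yes: compression in both directions; use asym or no"
        if mode in ("asym", "no"):
            return "ok", f"allow-compression {mode}: fine"
        return "invalid", f"allow-compression {mode!r}: not a valid mode"
    return None


def audit(config_text):
    """Return [(line_number, severity, advice), ...] for every compression-related directive."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":                 # OpenVPN comment lines
            continue
        try:
            tokens = shlex.split(line)                  # handles push "compress lz4-v2"
        except ValueError:
            continue                                    # unbalanced quotes: not ours to fix
        if not tokens:
            continue
        if tokens[0] == "push" and len(tokens) > 1:
            verdict = classify(shlex.split(tokens[1]) or [""], pushed=True)
        else:
            verdict = classify(tokens)
        if verdict:
            findings.append((lineno, *verdict))
    return findings


def remediate(config_text):
    """Comment out the lines the page says to remove; allow-compression is left for the admin."""
    drop = {n for n, severity, _ in audit(config_text) if severity in ("unsafe", "deprecated", "unknown")}
    return "\n".join(f"# removed, see wiki:Compression: {line}" if n in drop else line
                     for n, line in enumerate(config_text.splitlines(), start=1))


# Constructed sample configs (not from any real deployment).
SERVER_CONF = """\
port 1194
proto udp
dev tun
comp-lzo
push "compress lz4-v2"
push "redirect-gateway def1"
"""

CLIENT_CONF = """\
client
remote vpn.example.com 1194
compress stub-v2
allow-compression yes
"""

if __name__ == "__main__":
    for name, conf in (("server", SERVER_CONF), ("client", CLIENT_CONF)):
        for lineno, severity, advice in audit(conf):
            print(f"{name}:{lineno}: {severity}: {advice}")
    print(remediate(SERVER_CONF))
```

Run it over every config on both ends, as the bottom line says, not just the server: a one-sided change leaves the other peer still asking for something the first one no longer offers. The script deliberately does not touch allow-compression lines; whether to keep yes is exactly the decision the "Make Compression Secure" section leaves to you.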

Free form replies ... hmmmm ... oh yeah:

  • Q. What happens when I run out of underpants? [Scared of Pantelonia]
    • A. Wear socks on your head.
  • Q. Can I do upstream compression from the client? [Lost in Basingstoke]
    • A. Only if the client has --allow-compression yes (the side that sends must be allowed to compress) and a compression algorithm is configured or pushed. The server's default asym already accepts and decompresses incoming compressed packets, so it only needs yes if you also want compression downstream.
  • Q. Caniegh dooo compressun doown-stream from the wee Server? [Cold in Scotland]
    • A. Yes: give the server --allow-compression yes plus a compression algorithm (local or pushed); the client's default asym lets it decompress what it receives. Whether that is wise depends on whether an attacker can get chosen data into the stream the server compresses next to a secret, which is the VORACLE condition in the other direction.
  • Q. Next Hackathon, can we please get "Tux, in an air-duct, with a zippo" Please! [Not on the mailing list]
    • A. I tried my best =[ sorry.
      • Saw you tried, thanks.
  • Q. I have only these underpants, please help! [Ryan, on board Red October]
    • A. Head directly for the Laurentian Abyss and pray that gnomes cannot swim.
  • Q. We know where you stashed your underpants Ryan, we have them now! [The Underpants Gnomes]
    • A. You're Doomed! You're All Doomed! [Get the pants, then Profit! Yah, who cares about Stage 2 ... pfft]
      • Give me back my lucky underpants! Or we all die, right here, right now! [Ryan]
      • We got Ryan's lucky underpants ..... RUN! [ ... ]
      • {exit, stage left}