wiki:Compression

Version 56 (modified by tct, 7 months ago)

OpenVPN versus Compression

Background

  • The vast majority of data sent across the Internet is already compressed before it ever passes over a Virtual Private Network (VPN).
  • The VORACLE Attack demonstrates that mixing compression and encryption without great care can have disastrous side-effects.
  • OpenVPN is a single-threaded process which is already very busy encrypting and decrypting data.
    Why does adding compression and decompression of that data to the same process sound like a good idea?
    Oh, wait... no, I mean "why does that not sound like a good idea?"
    Did you see that? ........ Confused? You will be.

The general consensus is that OpenVPN should not include compression, except under unusual circumstances.

  • That translates to: "You do not need compression unless you know why you need it."

And really, that is the truth.

Because most data is already highly compressed, and often optimised as well (eg. a video stream), there is no need for OpenVPN to scan the entire data stream looking for compressible data: that wastes your CPU time on a totally pointless task.

By "unusual circumstances" I mean this: you control both the Server and Client nodes AND you know that you are transmitting a lot of uncompressed data (eg. a live video stream from a cheap "security" camera) over that VPN link. In such a case you can use compression to your advantage. Otherwise you do not need or want compression.

TL;DR: OpenVPN is not removing compression (yet), but it must be made secure. You do not need it.

Make Compression Secure

Because only upstream packets are vulnerable to the VORACLE Attack, OpenVPN has implemented asymmetric compression.

Asymmetric compression is the default behaviour in OpenVPN 2.5.

The option you must use is --allow-compression, and it takes one of three values:

  • asym (default in OpenVPN 2.5): use this.
  • no: use this to completely disable compression. Note: this will become the default in OpenVPN 2.6.
  • yes: use this only if you really do need compression AND you understand the risk you are taking.

Asymmetric compression in asym mode means that:

  • This node can receive compressed data, but it will not send compressed data.

Example configurations:

  • Recommended: remove all --comp-lzo and --compress options from your Server and Client configs.
  • Disable compression: use --allow-compression no in your Server config.
  • Asymmetric compression:
    • Server: use --allow-compression yes and --compress lz4
    • Client: use --allow-compression asym and --compress lz4
      This causes the Server to send compressed data while the Client only sends uncompressed data.

Note: options like --comp-lzo and --compress are ALL now deprecated, so do not use them.
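The following is an added example, not code from the OpenVPN project or from this wiki page. It audits OpenVPN configuration text for the settings described in the two sections above (the three --allow-compression values and the deprecated --comp-lzo / --compress options) and, for a Server/Client pair, reports which direction can actually carry compressed packets under the rules stated on this page. The light config parsing (comments, an optional leading "--", skipping inline <tag>...</tag> blocks), the treatment of "compress" with no algorithm or a stub algorithm as framing-only, and the sample configs at the bottom (including the hostname vpn.example.invalid) are this example's own assumptions.

```python
"""Audit OpenVPN config text for compression settings (added example).

Not code from the OpenVPN project or this wiki page.  It encodes the rules the
page states: comp-lzo and compress are deprecated and should be removed;
allow-compression is asym (OpenVPN 2.5 default: receive only), no (disabled,
the 2.6 default) or yes (send and receive).  Config parsing details and the
sample configs below are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DEPRECATED = ("comp-lzo", "compress")
MODES = ("asym", "no", "yes")
DEFAULT_MODE = {"2.5": "asym", "2.6": "no"}
STUB_ALGS = ("", "stub", "stub-v2")   # assumption: framing only, no real compression


@dataclass
class Audit:
    effective_mode: str                          # explicit value, or the version default
    mode: Optional[str] = None                   # explicit allow-compression value, if any
    deprecated: List[Tuple[str, List[str]]] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def parse_directives(text):
    """Yield (name, args) per config line, skipping comments and inline blocks."""
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block is not None:                 # inside a <ca>...</ca> style block
            if line == "</%s>" % in_block:
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            in_block = line[1:-1]
            continue
        parts = line.split()
        name = parts[0][2:] if parts[0].startswith("--") else parts[0]
        yield name, parts[1:]


def audit_config(text, version="2.5"):
    """Report deprecated compression directives and the effective allow-compression mode."""
    a = Audit(effective_mode=DEFAULT_MODE[version])
    for name, args in parse_directives(text):
        if name in DEPRECATED:
            a.deprecated.append((name, args))
        elif name == "allow-compression":
            if len(args) != 1 or args[0] not in MODES:
                a.errors.append("allow-compression expects one of %s, got %r" % (MODES, args))
            else:
                a.mode = args[0]
    if a.mode is not None:
        a.effective_mode = a.mode
    if a.deprecated:
        a.warnings.append("deprecated option(s) %s present: remove them"
                          % sorted({n for n, _ in a.deprecated}))
    if a.effective_mode == "yes":
        a.warnings.append("allow-compression yes: this node will send compressed packets")
    return a


def requests_real_compression(a):
    """True if a deprecated directive asks for an actual (non-stub) algorithm."""
    for name, args in a.deprecated:
        if name == "comp-lzo" and (not args or args[0] != "no"):
            return True
        if name == "compress" and (args[0] if args else "") not in STUB_ALGS:
            return True
    return False


def compressed_directions(server_text, client_text, version="2.5"):
    """Which directions of a Server/Client pair carry compressed packets (page rules)."""
    s = audit_config(server_text, version)
    c = audit_config(client_text, version)

    def sends(a):            # only 'yes' sends, and only if real compression is configured
        return a.effective_mode == "yes" and requests_real_compression(a)

    def receives(a):         # 'asym' and 'yes' can receive compressed data
        return a.effective_mode in ("asym", "yes")

    return {"server_to_client": sends(s) and receives(c),
            "client_to_server": sends(c) and receives(s)}


# Constructed sample configs mirroring the page's asymmetric example and its recommendation.
SERVER_ASYM = "port 1194\nallow-compression yes\ncompress lz4\n<ca>\n# PEM would go here\n</ca>\n"
CLIENT_ASYM = "client\nremote vpn.example.invalid 1194\nallow-compression asym\ncompress lz4\n"
SERVER_CLEAN = "port 1194\n"                                   # no compression options at all
CLIENT_CLEAN = "client\nremote vpn.example.invalid 1194\n"

if __name__ == "__main__":
    for label, cfg in (("server", SERVER_ASYM), ("client", CLIENT_ASYM), ("clean client", CLIENT_CLEAN)):
        a = audit_config(cfg)
        print(label, "| effective mode:", a.effective_mode, "|", "; ".join(a.warnings) or "no warnings")
    print("asym pair: ", compressed_directions(SERVER_ASYM, CLIENT_ASYM))
    print("clean pair:", compressed_directions(SERVER_CLEAN, CLIENT_CLEAN))
```

Run it against your own server.conf and client.ovpn contents (read the files and pass the text to audit_config) to get the list of deprecated options to remove and to confirm that, once removed, no direction reports compressed traffic. Passing version="2.6" shows the effect of the default changing to "no".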

Bottom line

TL;DR

Update to OpenVPN 2.5 and remove comp-lzo and compress from ALL of your configuration files.
If you have any difficulty, add allow-compression asym to your Client config only.
If you still have trouble, you must configure your Server correctly.
Start here: https://forums.openvpn.net/viewtopic.php?f=30&t=22603

Future changes

OpenVPN will eventually remove ALL compression.