Closed gsanchietti closed 5 years ago
in 7.5.1804/testing
:
in 7.5.1804/testing
:
Note: this issue should be tested using a 7.6.1810 machine. Before starting the testing:
yum --enablerepo=cr update
Test case 1
Test case 2
Test case 3
config setprop openvpn@host-to-net Compression lz4
signal-event nethserver-openvpn-update
Test case 4
db vpn setprop mytunnel Compression lz4
signal-event nethserver-openvpn-update
VERIFICATION
# rpm -qa | grep -i openvpn
nethserver-openvpn-1.6.15-1.5.g066e5dd.ns7.noarch
openvpn-2.4.6-1.el7.x86_64
openvpn@host-to-net=service
AuthMode=password
BridgeEndIP=192.168.56.200
BridgeName=br0
BridgeStartIP=192.168.56.20
Cipher=
ClientToClient=disabled
**Compression=disabled**
Digest=
Mode=bridged
Netmask=
Network=
PushDns=
PushDomain=
PushExtraRoutes=enabled
PushNbdd=
PushWins=
Remote=
RouteToVPN=disabled
TapInterface=tap0
TlsVersionMin=
UDPPort=1194
access=green,red
status=enabled
[root@localhost ~]# grep -srni 'comp' /etc/openvpn/host-to-net.conf
[root@localhost ~]#
compression disabled -> test1 OK
[root@localhost ~]# db vpn show plop1
plop1=openvpn-tunnel-server
Cipher=
Compression=disabled
Digest=
LocalNetworks=192.168.56.0/24
Network=10.118.52.0/24
Port=1274
Protocol=udp
PublicAddresses=90.55.182.200
RemoteNetworks=90.55.182.100/24
TlsVersionMin=
Topology=subnet
status=enabled
[root@localhost ~]# grep -srni 'comp' /etc/openvpn/plop1.conf
[root@localhost ~]#
cat /home/stephdl/Téléchargements/openvpn-tunnel-client-plop1.json
{"name":"cplop1","type":"tunnel","Mode":"routed","status":"enabled","Compression":"disabled","RemotePort":"1274","RemoteHost":"90.55.182.200","Digest":"","Cipher":"","Topology":"subnet","AuthMode":"certificate",
[root@localhost ~]# config setprop openvpn@host-to-net Compression lz4
[root@localhost ~]# signal-event nethserver-openvpn-update
[root@localhost ~]# grep -srni 'lz4' /etc/openvpn/
/etc/openvpn/host-to-net.conf:36:compress lz4
lz4 is only accessible in the configuration file; the compression checkbox is not enabled in the panel... I do not know if that is OK, @gsanchietti; maybe a tiny drop-down could be added :)
[root@localhost ~]# db vpn setprop plop2 Compression lz4
[root@localhost ~]# signal-event openvpn-tunnel-modify plop2
[root@localhost ~]# grep -srni 'lz4' /etc/openvpn/plop2.conf
54:compress lz4
the lz4 compression is used in the tunnel -> OK
Let's check the tunnel client side
cat /home/stephdl/Téléchargements/openvpn-tunnel-client-plop2.json| grep lz4 1 ↵
{"name":"cplop2","type":"tunnel","Mode":"routed","status":"enabled","Compression":"lz4","RemotePort":"1271","RemoteHost":"90.55.182.200","Digest":"","Cipher":"","Topology":"subnet","AuthMode":"certificate",
the tunnel configuration got the lz4 compression setting -> OK
set verified
in 7.6.1810/updates
:
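Since OpenVPN 2.4 the `comp-lzo` option is deprecated in favor of the `compress` option.
From `man openvpn`:
Proposed solution
Switch to the `compress` option and allow selecting alternative compression algorithms. Also change the default `compression` value to `disable` to prevent the VORACLE attack, a compression oracle in which the size of traffic that is compressed before encryption can leak information about the plaintext; a tunnel with any algorithm enabled, `lz4` included, remains exposed to it.
See also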
Thanks to EddiA and pagaille