OpenVPN: remove deprecated comp-lzo option

[gsanchietti]

Since OpenVPN 2.4 the comp-lzo option is deprecated in favor of compress option.

From the man openvpn:

   --compress [algorithm]
          Enable a compression algorithm.

          The algorithm parameter may be "lzo", "lz4", or empty.  LZO and LZ4 are different compression algorithms, with LZ4 generally offering the best performance with least CPU usage.  For backwards
          compatibility with OpenVPN versions before v2.4, use "lzo" (which is identical to the older option "--comp-lzo yes").

          If the algorithm parameter is empty, compression will be turned off, but the packet framing for compression will still be enabled, allowing a different setting to be pushed later.

   --comp-lzo [mode]
          DEPRECATED This option will be removed in a future OpenVPN release.  Use the newer --compress instead.

Proposed solution

Switch to compress option and allow to select alternative compression algorithms. Also change default compression value to disable to prevent VORACLE attack.

See also

• https://community.nethserver.org/t/nethservers-openvpn-configuration-not-liked-by-tunnelblick-comp-lzo-depecrated/10614
• https://openvpn.net/security-advisory/the-voracle-attack-vulnerability/
• https://hamy.io/post/0003/optimizing-openvpn-throughput/

---

Thanks to EddiA and pagaille

[nethbot]

in 7.5.1804/testing:

• nethserver-openvpn-1.6.15-1.4.gc9e1a28.ns7.noarch.rpm

[nethbot]

in 7.5.1804/testing:

• nethserver-openvpn-1.6.15-1.5.g066e5dd.ns7.noarch.rpm

[gsanchietti]

Note This issue should be tested using a 7.6.1810 machine. Before starting the testing:

• install a clean NethServer 7.5.1804
• upgrade it to 7.6.1810: yum --enablerepo=cr update

Test case 1

• Enable the roadwarrior server under "OpenVPN roadwarrior" page
• Check compression is disabled by default

Test case 2

• Create a new tunnel server from "OpenVPN tunnel" page
• Check compression is disabled by default
• Download the client configuration, check the compression is disabled

Test case 3

• Enable the roadwarrior server under "OpenVPN roadwarrior" page
• Set the compression from command line:

  config setprop openvpn@host-to-net Compression lz4
  signal-event nethserver-openvpn-update

• Check the compression protocol has been reported inside the configuration

Test case 4

• Create a new tunnel server from "OpenVPN tunnel" page
• Set the compression from command line:

  db vpn setprop mytunnel Compression lz4
  signal-event nethserver-openvpn-update

• Check the compression protocol has been reported inside the configuration
• Download the client configuration, check the compression is the correct one

[stephdl]

VERIFICATION

# rpm -qa | grep -i openvpn
nethserver-openvpn-1.6.15-1.5.g066e5dd.ns7.noarch
openvpn-2.4.6-1.el7.x86_64

Test case 1

openvpn@host-to-net=service
    AuthMode=password
    BridgeEndIP=192.168.56.200
    BridgeName=br0
    BridgeStartIP=192.168.56.20
    Cipher=
    ClientToClient=disabled
                                      **Compression=disabled**
    Digest=
    Mode=bridged
    Netmask=
    Network=
    PushDns=
    PushDomain=
    PushExtraRoutes=enabled
    PushNbdd=
    PushWins=
    Remote=
    RouteToVPN=disabled
    TapInterface=tap0
    TlsVersionMin=
    UDPPort=1194
    access=green,red
    status=enabled

[root@localhost ~]# grep -srni 'comp' /etc/openvpn/host-to-net.conf 
[root@localhost ~]#

compression disabled -> test1 OK

Test case 2

• check the compression to the vpn tunnel server is disabled -> OK

[root@localhost ~]# db vpn show plop1 
plop1=openvpn-tunnel-server
    Cipher=
    Compression=disabled
    Digest=
    LocalNetworks=192.168.56.0/24
    Network=10.118.52.0/24
    Port=1274
    Protocol=udp
    PublicAddresses=90.55.182.200
    RemoteNetworks=90.55.182.100/24
    TlsVersionMin=
    Topology=subnet
    status=enabled

[root@localhost ~]# grep -srni 'comp' /etc/openvpn/plop1.conf 
[root@localhost ~]#

• check compression is disabled in the client settings -> OK

cat /home/stephdl/Téléchargements/openvpn-tunnel-client-plop1.json 
{"name":"cplop1","type":"tunnel","Mode":"routed","status":"enabled","Compression":"disabled","RemotePort":"1274","RemoteHost":"90.55.182.200","Digest":"","Cipher":"","Topology":"subnet","AuthMode":"certificate",

Test case 3

[root@localhost ~]# config setprop openvpn@host-to-net Compression lz4
[root@localhost ~]# signal-event nethserver-openvpn-update
[root@localhost ~]# grep -srni 'lz4' /etc/openvpn/
/etc/openvpn/host-to-net.conf:36:compress lz4

the lz4 is only accessible in the configuration file, the compression checkbox is not enable in the panel....do not know if it is good @gsanchietti, maybe a tiny drop box could be done :)

Test case 4

[root@localhost ~]# db vpn setprop plop2 Compression lz4
[root@localhost ~]# signal-event openvpn-tunnel-modify plop2
[root@localhost ~]# grep -srni 'lz4' /etc/openvpn/plop2.conf 
54:compress lz4

the lz4 compression is used in the tunnel -> OK

Let check for the tunnel client side

cat /home/stephdl/Téléchargements/openvpn-tunnel-client-plop2.json| grep lz4                                                                 1 ↵
{"name":"cplop2","type":"tunnel","Mode":"routed","status":"enabled","Compression":"lz4","RemotePort":"1271","RemoteHost":"90.55.182.200","Digest":"","Cipher":"","Topology":"subnet","AuthMode":"certificate",

the tunnel configuration got the lz4 compression setting -> OK

[stephdl]

set verified

[nethbot]

in 7.6.1810/updates:

• nethserver-openvpn-1.7.0-1.ns7.noarch.rpm