Jump to content
Not connected, Your IP: 18.191.107.181
psyberian

ANSWERED OpenVPN Compression VulnerabilitOpeny

Recommended Posts

I've recently read an article regarding a BlackHat presentation on a compression-related attack on some OpenVPN configurations. 

 

Are the AirVPN generated OpenVPN configurations or the Eddie client potentially vulnerable to such an attack? Or is compression disabled by default?

 

Is there anything we should do as users to prevent any potential issues?

Share this post


Link to post

comp-lzo is in configs because some devices don't seem to work with "comp-lzo no" in the config.  But, AirVPN servers push a message that includes "comp-lzo no", which disables compression.

 

That's great, thanks for the information. 

Share this post


Link to post

Once again AirVPN shines . The technical expertise of AirVPN is just extraordinary. I checked the configurations of five other providers: all use compression and are thus vulnerable.

Share this post


Link to post

I download the ovpn files via the config generator, at present all have "comp-lzo no" in them when choosing the linux versions.

 

Yeah, I see that now.   But, I know I've seen Staff comment on this topic in the past and I'm just repeating what they said to the best my memory serves me.  Shrug.  I'll look for the past discussion.

 

https://airvpn.org/topic/26051-config-generator-using-deprecated-openvpn-commands/?hl=comp-lzo&do=findComment&comment=70698

 

That's one of the threads I was thinking of.  Looks like I remembered wrong. comp-lzo no must be specified or else there might be connection failure on some devices.

Share this post


Link to post

comp-lzo is in configs because some devices don't seem to work with "comp-lzo no" in the config.  But, AirVPN servers push a message that includes "comp-lzo no", which disables compression.

Just to be clear, when OpenVPN puts "LZO compression initialized" in the log, that doesn't mean compression is enabled? I have comp-lzo no in my config file and also pushed from the server so compression should be off but that message makes me wonder.

Share this post


Link to post

Just to be clear, when OpenVPN puts "LZO compression initialized" in the log, that doesn't mean compression is enabled?

 

I don't see that message in my OpenVPN logs.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...