Jump to content


Photo
- - - - -

OpenVPN Compression VulnerabilitOpeny


Best Answer go558a83nk, 14 August 2018 - 02:41 PM

comp-lzo is in configs because some devices don't seem to work with "comp-lzo no" in the config.  But, AirVPN servers push a message that includes "comp-lzo no", which disables compression.

Go to the full post


  • Please log in to reply
7 replies to this topic

#1 psyberian

psyberian

    Newbie

  • New Members
  • Pip
  • 2 posts

Posted 14 August 2018 - 02:24 PM

I've recently read an article regarding a BlackHat presentation on a compression-related attack on some OpenVPN configurations. 

 

Are the AirVPN generated OpenVPN configurations or the Eddie client potentially vulnerable to such an attack? Or is compression disabled by default?

 

Is there anything we should do as users to prevent any potential issues?



#2 go558a83nk

go558a83nk

    Advanced Member

  • Members
  • PipPipPip
  • 1647 posts

Posted 14 August 2018 - 02:41 PM   Best Answer

comp-lzo is in configs because some devices don't seem to work with "comp-lzo no" in the config.  But, AirVPN servers push a message that includes "comp-lzo no", which disables compression.



#3 psyberian

psyberian

    Newbie

  • New Members
  • Pip
  • 2 posts

Posted 14 August 2018 - 02:48 PM

comp-lzo is in configs because some devices don't seem to work with "comp-lzo no" in the config.  But, AirVPN servers push a message that includes "comp-lzo no", which disables compression.

 

That's great, thanks for the information. 



#4 corrado

corrado

    Advanced Member

  • Members
  • PipPipPip
  • 195 posts

Posted 14 August 2018 - 03:15 PM

Once again AirVPN shines :good:. The technical expertise of AirVPN is just extraordinary. I checked the configurations of five other providers: all use compression and are thus vulnerable.



#5 rickjames

rickjames

    Advanced Member

  • Members
  • PipPipPip
  • 358 posts

Posted 14 August 2018 - 05:57 PM

I download the ovpn files via the config generator, at present all have "comp-lzo no" in them when choosing the linux versions. ;)



#6 go558a83nk

go558a83nk

    Advanced Member

  • Members
  • PipPipPip
  • 1647 posts

Posted 14 August 2018 - 09:31 PM

I download the ovpn files via the config generator, at present all have "comp-lzo no" in them when choosing the linux versions. ;)

 

Yeah, I see that now.   But, I know I've seen Staff comment on this topic in the past and I'm just repeating what they said to the best my memory serves me.  Shrug.  I'll look for the past discussion.

 

https://airvpn.org/topic/26051-config-generator-using-deprecated-openvpn-commands/?hl=comp-lzo#entry70698

 

That's one of the threads I was thinking of.  Looks like I remembered wrong. comp-lzo no must be specified or else there might be connection failure on some devices.



#7 wU4Z0L_GbE

wU4Z0L_GbE

    Newbie

  • New Members
  • Pip
  • 1 posts

Posted 15 August 2018 - 10:50 AM

comp-lzo is in configs because some devices don't seem to work with "comp-lzo no" in the config.  But, AirVPN servers push a message that includes "comp-lzo no", which disables compression.

Just to be clear, when OpenVPN puts "LZO compression initialized" in the log, that doesn't mean compression is enabled? I have comp-lzo no in my config file and also pushed from the server so compression should be off but that message makes me wonder.



#8 corrado

corrado

    Advanced Member

  • Members
  • PipPipPip
  • 195 posts

Posted 15 August 2018 - 11:12 AM

Just to be clear, when OpenVPN puts "LZO compression initialized" in the log, that doesn't mean compression is enabled?

 

I don't see that message in my OpenVPN logs.







Similar Topics Collapse

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Servers online. Online Sessions: 14438 - BW: 55370 Mbit/sYour IP: 54.162.159.33Guest Access.