foris-controller-openvpn-module issues
https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn-module/-/issues
2019-03-01T00:14:00+01:00

https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn-module/-/issues/5
Disable compress option by default
2019-03-01T00:14:00+01:00
Josef Schlehofer

Can we disable compress option at all in our plugin?
It seems that we use compress lzo from here:
https://gitlab.labs.nic.cz/turris/foris-controller-openvpn-module/blob/master/foris_controller_backends/openvpn/__init__.py#L265
On support, we received ticket #2861, which says:
> there is a vulnerability with OpenVPN with 'compress lzo' enable and with this vulnerability, it's possible to decrypt parts of HTTP traffic. HTTPS is not affected.
>
> More details can be found here:
> https://www.bleepingcomputer.com/news/security/voracle-attack-can-recover-http-data-from-vpn-connections/
>
> The only downside of disabling that option is that it can reduce the speed of OpenVPN.
>
> The OpenVPN doc was also updated. See more details from their mail list:
> https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16919.html

Turris OS 3.11.3
Štěpán Henek

https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn-module/-/issues/6
can't connect to openvpn using client configuration files from Foris
2019-03-01T00:14:01+01:00
Tony Quan

I'm using the Foris OpenVPN module in TurrisOS 3.11.1. When I generate a new client configuration and try to use that with an OpenVPN client, OpenVPN connects successfully but the client can't reach anything on the internet (even by pinging IP address). However, if I use the same/identically configured OpenVPN client with one of my OpenVPN client configurations that Foris generated before 3.11.1, it works properly. I'm not sure when this problem got introduced as it has been a while since I added any new client configurations.

Turris OS 3.11.3
Štěpán Henek

https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn-module/-/issues/7
comp-lzo is missing in generated client config
2019-02-11T14:23:19+01:00
Vojtech Myslivec

`comp-lzo` option was present in the generated configuration file in the past. From some 3.11.x on this option is no longer present in generated config (I can see this diff when I compare new config with old one).
However, openvpn server is still configured to use `comp-lzo` option. This leads to broken openvpn connection: client successfully connects to server but no data can pass through the tunnel. If I add `comp-lzo` to the client config, everything starts to work well.
Part of the openvpn UCI config file (`/etc/config/openvpn`):
```
config openvpn 'server_turris'
...
option comp_lzo 'yes'
```
Probably related to #4 #5

Turris OS 3.11.3
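
The two conditions raised in issues 5 and 7 can be checked together before a client config is handed out. The sketch below is an added example, not code from the foris-controller module or from the issue authors. The function names and the client config lines are constructed for illustration, and it assumes only the `comp-lzo` and `compress` options matter and that a mismatch means one side has compression framing and the other does not.

```python
import re

def parse_uci(text):
    """UCI 'option name value' lines -> {name: value}, underscores as dashes."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"\s*option\s+(\S+)\s*(.*)$", line)
        if m:
            opts[m.group(1).replace("_", "-")] = m.group(2).strip().strip("'\"")
    return opts

def parse_ovpn(text):
    """OpenVPN client config lines -> {directive: arguments}; skips comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            parts = line.split(None, 1)
            opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def compression_state(opts):
    """Return (framing, compressing) for one side of the tunnel."""
    lzo, alg = opts.get("comp-lzo"), opts.get("compress")
    # Either directive switches on compression framing, even 'comp-lzo no'.
    framing = lzo is not None or alg is not None
    compressing = (lzo is not None and lzo != "no") or \
                  (alg is not None and alg not in ("", "stub", "stub-v2"))
    return framing, compressing

def audit(server_uci, client_ovpn):
    """List findings for a server UCI section and a generated client config."""
    s_frame, s_comp = compression_state(parse_uci(server_uci))
    c_frame, c_comp = compression_state(parse_ovpn(client_ovpn))
    findings = []
    if s_frame != c_frame:
        findings.append("framing-mismatch")      # connects, but no data passes
    if s_comp or c_comp:
        findings.append("compression-enabled")   # the exposure from ticket #2861
    return findings

# Server snippet as quoted in issue 7; client configs are constructed samples.
SERVER_UCI = "config openvpn 'server_turris'\n...\noption comp_lzo 'yes'\n"
CLIENT_NEW = "client\ndev tun\nproto udp\n"
CLIENT_OLD = CLIENT_NEW + "comp-lzo\n"

if __name__ == "__main__":
    print(audit(SERVER_UCI, CLIENT_NEW))
    print(audit(SERVER_UCI, CLIENT_OLD))
```

An empty list means both sides agree and neither compresses, which is the state issue 5 asks for.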