
Unfair treatment for "Stub" Compression push?

Open ghost opened this issue 1 year ago • 4 comments

I understand OVPN-DCO does not support any kind of compression, but it refuses to connect when a compression stub is pushed by a VPN provider that does not support compression. NordVPN stopped using compression as soon as the VORACLE attack was discovered several years ago, but NordVPN does perform a compression stub push. Pushing a compression stub only enables packet framing for compression, and that means there may only be a possibility of a compression push at a later time. NordVPN never pushes compression at any later time. Can it be that OVPN-DCO does not treat compression stub pushes fairly and just assumes that compression is eventually pushed? Why can't it just disconnect upon detecting actual compression instead of making such an assumption?

I'd also like to try some VPN providers that are known to fully support OVPN-DCO, but I don't know which ones do...

ghost avatar May 08 '24 07:05 ghost

Please send a logfile showing the connection, PUSH_REPLY, and OpenVPN's reaction to it.

(Also, this is not really a "DCO" issue, which is about the actual kernel code, and you see a userland effect - so I'll move this to "openvpn")

cron2 avatar May 08 '24 08:05 cron2

We also implemented compress migrate to allow setups that used compression to move completely away from it instead of using stub. Also, DCO is only enabled if the config does not contain stub compression, and when it is enabled the client does not announce stub compression. So please share a log, since that sounds weird.

schwabe avatar May 08 '24 08:05 schwabe

Here are 2 configuration files (one with "compress migrate" and one without) and 2 logs for them (with sensitive identifiers and IPs replaced by "X"s): Migrate.log Migrate-OVPN-Config.txt NoMigrate-OVPN-Config.txt NoMigratre.log

I didn't want to spam these forums with questions and decided to just post the most important ones here as secondary side-issues, but I can move them to official OpenVPN Community forums if that's a better choice:

  • How do I make OpenVPN-GUI auto-reconnect when connection is lost? For now it asks to re-enter username and password each time I get disconnected. Does smooth silent reconnection require remembering/saving password or allowing it to be cached in memory (or both)? I assume smooth reconnect is not possible with "auth-nocache" parameter. Supposedly, OpenVPNServ2.exe can run in background and perform auto-reconnect, but that service never starts on its own or when I attempt to start it manually.
  • Is there a way to override OVPN configuration files globally? I want to add "mute-replay-warnings" and some other parameters to all configuration files without having to edit them one by one...
  • Are there any plans to introduce WireGuard support into OpenVPN-GUI? Official WireGuard for Windows has a major issue of not hiding private keys with asterisks. It is a problem for environments where shoulder surfing attacks are part of the threat model. OpenVPN-GUI is bloatware-free and is compiled with some really nice features, like CET (Kernel-Mode Hardware-Enforced Stack Protection) that WireGuard for Windows doesn't have, but I think CET only works with the user-space Wintun driver, not the WireGuard kernel-space driver.
  • How do I run OpenVPN Interactive Service as administrator? The Wintun adapter asks for SYSTEM privileges, but that's only useful when you have one or more unprivileged users, not when you have only one user who is also administrator. OpenVPN Interactive Service should at least come with its own security descriptor that allows it only the absolute minimum privileges. I think it only needs "Query Status", "Start/Stop", and a few other permissions.
  • Is it planned to add AppContainer support? Windows 10/11 now allows legacy Win32k programs to run in isolation in their own "Lowbox" containers (with permissions below unprivileged level), but it is up to developers to provide such support. OpenVPN-GUI.exe and OpenVPN.exe can run in Sandboxie with only basic file isolation, registry isolation, ANONYMOUS LOGON token, but they require direct access to OpenVPNServ.exe named pipes and make system calls not allowed in Security Hardened and Device Restricted Sandboxes.
  • Is it planned to make OpenVPN a multithreaded process to improve encryption/decryption performance? It may be best to leave it as a single-threaded process to prevent race conditions.
  • Are there any scripts and/or plugins that can spawn adapters on OpenVPN-GUI program start and destroy/uninstall them on exit? Each adapter gets its own static/persistent HWID that should instead be dynamic (for privacy reasons) and change each time OpenVPN-GUI is closed and started.

ghost avatar May 08 '24 12:05 ghost

compress migrate is a server option. It is something the server has to put in, in this case your VPN provider. Stub compression should just not be used anymore, and we provide proper tools to move away from it, but if your VPN sticks to old outdated settings there is nothing we can do.

And on the second config without migrate: either you modify the config to remove compression settings, or NordVPN is pushing comp-stub to clients that do not support it. Either way it is all working like it should and there are no bugs or unexpected behaviour.

Please sort that out with NordVPN support and have them update their configs/servers to modern standards.

There are no plans to integrate wireguard into OpenVPN.

schwabe avatar May 08 '24 12:05 schwabe
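As an added illustration (constructed for this page, not a config from the thread, from NordVPN or from the OpenVPN project), the configuration shapes the answers above refer to: a client config that still carries a compression stub, which keeps DCO off, beside one with no compression options at all, and the server-side `compress migrate` option a provider would need to set. The hostname is a placeholder, and `allow-compression no` (an OpenVPN 2.5+ client option that refuses pushed non-stub compression) is assumed as the hardening step.

```conf
# --- Client config, old style (constructed example) ---
# "compress stub" (or the older "comp-lzo") keeps compression
# framing enabled; per the maintainers above, a config containing
# stub compression is run without DCO and announces stub to the server.
client
dev tun
proto udp
remote vpn.example.invalid 1194   # placeholder, not a real server
compress stub                     # weak: framing enabled, DCO stays off

# --- Client config, cleaned up (constructed example) ---
# No "compress"/"comp-lzo" line at all, so DCO can be enabled.
# "allow-compression no" (assumed hardening) additionally refuses any
# non-stub compression the server might push later, so an unexpected
# push fails visibly instead of silently enabling compression.
client
dev tun
proto udp
remote vpn.example.invalid 1194   # placeholder, not a real server
allow-compression no

# --- Server side (what the provider, not the client, must add) ---
# "compress migrate" is server-only: clients that still announce
# compression are told to disable it, so the server can drop
# compression entirely instead of keeping a stub for old clients.
compress migrate
```

Which variant a client ends up in is visible in the PUSH_REPLY the maintainers asked for in the log; a pushed compression option against the cleaned client config is the case to raise with the provider.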