wheelybird/openvpn-server-ldap-otp

COMP-LZO should be disabled by default

ragaar opened this issue · 2 comments

Security researcher Ahamed Nafeez has presented a new attack vector which targets VPN tunnels which utilize compression, named VORACLE.[1]

REFERENCE

  1. https://community.openvpn.net/openvpn/wiki/VORACLE

Hi.
Thanks for letting me know about this. Unfortunately I don't think I can make this a default option because if someone updates the server but not the client configs then the connections will fail.
OpenVPN Access Server allows the client to request compression, but of course we're not using that.

I'll look into making compression optional via env variables and update the documentation to highlight that vulnerability.

The option to disable compression (OVPN_ENABLE_COMPRESSION=false) has been added and the Docker container image updated.
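An added example, not code from this thread or from the project: a small audit that classifies the compression directives (`comp-lzo`, `compress`, and their `push "..."` forms) in a server config and its client configs, flagging both VORACLE exposure and the server/client mismatch discussed above. The function names and sample configs are constructed for illustration, and it assumes a pushed directive overrides the client's own setting.

```python
import shlex

STUB_ALGOS = {"stub", "stub-v2"}  # framing byte only, no compression

def compression_state(config_text, pushed=False):
    """Classify as 'compressing', 'framing-only' or 'off'; pushed=True reads only push "..." lines."""
    state = "off"
    for raw in config_text.splitlines():
        if raw.lstrip().startswith(";"):          # ';' comment line
            continue
        tokens = shlex.split(raw, comments=True)  # drops '#' comments
        is_push = len(tokens) > 1 and tokens[0] == "push"
        if is_push:
            tokens = tokens[1].split()
        if not tokens or is_push != pushed:
            continue
        name, arg = tokens[0], (tokens[1] if len(tokens) > 1 else None)
        if name == "comp-lzo":      # bare comp-lzo means adaptive
            found = "framing-only" if arg == "no" else "compressing"
        elif name == "compress":    # bare compress means framing only; unknown values get flagged
            found = "framing-only" if arg in STUB_ALGOS | {None} else "compressing"
        else:
            continue
        if found == "compressing" or state == "off":
            state = found
    return state

def audit(server_text, clients):
    """Return (config name, finding) pairs for a server and its client configs."""
    findings = []
    server = compression_state(server_text)
    push = compression_state(server_text, pushed=True)
    if "compressing" in (server, push):
        findings.append(("server", "compression enabled (VORACLE exposure)"))
    for name, text in clients.items():
        # Assumption: a pushed directive overrides the client's own setting.
        client = push if push != "off" else compression_state(text)
        if client == "compressing" and push != "compressing":
            findings.append((name, "compression enabled (VORACLE exposure)"))
        if (client == "off") != (server == "off"):
            findings.append((name, "framing mismatch with server"))
    return findings

# Constructed sample configs, not taken from the project.
SERVER_OLD = 'port 1194\ncomp-lzo\n'
SERVER_NEW = 'port 1194\n# comp-lzo\n'
CLIENT_OLD = 'client\nremote vpn.example.com 1194\ncomp-lzo\n'
```

Running `audit(SERVER_NEW, {"laptop": CLIENT_OLD})` reproduces the upgrade case from the thread: the server no longer compresses, but the stale client config is reported both as exposed and as mismatched.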