Bad LZO decompression header byte: 69

[Kulturmensch]

After successful OpenVPN-connection between IPhone 6 (iOS 9.2) and my root server (Ubuntu LTS 14.04.3) I find the following error message in the server´s openvpn logfile:

Bad LZO decompression header byte: 69

I can also not open Internetpages on the IPhone if the connection via tunnel is enabled.

Concerning compression it is possible to choose (OpenVPN IPhone) one of these 3 options:

• No

• Full

• Downlink only

.

In the config files on either the client (IPhone) and server side I used; comp-lzo

Any idea how to fix this?

[Kulturmensch]

I could fix it and everything works now with the Apple-World, too.

[Pippin]

It would be nice if you share your solution

[Traffic]

My guess would be --comp-lzo no (both sides)

FYI, in the server conf or CCD file this is permitted:

Code: Select all

push "comp-lzo parameter"
      comp-lzo parameter

which configures both server and client globally or on a specific connection (at this time)
With the caveat that at least:

Code: Select all

comp-lzo

is used in both server and client confs. (To initialize the LZO function)

LZ4 is soon to hit the frame as well .. that should be fun !
Snappy got binned ..

[Kulturmensch]

Sorry for the late reply, I do not receive notifications and have manually to check replies.

Here we are with my working configuration

root server (Linux) <-> Iphone/IPad

I configured both server and client globally with
comp-lzo
and selected for the IPhone/IPad client the following in the APP-configuration:
Raise keyboard on
Seamless tunnel on
Connect via Any network
Reconnect on wakeup on
Protocol UDP
Compression FULL
Connection Timeout 30 seconds
Network state detection active
Advanced Settings
Force AES-CBS-ciphersuites on
Google DNS fallback on
Layer 2 reachability off

No proxy

client conf (which was installed using I-Tunes):
client
remote server.ip port
proto udp
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 3
--tls-auth ta.key 1
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
....
....
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
....
....
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
....
....
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
....
....
-----END OpenVPN Static key V1-----
</tls-auth>

Hope, this helps

[Kulturmensch]

I just learned that client should be replaced by tls-client
Thanks to Pippin

[Kulturmensch]

and --tls-auth ta.key 1 can be deleted, it is redundant in my example.

[Traffic]

I just learned that client should be replaced by tls-client
Thanks to Pippin

--client should not be replaced by --tls-client

--client expands to --tls-client & --pull

--tls-client does not expand and so you loose --pull

[Pippin]

Yup, i stand corrected

[Kulturmensch]

Oh, that explains my fault by using tls-client.
Thank you:-)