
Struggling with new iOS client 3.4+

Posted: Sat Dec 02, 2023 11:54 pm
by rlmalisz
We have what has been a stable VPN setup. Main use case is gaining access to the home network from outside, less often for protection on public wifi.

I found the other day that OpenVPN Connect on my iPhone and iPad had gotten updated to 3.4.1 since the last time I'd used the VPN. And that it no longer worked. Launching the app would briefly give a splash screen, then just go black. Same on both device types. No getting past it.

Deleted and reinstalled the apps, loaded config files with two changes: commented out "comp-lzo" and replaced "tls-client" with client. We have two distinct OpenVPN servers with outward facing ports. Tried the first, didn't work, commented out "comp-lzo" on that server, restarted it, all good.

Did the same changes to the second. Connection happens, but the log is full of "Bad LZO decompression header byte: 69", which means the server is still expecting compressed data and the client isn't sending such. The server that is behaving is running 2.4.6, the one that isn't is running 2.4.4.

Was there a bug fixed between 2.4.4 and 2.4.6 that might explain this discrepancy?

And a different question: it seems "comp-lzo" got deprecated with prejudice in the iOS apps at 3.4. I understand crypto applied to compressed data can weaken security. But what have others done? Is there some better compression option we should be using on both ends of this equation?

Thanks in advance for any insight or direction.

--Richard

Re: Struggling with new iOS client 3.4+

Posted: Sun Dec 03, 2023 9:09 pm
by rlmalisz
WRT the two servers behaving differently, disregard. I had removed comp-lzo from the 2.4.4 machine's config file and restarted the service, or at least, told it to, with no effect. Decided I'd get brave and upgrade Ubuntu on that box and bring up a later/greater OpenVPN. First had to upgrade a pile of packages that apt-get had been holding back. Got those done, rebooted the machine...and OpenVPN, which hadn't gotten updated, started behaving as expected...sans comp-lzo. Perhaps my "service openvpn restart" commands on that machine were not happening, but a reboot...

Having dragged a workhorse OSX box up to Sonoma from Ventura this morning and fixed all the HTTPD, Perl, PHP, CouchDB gotchas that accompany every major OSX update for us, I decided not to press my luck further. Will let a week's worth of backups pile up before burning any bridges. But things are working.

--Richard
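
Added example (not part of the thread and not OpenVPN project code): a small Python check that compares the compression framing enabled in a server config and a client profile, the mismatch behind the "Bad LZO decompression header byte" log line discussed above. The function names, sample configs and the host `vpn.example.net` are constructed for illustration.

```python
import re

# comp-lzo / compress are OpenVPN 2.4 directives; the function names and the
# sample configs below are constructed for this example.
def framing(config_text):
    """Return the compression framing a config enables locally and pushes."""
    found = {"local": None, "pushed": None}
    for raw in config_text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        scope = "local"
        push = re.match(r'^push\s+"(.*)"$', line)
        if push:
            scope, line = "pushed", push.group(1)
        tokens = line.split()
        if not tokens or tokens[0] not in ("comp-lzo", "compress"):
            continue
        arg = tokens[1] if len(tokens) > 1 else ""
        # "comp-lzo no" and a bare "compress" turn compression off but keep
        # the framing byte on the wire, so they still count as framing.
        if tokens[0] == "comp-lzo" or arg == "lzo":
            found[scope] = "lzo"
        else:
            found[scope] = arg or "stub"
    return found

def compare(server_text, client_text):
    """List findings for one server config / client profile pair."""
    srv, cli = framing(server_text), framing(client_text)
    findings = []
    if srv["local"] != cli["local"]:
        findings.append(
            f"framing mismatch: server={srv['local']} client={cli['local']}")
    if srv["pushed"]:
        findings.append(f"server pushes {srv['pushed']} framing to clients")
    return findings

# Constructed sample configs: server before and after commenting out comp-lzo.
SERVER_OLD = "port 1194\nproto udp\ndev tun\ncomp-lzo\n"
SERVER_NEW = "port 1194\nproto udp\ndev tun\n#comp-lzo\n"
CLIENT = "client\ndev tun\nremote vpn.example.net 1194\n;comp-lzo\n"

if __name__ == "__main__":
    for name, server in (("old", SERVER_OLD), ("new", SERVER_NEW)):
        print(name, compare(server, CLIENT) or "consistent")
```

The check reads the files on disk, not the state of the running daemon, so a server that was never actually restarted keeps the old framing even when the file compares clean.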