
Unfair treatment for "Stub" Compression push? #551

Open
ghost opened this issue May 8, 2024 · 4 comments

Comments

@ghost

ghost commented May 8, 2024

I understand OVPN-DCO does not support any kind of compression, but it refuses to connect when a compression stub is pushed by a VPN provider that does not support compression. NordVPN stopped using compression as soon as the VORACLE attack was discovered several years ago, but NordVPN does perform a compression stub push. Pushing a compression stub only enables packet framing for compression, and that means there may only be a possibility of a compression push at a later time. NordVPN never pushes compression at any later time. Can it be that OVPN-DCO does not treat compression stub pushes fairly and just assumes that compression is eventually pushed? Why can't it just disconnect upon detecting actual compression instead of making such an assumption?

I'd also like to try some VPN providers that are known to fully support OVPN-DCO, but I don't know which ones do...

@cron2
Contributor

cron2 commented May 8, 2024

Please send a logfile showing the connection, PUSH_REPLY, and OpenVPN's reaction to it.

(Also, this is not really a "DCO" issue, which is about the actual kernel code, and you see a userland effect - so I'll move this to "openvpn")

@cron2 cron2 transferred this issue from OpenVPN/ovpn-dco May 8, 2024
@schwabe
Contributor

schwabe commented May 8, 2024

We also implemented compress migrate to allow setups that used compression to move completely away from it instead of using stub. Also DCO is only enabled if the config does not contain stub compression. And when it is enabled the client does not announce stub compression. So please share a log since that sounds weird.

@ghost
Author

ghost commented May 8, 2024

Here are 2 configuration files (one with "compress migrate" and one without) and 2 logs for them (with sensitive identifiers and IPs replaced by "X"s):
Migrate.log
Migrate-OVPN-Config.txt
NoMigrate-OVPN-Config.txt
NoMigratre.log

I didn't want to spam these forums with questions and decided to just post the most important ones here as secondary side-issues, but I can move them to official OpenVPN Community forums if that's a better choice:

  • How do I make OpenVPN-GUI auto-reconnect when connection is lost? For now it asks to re-enter username and password each time I get disconnected. Does smooth silent reconnection require remembering/saving password or allowing it to be cached in memory (or both)? I assume smooth reconnect is not possible with "auth-nocache" parameter. Supposedly, OpenVPNServ2.exe can run in background and perform auto-reconnect, but that service never starts on its own or when I attempt to start it manually.
  • Is there a way to override OVPN configuration files globally? I want to add "mute-replay-warnings" and some other parameters to all configuration files without having to edit them one by one...
  • Are there any plans to introduce WireGuard support into OpenVPN-GUI? Official WireGuard for Windows has a major issue of not hiding private keys with asterisks. It is a problem for environments where shoulder surfing attacks are part of the threat model. OpenVPN-GUI is bloatware-free and is compiled with some really nice features, like CET (Kernel-Mode Hardware-Enforced Stack Protection) that WireGuard for Windows doesn't have, but I think CET only works with the user-space Wintun driver, not the WireGuard kernel-space driver.
  • How do I run OpenVPN Interactive Service as administrator? The Wintun adapter asks for SYSTEM privileges, but that's only useful when you have one or more unprivileged users, not when you have only one user who is also administrator. OpenVPN Interactive Service should at least come with its own security descriptor that allows it only the absolute minimum privileges. I think it only needs "Query Status", "Start/Stop", and a few other permissions.
  • Is it planned to add AppContainer support? Windows 10/11 now allows legacy Win32k programs to run in isolation in their own "Lowbox" containers (with permissions below unprivileged level), but it is up to developers to provide such support. OpenVPN-GUI.exe and OpenVPN.exe can run in Sandboxie with only basic file isolation, registry isolation, ANONYMOUS LOGON token, but they require direct access to OpenVPNServ.exe named pipes and make system calls not allowed in Security Hardened and Device Restricted Sandboxes.
  • Is it planned to make OpenVPN a multithreaded process to improve encryption/decryption performance? It may be best to leave it as a single-threaded process to prevent race conditions.
  • Are there any scripts and/or plugins that can spawn adapters on OpenVPN-GUI program start and destroy/uninstall them on exit? Each adapter gets its own static/persistent HWID that should instead be dynamic (for privacy reasons) and change each time OpenVPN-GUI is closed and started.

@schwabe
Contributor

schwabe commented May 8, 2024

compress migrate is a server option. It is something the server has to put in, in this case your VPN provider. Stub compression should just not be used anymore and we provide proper tools to move away from that, but if your VPN sticks to old outdated settings there is nothing we can do.

And on the second config without migrate: either you modify the config to remove compression settings or NordVPN is pushing comp-stub to clients that do not support it. Either way it is all working like it should and there are no bugs or unexpected behaviour.

Please sort that out with NordVPN support and have them update their configs/servers to modern standards.

There are no plans to integrate wireguard into OpenVPN.
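The two things the maintainers ask the reporter to check (whether the client config itself still carries a compression or stub directive, and whether the server's PUSH_REPLY pushes one) can be checked mechanically. The following script is an added example and is not code from the OpenVPN project or from anyone in this thread. It applies the rule stated above (DCO is only used when the config carries no compression or stub directive), parses the `PUSH: Received control message: 'PUSH_REPLY,...'` line OpenVPN logs, and reports any `comp-lzo` / `compress` option on either side. The config text and log line are constructed for the demo, and treating `compress migrate` as a server-only directive that does not itself enable data-channel compression is an assumption of this checker.

```python
"""Check an OpenVPN client config and a PUSH_REPLY log line for compression
settings that conflict with data channel offload (DCO).

Added example, not code from the OpenVPN project. The config text and log
line below are constructed; the DCO rule is the one stated in the thread
(no compression or stub directive in the config). Treating "compress migrate"
as server-only, not enabling compression by itself, is an assumption here.
"""
import re

COMPRESSION_KEYWORDS = ("comp-lzo", "compress")
STUB_ALGORITHMS = ("stub", "stub-v2")


def classify_compression(option):
    """Classify one 'comp-lzo ...' or 'compress ...' option.

    Returns 'real' (payload is compressed), 'stub' (framing only, no
    compression), 'server-only' (compress migrate) or 'none' (not a
    compression option at all).
    """
    parts = option.split()
    if not parts or parts[0] not in COMPRESSION_KEYWORDS:
        return "none"
    name, args = parts[0], parts[1:]
    if name == "comp-lzo":
        # "comp-lzo no" keeps the LZO framing but never compresses payload.
        return "stub" if args == ["no"] else "real"
    if not args or args[0] in STUB_ALGORITHMS:
        # "compress" with no algorithm also means framing only.
        return "stub"
    if args[0] == "migrate":
        return "server-only"  # assumption: server-side helper, see lead-in
    return "real"


def strip_comment(raw):
    """Drop '#' / ';' comments and surrounding whitespace from a config line."""
    for marker in ("#", ";"):
        raw = raw.split(marker, 1)[0]
    return raw.strip()


def compression_directives(config_text):
    """Return [(directive, kind)] for every compression line in a config."""
    found = []
    for raw in config_text.splitlines():
        line = strip_comment(raw)
        if line and line.split()[0] in COMPRESSION_KEYWORDS:
            found.append((line, classify_compression(line)))
    return found


def dco_compatible(config_text):
    """True when the config has no directive that takes it out of DCO."""
    return all(kind in ("none", "server-only")
               for _, kind in compression_directives(config_text))


PUSH_REPLY_RE = re.compile(r"PUSH: Received control message: '(PUSH_REPLY,[^']*)'")


def pushed_compression(log_line):
    """Return [(option, kind)] for compression options the server pushed."""
    match = PUSH_REPLY_RE.search(log_line)
    if not match:
        return []
    options = [o.strip() for o in match.group(1).split(",")[1:]]
    return [(o, classify_compression(o)) for o in options
            if o and o.split()[0] in COMPRESSION_KEYWORDS]


# Constructed sample input: a client config that still carries a stub, and a
# PUSH_REPLY log line in the format OpenVPN uses when logging a server push.
CLIENT_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
# framing only, but still takes the data channel out of DCO
compress stub
"""

PUSH_LINE = ("2024-05-08 12:00:00 PUSH: Received control message: "
             "'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,"
             "comp-lzo no,ping 10,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0'")


if __name__ == "__main__":
    for directive, kind in compression_directives(CLIENT_CONFIG):
        print(f"config: {directive!r} -> {kind}")
    print("DCO compatible:", dco_compatible(CLIENT_CONFIG))
    for option, kind in pushed_compression(PUSH_LINE):
        print(f"server pushed {option!r} ({kind}); raise this with the provider")
```

Run against a real client config and the log from a connection attempt, the output separates the two cases the maintainers describe: a `config:` line means the client config itself has to be cleaned up, while a `server pushed` line means the provider's server is still pushing `comp-lzo` or `compress` and needs to be updated on their side.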
