feat: remove compression support (#1418)

## Summary - Remove compression support from the script (CLI option, interactive prompts, config generation) - Compression is unsafe due to the VORACLE attack and OpenVPN is deprecating it - Simplify DCO compatibility check (no longer needs compression condition) Closes https://github.com/angristan/openvpn-install/issues/872
2025-12-16 08:57:03 +01:00 · 2025-12-15 10:04:02 +01:00
parent 898489f3c9
commit 15ca74639c
2 changed files with 5 additions and 70 deletions
--- a/README.md
+++ b/README.md
@@ -51,7 +51,6 @@ That said, OpenVPN still makes sense when you need:
 - Choice to use a self-hosted resolver with Unbound (supports already existing Unbound installations)
 - Choice between TCP and UDP
 - NATed IPv6 support
- Compression disabled by default to prevent VORACLE. LZ4 (v1/v2) and LZ0 algorithms available otherwise.
 - Unprivileged mode: run as `nobody`/`nogroup`
 - Block DNS leaks on Windows 10
 - Randomised server certificate name
@@ -302,7 +301,6 @@ The `install` command supports many options for customization:

 **Other Options:**

- `--compression <alg>` - Compression (default: `none`). Options: `none`, `lz4-v2`, `lz4`, `lzo`
 - `--multi-client` - Allow same cert on multiple devices (default: disabled)

 #### Automation Examples
@@ -404,12 +402,9 @@ Certificate and PKI management is handled by [Easy-RSA](https://github.com/OpenV

 ### Compression

-> [!NOTE]
-> OpenVPN 2.6+ defaults `--allow-compression` to `no`, which blocks even server-pushed compression. Prior versions allowed servers to push compression settings to clients.
+This script used to support LZ4 and LZO compression algorithms, but discouraged their use due to the [VORACLE attack](https://community.openvpn.net/Security%20Announcements/VORACLE) vulnerability.

-By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 (v1/v2) algorithms, the latter being more efficient.
-
-However, it is discouraged to use compression since the [VORACLE attack](https://protonvpn.com/blog/voracle-attack/) makes use of it.
+OpenVPN 2.6+ defaults `--allow-compression` to `no`, blocking even server-pushed compression. Now that OpenVPN is removing compression support entirely, this script no longer supports it.

 ### TLS version

@@ -575,9 +570,8 @@ DCO was merged into the Linux kernel 6.16 (April 2025).
 - Linux kernel 6.16+ (built-in) or `ovpn-dco` kernel module
 - UDP protocol (TCP is not supported)
 - AEAD cipher (`AES-128-GCM`, `AES-256-GCM`, or `CHACHA20-POLY1305`)
- Compression disabled

-The script's default settings (AES-128-GCM, UDP, no compression) are DCO-compatible. When DCO is available and the configuration is compatible, OpenVPN will automatically use it for improved performance.
+The script's default settings (AES-128-GCM, UDP) are DCO-compatible. When DCO is available and the configuration is compatible, OpenVPN will automatically use it for improved performance.

 **Note:** DCO must be supported on both the server and the client for full acceleration. Client support is available in OpenVPN 2.6+ (Linux, Windows, FreeBSD) and OpenVPN Connect 3.4+ (Windows). macOS does not currently support DCO, but clients can still connect to DCO-enabled servers with partial performance benefits on the server-side.

--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -235,7 +235,6 @@ show_install_help() {
 			--server-cert-days <n>  Server cert validity in days (default: 3650)

 		Other Options:
-			--compression <alg>   Compression: lz4-v2, lz4, lzo, none (default: none)
 			--multi-client        Allow same cert on multiple devices

 		Initial Client Options:
@@ -579,26 +578,6 @@ cmd_install() {
 			DNS2="$2"
 			shift 2
 			;;
-		--compression)
-			[[ -z "${2:-}" ]] && log_fatal "--compression requires an argument"
-			case "$2" in
-			none) COMPRESSION_ENABLED=n ;;
-			lz4-v2)
-				COMPRESSION_ENABLED=y
-				COMPRESSION_ALG=lz4-v2
-				;;
-			lz4)
-				COMPRESSION_ENABLED=y
-				COMPRESSION_ALG=lz4
-				;;
-			lzo)
-				COMPRESSION_ENABLED=y
-				COMPRESSION_ALG=lzo
-				;;
-			*) log_fatal "Invalid compression: $2. Use 'none', 'lz4-v2', 'lz4', or 'lzo'." ;;
-			esac
-			shift 2
-			;;
 		--multi-client)
 			MULTI_CLIENT=y
 			shift
@@ -761,9 +740,6 @@ cmd_install() {
 		# DNS
 		DNS=${DNS:-3}

-		# Compression
-		COMPRESSION_ENABLED=${COMPRESSION_ENABLED:-n}
-
 		# Multi-client
 		MULTI_CLIENT=${MULTI_CLIENT:-n}

@@ -1813,31 +1789,6 @@ function installQuestions() {
 		read -rp "Allow multiple devices per client? [y/n]: " -e -i n MULTI_CLIENT
 	done
 	log_menu ""
-	log_prompt "Do you want to use compression? It is not recommended since the VORACLE attack makes use of it."
-	until [[ $COMPRESSION_ENABLED =~ (y|n) ]]; do
-		read -rp "Enable compression? [y/n]: " -e -i n COMPRESSION_ENABLED
-	done
-	if [[ $COMPRESSION_ENABLED == "y" ]]; then
-		log_prompt "Choose which compression algorithm you want to use: (they are ordered by efficiency)"
-		log_menu "   1) LZ4-v2"
-		log_menu "   2) LZ4"
-		log_menu "   3) LZ0"
-		until [[ $COMPRESSION_CHOICE =~ ^[1-3]$ ]]; do
-			read -rp "Compression algorithm [1-3]: " -e -i 1 COMPRESSION_CHOICE
-		done
-		case $COMPRESSION_CHOICE in
-		1)
-			COMPRESSION_ALG="lz4-v2"
-			;;
-		2)
-			COMPRESSION_ALG="lz4"
-			;;
-		3)
-			COMPRESSION_ALG="lzo"
-			;;
-		esac
-	fi
-	log_menu ""
 	log_prompt "Do you want to customize encryption settings?"
 	log_prompt "Unless you know what you're doing, you should stick with the default parameters provided by the script."
 	log_prompt "Note that whatever you choose, all the choices presented in the script are safe (unlike OpenVPN's defaults)."
@@ -2095,7 +2046,6 @@ function installOpenVPN() {
 		PORT_CHOICE=${PORT_CHOICE:-1}
 		PROTOCOL_CHOICE=${PROTOCOL_CHOICE:-1}
 		DNS=${DNS:-3}
-		COMPRESSION_ENABLED=${COMPRESSION_ENABLED:-n}
 		MULTI_CLIENT=${MULTI_CLIENT:-n}
 		CUSTOMIZE_ENC=${CUSTOMIZE_ENC:-n}
 		CLIENT=${CLIENT:-client}
@@ -2118,7 +2068,6 @@ function installOpenVPN() {
 		log_info "  PORT_CHOICE=$PORT_CHOICE"
 		log_info "  PROTOCOL_CHOICE=$PROTOCOL_CHOICE"
 		log_info "  DNS=$DNS"
-		log_info "  COMPRESSION_ENABLED=$COMPRESSION_ENABLED"
 		log_info "  MULTI_CLIENT=$MULTI_CLIENT"
 		log_info "  CUSTOMIZE_ENC=$CUSTOMIZE_ENC"
 		log_info "  CLIENT=$CLIENT"
@@ -2187,10 +2136,10 @@ function installOpenVPN() {
 		# Check Data Channel Offload (DCO) availability
 		if isDCOAvailable; then
 			# Check if configuration is DCO-compatible
-			if [[ $PROTOCOL == "udp" ]] && [[ $COMPRESSION_ENABLED == "n" ]] && [[ $CIPHER =~ (GCM|CHACHA20-POLY1305) ]]; then
+			if [[ $PROTOCOL == "udp" ]] && [[ $CIPHER =~ (GCM|CHACHA20-POLY1305) ]]; then
 				log_info "Data Channel Offload (DCO) is available and will be used for improved performance"
 			else
-				log_info "Data Channel Offload (DCO) is available but not enabled (requires UDP, AEAD cipher, no compression)"
+				log_info "Data Channel Offload (DCO) is available but not enabled (requires UDP, AEAD cipher)"
 			fi
 		else
 			log_info "Data Channel Offload (DCO) is not available (requires OpenVPN 2.6+ and kernel support)"
@@ -2422,10 +2371,6 @@ push "route-ipv6 2000::/3"
 push "redirect-gateway ipv6"' >>/etc/openvpn/server/server.conf
 	fi

-	if [[ $COMPRESSION_ENABLED == "y" ]]; then
-		echo "compress $COMPRESSION_ALG" >>/etc/openvpn/server/server.conf
-	fi
-
 	if [[ $DH_TYPE == "1" ]]; then
 		echo "dh none" >>/etc/openvpn/server/server.conf
 		echo "ecdh-curve $DH_CURVE" >>/etc/openvpn/server/server.conf
@@ -2691,10 +2636,6 @@ ignore-unknown-option block-outside-dns
 setenv opt block-outside-dns # Prevent Windows 10 DNS leak
 verb 3" >>/etc/openvpn/server/client-template.txt

-	if [[ $COMPRESSION_ENABLED == "y" ]]; then
-		echo "compress $COMPRESSION_ALG" >>/etc/openvpn/server/client-template.txt
-	fi
-
 	# Generate the custom client.ovpn
 	if [[ $NEW_CLIENT == "n" ]]; then
 		log_info "No clients added. To add clients, simply run the script again."