diff --git a/README.md b/README.md index 8dd1f77..69b2427 100644 --- a/README.md +++ b/README.md @@ -51,7 +51,6 @@ That said, OpenVPN still makes sense when you need: - Choice to use a self-hosted resolver with Unbound (supports already existing Unbound installations) - Choice between TCP and UDP - NATed IPv6 support -- Compression disabled by default to prevent VORACLE. LZ4 (v1/v2) and LZ0 algorithms available otherwise. - Unprivileged mode: run as `nobody`/`nogroup` - Block DNS leaks on Windows 10 - Randomised server certificate name @@ -302,7 +301,6 @@ The `install` command supports many options for customization: **Other Options:** -- `--compression ` - Compression (default: `none`). Options: `none`, `lz4-v2`, `lz4`, `lzo` - `--multi-client` - Allow same cert on multiple devices (default: disabled) #### Automation Examples @@ -404,12 +402,9 @@ Certificate and PKI management is handled by [Easy-RSA](https://github.com/OpenV ### Compression -> [!NOTE] -> OpenVPN 2.6+ defaults `--allow-compression` to `no`, which blocks even server-pushed compression. Prior versions allowed servers to push compression settings to clients. +This script used to support LZ4 and LZO compression algorithms, but discouraged their use due to the [VORACLE attack](https://community.openvpn.net/Security%20Announcements/VORACLE) vulnerability. -By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 (v1/v2) algorithms, the latter being more efficient. - -However, it is discouraged to use compression since the [VORACLE attack](https://protonvpn.com/blog/voracle-attack/) makes use of it. +OpenVPN 2.6+ defaults `--allow-compression` to `no`, blocking even server-pushed compression. Now that OpenVPN is removing compression support entirely, this script no longer supports it. ### TLS version 
@@ -575,9 +570,8 @@ DCO was merged into the Linux kernel 6.16 (April 2025). - Linux kernel 6.16+ (built-in) or `ovpn-dco` kernel module - UDP protocol (TCP is not supported) - AEAD cipher (`AES-128-GCM`, `AES-256-GCM`, or `CHACHA20-POLY1305`) -- Compression disabled -The script's default settings (AES-128-GCM, UDP, no compression) are DCO-compatible. When DCO is available and the configuration is compatible, OpenVPN will automatically use it for improved performance. +The script's default settings (AES-128-GCM, UDP) are DCO-compatible. When DCO is available and the configuration is compatible, OpenVPN will automatically use it for improved performance. **Note:** DCO must be supported on both the server and the client for full acceleration. Client support is available in OpenVPN 2.6+ (Linux, Windows, FreeBSD) and OpenVPN Connect 3.4+ (Windows). macOS does not currently support DCO, but clients can still connect to DCO-enabled servers with partial performance benefits on the server-side. diff --git a/openvpn-install.sh b/openvpn-install.sh index 5783bf8..4ad0eb2 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -235,7 +235,6 @@ show_install_help() { --server-cert-days Server cert validity in days (default: 3650) Other Options: - --compression Compression: lz4-v2, lz4, lzo, none (default: none) --multi-client Allow same cert on multiple devices Initial Client Options: @@ -579,26 +578,6 @@ cmd_install() { DNS2="$2" shift 2 ;; - --compression) - [[ -z "${2:-}" ]] && log_fatal "--compression requires an argument" - case "$2" in - none) COMPRESSION_ENABLED=n ;; - lz4-v2) - COMPRESSION_ENABLED=y - COMPRESSION_ALG=lz4-v2 - ;; - lz4) - COMPRESSION_ENABLED=y - COMPRESSION_ALG=lz4 - ;; - lzo) - COMPRESSION_ENABLED=y - COMPRESSION_ALG=lzo - ;; - *) log_fatal "Invalid compression: $2. Use 'none', 'lz4-v2', 'lz4', or 'lzo'." ;; - esac - shift 2 - ;; --multi-client) MULTI_CLIENT=y shift 
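Review bot: Removing the `--compression)` arm means an invocation that still passes `--compression none` (the previously documented default, and harmless) now reaches the parser's default case, which lies outside this hunk, so existing automation gets whatever generic unknown-option handling exists rather than a message explaining the removal. A thin deprecation arm keeps that path actionable: `--compression) [[ "${2:-}" == "none" ]] || log_fatal "--compression has been removed: compression is no longer supported"; shift 2 ;;`. The same silent drop applies to the `COMPRESSION_ENABLED=${COMPRESSION_ENABLED:-n}` default removed in the `@@ -2095` hunk of installOpenVPN: as far as this diff shows, a headless run exporting `COMPRESSION_ENABLED=y` is now ignored without notice, and a one-line `log_info` there stating that the variable is ignored would make that explicit. The `case` statement and cmd_install's body continue outside the hunk.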
@@ -761,9 +740,6 @@ cmd_install() { # DNS DNS=${DNS:-3} - # Compression - COMPRESSION_ENABLED=${COMPRESSION_ENABLED:-n} - # Multi-client MULTI_CLIENT=${MULTI_CLIENT:-n} @@ -1813,31 +1789,6 @@ function installQuestions() { read -rp "Allow multiple devices per client? [y/n]: " -e -i n MULTI_CLIENT done log_menu "" - log_prompt "Do you want to use compression? It is not recommended since the VORACLE attack makes use of it." - until [[ $COMPRESSION_ENABLED =~ (y|n) ]]; do - read -rp "Enable compression? [y/n]: " -e -i n COMPRESSION_ENABLED - done - if [[ $COMPRESSION_ENABLED == "y" ]]; then - log_prompt "Choose which compression algorithm you want to use: (they are ordered by efficiency)" - log_menu " 1) LZ4-v2" - log_menu " 2) LZ4" - log_menu " 3) LZ0" - until [[ $COMPRESSION_CHOICE =~ ^[1-3]$ ]]; do - read -rp "Compression algorithm [1-3]: " -e -i 1 COMPRESSION_CHOICE - done - case $COMPRESSION_CHOICE in - 1) - COMPRESSION_ALG="lz4-v2" - ;; - 2) - COMPRESSION_ALG="lz4" - ;; - 3) - COMPRESSION_ALG="lzo" - ;; - esac - fi - log_menu "" log_prompt "Do you want to customize encryption settings?" log_prompt "Unless you know what you're doing, you should stick with the default parameters provided by the script." log_prompt "Note that whatever you choose, all the choices presented in the script are safe (unlike OpenVPN's defaults)." @@ -2095,7 +2046,6 @@ function installOpenVPN() { PORT_CHOICE=${PORT_CHOICE:-1} PROTOCOL_CHOICE=${PROTOCOL_CHOICE:-1} DNS=${DNS:-3} - COMPRESSION_ENABLED=${COMPRESSION_ENABLED:-n} MULTI_CLIENT=${MULTI_CLIENT:-n} CUSTOMIZE_ENC=${CUSTOMIZE_ENC:-n} CLIENT=${CLIENT:-client} @@ -2118,7 +2068,6 @@ function installOpenVPN() { log_info " PORT_CHOICE=$PORT_CHOICE" log_info " PROTOCOL_CHOICE=$PROTOCOL_CHOICE" log_info " DNS=$DNS" - log_info " COMPRESSION_ENABLED=$COMPRESSION_ENABLED" log_info " MULTI_CLIENT=$MULTI_CLIENT" log_info " CUSTOMIZE_ENC=$CUSTOMIZE_ENC" log_info " CLIENT=$CLIENT" 
@@ -2187,10 +2136,10 @@ function installOpenVPN() { # Check Data Channel Offload (DCO) availability if isDCOAvailable; then # Check if configuration is DCO-compatible - if [[ $PROTOCOL == "udp" ]] && [[ $COMPRESSION_ENABLED == "n" ]] && [[ $CIPHER =~ (GCM|CHACHA20-POLY1305) ]]; then + if [[ $PROTOCOL == "udp" ]] && [[ $CIPHER =~ (GCM|CHACHA20-POLY1305) ]]; then log_info "Data Channel Offload (DCO) is available and will be used for improved performance" else - log_info "Data Channel Offload (DCO) is available but not enabled (requires UDP, AEAD cipher, no compression)" + log_info "Data Channel Offload (DCO) is available but not enabled (requires UDP, AEAD cipher)" fi else log_info "Data Channel Offload (DCO) is not available (requires OpenVPN 2.6+ and kernel support)" @@ -2422,10 +2371,6 @@ push "route-ipv6 2000::/3" push "redirect-gateway ipv6"' >>/etc/openvpn/server/server.conf fi - if [[ $COMPRESSION_ENABLED == "y" ]]; then - echo "compress $COMPRESSION_ALG" >>/etc/openvpn/server/server.conf - fi - if [[ $DH_TYPE == "1" ]]; then echo "dh none" >>/etc/openvpn/server/server.conf echo "ecdh-curve $DH_CURVE" >>/etc/openvpn/server/server.conf @@ -2691,10 +2636,6 @@ ignore-unknown-option block-outside-dns setenv opt block-outside-dns # Prevent Windows 10 DNS leak verb 3" >>/etc/openvpn/server/client-template.txt - if [[ $COMPRESSION_ENABLED == "y" ]]; then - echo "compress $COMPRESSION_ALG" >>/etc/openvpn/server/client-template.txt - fi - # Generate the custom client.ovpn if [[ $NEW_CLIENT == "n" ]]; then log_info "No clients added. To add clients, simply run the script again."
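Review bot: The DCO-eligibility test now treats compression as absent, but as far as this diff shows nothing rewrites a server.conf or client-template.txt that an earlier version of this script generated with `compress $COMPRESSION_ALG` (the emitting lines are removed in the `@@ -2422` and `@@ -2691` hunks below), so a re-run on such an install would log that DCO "will be used" while the stale `compress` directive keeps the server VORACLE-exposed and, per the README change in this commit, stops it working once OpenVPN drops compression. If the script has an upgrade path outside this hunk, it should strip stale `compress` lines from both files there; if it does not, a comment above the new condition, `# Assumes no compress directive: configs from pre-removal versions must be cleaned up manually`, would at least record the assumption. As a point of style, the two tests can be a single expression, `if [[ $PROTOCOL == "udp" && $CIPHER =~ (GCM|CHACHA20-POLY1305) ]]; then`. installOpenVPN continues outside the hunk.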