"Automatic" OpenVPN Version Setting Creates TCP Probs


quist

Posts: 1
Joined: Wed Jul 26, 2017 1:09 am

Post by quist » Wed Jul 26, 2017 1:20 am
I am using Viscosity v 1.7.3 on Mac OS X El Capitan version 10.11.6

After upgrading to 1.7.3 I experienced problems connecting (specifically ssh and http connections) to the remote LAN.
I could ping hosts but TCP connections experienced hand-shake problems.
The remote server was running OpenVPN 2.3.2 under OpenBSD. When I set Preferences -> Advanced -> OpenVPN Version explicitly to version 2.3 rather than the default "Automatic" all worked normally.

Comments?

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Mon Jul 31, 2017 7:49 am
Hi quist,

You're running into a compression mismatch between the OpenVPN server and client under OpenVPN 2.4. Automatic will select version 2.4 unless your connection contains commands that are only available in OpenVPN 2.3. OpenVPN 2.4 is perfectly capable of connecting to servers running older versions of OpenVPN.

Essentially one side of your connection has compression enabled, and the other side doesn't (or has a different compression variant enabled). In theory this should be failing under OpenVPN 2.3 as well, however due to a bit of a fluke in the way compression headers are set up, such a compression mismatch will still work under 2.3.

However, under OpenVPN 2.4 this is no longer the case and compression settings *must* match. Unfortunately it can be difficult to realise this is the case, as in most instances OpenVPN will not log any information about the mismatch, and some network packets will still make it through (as OpenVPN will selectively compress packets, for example by not compressing small packets or highly compressed packets).

The solution is to simply edit your client configuration and change the compression settings to match that of your server (or edit the server's configuration and have it push out the correct setting). The correct setting client-side depends on what is set on the server. You can find more information on how to resolve the issue at:
https://www.sparklabs.com/support/kb/ar ... ader-byte/

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
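The mismatch described in the reply above can be caught before connecting by comparing the compression directives in the two configuration files. The following is an added example, not part of the original thread or of Viscosity/OpenVPN: the function names and the sample configurations are constructed for illustration, and the comparison is deliberately strict (any difference in the `comp-lzo` / `compress` line is reported).

```python
import re

def parse_compression(config_text):
    """Return (local, pushed) compression settings found in an OpenVPN config.

    local is "none" when no directive is present; pushed is None when the
    config does not push one. "comp-lzo" with no mode is treated as adaptive.
    """
    local, pushed = "none", None
    for raw in config_text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        m = re.match(r'push\s+"(.*)"$', line)
        parts = (m.group(1) if m else line).split()
        if not parts or parts[0] not in ("comp-lzo", "compress"):
            continue
        arg = parts[1] if len(parts) > 1 else ""
        if parts[0] == "comp-lzo" and not arg:
            arg = "adaptive"
        setting = f"{parts[0]} {arg}".strip()
        if m:
            pushed = setting
        else:
            local = setting
    return local, pushed

def check(client_text, server_text):
    """Compare what the client will use against what the server uses."""
    client_local, _ = parse_compression(client_text)
    server_local, server_pushed = parse_compression(server_text)
    # A setting pushed by the server replaces the client's own setting.
    client_effective = server_pushed or client_local
    return {"client": client_effective, "server": server_local,
            "match": client_effective == server_local}

# Constructed sample configurations (not taken from the thread).
SERVER = "port 1194\nproto udp\ncomp-lzo\n"
SERVER_PUSHING = SERVER + 'push "comp-lzo"\n'
CLIENT_NO_COMPRESSION = "client\nremote vpn.example.com 1194\n# comp-lzo\n"

if __name__ == "__main__":
    for name, server in (("server", SERVER), ("server pushing", SERVER_PUSHING)):
        print(name, check(CLIENT_NO_COMPRESSION, server))
```

Note that a client line of `comp-lzo no` is reported as different from having no compression directive at all; the strict comparison treats them as distinct settings.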