How to rescue? Can't reach the vpn server after changing comp - lzo adaptive to none

xlarge

I have an Asus 68u with a camera in my cabin 300 km away from home. At home now I managed to get the vpn to work from home (IE), but due to the ADSL at my cabin with less than 1 Mips upwards I tried to speed it up. Reading some advice about compression, I changed from comp -lzo adaptive to none, without thinking to change client1.ovpn (or export a new one).

After that I can't reach my camera or my remote asus 68u (198.168.1.1) at my cabin.
When starting the OpenVPN attached client1 at home I get "Bad LZO decompression header byte: 251" in red, several times before it quits.

I hope a correct change of the line comp -lzo adaptive to "none" in my client1.ovpn on my home computer can save me (get me back online). The question is how should the comp choice changing to "none" be written exactly? Or will it work if I remove the comp -lzo adaptive line?

 
Set to no, I think

If that doesn't work, remove the line altogether (depending if you set None or Disabled at the server)

Code:
--comp-lzo [mode]
DEPRECATED This option will be removed in a future OpenVPN release. Use the newer --compress instead. Use LZO compression -- may add up to 1 byte per packet for incompressible data. mode may be "yes", "no", or "adaptive" (default).
In a server mode setup, it is possible to selectively turn compression on or off for individual clients.

First, make sure the client-side config file enables selective compression by having at least one --comp-lzo directive, such as --comp-lzo no. This will turn off compression by default, but allow a future directive push from the server to dynamically change the on/off/adaptive setting.
https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/
 
Thank you for the reply and suggestions, but maybe I did not get it:

comp -lzo no did not work. I attach two pics (clie0.jpg and clie.jpg).
Removing the line did not work either (no line.jpg).
Trying 2 lines (comp -lzo no and push "comp lzo-no") as per the reference manual did not work either (push0.jpg and push.jpg).

Hope for more help.
 

I have Win 10 64 bit Pro and use IE as browser. The vpn version shows on version.jpg.
OpenVPN version 2.4.6 -1602.

The asus router is RT-AC68U, firmware 3.0.0.4.384.7-2.
 

Success! I changed the comp-line to compress without any algorithm or mode and then I reached the router and camera.
Now I am able to make a new client1.ovpn and can see the "dirty" line comp -lzo no, see attached pics.

I must ask if I do wrong when I dismiss the compression. I hope to get faster transfer, but am not sure it will do.
Another question on the way. The WARNING: This configuration may cache password in memory - use the auth-nocache option to prevent this. Maybe not important, as I never use my computer in another place than home or in my cabin. But what is the command to prevent the warning / get it right?

Thank you very much for help.
 

Just experimented with mine by turning off compression, exporting the .ovpn file and then opening it:

cipher AES-128-CBC
comp-lzo no
keepalive 15 60
 
Deleting a comp-lzo line corresponds to "Disabled", and comp-lzo no corresponds to "None". Mind the gap, though: comp-lzo no, not comp -lzo no or comp lzo-no.

I've read here that OpenVPN compression doesn't do much on data that is already compressed. If I understand it correctly, the difference between "disabled" and "none" is that "none" will frame traffic with compression headers, allowing the server to push a particular compression, client by client. "Disabled" doesn't frame traffic or allow the server to push a compression, which is why a mismatch will establish a connection but fail to transmit data across it.

I've also read that there is a security issue with compression and VPN tunnels: a message seeded with a known word will be shorter when compressed, in a known way that can lead to a crack. For both those reasons I've changed to "Disabled".

I haven't used stock firmware in a long while, but do you have two OpenVPN servers going? A problem with making a change in a server where you don't have easy physical access is you can get locked out. One advantage of two servers, if you have to meddle, is you can change one while connected to the other, then test it while still being able to access the other. And then vice versa.

Also, suggest you set up a DDNS so you can access your servers with a name rather than a fixed IP.

I don't think the cached password is a problem where you have physical control over both ends. If you access from a laptop, be sure to have a strong password on the laptop in the first place, and don't store the password in the config.
 
The WARNING: This configuration may cache password in memory - use the auth-nocache option to prevent this.

But what is the command to prevent the warning / get it right?

As per the red message, simply edit the appropriate 'C:\Program Files\OpenVPN\config\xxxx.ovpn' client configuration to include:
Code:
auth-nocache
 
Thank you very much, elorimer.

I will edit in auth-nocache and am very happy to get rid of the red lines.

I only have a vpn server on the asus 68u in my cabin. The reason for it is that my camera may have been hacked two months ago, as I lost contact with it through the forwarded ports and had to travel to it to reset the password. Therefore I bought the asus and installed it a few days ago with the vpn server there.

I had some trouble using asuscomm.com and therefore used my old no-ip DDNS which I have paid for until Sept. 2019. Then it worked fine, but as mentioned earlier I ran into trouble when I changed "comp".

Now that I am online I shall try out "disabled".

I also want to reach my camera from iPad and Android mobile, but it will not work. Maybe I can get help for this too. Mobile - new profile:

Access server Hostname: https://"no-ip hostname" I don't use https and that can be the problem. I found on the asus system: Https://hostname:8443, not 443 or 8013 and I'll try that. The authentication Method is already set to Both.
Port (optional): 8013 should be 8443
Username: username for access to the camera
Password: password for access to the camera

And in OVPN Profiles: "+", Import client1.ovpn

Title: 192.168.10.140 comes up automatically (that ip is in the range on my home computer but doesn't show when I use Fing to look over all running ip)
Username: possibly the vpn-user/client username
Password: possibly the vpn-user/client password

Does this seem OK? The camera has 192.168.01.79
 
As per the red message, simply edit the appropriate 'C:\Program Files\OpenVPN\config\xxxx.ovpn' client configuration to include:
Code:
auth-nocache
I've never done this, but for someone like the OP who is using a username/password configuration is this a good idea? How often does one have to re-enter the password?
 
I had some trouble using asuscomm.com and therefore used my old no-ip DDNS which I have paid for until Sept. 2019. Then it worked fine, but as mentioned earlier I ran into trouble when I changed "comp".
You might before next September move to the Merlin version and then a free service. Personally, I've never had an issue with asuscomm.com.
 
I also want to reach my camera from iPad and Android mobile, but it will not work. Maybe I can get help for this too. Mobile - new profile:
I assume you are using the camera app. If the port forwarding is not working for you, then I think the logic works like this.

First, use the openvpn app to form the tunnel from the android phone to the 68U. Now, the android phone acts like it is inside the cabin, connected wirelessly to the 68U. If that is working, then on to the second step.

Then, connect to the camera the way you would if you were in the cabin. That means, I think, that using the no-ip hostname would be incorrect.
 
You might before next September move to the Merlin version and then a free service. Personally, I've never had an issue with asuscomm.com.

I can wholeheartedly endorse this: asuscomm.com has never given me the slightest problem in at least 5 years. And it’s simplicity itself to set up. The only thing to remember is if using another Asus router as a spare, and when swapping over, you have to log out of your DDNS on the retiring router if you want to use the same DDNS address on the one coming into service. So you simply change the DDNS name on the retiring router to e.g. release.asuscomm.com, and, if that gets accepted, your original DDNS address is then free to insert into the router you’re now pressing into service.
 
I've never done this, but for someone like the OP who is using a username/password configuration is this a good idea? How often does one have to re-enter the password?
Many novice users can be alarmed by 'Error/Warning' messages (more so when they appear highlighted in RED), yet how many times have they been advised by 'IT Gurus' "that's OK it ALWAYS does that! - ignore it" ?:rolleyes::rolleyes:

I agree, enforcing this option does not really improve your security, nor does it fully close security leaks, but hopefully all of my non-technical family (when they use their Windows laptops and the OpenVPN Client GUI to dial-home to check their 'cat-cams/baby monitors etc.') will be more attentive to reporting RED error messages that seriously need to be analysed, so suppressing this message is, IMHO, definitely worthwhile.

NOTE: If Certificate only (i.e. not PW+Certificate) authentication is being used, the message still appears!:eek:
 
Trouble again. On the remote router I changed "Compress" to disabled, but of course I lost my vpn connection. And now I am not able to connect again. I have tried comp-lzo no, comp-lzo yes, comp-lzo adaptive and compress in client1.ovpn. None works.

I attach the two warning lines:
link-mtu is used inconsistently, local=link-mtu 1558, remote=link-mtu 1557
comp-lzo is present in local config but missing in remote config, local=comp-lzo

Suggestions? Hope and cross my fingers!

It helped to cross my fingers. I removed the line comp and then - OK.

No more changes from remote!!!

Therefore I also don't try to move to asuscomm.com before I do the next travel to my summer cabin, possibly in April.
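
The lockouts in this thread came from changing the server's compression setting while the client kept an old or misspelt line. As an added example (not code from any poster or from OpenVPN), this Python check compares the compression directive in the deployed client1.ovpn with a freshly exported one before reconnecting; the function names and the sample configs are constructed for illustration.

```python
# Added example: compare the compression directive of two .ovpn files.
# EXPORTED mirrors the three lines quoted earlier in the thread;
# DEPLOYED_BAD is a constructed config carrying the misspelling seen there.
EXPORTED = "cipher AES-128-CBC\ncomp-lzo no\nkeepalive 15 60\n"
DEPLOYED_BAD = "cipher AES-128-CBC\ncomp -lzo no\nkeepalive 15 60\n"


def compression_directive(ovpn_text):
    """Return (directive, problems). directive is None when the config has
    no compression line, else a tuple such as ("comp-lzo", "no")."""
    directive, problems = None, []
    for n, raw in enumerate(ovpn_text.splitlines(), 1):
        words = raw.strip().split()
        if not words or words[0][0] in "#;":      # blank line or comment
            continue
        if words[0] == "comp-lzo":
            # A bare comp-lzo means adaptive, the default in the quoted manual.
            directive = ("comp-lzo", words[1] if len(words) > 1 else "adaptive")
            if directive[1] not in ("yes", "no", "adaptive"):
                problems.append(f"line {n}: invalid comp-lzo mode {directive[1]!r}")
        elif words[0] == "compress":
            # A bare compress keeps the framing but names no algorithm.
            directive = ("compress", words[1] if len(words) > 1 else "")
        elif words[0] == "comp":
            # "comp -lzo no" / "comp lzo-no": "comp" is not an option name.
            problems.append(f"line {n}: misspelt directive {raw.strip()!r}")
    return directive, problems


def compare(deployed_text, exported_text):
    """Findings to resolve before changing the remote server or reconnecting."""
    deployed, findings = compression_directive(deployed_text)
    exported, export_problems = compression_directive(exported_text)
    findings += [f"exported config, {p}" for p in export_problems]
    if deployed != exported:
        findings.append(
            f"compression mismatch: client has {deployed}, export has {exported}")
    if exported and exported[1] in ("yes", "adaptive"):
        findings.append("compression is enabled on the tunnel")
    return findings


if __name__ == "__main__":
    for finding in compare(DEPLOYED_BAD, EXPORTED):
        print(finding)
```

An empty list means the two files agree on compression; any finding is a reason to fix the client file first, while the working tunnel is still available.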
 

Not sure if you got it hping again from your line in red, but if and when you do, do set up that second vpn server as elorimer said (on a different port of course) and tinker only with one of the servers.
 
I also want to reach my camera from iPad and Android mobile, but it will not work. Maybe I can get help for this too.

To remote access my camera from my Android camera app I first connect to my vpn server with OpenVPN for Android. Once that connection is established I set the IP cam viewer app to camera ip, camera port number, camera user name/password.
 
