MP70 compression error with OpenVPN 2.4.7

IoT Modules
1

I have an openvpn server 2.4.7 with the following config:
port 1194
proto udp
dh dh2048.pem
server 10.8.0.0 255.255.252.0
ifconfig-pool-persist ipp.txt
keepalive 10, 120
ca ca.crt
cert server.crt
key server.key
crl-verify crl.pem
dev tun
tun-mtu 1500
tls-auth ta.key 0
route 10.11.0.0 255.255.0.0
push route 10.11.0.0 255.255.0.0
client-config-dir ccd
cipher AES-128-CBC
auth SHA256
comp-lzo
verb 3

When I try to have a sierra router connect to the vpn server, it can connect but then the server logs show this:
Bad LZO decompression header byte: 0

I have compression LZO set in my vpn configuration. I am also running the latest firmware version for the MP70.

2

Hi @rdesai,
Can you also please share below information to understand the problem

image
image1001×792 31.8 KB

  • Configuration on MP70 as screenshot
  • Log files on the router MP70 and OpenVPN server
    Thanks
3

These are the server logs:

2020/07/23 18:47:40 DEBUG [openvpn-proc] Stdout: Thu Jul 23 18:47:40 2020 rishi-sierra/70.168.153.252:45926 Bad LZO decompression header byte: 0
2020/07/23 18:47:49 DEBUG [openvpn-proc] Stdout: Thu Jul 23 18:47:49 2020 rishi-sierra/70.168.153.252:45926 Bad LZO decompression header byte: 0
2020/07/23 18:48:00 DEBUG [openvpn-proc] Stdout: Thu Jul 23 18:48:00 2020 rishi-sierra/70.168.153.252:45926 Bad LZO decompression header byte: 0

These are the client logs:

Jul 23 20:29:13 notice openvpn-1[32393]: LZO compression initialized
Jul 23 20:29:13 notice openvpn-1[32393]: Control Channel MTU parms [ L:1574 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Jul 23 20:29:13 notice openvpn-1[32393]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Jul 23 20:29:13 notice openvpn-1[32393]: Data Channel MTU parms [ L:1574 D:1400 EF:74 EB:143 ET:0 EL:3 AF:3/1 ]
Jul 23 20:29:13 notice openvpn-1[32393]: Fragmentation MTU parms [ L:1574 D:1300 EF:73 EB:143 ET:1 EL:3 AF:3/1 ]
Jul 23 20:29:13 notice openvpn-1[32393]: Local Options String: 'V4,dev-type tun,link-mtu 1574,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 1,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-client'
Jul 23 20:29:13 notice openvpn-1[32393]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1574,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 0,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-server'
Jul 23 20:29:13 notice openvpn-1[32393]: Local Options hash (VER=V4): 'f420562a'
Jul 23 20:29:13 notice openvpn-1[32393]: Expected Remote Options hash (VER=V4): '01b72d33'
Jul 23 20:29:13 notice openvpn-1[32393]: UDPv4 link local: [undef]
Jul 23 20:29:13 notice openvpn-1[32393]: UDPv4 link remote: [AF_INET]54.70.149.21:1194
Jul 23 20:29:13 notice openvpn-1[32393]: TLS: Initial packet from [AF_INET]54.70.149.21:1194, sid=7e3fdb17 0688065b
Jul 23 20:29:13 notice openvpn-1[32393]: VERIFY OK: xxx serialNumber=69281242773856483725635868277931038713978645437
Jul 23 20:29:13 notice openvpn-1[32393]: Validating certificate key usage
Jul 23 20:29:13 notice openvpn-1[32393]: ++ Certificate has key usage  00a0, expects 00a0
Jul 23 20:29:13 notice openvpn-1[32393]: VERIFY KU OK
Jul 23 20:29:13 notice openvpn-1[32393]: Validating certificate extended key usage
Jul 23 20:29:13 notice openvpn-1[32393]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jul 23 20:29:13 notice openvpn-1[32393]: VERIFY EKU OK
Jul 23 20:29:13 notice openvpn-1[32393]: VERIFY OK: xxxxx
Jul 23 20:29:13 warning openvpn-1[32393]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1574', remote='link-mtu 1570'
Jul 23 20:29:13 warning openvpn-1[32393]: WARNING: 'mtu-dynamic' is present in local config but missing in remote config, local='mtu-dynamic'
Jul 23 20:29:13 notice openvpn-1[32393]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Jul 23 20:29:13 notice openvpn-1[32393]: Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 23 20:29:13 notice openvpn-1[32393]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Jul 23 20:29:13 notice openvpn-1[32393]: Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 23 20:29:13 notice openvpn-1[32393]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-ECDSA-AES256-GCM-SHA384
Jul 23 20:29:13 notice openvpn-1[32393]: [server] Peer Connection Initiated with [AF_INET]54.70.149.21:1194
Jul 23 20:29:15 notice openvpn-1[32393]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Jul 23 20:29:15 notice openvpn-1[32393]: PUSH: Received control message: 'PUSH_REPLY,route 10.11.0.0 255.255.0.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 1'
Jul 23 20:29:15 notice openvpn-1[32393]: OPTIONS IMPORT: timers and/or timeouts modified
Jul 23 20:29:15 notice openvpn-1[32393]: OPTIONS IMPORT: --ifconfig/up options modified
Jul 23 20:29:15 notice openvpn-1[32393]: OPTIONS IMPORT: route options modified
Jul 23 20:29:15 notice openvpn-1[32393]: OPTIONS IMPORT: peer-id set
Jul 23 20:29:15 notice openvpn-1[32393]: OPTIONS IMPORT: adjusting link_mtu to 1577
Jul 23 20:29:15 notice openvpn-1[32393]: ROUTE_GATEWAY 10.1.110.1/255.255.254.0 IFACE=wlan0 HWADDR=00:14:3e:30:ad:2f
Jul 23 20:29:15 notice openvpn-1[32393]: TUN/TAP device tun0 opened
Jul 23 20:29:15 notice openvpn-1[32393]: TUN/TAP TX queue length set to 100
Jul 23 20:29:15 notice openvpn-1[32393]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jul 23 20:29:15 notice openvpn-1[32393]: /sbin/ifconfig tun0 10.8.0.6 pointopoint 10.8.0.5 mtu 1500
Jul 23 20:29:15 notice openvpn-1[32393]: /sbin/route add -net 10.11.0.0 netmask 255.255.0.0 gw 10.8.0.5
Jul 23 20:29:15 notice openvpn-1[32393]: /sbin/route add -net 10.8.0.1 netmask 255.255.255.255 gw 10.8.0.5
Jul 23 20:29:16 notice openvpn-1[32393]: Initialization Sequence Completed
Jul 23 20:29:26 err openvpn-1[32393]: FRAG_IN error flags=0xfa2a187b: FRAG_TEST not implemented
Jul 23 20:29:35 err openvpn-1[32393]: FRAG_IN error flags=0xfa2a187b: FRAG_TEST not implemented
Jul 23 20:29:45 err openvpn-1[32393]: FRAG_IN error flags=0xfa2a187b: FRAG_TEST not implemented
Jul 23 20:29:54 info udhcpc[7260]: Sending renew...
Jul 23 20:29:54 info udhcpc[7260]: Lease of 10.1.110.76 obtained, lease time 1800
Jul 23 20:29:54 notice ALEOS_WIFI: Wi-Fi WAN: renew/bound (IP: 10.1.110.76)
Jul 23 20:29:56 err openvpn-1[32393]: FRAG_IN error flags=0xfa2a187b: FRAG_TEST not implemented
Jul 23 20:30:06 err openvpn-1[32393]: FRAG_IN error flags=0xfa2a187b: FRAG_TEST not implemented
Jul 23 20:30:08 notice ALEOS_LINKMGMT_linkmon: Current: RSSI=-64, RSRQ=-15, RSRP=-96, SINR=15.2
Jul 23 20:30:17 err openvpn-1[32393]: FRAG_IN error flags=0xfa2a187b: FRAG_TEST not implemented
Jul 23 20:30:27 err openvpn-1[32393]: FRAG_IN error flags=0xfa2a187b: FRAG_TEST not implemented
Jul 23 20:30:37 err openvpn-1[32393]: FRAG_IN error flags=0xfa2a187b: FRAG_TEST not implemented

Here is the client config:

Screen Shot 2020-07-23 at 1.34.26 PM
Screen Shot 2020-07-23 at 1.34.26 PM1462×1736 259 KB

Do you know what version of the openvpn client runs on the latest MP70 router? I got an error once and it printed 2.3.17 so I presume that is the openvpn client version.

4

I ended up solving it. I had to set the tun-mtu, mssfix, and fragment in the openvpn server config.