Untangle 14.1 upgrade breaking some OpenVPN implementations

Sky-Knight

Well-Known Member
Reaction score
5,573
Location
Arizona
Untangle 14.1 upgrades are sometimes breaking OpenVPN connectivity.

If you have OpenVPN clients reporting the following error: "Bad LZO decompression header byte: 251", you're affected by the bug.

To fix it, get into Untangle's admin console, OpenVPN settings, advanced tab. In the Server Configuration section, check the exclude box on the "compress" line, then add a new line, option name is comp-lzo, leave the rest default, and save.

If you use OpenVPN to connect for administration and cannot access the UI, you can repair your own client settings by editing the .ovpn file in c:\program files\openvpn\config: find the comp-lzo line and change it to compress. Beware: if you perform the above, you'll have to change it back later.

Be further advised that the comp-lzo directive is deprecated, and the existence of it on your server means you need to delete the module, reconfigure it from scratch, and redeploy your VPN clients to get to a "current" configuration. This message should be enough to get you to where you can schedule this, instead of doing it via a mad panic. You're welcome!

I won't mention how many mad panics I had before I discovered the above for myself.
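The client-side workaround above (swap comp-lzo for compress in the .ovpn profile, then swap it back once the server is fixed) is easy to get wrong by hand across many profiles. The following is an added example, not code from the post or from Untangle; the function names, the sample profile and the log line are constructed for illustration. It replaces only the compression directive, keeps every other line and line ending intact so the change is reversible, and also flags the "Bad LZO decompression header byte" error in client logs:

```python
"""Toggle the OpenVPN compression directive in a client .ovpn profile.

Added example (not from the forum post). swap_compression, current_compression,
patch_profile and is_compression_mismatch are hypothetical helper names.
"""
import re
from pathlib import Path

# A compression directive at the start of a line, with an optional argument
# such as "compress lzo" or "comp-lzo no". Commented lines do not match.
_COMPRESSION_LINE = re.compile(r"^\s*(comp-lzo|compress)(\s+\S+)?\s*$")

# The client-side symptom described in the post (the header byte may vary).
_LZO_ERROR = re.compile(r"Bad LZO decompression header byte: \d+")


def current_compression(profile_text: str):
    """Return the compression directive line (stripped), or None if absent."""
    for line in profile_text.splitlines():
        if _COMPRESSION_LINE.match(line):
            return line.strip()
    return None


def swap_compression(profile_text: str, new_directive: str) -> str:
    """Replace every comp-lzo / compress line with new_directive.

    All other lines, including their CRLF or LF endings, are preserved
    byte-for-byte, so calling this again with the old directive undoes it.
    """
    out = []
    for line in profile_text.splitlines(keepends=True):
        if _COMPRESSION_LINE.match(line):
            if line.endswith("\r\n"):
                ending = "\r\n"
            elif line.endswith("\n"):
                ending = "\n"
            else:
                ending = ""
            out.append(new_directive + ending)
        else:
            out.append(line)
    return "".join(out)


def patch_profile(path, new_directive: str = "compress", backup: bool = True):
    """Rewrite an .ovpn file on disk, leaving a .bak copy next to it."""
    p = Path(path)
    original = p.read_text(encoding="utf-8")
    if backup:
        p.with_suffix(p.suffix + ".bak").write_text(original, encoding="utf-8")
    p.write_text(swap_compression(original, new_directive), encoding="utf-8")


def is_compression_mismatch(log_line: str) -> bool:
    """True if a client log line shows the LZO header error from the post."""
    return _LZO_ERROR.search(log_line) is not None


# Constructed sample profile; not a real Untangle export.
SAMPLE_PROFILE = """client
dev tun
proto udp
remote vpn.example.invalid 1194
comp-lzo
verb 3
"""

# Constructed sample log line in the shape the post quotes.
SAMPLE_LOG_LINE = "Mon Jan 1 00:00:00 2019 Bad LZO decompression header byte: 251"

if __name__ == "__main__":
    print("before:", current_compression(SAMPLE_PROFILE))
    patched = swap_compression(SAMPLE_PROFILE, "compress")
    print("after: ", current_compression(patched))
    print("log hit:", is_compression_mismatch(SAMPLE_LOG_LINE))
```

Run `patch_profile(r"C:\Program Files\OpenVPN\config\client.ovpn")` to apply the workaround and `patch_profile(..., "comp-lzo")` to revert it once the server configuration has been corrected; the .bak copy is there in case the profile had more than one compression line.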
 
I use OpenVPN to manage my clients' Untangle boxes, but remember that when you're in a pinch you can always log in to your Untangle account's Command Center and log in to your appliances from there. I believe the Command Center is included free now and is not a separate paid option.
 
I use OpenVPN to manage my clients' Untangle boxes, but remember than when you're in a pinch you can always login to your Untangle account's Command Center and login to your appliances from there. I believe the Command Center is included free now and is not a separate paid option.

This only applies to subscribed boxes, units without a complete subscription do not get Command Center.

If you're "locked out", just edit your .ovpn file in c:\program files\openvpn\config, find the comp-lzo line and change it to compress. That will get your client into a bugged server, so you can make the changes I suggested in my previous post, NOT my original post. The updated instructions enable clients that use comp-lzo, compress, AND compress lzo configurations. So basically, no matter what, this configuration is just better. It will likely be the default soon, but for now you may need this information to get back into your boxes and enable proper connectivity without having to redeploy every client.

That being said, every single long-time Untangle server needs to be SSH'd into and have this command run: openssl x509 -text -noout -in /usr/share/untangle/settings/openvpn/server.crt | grep "Signature Algo"

If that returns "md5WithRSAEncryption", it's time to nuke and pave the module; your base certificate is old and weak. The only way forward is a complete reset of the module. You can export your client list for easy re-import, but they'll regenerate entirely and require re-installation on the end points anyway.

If the above command outputs "sha512WithRSAEncryption", you're fine for the server certificate, but may or may not be immune to the 14.1 intermittent compression configuration bug I announced here.

So to be clear, TWO issues, not one.
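The certificate check in the post is a one-liner per box; when you manage many Untangle servers it helps to parse the openssl output and classify the result rather than eyeball it. The following is an added example, not code from the post or from Untangle. It reads the output of `openssl x509 -text -noout`, confirms the two "Signature Algorithm" lines agree, and flags MD5 and SHA-1 signatures as weak (the post names only md5WithRSAEncryption and sha512WithRSAEncryption; treating sha1 as weak too is a generalization). The sample openssl output is constructed; signature_algorithm, is_weak, assess and assess_file are hypothetical helper names, and the certificate path is the one given in the post.

```python
"""Classify the signature algorithm of an OpenVPN server certificate.

Added example (not from the forum post). Parses `openssl x509 -text -noout`
output; helper names are hypothetical.
"""
import re
import subprocess

# Default path from the post.
UNTANGLE_SERVER_CRT = "/usr/share/untangle/settings/openvpn/server.crt"

# openssl prints this line twice: once inside tbsCertificate and once
# before the signature bytes. Both should name the same algorithm.
_SIG_ALGO = re.compile(r"^\s*Signature Algorithm:\s*(\S+)", re.MULTILINE)

# Digests considered broken or deprecated for certificate signatures.
# The lookahead keeps "sha1" from matching inside names like "sha512".
_WEAK_DIGEST = re.compile(r"(md2|md4|md5|sha1)(?!\d)")


def signature_algorithm(x509_text: str) -> str:
    """Return the signature algorithm named in `openssl x509 -text` output."""
    found = _SIG_ALGO.findall(x509_text)
    if not found:
        raise ValueError("no 'Signature Algorithm' line in input")
    if len(set(found)) != 1:
        raise ValueError(f"inconsistent signature algorithms: {found}")
    return found[0]


def is_weak(algo_name: str) -> bool:
    """True if the algorithm uses a digest that should no longer be trusted."""
    return _WEAK_DIGEST.search(algo_name.lower()) is not None


def assess(x509_text: str):
    """Return (algorithm, verdict) for a block of openssl x509 -text output."""
    algo = signature_algorithm(x509_text)
    if is_weak(algo):
        return algo, "WEAK: reset the OpenVPN module and redeploy clients"
    return algo, "OK"


def assess_file(path: str = UNTANGLE_SERVER_CRT):
    """Run openssl on a certificate file (the post's server.crt by default)."""
    proc = subprocess.run(
        ["openssl", "x509", "-text", "-noout", "-in", path],
        capture_output=True, text=True, check=True,
    )
    return assess(proc.stdout)


# Constructed sample of the relevant lines of openssl output (old server).
SAMPLE_OLD = """Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=untangle-ca
        Subject: CN=untangle-server
    Signature Algorithm: md5WithRSAEncryption
         1a:2b:3c:4d
"""

if __name__ == "__main__":
    print(assess(SAMPLE_OLD))
```

On a real box, `assess_file()` runs the same command the post gives and returns, for example, `("md5WithRSAEncryption", "WEAK: ...")`; the ValueError on mismatched lines is deliberate, since a certificate whose two algorithm fields disagree is not something to silently accept.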