0

pfSense makes it quite easy to set up a site-to-site VPN, using an OpenVPN Server/Client arrangement, as long as the versions of pfSense are broadly the same.

But at some point in recent pfSense history (around 2.4?), the set of options and some of the defaults have changed. Many of these are easy to match up, but the compression settings seem to have been reworded, and more options have been added.

Old pfSense (e.g. 2.3.5)

  • No Preference
  • No Preference and Adaptive Compression Disabled
  • Disabled - No Compression
  • Enabled with Adaptive Compression
  • Enabled without Adaptive Compression

[Image: pfSense 2.2.6 OpenVPN Compression]

New pfSense (e.g. 2.4.5)

  • Disable Compression, retain compression packet framing [compress]
  • LZ4 Compression [compress lz4]
  • LZ4 Compression v2 [compress lz4-v2]
  • LZO Compression [compress lzo, equivalent to comp-lzo yes for compatibility]
  • Enable Compression (stub) [compress stub]
  • Enable Compression (stub v2) [compress stub-v2]
  • Omit Preference (Use OpenVPN Default)
  • Omit Preference, + Disable Adaptive LZO Compression [Legacy style, comp-noadapt]
  • Adaptive LZO Compression [Legacy style, comp-lzo adaptive]
  • LZO Compression [Legacy style, comp-lzo yes]
  • No LZO Compression [Legacy style, comp-lzo no]

[Image: pfSense 2.4.0 OpenVPN Compression]

How can I marry up this option to get compatible compression settings?

1 Answer

0

Inspecting the Select Option elements on the configuration page reveals that the names still correspond to each other, so they will probably lead to compatible compression options.

Type      Old pfSense                           New pfSense                                            Config syntax (as described by new pfSense)
none                                            Disable Compression, retain compression packet framing [compress]
lz4                                             LZ4 Compression                                        [compress lz4]
lz4-v2                                          LZ4 Compression v2                                     [compress lz4-v2]
lzo                                             LZO Compression                                        [compress lzo, equivalent to comp-lzo yes for compatibility]
stub                                            Enable Compression (stub)                              [compress stub]
stub-v2                                         Enable Compression (stub v2)                           [compress stub-v2]
(blank)   No Preference                         Omit Preference (Use OpenVPN Default)
noadapt                                         Omit Preference, + Disable Adaptive LZO Compression    [Legacy style, comp-noadapt]
adaptive  Enabled with Adaptive Compression     Adaptive LZO Compression                               [Legacy style, comp-lzo adaptive]
yes       Enabled without Adaptive Compression  LZO Compression                                        [Legacy style, comp-lzo yes]
no        Disabled - No Compression             No LZO Compression                                     [Legacy style, comp-lzo no]

(The OpenVPN default has likely changed, so the blank entry may correspond to different methods in different versions.)

Since OpenVPN now advises against using compression, it is probably best to use Disabled - No Compression on the old pfSense, and No LZO Compression on the new pfSense, if you are concerned about security.

Note also that the default Auth digest algorithm has changed in recent versions from SHA1 (which has known vulnerabilities) to SHA256.
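
As an added example (not part of the original answer or of pfSense), the table above can be turned into a check that reads the compression and auth lines from both peers' OpenVPN configs and lists where they differ or use the settings the answer advises against. The function names and the two sample configs are constructed for illustration.

```python
import re

# pfSense <option> value -> directive, copied from the table in the answer above.
VALUE_TO_DIRECTIVE = {
    "none": "compress", "lz4": "compress lz4", "lz4-v2": "compress lz4-v2",
    "lzo": "compress lzo", "stub": "compress stub", "stub-v2": "compress stub-v2",
    "noadapt": "comp-noadapt", "adaptive": "comp-lzo adaptive",
    "yes": "comp-lzo yes", "no": "comp-lzo no",
}
DIRECTIVE_TO_VALUE = {d: v for v, d in VALUE_TO_DIRECTIVE.items()}
COMPRESSING = {"lz4", "lz4-v2", "lzo", "adaptive", "yes"}  # values that compress data

def read_settings(conf_text):
    """Return (compression value, auth digest) from OpenVPN config text.
    "" means no compression directive (the '(blank)' row); None means no auth line."""
    comp, auth = "", None
    for raw in conf_text.splitlines():
        # Drop '#' and ';' comments, then collapse whitespace.
        line = " ".join(re.split(r"[#;]", raw, maxsplit=1)[0].split())
        if line.split(" ")[0] in ("compress", "comp-lzo", "comp-noadapt"):
            comp = DIRECTIVE_TO_VALUE.get(line, "unknown: " + line)
        elif line.startswith("auth "):
            auth = line.split(" ", 1)[1].upper()
    return comp, auth

def compare(server_conf, client_conf):
    """List the compression/auth differences and weak settings between two peers."""
    sides = {"server": read_settings(server_conf), "client": read_settings(client_conf)}
    (s_comp, s_auth), (c_comp, c_auth) = sides["server"], sides["client"]
    same = lambda v: "yes" if v == "lzo" else v  # table: compress lzo == comp-lzo yes
    findings = []
    if same(s_comp) != same(c_comp):
        findings.append(f"compression differs: server={s_comp!r} client={c_comp!r}")
    if s_auth != c_auth:
        findings.append(f"auth differs: server={s_auth} client={c_auth}")
    for side, (comp, auth) in sides.items():
        if comp == "":
            findings.append(f"{side}: no compression directive, OpenVPN default applies")
        elif comp in COMPRESSING:
            findings.append(f"{side}: compression on ({VALUE_TO_DIRECTIVE[comp]})")
        if auth == "SHA1":
            findings.append(f"{side}: auth SHA1")
    return findings

# Constructed sample configs (not taken from a real firewall).
OLD_SIDE = "dev ovpns1\ncomp-lzo adaptive  # Enabled with Adaptive Compression\nauth SHA1\n"
NEW_SIDE = "dev ovpnc1\ncomp-lzo no\nauth SHA256\n"

if __name__ == "__main__":
    for finding in compare(OLD_SIDE, NEW_SIDE):
        print(finding)
```

An empty list from `compare` means both sides carry the same compression value, the same auth digest, no active compression and no SHA1.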
