Add compression support

It is disabled by default.
angristan · Sep 22, 2018 · b898a99 · b898a99
1 parent 7ed823c
commit b898a99
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -43,7 +43,7 @@ In your home directory, you will have `.ovpn` files. These are the client config
 - Choice to use a self-hosted resolver with Unbound (supports already existing Unboud installations)
 - Choice between TCP and UDP
 - NATed IPv6 support
-- Compression disabled to prevent VORACLE
+- Compression disabled by default to prevent VORACLE. LZ4 and LZ0 algorithms available otherwise.
 - Unprivileged mode: run as `nobody`/`nogroup`
 - Block DNS leaks on Windows 10
 - Randomized server certificate name

diff --git a/openvpn-install.sh b/openvpn-install.sh
@@ -251,6 +251,27 @@ function installOpenVPN () {
 			fi
 	done
 	echo ""
+	echo "Do you want to use compression? It is not recommended since the VORACLE attack make use of it."
+	until [[ $COMPRESSION_ENABLED =~ (y|n) ]]; do
+		read -p "Enable compression? [y/n]: " -e -i n COMPRESSION_ENABLED
+	done
+	if [[ $COMPRESSION_ENABLED == "y" ]];then
+		echo "Choose which compression algorithm you want to use:"
+		echo "   1) LZ4 (faster)"
+		echo "   2) LZ0 (use for OpenVPN 2.3 compatibility)"
+		until [[ $COMPRESSION_CHOICE =~ [1-2] ]]; do
+			read -p "Compression algorithm [1-2]: " -e -i 1 COMPRESSION_CHOICE
+		done
+		case $COMPRESSION_CHOICE in
+			1)
+			COMPRESSION_ALG="lz4"
+			;;
+			2)
+			COMPRESSION_ALG="lzo"
+			;;
+		esac
+	fi
+	echo ""
 	echo "Do you want to customize encryption settings?"
 	echo "Unless you know what you're doing, you should stick with the default parameters provided by the script."
 	echo "Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN's defaults)"
@@ -468,6 +489,10 @@ push "route-ipv6 2000::/3"
 push "redirect-gateway ipv6"' >> /etc/openvpn/server.conf
 	fi
 
+if [[ $COMPRESSION_ENABLED == "y"  ]]; then
+	echo "compress $COMPRESSION_ALG" >> /etc/openvpn/server.conf
+fi
+
 	echo "crl-verify crl.pem
 ca ca.crt
 cert $SERVER_NAME.crt
@@ -610,6 +635,10 @@ tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
 setenv opt block-outside-dns # Prevent Windows 10 DNS leak
 verb 3" >> /etc/openvpn/client-template.txt
 
+if [[ $COMPRESSION_ENABLED == "y"  ]]; then
+	echo "compress $COMPRESSION_ALG" >> /etc/openvpn/client-template.txt
+fi
+
 	# Generate the custom client.ovpn
 	newClient
 	echo "If you want to add more clients, you simply need to run this script another time!"