Why is compression not recommended in OpenVPN?

compression vpn encryption openvpn

Compression is not recommended because it makes the connection vulnerable to oracle attacks, specifically Compression Oracle Attacks. This is mentioned in the OpenVPN docs in the "openvpn" manpage, under "Protocol Options":

Security Considerations

Compression and encryption is a tricky combination. If an attacker knows or is able to control (parts of) the plain-text of packets that contain secrets, the attacker might be able to extract the secret if compression is enabled. [...]

Basically, if an attacker can influence the plaintext data being sent via the VPN, they can observe the change in compressed size (due to the data being more or less compressible) and find out something about the data, even though it is encrypted.

See e.g. Compression Oracle Attacks on VPN Networks (Nafeez) for details, and commit a59fd147 in the OpenVPN Github repository.

Related

Windows Media Player 12 thinks tracks from the same album are from seperate albums
Protecting a cell, but allowing the drop down list to work
disable spell check when sending code in Outlook
Public Network to AWS (VPC or anything else) to Home Lab Network
Windows 10: how to uninstall a program that I (unwisely) removed from the Programs and Features list?
Cannot ping a Windows 11 machine
Can I do a fresh/reinstall of an OEM PC with the bought Product Key? [duplicate]
SSDP replies from 192.168.1.1. What exactly is at this ip address?
Firefox re-allow `alerts`?
Is there a .k5login equivalent on Windows?
Separating nested RDP sessions
How to delete all files that don't have a certain string in their name