[JackPollack]

I have OpenVPN setup on my router.
I am seeing the flowing entries in the status/log and not sure if it is an issue of concern.

At the top of the log after it connects I see the following warnings:

W WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.

So is encryption being used?


W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure

Is this something I can set a PW for or is it set by the VPN host (so have no control over this)?

[eibgrad]

It's best to NOT use compression unless the server insists on it. There are known vulnerabilities.

OpenVPN provides a management UI (iirc, running as localhost (127.0.0.1), port 16) that you can call when it's running. The router is calling it to get updated statistics from OpenVPN, then updating the OpenVPN status page. Every time you visit that page or refresh it, you'll see these messages in the syslog as it connects, issues the state command, and disconnects. OpenVPN is complaining that access to the UI is NOT using a password. But the router is always running as root anyway, and only accessible as root. Password protecting it is pointless. Once someone has access to the router, it's game over. But OpenVPN doesn't know this. It assumes there are other NON root users on the platform, so it complains.

In a nutshell, you can ignore these messages.