19

2 days ago I updated my Ubuntu Distro from 20.04 LTS to 22.04 LTS.

After the update, I've noticed that my private OpenVPN tunnel is no longer working; in Ubuntu 20.04 it was working flawlessly. Trying the same imported configuration on Windows or on my other machine with Ubuntu 20.04, I'm still able to connect.

When I try to start a connection from my terminal I get the following errors:

2022-04-26 08:36:55 OpenSSL: error:0A0C0103:SSL routines::internal error
2022-04-26 08:36:49 TLS_ERROR: BIO read tls_read_plaintext error
2022-04-26 08:36:49 TLS Error: TLS object -> incoming plaintext read error
2022-04-26 08:36:49 TLS Error: TLS handshake failed
2022-04-26 08:36:49 Fatal TLS error (check_tls_errors_co), restarting
2022-04-26 08:36:49 SIGUSR1[soft,tls-error] received, process restarting

Has anybody encountered the same issue?

Pablo Bianchi
  • 15,657
Gianlu28
  • 191
  • Are you running an OpenVPN server or connecting to someone else's server? – Organic Marble Apr 27 '22 at 16:55
  • Hi! I'm trying to connect to my home server (self hosted) with my laptop when I'm not at home, I've tried to downgrade again to 20.04 LTS with the same .ovpn profile and server setting and it works, when I upgrade again to 22.04 LTS then I have the issue again – Gianlu28 Apr 29 '22 at 07:28
  • I'm seeing the exact same issue when connecting to an (up-to-date) Draytek Vigor2962's VPN server. Unfortunately, the 'DEFAULT:@SECLEVEL=0' trick doesn't seem to work in this case. I've found this: https://www.ibm.com/mysupport/s/question/0D50z000062ktWGCAY/why-ssl-handshake-fails-with-unsafe-legacy-renegotiation-disabled?language=en_US. – Martijn May 14 '22 at 07:10
  • Me too. This is truly a regression. My VPN config was running fine in 20.04 (openvpn 2.4.7) but is unable to connect after upgrading to 22.04 – kholis Jun 28 '22 at 23:15
  • I know this isn't a 'new' post, but one thing to consider is 22.04 has a LOT of changes to OpenSSL under the hood and older hash protocols like SHA1 or older will fail to authenticate properly. A lot of OpenVPN servers still use old certificates and ciphers and that causes issues like this. – Thomas Ward Apr 13 '23 at 01:58
  • In my case I cannot connect from GUI anymore, but connecting from CLI works. Previously the GUI worked perfectly. In Ubuntu 22.04 the GUI just keeps asking my password. – juzzlin Aug 16 '23 at 13:19

6 Answers

10

Method 1:

  1. Uninstall the current OpenVPN version if installed: sudo apt remove openvpn

  2. Install libssl1.1 binary

  3. Install OpenVPN 2.4.7

  4. Reinstall NetworkManager OpenVPN GUI: sudo apt install network-manager-openvpn-gnome

Please note that steps 1 and 4 should be run as a command in the terminal. This requires you to have appropriate permissions and you must know the username and password for your local machine.

Additionally, for steps 2 and 3, after downloading the .deb packages, you can double-click them in Nautilus/file manager and select "Software Install" as a required option to open the package.

Finally, these steps must be followed in the order that they are given, or else the process will fail.

  • 1
    Am I correct in understanding that this in fact downgrades openvpn back to versions used in ubuntu 20.04? – Bass850 May 04 '22 at 14:28
  • 1
    The system works, but I've noticed that when you run an update the latest version of OpenVPN gets installed, and the problem presents itself again – Gianlu28 May 06 '22 at 09:52
  • 5
    You can mark OpenVPN to be held back: sudo apt-mark hold openvpn. Not a good solution, but as a temporary measure will do. – thefish May 11 '22 at 06:51
  • I have a server that, after the upgrade, disconnects users after a short while. Tried this and unfortunately no luck! On Ubuntu 22.0, I have OpenVPN 2.4.7 with Openssl 1.1 installed but it still keeps disconnecting (getting Inactivity timeout on server and network_eof_error on the client). Tried adding those 2 lines to client config and no change there either. I guess I have to roll back :( – Saeid Hosseini Aug 28 '22 at 12:25
  • Works for me! Was trying to run openvpn from a clean install of Ubuntu 22.04 LTS .... the OpenVPN version was 2.6 and OpenSSL 3.X. Did all the steps here and solved the issue! – Hajar Razip Aug 17 '23 at 21:56
6

I've noticed the same issue. I couldn't connect "to someone else's server".

sudo systemctl status openvpn@client
● openvpn@client.service - OpenVPN connection to client
     Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled; vendor preset: enabled)
     Active: activating (auto-restart) (Result: exit-code) since Thu 2022-04-28 10:29:10 CEST; 1s ago
       Docs: man:openvpn(8)
             https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
             https://community.openvpn.net/openvpn/wiki/HOWTO
    Process: 3542 ExecStart=/usr/sbin/openvpn --daemon ovpn-client --status /run/openvpn/client.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/client.conf --writepid /run/openvpn/client.pid (code=exited, status=1/FA>
   Main PID: 3542 (code=exited, status=1/FAILURE)
     Status: "Pre-connection initialization successful"
        CPU: 15ms

But this answer https://askubuntu.com/a/1049802/1590939 solved my problem.

vim client.conf
...
# 22.04
tls-cipher "DEFAULT:@SECLEVEL=0"
remote-cert-tls server
# 22.04
...
sudo systemctl stop openvpn@client 
sudo systemctl start openvpn@client
sudo systemctl status openvpn@client
● openvpn@client.service - OpenVPN connection to client
     Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2022-04-28 11:17:26 CEST; 9s ago
       Docs: man:openvpn(8)
             https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
             https://community.openvpn.net/openvpn/wiki/HOWTO
   Main PID: 7889 (openvpn)
     Status: "Initialization Sequence Completed"
      Tasks: 1 (limit: 19121)
     Memory: 2.0M
        CPU: 63ms
     CGroup: /system.slice/system-openvpn.slice/openvpn@client.service
             └─7889 /usr/sbin/openvpn --daemon ovpn-client --status /run/openvpn/client.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/client.conf --writepid /run/openvpn/client.pid

  • I have the same issue connecting to openvpn on a Cisco router. After the 22.04 upgrade it will not work and displays the same error. I followed the steps in https://askubuntu.com/a/1049802/1590939 and it now works when starting the VPN from the command line. However, when I import the updated ovpn file back into networkmanager using "nmcli c import type openvpn file myvpn.ovpn", it does create a new vpn entry in network manager but it still won't connect. Similar problem with connecting to an openvpn on an endian community fw. It seems networkmanager itself reacts differently with the same ovpn file than the openvpn cli client? – Bass850 May 03 '22 at 13:48
  • 1
    Had the same issue, adding two lines in configuration resolved my problem, thanks – Lukasz Koziara May 05 '22 at 20:13
  • @richard-volstain Did you check what error your connection was giving you? I've seen a lot of reports saying that this solved their problem, but I believe it applies to the following error message: "error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak". Not the one OP is having: "error:0A0C0103:SSL routines::internal error". – Martijn May 14 '22 at 07:07
4

I finally fixed it by adding the line tls-cipher=DEFAULT:@SECLEVEL=0 in the vpn section of the .nmconnection files in /etc/NetworkManager/system-connections and reloading network manager.

Just now saw fix Method 1. Will try that too.

Bass850
  • 171
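
Added example, not part of any answer on this page: a shell function that lists the OpenVPN client configs in which the tls-cipher @SECLEVEL workaround from the two answers above is active, covering both the client.conf and the .nmconnection syntax, so the override can be tracked and removed later. The names audit_seclevel, make_samples and MIN_LEVEL and the sample files are constructed for illustration; the remote-cert-tls key is assumed to have the same name in .nmconnection files.

```shell
#!/usr/bin/env bash
# Added example (not from the answers): list OpenVPN client configs that lower
# the OpenSSL security level through the tls-cipher workaround.
# Matches both forms shown above:
#   client.conf / .ovpn : tls-cipher "DEFAULT:@SECLEVEL=0"
#   .nmconnection       : tls-cipher=DEFAULT:@SECLEVEL=0

# audit_seclevel FILE...
# Prints "<file>:<line>:SECLEVEL=<n>" for every active override below MIN_LEVEL
# (default 1, OpenSSL's upstream default) and a second line when such a file
# has no remote-cert-tls check. Returns 1 if anything was reported.
audit_seclevel() {
  local f rc=0
  for f in "$@"; do
    [ -f "$f" ] || continue
    awk -v file="$f" -v min="${MIN_LEVEL:-1}" '
      /^[ \t]*[#;]/ { next }                      # commented-out lines do not count
      /^[ \t]*remote-cert-tls[ \t=]/ { rct = 1 }  # key name assumed identical in .nmconnection
      /^[ \t]*tls-cipher[ \t=]/ && match($0, /@SECLEVEL=[0-9]+/) {
        level = substr($0, RSTART + 10, RLENGTH - 10) + 0
        if (level < min) { printf "%s:%d:SECLEVEL=%d\n", file, NR, level; low = 1 }
      }
      END {
        if (low && !rct) printf "%s:no remote-cert-tls check\n", file
        exit (low ? 1 : 0)
      }' "$f" || rc=1
  done
  return "$rc"
}

# make_samples DIR: write three constructed config files for the demo.
make_samples() {
  printf '%s\n' 'client' '# tls-cipher "DEFAULT:@SECLEVEL=0"' \
    'tls-cipher "DEFAULT:@SECLEVEL=0"' 'remote-cert-tls server' > "$1/client.conf"
  printf '%s\n' '[vpn]' 'tls-cipher=DEFAULT:@SECLEVEL=0' > "$1/home.nmconnection"
  printf '%s\n' 'client' 'remote-cert-tls server' > "$1/clean.ovpn"
}

# Demo on the constructed files; on a real system pass /etc/openvpn/*.conf and
# /etc/NetworkManager/system-connections/*.nmconnection instead (needs root).
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
audit_seclevel "$demo_dir"/* || echo "configs with a lowered security level found"
rm -rf "$demo_dir"
```
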
1

You can also have two openvpn versions installed (2.5 and 2.4) with update-alternatives:

wget http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1f-1ubuntu2.13_amd64.deb -O package.deb
ar x package.deb data.tar.xz
rm package.deb
tar xf data.tar.xz
rm data.tar.xz
sudo cp -r usr/lib/x86_64-linux-gnu/* /usr/lib/x86_64-linux-gnu/
rm -rf usr

# Unpack the 20.04 openvpn package and install its binary and plugins under a .2.4 suffix
wget http://archive.ubuntu.com/ubuntu/pool/main/o/openvpn/openvpn_2.4.7-1ubuntu2.20.04.4_amd64.deb -O package.deb
ar x package.deb data.tar.xz
rm package.deb
tar xf data.tar.xz
rm data.tar.xz
sudo cp usr/sbin/openvpn /usr/sbin/openvpn.2.4
# The target directory must exist before the plugins are copied into it
sudo mkdir -p /usr/lib/x86_64-linux-gnu/openvpn.2.4
sudo cp -r usr/lib/x86_64-linux-gnu/openvpn/* /usr/lib/x86_64-linux-gnu/openvpn.2.4/
rm -rf etc lib usr var

# Rename the installed 2.5 files and link the 2.4 plugins
sudo mv /usr/sbin/openvpn /usr/sbin/openvpn.2.5
sudo mv /usr/lib/openvpn /usr/lib/openvpn.2.5
sudo mkdir /usr/lib/openvpn.2.4
sudo ln -sf /usr/lib/x86_64-linux-gnu/openvpn.2.4/plugins/openvpn-plugin-auth-pam.so /usr/lib/openvpn.2.4/
sudo ln -sf /usr/lib/x86_64-linux-gnu/openvpn.2.4/plugins/openvpn-plugin-down-root.so /usr/lib/openvpn.2.4/

# Register both versions with update-alternatives (2.5 has the higher priority)
sudo update-alternatives --install /usr/sbin/openvpn openvpn /usr/sbin/openvpn.2.5 10 --slave /usr/lib/openvpn libopenvpn /usr/lib/openvpn.2.5
sudo update-alternatives --install /usr/sbin/openvpn openvpn /usr/sbin/openvpn.2.4 9 --slave /usr/lib/openvpn libopenvpn /usr/lib/openvpn.2.4

Now, you can switch between both versions with:

sudo update-alternatives --config openvpn

To roll back the changes:

sudo update-alternatives --remove-all openvpn
sudo mv /usr/sbin/openvpn.2.5 /usr/sbin/openvpn
sudo mv /usr/lib/openvpn.2.5 /usr/lib/openvpn
sudo rm -rf /usr/sbin/openvpn.2.4 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 /usr/lib/x86_64-linux-gnu/engines-1.1 /usr/lib/x86_64-linux-gnu/openvpn.2.4 /usr/lib/openvpn.2.4/
Alberto
  • 11
  • New download link for Libssl -> http://archive.ubuntu.com/ubuntu/pool/main/o/openvpn/openvpn_2.4.7-1ubuntu2.20.04.4_amd64.deb – M.S.Arun Aug 08 '22 at 06:12
1

Running latest 22.10. I found that using nm-connection-editor and importing the .ovpn file worked where the default ubuntu network config failed. I'm using regolith i3 wm if that makes any difference. I did not have to change anything else on openvpn or ssl installs.

1

I solved it with Distrobox. Remember, you need first Docker or Podman, then install Distrobox.

In Ubuntu 22.04 you have OpenVPN 2.5, but in Ubuntu 20.04 you have OpenVPN 2.4.

So, the only thing you need to do is create a container with DB with Ubuntu 20.04, like this:

distrobox create --image docker.io/library/ubuntu:20.04  --name ubuntu2004

then you can access:

distrobox enter ubuntu2004

when you're inside, update, upgrade and install openvpn package:

sudo apt update && sudo apt upgrade && sudo apt install openvpn

so, the only thing that you need to do now is connect with your .ovpn file:

sudo openvpn my_vpn_file.ovpn

now you can access the VPN network outside the container :)

I solved it that way because I usually use Distrobox and because it is a clean solution: you don't need to touch repos or anything on your system. It works for me. If you're familiar with container technologies or if you're a frequent Distrobox user, this can save you. Hope this can help someone else here!

Pablo Bianchi
  • 15,657
Str3L0K
  • 11
  • 1