I recently upgraded from Ubuntu 20.04 (which ships OpenVPN 2.4.7) to Ubuntu 22.04 (which ships OpenVPN 2.5.5), and in the OpenVPN 2.5.0 changelog I find:
Removal of BF-CBC support in default configuration:
By default OpenVPN 2.5 will only accept AES-256-GCM and AES-128-GCM as data ciphers. OpenVPN 2.4 allows AES-256-GCM,AES-128-GCM and BF-CBC when no --cipher and --ncp-ciphers options are present. Accepting BF-CBC can be enabled by adding
data-ciphers AES-256-GCM:AES-128-GCM:BF-CBC
and when you need to support very old peers also
data-ciphers-fallback BF-CBC
To offer backwards compatibility with older configs an explicit
cipher BF-CBC
in the configuration will be automatically translated into adding BF-CBC to the data-ciphers option and setting data-ciphers-fallback to BF-CBC (as in the example commands above). We strongly recommend to switching away from BF-CBC to a more secure cipher.
and I can no longer connect to an OpenVPN server at work. Hence the question, how do I enable OpenVPN's BF-CBC in 22.04?
I did some googling, and allegedly in Fedora Linux, you enable it by adding
providers legacy default
to /etc/openvpn/client.conf, but that file does not exist in Ubuntu; instead there is an (empty) directory path /etc/openvpn/client
systemctl start openvpn-client@<something>? Or some other way? – muru Mar 09 '23 at 08:13
sudo openvpn Hans.ovpn and the ovpn file looks like: https://termbin.com/jfdo2 – hanshenrik Mar 09 '23 at 08:21
data-ciphers AES-256-GCM:AES-128-GCM:BF-CBC to the Hans.ovpn file. – muru Mar 09 '23 at 08:26
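As an added example (not part of the original question, its comments, or OpenVPN's own code), this Python check applies the 2.5 rules quoted from the changelog to a client config and reports whether the tunnel could end up on BF-CBC. The sample configs are constructed, and leaving an explicit data-ciphers-fallback untouched when cipher BF-CBC is also present is an assumption.

```python
# Added example: models only the OpenVPN 2.5 rules quoted from the changelog.
DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]  # 2.5 default

def effective_ciphers(config_text):
    """Return (data_ciphers, fallback) that OpenVPN 2.5 would derive."""
    data_ciphers = fallback = legacy_cipher = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        key, value = parts[0].lstrip("-"), parts[1]
        if key == "data-ciphers":
            data_ciphers = value.split(":")
        elif key == "data-ciphers-fallback":
            fallback = value
        elif key == "cipher":
            legacy_cipher = value
    ciphers = list(data_ciphers or DEFAULT_DATA_CIPHERS)
    # Compatibility rule from the changelog: explicit "cipher BF-CBC" adds
    # BF-CBC to data-ciphers and sets data-ciphers-fallback to BF-CBC.
    # Assumption: an explicit data-ciphers-fallback is left untouched.
    if legacy_cipher and legacy_cipher.upper() == "BF-CBC":
        if "BF-CBC" not in [c.upper() for c in ciphers]:
            ciphers.append("BF-CBC")
        fallback = fallback or "BF-CBC"
    return ciphers, fallback

def audit(config_text):
    """List the ways this config lets the tunnel end up on BF-CBC."""
    ciphers, fallback = effective_ciphers(config_text)
    findings = []
    if any(c.upper() == "BF-CBC" for c in ciphers):
        findings.append("BF-CBC accepted in data-ciphers")
    if fallback and fallback.upper() == "BF-CBC":
        findings.append("BF-CBC used as data-ciphers-fallback")
    return findings

# Constructed sample configs (vpn.example.com is a placeholder).
SAMPLES = {
    "default": "client\nremote vpn.example.com 1194\n",
    "legacy": "client\n# old config\ncipher BF-CBC\n",
    "explicit": "client\ndata-ciphers AES-256-GCM:AES-128-GCM:BF-CBC\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, effective_ciphers(text), audit(text))
```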