2

I recently upgraded from Ubuntu 20.04 (which ships OpenVPN 2.4.7) to Ubuntu 22.04 (which ships OpenVPN 2.5.5), and in the OpenVPN 2.5.0 changelog I find:

Removal of BF-CBC support in default configuration:

By default OpenVPN 2.5 will only accept AES-256-GCM and AES-128-GCM as data ciphers. OpenVPN 2.4 allows AES-256-GCM,AES-128-GCM and BF-CBC when no --cipher and --ncp-ciphers options are present. Accepting BF-CBC can be enabled by adding

data-ciphers AES-256-GCM:AES-128-GCM:BF-CBC

and when you need to support very old peers also

data-ciphers-fallback BF-CBC

To offer backwards compatibility with older configs an explicit

cipher BF-CBC

in the configuration will be automatically translated into adding BF-CBC to the data-ciphers option and setting data-ciphers-fallback to BF-CBC (as in the example commands above). We strongly recommend switching away from BF-CBC to a more secure cipher.

and I can no longer connect to an OpenVPN server at work. Hence the question, how do I enable OpenVPN's BF-CBC in 22.04?

I did some googling, and allegedly in Fedora Linux, you enable it by adding providers legacy default to /etc/openvpn/client.conf, but that file does not exist in Ubuntu; instead there is an (empty) directory path /etc/openvpn/client.

muru
hanshenrik
  • How are you using OpenVPN? Is it via the Network Manager GUI? Or do you run systemctl start openvpn-client@<something>? Or some other way? – muru Mar 09 '23 at 08:13
  • @muru I run the CLI sudo openvpn Hans.ovpn and the ovpn file looks like: https://termbin.com/jfdo2 – hanshenrik Mar 09 '23 at 08:21
  • Try adding data-ciphers AES-256-GCM:AES-128-GCM:BF-CBC to the Hans.ovpn file. – muru Mar 09 '23 at 08:26

2 Answers

1

Adding the following line: providers legacy default in my conf.vpn file solves the issue for me.

0

Try the solution from this post: https://askubuntu.com/a/1436542/849570

Or wait for this PR to merge https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/merge_requests/70

Or add this parameter data-ciphers-fallback BF-CBC https://github.com/OpenVPN/openvpn/blob/master/Changes.rst

puz_zle
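The cipher rules from the 2.5 changelog quoted in the question, applied to a client config to report whether it still accepts BF-CBC. This is an added example, not part of the thread or of OpenVPN; the function names, the sample configs, and the handling of a config that sets both cipher and data-ciphers-fallback are assumptions.

```python
DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]  # 2.5 default, per the changelog
LEGACY_CIPHERS = {"BF-CBC"}  # the cipher the changelog recommends switching away from


def parse_directives(text):
    """Map each option name to its argument list (last occurrence wins)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;<":  # blank, comment, or inline-block tag
            continue
        name, *args = line.split()
        opts[name.lstrip("-")] = args
    return opts


def effective_ciphers(text):
    """Apply the quoted 2.5 rules to a client config and report the result."""
    opts = parse_directives(text)
    if opts.get("data-ciphers"):
        ciphers = opts["data-ciphers"][0].split(":")
    else:
        ciphers = list(DEFAULT_DATA_CIPHERS)
    fallback = (opts.get("data-ciphers-fallback") or [None])[0]
    # Quoted rule: an explicit "cipher BF-CBC" adds BF-CBC to data-ciphers and
    # sets the fallback. Keeping an explicit fallback when both are present is
    # an assumption of this example.
    if (opts.get("cipher") or [None])[0] == "BF-CBC":
        if "BF-CBC" not in ciphers:
            ciphers.append("BF-CBC")
        fallback = fallback or "BF-CBC"
    accepted = set(ciphers) | ({fallback} if fallback else set())
    return {
        "data_ciphers": ciphers,
        "fallback": fallback,
        "legacy": sorted(accepted & LEGACY_CIPHERS),
        "legacy_provider": "legacy" in opts.get("providers", []),
    }


# Constructed sample configs (not the asker's file; the hostname is a placeholder).
SAMPLES = {
    "no cipher options": "client\nremote vpn.example.test 1194\n",
    "old-style cipher": "client\ncipher BF-CBC\n",
    "fix from the comments": "client\ndata-ciphers AES-256-GCM:AES-128-GCM:BF-CBC\n",
}

if __name__ == "__main__":
    for label, cfg in SAMPLES.items():
        print(label, effective_ciphers(cfg))
```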