12

After updating to Ubuntu 22.10, openvpn cannot connect to the server as a client using the same old working ovpn profile from Ubuntu 22.04 LTS.

I constantly get an error:

2022-10-20 20:10:04 TCPv4_CLIENT link remote: [AF_INET]xx.xxx.xxx.xxx:1194
2022-10-20 20:10:04 Connection reset, restarting [0]
2022-10-20 20:10:04 SIGUSR1[soft,connection-reset] received, process restarting

I tried reinstalling openvpn, but it did not help.

My configuration:

client
dev tun
proto tcp
remote xx.xxx.xxx.x 1194
user nobody
group nogroup
persist-key
persist-tun
pkcs12 /home/dyedfox/openvpn/opvn-client1.p12
auth-user-pass /home/dyedfox/openvpn/auth.cfg
askpass /home/dyedfox/openvpn/keypass.cfg
remote-cert-tls server
route 10.0.0.0 255.255.0.0 10.8.8.1
route 10.176.64.16 255.255.255.248 10.8.8.1
route 10.210.4.200 255.255.255.248 10.8.8.1
cipher AES-256-CBC

Would you please help me with this issue?

P.S. Complete output:

2022-10-20 21:36:40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 
2022-10-20 21:36:40 WARNING: file '/home/dyedfox/openvpn/opvn-client1.p12' is group or others accessible
2022-10-20 21:36:40 WARNING: file '/home/dyedfox/openvpn/keypass.cfg' is group or others accessible
2022-10-20 21:36:40 WARNING: file '/home/dyedfox/openvpn/auth.cfg' is group or others accessible
2022-10-20 21:36:40 OpenVPN 2.6_git x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2022-10-20 21:36:40 library versions: OpenSSL 3.0.5 5 Jul 2022, LZO 2.10
2022-10-20 21:36:40 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2022-10-20 21:36:40 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:40 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:40 TCP connection established with [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:40 TCPv4_CLIENT link local: (not bound)
2022-10-20 21:36:40 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:40 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
2022-10-20 21:36:41 Connection reset, restarting [0]
2022-10-20 21:36:41 SIGUSR1[soft,connection-reset] received, process restarting
2022-10-20 21:36:46 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:46 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:46 TCP connection established with [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:46 TCPv4_CLIENT link local: (not bound)
2022-10-20 21:36:46 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:47 Connection reset, restarting [0]
2022-10-20 21:36:47 SIGUSR1[soft,connection-reset] received, process restarting
2022-10-20 21:36:52 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:52 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:52 TCP connection established with [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:52 TCPv4_CLIENT link local: (not bound)
2022-10-20 21:36:52 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:53 Connection reset, restarting [0]
2022-10-20 21:36:53 SIGUSR1[soft,connection-reset] received, process restarting
2022-10-20 21:36:58 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:58 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:58 TCP connection established with [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:58 TCPv4_CLIENT link local: (not bound)
2022-10-20 21:36:58 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:58 Connection reset, restarting [0]
2022-10-20 21:36:58 SIGUSR1[soft,connection-reset] received, process restarting
dyedfox
  • 353

11 Answers

19

This is caused by a bug in network-manager-openvpn.

Ubuntu 22.10 updated to a newer version of OpenVPN (2.6), which doesn't support the cipher option, ignores it, and expects the newer data-ciphers option, as seen in your output here:

2022-10-20 21:36:40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.

The problem is that the old option is hardcoded in network-manager-openvpn, so rewriting to the new one won't work, except if you pass it using the command line.

For the time being, you should downgrade to OpenVPN 2.5.5. Here are the steps, based on this answer, which also helped me a lot: https://askubuntu.com/a/1406472/1589545

  1. Uninstall the current OpenVPN version if installed: sudo apt remove openvpn

  2. Install OpenVPN 2.5.5

  3. Optional: mark OpenVPN not to update: sudo apt-mark hold openvpn

  4. Reinstall NetworkManager OpenVPN GUI: sudo apt install network-manager-openvpn-gnome

wolfmanFP
  • 439
12

I just added

data-ciphers=AES-128-CBC

below the original cipher entry in

/etc/NetworkManager/system-connections/MYVPN.nmconnection

and it's working.

cipher=AES-128-CBC
data-ciphers=AES-128-CBC
9

I have found a way to make it work without downgrading the OpenVPN version, using OpenVPN 2.6.

It looks like NetworkManager doesn't read all options (like the data-ciphers option) from the ovpn file. The idea is to put the required options manually, directly into the NetworkManager config file.

Here are the instructions:

  1. Your OpenVPN connection should already be present in the VPN connections list in NetworkManager. If it is not, you can create it using the "Import from file..." menu item (Settings -> Network -> VPN -> VPN + -> Import from file...).

  2. Run gnome-terminal: press Alt-F2 on your keyboard, type gnome-terminal and press Enter.

  3. In the Terminal app please run the following command to edit the NetworkManager connection file:

    sudo nano /etc/NetworkManager/system-connections/*your_connection_name*.nmconnection
    

    Enter the password for your Ubuntu user when the system asks for it and press Enter (the password or asterisks will not be displayed in the Terminal).

  4. Add the following line to the [vpn] section:

    data-ciphers=AES-256-CBC
    

    Instead of AES-256-CBC, please set the data-ciphers value supported by your OpenVPN server or OpenVPN service supplier. You should be able to find this value in the ovpn file provided by the VPN service supplier.

  5. Press F2 on the keyboard, then press y and Enter to save the file.

  6. Restart the NetworkManager service by running the following command:

    sudo systemctl restart NetworkManager
    
  7. Try to connect the OpenVPN connection from the Network Manager.

Walf
  • 452
4

As @wolfmanFP points out, this is due to the new OpenVPN 2.6 version and an out-of-date config file.

I fixed the issue by downgrading to OpenVPN 2.5, as wolfmanFP suggested. That works perfectly fine.

However I felt that we could go a bit further and adapt the config file to the new OpenVPN 2.6 requirements.

So basically I had to remove the line where it says:

cipher AES-256-CBC

And replace it with:

data-ciphers AES-256-CBC
data-ciphers-fallback AES-256-CBC

When you try to connect again, you won't get any warning and the connection will succeed. Or at least it has for me. And this way you can be on OpenVPN 2.6 or higher.

xarlymg89
  • 191
2

In my case I have cipher=AES-256-CBC on a new VPN profile in /etc/NetworkManager/system-connections/xxxx.nmconnection

Just below cipher=AES-256-CBC, add data-ciphers=AES-256-CBC, like this:

cipher=AES-256-CBC
data-ciphers=AES-256-CBC

Restart with sudo service NetworkManager restart and the VPN connection works as expected. Tested on Ubuntu 22.10, openvpn 2.6.

2

Someone added a fix to the repository, you can download and compile the network-manager-openvpn package yourself.

In my case it works on the following environment:
Ubuntu 22.10
Kernel: 6.0.9-060009-generic
OpenVPN 2.6_git x86_64-pc-linux-gnu
OpenSSL 3.0.5 5 Jul 2022, LZO 2.10

sudo apt install autopoint autoconf libtool
cd /tmp
git clone https://gitlab.gnome.org/GNOME/NetworkManager-openvpn.git
cd NetworkManager-openvpn
git checkout 020ab0c4b872fa5415ed1a5e682acb3343c7b9f3
./autogen.sh
make -j
make -j check 
sudo make -j install
rest2t
  • 21
1

How I connect in Ubuntu 22.10 Gnome and IPVanish VPN.

Test machine: Fresh install, no upgrades yet...

sudo apt-get install -y openvpn network-manager-openvpn network-manager-openvpn-gnome

The above packages were installed out of the box already, but may help someone else troubleshoot.

Speaking of troubleshooting...

tail -f /var/log/syslog

This displays errors from NetworkManager and other processes and is what clued me into the hack/fix which I found on a Kubuntu forum. https://www.kubuntuforums.net/forum/currently-supported-releases/kubuntu-22-10/network-support-bc/666945-network-manager-fails-to-connect-to-open-vpn-expressvpn-terminal-works-fine

The error I was receiving (one of) was "NetworkManager[25475]: Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: keysize (2.6_git)"

The simple fix of commenting out the line "keysize 256" in /etc/NetworkManager/system-connections/ipvanish-US-Seattle-sea-a01.nmconnection fixed the issue.

Steps to fix...

sudo nano /etc/NetworkManager/system-connections/ipvanish-US-Seattle-sea-a01.nmconnection

Obviously this is an IPVanish specific configuration file, but the same concept may apply to other VPNs. Once you attempt to import a .ovpn file and connect, a network manager configuration file will be generated in the above directory (/etc/NetworkManager/system-connections/).

Change the line "keysize 256" to "#keysize 256" and save.

Now restart NetworkManager...

sudo systemctl restart NetworkManager

Connect to the VPN.

This is the easiest fix.

Other things I've tried...

Downgrading and holding openvpn as per wolfmanFP's instructions (this has worked in the past and is the only method I had success with, however, this stopped working for me yesterday after a fresh Ubuntu install, Kali too).

Maybe the libs got updated, maybe I missed/altered steps, but wolfmanFP's method used to work with 22.10 and now it doesn't (at least for me and this specific computer).

I've also tried Jan Kunzmann's method, which had no effect.

The error "nm-openvpn[26036]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations." is still present, but it still connects.

Anyway, this new method is consistent and only requires modifying one line in a config file.

Hope this helps you avoid hours of searching and troubleshooting.

1

Enabling the legacy provider in /etc/ssl/openssl.cnf did it for me on Debian 12:

https://bbs.archlinux.org/viewtopic.php?id=280970

Phil
  • 11
0

Ubuntu 23.04.

openvpn --version
OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 14 2022
library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10

These steps helped me.

Terminal

sudo openvpn --config ./client.ovpn

The command output hints at exactly which ciphers you need (something about adding --data-ciphers XX-XXX). Modifying the command to

sudo openvpn --data-ciphers-fallback XX-XXX --data-ciphers XX-XXX --config ./client.ovpn

establishes connection.

For the GUI, after unsuccessful attempts, add the row

cipher=XX-XXX

to the section [vpn] to the file

/etc/NetworkManager/system-connections/your_vpn_connection.nmconnection
venoel
  • 101
0

On Ubuntu 24.10 (OpenVPN version is 2.6.12), find your VPN configuration file in /etc/netplan/ and add a line to the related file

vpn.data-ciphers: "AES-128-CBC"

like

vpn.cipher: "AES-128-CBC" 
vpn.data-ciphers: "AES-128-CBC"

Restart NetworkManager

sudo systemctl restart NetworkManager

You can check your logs

journalctl -u NetworkManager -f
indy99
  • 1
0

"If anyone is here in the future for this reason -> open up the ovpn file and comment out keysize 256"

IE:

cipher AES-256-CBC
#keysize 256
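
A small checker for the two OpenVPN 2.6 incompatibilities the answers above describe (a cipher value missing from data-ciphers, and a leftover keysize line), added here as an example; it is not code from any of the posts or from the OpenVPN or NetworkManager projects. The function names and the sample profile are constructed for illustration, and the default cipher list is the one printed in the question's log.

```python
import re

# Default --data-ciphers list, copied from the OpenVPN 2.6 log line on this page.
DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"]


def parse_options(text):
    """Map option name -> argument list for .ovpn ("key value") and
    .nmconnection ("key=value") lines; comments and [section] headers are skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        line = re.split(r"\s+[#;]", line, maxsplit=1)[0]  # drop a trailing comment
        parts = line.replace("=", " ", 1).split()
        if parts:
            opts[parts[0].lower()] = parts[1:]
    return opts


def lint(text):
    """Return (findings, suggested data-ciphers value or None)."""
    opts = parse_options(text)
    findings, suggestion = [], None
    cipher = (opts.get("cipher") or [None])[0]
    configured = (opts.get("data-ciphers") or [""])[0]
    effective = [c for c in configured.split(":") if c] or DEFAULT_DATA_CIPHERS
    if cipher and cipher.upper() not in (c.upper() for c in effective):
        findings.append(f"cipher {cipher} is not in data-ciphers ({':'.join(effective)})")
        # Append to the existing list instead of replacing it,
        # so the AEAD ciphers stay on offer to the server.
        suggestion = ":".join(effective + [cipher])
    if "keysize" in opts:
        findings.append("keysize is rejected by OpenVPN 2.6; remove the line")
    return findings, suggestion


# Constructed sample: part of the question's profile plus a keysize line.
SAMPLE = """\
client
proto tcp
cipher AES-256-CBC
keysize 256
"""

if __name__ == "__main__":
    problems, fix = lint(SAMPLE)
    for p in problems:
        print("WARN:", p)
    if fix:
        print("suggested: data-ciphers", fix)
```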