2

I recently upgraded from Ubuntu 20.04 (which ships OpenVPN 2.4.7) to Ubuntu 22.04 (which ships OpenVPN 2.5.5), and in the OpenVPN 2.5.0 changelog I find:

Removal of BF-CBC support in default configuration:

By default OpenVPN 2.5 will only accept AES-256-GCM and AES-128-GCM as data ciphers. OpenVPN 2.4 allows AES-256-GCM, AES-128-GCM and BF-CBC when no --cipher and --ncp-ciphers options are present. Accepting BF-CBC can be enabled by adding

data-ciphers AES-256-GCM:AES-128-GCM:BF-CBC

and when you need to support very old peers also

data-ciphers-fallback BF-CBC

To offer backwards compatibility with older configs an explicit

cipher BF-CBC

in the configuration will be automatically translated into adding BF-CBC to the data-ciphers option and setting data-ciphers-fallback to BF-CBC (as in the example commands above). We strongly recommend switching away from BF-CBC to a more secure cipher.

and I can no longer connect to an OpenVPN server at work. Hence the question: how do I enable OpenVPN's BF-CBC in 22.04?

I did some googling, and allegedly in Fedora Linux you enable it by adding providers legacy default to /etc/openvpn/client.conf, but that file does not exist in Ubuntu; instead there is an (empty) directory path /etc/openvpn/client.

muru
  • 207,228
hanshenrik
  • 565

2 Answers

1

Adding the following line: providers legacy default in my conf.vpn file solves the issue for me.

0

Try the solution from this post: https://askubuntu.com/a/1436542/849570

Or wait for this PR to merge: https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/merge_requests/70

Or add this parameter: data-ciphers-fallback BF-CBC (see https://github.com/OpenVPN/openvpn/blob/master/Changes.rst)

puz_zle
  • 111
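
The changelog rule quoted in the question, as an added example that is not part of the original posts and is not OpenVPN's own code: a small Python audit that models which data ciphers a client config ends up accepting under OpenVPN 2.5 and flags where BF-CBC or the legacy provider is still enabled. The function names and sample configs are constructed; treating ncp-ciphers as the older name of data-ciphers, and applying the translation to any explicit cipher missing from the list rather than only BF-CBC, are assumptions.

```python
DEFAULTS = ["AES-256-GCM", "AES-128-GCM"]  # 2.5 default data ciphers per the changelog
LEGACY = {"BF-CBC"}                        # cipher the changelog says to move away from
WANTED = {"cipher", "data-ciphers", "ncp-ciphers", "data-ciphers-fallback", "providers"}

def parse_directives(text):
    """Return {directive: [args]}; '#' or ';' at the start of a token begins a comment."""
    found = {}
    for raw in text.splitlines():
        tokens = []
        for tok in raw.split():
            if tok[0] in "#;":
                break
            tokens.append(tok)
        if tokens and tokens[0].lstrip("-") in WANTED:
            found[tokens[0].lstrip("-")] = tokens[1:]  # last occurrence wins (simplification)
    return found

def audit(text):
    """Model the effective cipher settings and list legacy-cipher findings."""
    d = parse_directives(text)
    spec = d.get("data-ciphers") or d.get("ncp-ciphers")  # assumption: ncp-ciphers is the 2.4 name
    ciphers = spec[0].split(":") if spec else list(DEFAULTS)
    fallback = (d.get("data-ciphers-fallback") or [None])[0]
    explicit = (d.get("cipher") or [None])[0]
    # Changelog rule: an explicit "cipher X" is added to data-ciphers and becomes the fallback.
    if explicit and fallback is None and explicit not in ciphers:
        ciphers.append(explicit)
        fallback = explicit
    findings = [f"{c} accepted as data cipher" for c in ciphers if c in LEGACY]
    if fallback in LEGACY:
        findings.append(f"{fallback} is the fallback cipher for very old peers")
    if "legacy" in d.get("providers", []):
        findings.append("providers directive loads the legacy provider")
    return ciphers, fallback, findings

# Constructed sample configs (hostname is a placeholder).
OLD_STYLE = "client\nremote vpn.example.com 1194\ncipher BF-CBC\nproviders legacy default\n"
MODERN = "client\nremote vpn.example.com 1194\n"

if __name__ == "__main__":
    for name, cfg in (("old-style", OLD_STYLE), ("modern", MODERN)):
        ciphers, fallback, findings = audit(cfg)
        print(name, ":".join(ciphers), "fallback=" + str(fallback))
        for f in findings:
            print("  finding:", f)
```

Running it over every client profile on a host gives a quick inventory of which connections still depend on BF-CBC, so the server side can be moved to an AES-GCM cipher and the workaround removed.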