Openvpn is not able to connect after update

Hi, after updating openvpn from 2.5.7 to 2.5.8 I'm unable to connect to my work VPN.
Here is the log from the journal:

nov 15 11:47:14 nm-openvpn[1608]: --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
nov 15 11:47:14 nm-openvpn[1608]: WARNING: file '/home/xxxx/OpenVPN/pfSense-UDP4-1194-xxx.xxx.p12' is group or others accessible
nov 15 11:47:14 nm-openvpn[1608]: OpenVPN 2.5.8 [git:makepkg/0357ceb877687faa+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov  1 2022
nov 15 11:47:14 nm-openvpn[1608]: library versions: OpenSSL 3.0.7 1 Nov 2022, LZO 2.10
nov 15 11:47:15 nm-openvpn[1608]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
nov 15 11:47:15 nm-openvpn[1608]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
nov 15 11:47:15 nm-openvpn[1608]: OpenSSL: error:0308010C:digital envelope routines::unsupported
nov 15 11:47:15 nm-openvpn[1608]: OpenSSL: error:11800071:PKCS12 routines::mac verify failure
nov 15 11:47:15 nm-openvpn[1608]: Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
nov 15 11:47:15 nm-openvpn[1608]: SIGUSR1[soft,private-key-password-failure] received, process restarting
nov 15 11:47:20 nm-openvpn[1608]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

I suppose I have to downgrade to 2.5.7, but if I do it (using the downgrade script) I receive a message that a library is missing, and I don't have any idea how to rebuild the package.


I have the same problem, but with the Eddie (OpenVPN) client.

Did you follow literally the first line of the log?

Nope, as I was not able to find a way of setting it.

Where did you search?

Try it as a CLI parameter.

It is present in the .ovpn file from which I imported the connection via the CLI.

It was working before the update, why not now?
The --data-ciphers option is present in the .ovpn file from which I created the connection;
I also added them to the nmconnection file, but no difference...

The security was improved so old insecure ciphers are disabled.

Perfect, how can I add them to the nmconnection file?
I already tried to recreate the connection by importing the .ovpn file, but no luck;
if I try to add them manually to the nmconnection file, the file gets cleaned after a restart.

You could try this here: Openvpn connection fails after openssl 3 update / [testing] Repo Forum / Arch Linux Forums

Meaning, re-encrypt your keyfile with a proper algorithm.

# keep the original file
mv /home/xxxx/OpenVPN/pfSense-UDP4-1194-xxx.xxx.p12 /home/xxxx/OpenVPN/pfSense-UDP4-1194-xxx.xxx.p12.bak

# -legacy loads OpenSSL 3's legacy provider so the old RC2/RC4-encrypted bags can still be read;
# without -export the output is PEM (the certificates plus the private key re-encrypted with AES-256)
openssl pkcs12 -in /home/xxxx/OpenVPN/pfSense-UDP4-1194-xxx.xxx.p12.bak -out /home/xxxx/OpenVPN/pfSense-UDP4-1194-xxx.xxx.p12 -aes256 -legacy
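
The pair of errors in the first post (digital envelope routines::unsupported, then PKCS12 routines::mac verify failure) is what OpenSSL 3 reports when a .p12 uses a password-based encryption scheme that now lives only in the optional legacy provider; the usual culprit is the RC2-40 certificate encryption that OpenSSL 1.x applied by default on export. You can check which algorithms a file uses without its password, because the algorithm identifiers are stored in the clear. The script below is an added example written for this page, not code from the thread, from OpenVPN or from OpenSSL: it walks the PKCS#12 DER, lists the algorithm OIDs and flags the legacy-only ones. The two embedded sample files are constructed skeletons with dummy ciphertext, and the default-versus-legacy provider split it encodes is the OpenSSL 3.0 one.

```python
import sys

# OID -> (name, needs OpenSSL 3's legacy provider). 3DES, PBES2/PBKDF2, AES and the MAC
# digests live in the default provider; RC2 (and RC4) moved to the optional legacy provider.
ALGORITHMS = {
    "1.2.840.113549.1.12.1.3": ("pbeWithSHA1And3-KeyTripleDES-CBC", False),
    "1.2.840.113549.1.12.1.5": ("pbeWithSHA1And128BitRC2-CBC", True),
    "1.2.840.113549.1.12.1.6": ("pbeWithSHA1And40BitRC2-CBC", True),
    "1.2.840.113549.1.5.13": ("PBES2", False),
    "1.2.840.113549.1.5.12": ("PBKDF2", False),
    "2.16.840.1.101.3.4.1.42": ("aes256-CBC", False),
    "1.3.14.3.2.26": ("sha1 (MAC digest)", False),
    "2.16.840.1.101.3.4.2.1": ("sha256 (MAC digest)", False),
}

def _tlv(buf, pos):
    # One DER tag+length at pos -> (tag, content_start, content_end); ValueError if malformed.
    if pos + 2 > len(buf) or buf[pos] == 0 or (buf[pos] & 0x1F) == 0x1F:
        raise ValueError("truncated DER, or tag form not used in PKCS#12")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next n bytes hold the length
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length overruns buffer")
    return tag, pos, pos + length

def decode_oid(content):
    """OID content octets -> dotted string; the first subidentifier packs the first two arcs."""
    arcs, value = [], 0
    for byte in content:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs += [value] if arcs else ([2, value - 80] if value >= 80 else [value // 40, value % 40])
            value = 0
    return ".".join(map(str, arcs))

def collect_oids(buf, start=0, end=None):
    """Every OID in a DER blob, in order. Recurses into constructed values and into OCTET
    STRINGs wrapping a SEQUENCE, because PKCS#12 nests AuthenticatedSafe/SafeContents that way."""
    end, oids, pos = len(buf) if end is None else end, [], start
    while pos < end:
        tag, c0, c1 = _tlv(buf, pos)
        if c1 > end:
            raise ValueError("element overruns its container")
        if tag == 0x06:
            oids.append(decode_oid(buf[c0:c1]))
        elif tag & 0x20 or (tag == 0x04 and c1 > c0 and buf[c0] == 0x30):
            try:                                       # ciphertext or salt may start with 0x30 by chance
                oids.extend(collect_oids(buf, c0, c1))
            except ValueError:
                if tag != 0x04:                        # only an opaque OCTET STRING may fail quietly
                    raise
        pos = c1
    return oids

def assess(p12_bytes):
    """Name the algorithms a PKCS#12 blob uses; list those that need 'openssl pkcs12 -legacy'."""
    found = [ALGORITHMS[o] for o in collect_oids(p12_bytes) if o in ALGORITHMS]
    return {"algorithms": [name for name, _ in found],
            "needs_legacy_provider": sorted({name for name, legacy in found if legacy})}

# Tiny DER encoder, used only to build the constructed sample files below.
def der(tag, *parts):
    body = b"".join(parts)
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def oid(dotted):
    arcs, out = [int(a) for a in dotted.split(".")], bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += bytes(chunk)
    return der(0x06, bytes(out))
def pkcs12_pbe(alg):      # PKCS#12 PBE AlgorithmIdentifier: params are {salt, iterations=2048}
    return der(0x30, oid(alg), der(0x30, der(0x04, bytes(range(1, 9))), der(0x02, b"\x08\x00")))
def pbes2_aes256():       # PBES2 with PBKDF2 and AES-256-CBC, what OpenSSL 3 exports by default
    kdf = der(0x30, oid("1.2.840.113549.1.5.12"),
              der(0x30, der(0x04, bytes(range(1, 9))), der(0x02, b"\x08\x00")))
    enc = der(0x30, oid("2.16.840.1.101.3.4.1.42"), der(0x04, bytes(16)))
    return der(0x30, oid("1.2.840.113549.1.5.13"), der(0x30, kdf, enc))

def sample_p12(cert_alg, key_alg, mac_digest):
    """Constructed PKCS#12 skeleton: one encrypted cert safe, one pkcs8ShroudedKeyBag, MacData.
    The 'ciphertext' is dummy bytes, not real encryption; only the algorithm identifiers matter."""
    blob = b"\xde\xad\xbe\xef" * 4
    enc_certs = der(0x30, oid("1.2.840.113549.1.7.6"), der(0xA0, der(0x30, der(0x02, b"\x00"),
                    der(0x30, oid("1.2.840.113549.1.7.1"), cert_alg, der(0x80, blob)))))
    key_bag = der(0x30, oid("1.2.840.113549.1.12.10.1.2"), der(0xA0, der(0x30, key_alg, der(0x04, blob))))
    plain = der(0x30, oid("1.2.840.113549.1.7.1"), der(0xA0, der(0x04, der(0x30, key_bag))))
    mac = der(0x30, der(0x30, der(0x30, oid(mac_digest), der(0x05)), der(0x04, b"\x42" * 20)),
              der(0x04, bytes(range(1, 9))), der(0x02, b"\x08\x00"))
    return der(0x30, der(0x02, b"\x03"), der(0x30, oid("1.2.840.113549.1.7.1"),
               der(0xA0, der(0x04, der(0x30, enc_certs, plain)))), mac)

# Constructed samples: OpenSSL 1.x export defaults (RC2-40 certs, 3DES key, SHA-1 MAC) vs OpenSSL 3 defaults.
LEGACY_SAMPLE = sample_p12(pkcs12_pbe("1.2.840.113549.1.12.1.6"),
                           pkcs12_pbe("1.2.840.113549.1.12.1.3"), "1.3.14.3.2.26")
MODERN_SAMPLE = sample_p12(pbes2_aes256(), pbes2_aes256(), "2.16.840.1.101.3.4.2.1")

if __name__ == "__main__":  # python3 p12_inspect.py [file.p12]; with no argument, inspects the legacy sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else LEGACY_SAMPLE
    print(assess(data))
```

Run it as `python3 p12_inspect.py file.p12`. If anything shows up under needs_legacy_provider, the file has to be decoded with `openssl pkcs12 -legacy` as in the command above; pipe that PEM output into `openssl pkcs12 -export -out new.p12` if you want a fresh PKCS#12 (using the default provider's AES/SHA-256) instead of a PEM bundle.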

It keeps saying:

Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
Mac verify error: invalid password?

But I'm using the right password... (the same one I'm using for connecting).

Are you sure the certificate password is the same as the connection password?

You just need a custom certificate from your VPN service; with OpenSSL 3.0 you need to create your own cert with sha512, sha1 no longer works.

I could solve it when I logged into my account on my VPN provider's web page and created my own device to generate my certificate.

I think it works differently for each VPN service... but maybe something like this:

I have 40 OpenVPN connections and I can't change all of them. Is there a solution to downgrade, or anything else?

You just need a custom certificate from your VPN service; with OpenSSL 3.0 you need to create your own cert with sha512, sha1 no longer works.

I will ask the manager about it; not sure if that is possible, as he uses the same rule for many people in the company (they are mostly using Windows).

Nope, I'm going to ask.
EDIT
This was the solution...

Meaning, re-encrypt your keyfile with a proper algorithm.

The only problem was the PEM passphrase, which I didn't know,
but this is the actual password that I typed in the field "Password for the private key";
whereas for the

Enter Import Password:

I should leave it empty.
Once I got that information, everything went OK.

I tried this link and it works:

Below is the proper way to restore back OpenVPN to the previous version (2.5.7):

# remove openvpn and networkmanager-openvpn
sudo pacman -R openvpn networkmanager-openvpn

# install openssl-1.1. This won't override openssl-3.0
sudo pacman -S openssl-1.1

# download and install openvpn-2.5.7
cd ~/Downloads
wget https://archive.archlinux.org/packages/o/openvpn/openvpn-2.5.7-1-x86_64.pkg.tar.zst
sudo pacman -U ./openvpn-2.5.7-1-x86_64.pkg.tar.zst

# install networkmanager-openvpn
sudo pacman -S networkmanager-openvpn

To mask the openvpn package from upgrading:

sudo nano /etc/pacman.conf

Uncomment IgnorePkg and add openvpn:

IgnorePkg   = openvpn

Save the change.


Thank you for your reply, but I wasn't lucky.
I receive this error:

nov 17 10:34:10 nm-openvpn[7107]: --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
nov 17 10:34:10 nm-openvpn[7107]: WARNING: file '/home/XXX/OpenVPN/SIAT/pfSense-UDP4-1194-xxx.xxx.p12' is group or others accessible
nov 17 10:34:10 nm-openvpn[7107]: OpenVPN 2.5.7 [git:makepkg/a0f9a3e9404c8321+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 31 2022
nov 17 10:34:10 nm-openvpn[7107]: library versions: OpenSSL 1.1.1s  1 Nov 2022, LZO 2.10
nov 17 10:34:11 nm-openvpn[7107]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
nov 17 10:34:11 nm-openvpn[7107]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
nov 17 10:34:11 nm-openvpn[7107]: TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1194
nov 17 10:34:11 nm-openvpn[7107]: UDP link local: (not bound)
nov 17 10:34:11 nm-openvpn[7107]: UDP link remote: [AF_INET]xx.xx.xx.xx:1194
nov 17 10:34:11 nm-openvpn[7107]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
nov 17 10:34:14 NetworkManager[7070]: <info>  [1668677654.3925] audit: op="statistics" interface="wlp0s20f3" ifindex=2 args="0" pid=847 uid=1000 result="success"
nov 17 10:35:10 NetworkManager[7070]: <warn>  [1668677710.5693] vpn[0x5569a7a4c1f0,28e016eb-caac-434f-bdae-a570aff8f986,"Siat"]: connect timeout exceeded
nov 17 10:35:10 nm-openvpn-serv[7102]: Connect timer expired, disconnecting.
nov 17 10:35:10 nm-openvpn[7107]: event_wait : Interrupted system call (code=4)

I also downgraded to the previous version of openssl.

I think you changed the original .ovpn file, or you must change it. Error in the first line:

--cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.

I was about to think the same, but then I discovered that this line is present in the journal even before upgrading, and in that case the VPN was starting...