OpenVPN is not able to connect after update

But before OpenSSL 3.0, BF-CBC was available. Now, BF-CBC is not available anymore. You need to specify the correct cipher that should be used.

I really hope that your VPN provider pushes a modern cipher after the first handshake. If not specified, BF-CBC is used until the OpenVPN server pushes other options.

Since you imported a config, make sure all settings are correctly imported in your NM connection. NM often doesn’t import all options, so make sure the cipher is set. It doesn’t matter if it is available in the ovpn file, it needs to be in the NM config for your connection.


I’ve got more or less the same scenario going on, and agree that the best way to fix the issue is to stop using the legacy cipher, but that is going to take a little extra time since I need to fully upgrade the openvpn server side of things to achieve that, and I need this working in the meantime.

Now that it’s openvpn 2.5.8 and openssl 3.0.7 I have added the data-ciphers option to my openvpn client config but get the following error in my journalctl output:

<warn>  [1668703217.7616] vpn[0x55d7534b21b0,770a8140-8ccb-4cd7-8076-57a90d7c07d9,"fw1.bos"]: connect: failed to connect interactively: 'GDBus.Error:org.freedesktop.NetworkManager.VPN.Error.BadArguments: property “data-ciphers” invalid or not supported'

Downgrading at this point is looking like my best option, but I’m very confused as to why I would get that error when it is clearly a valid configuration parameter based on all the man page, the error message and any other documentation I’ve found.

You can do that with a real OpenVPN config, but not with a NM connection. The names for these options in a NM connection config are sometimes different and not all OpenVPN options are available. For example, data-ciphers is not supported. Simply use cipher to set a cipher that should be used.

It is better to use the GUI (nm-connection-editor is the first choice, specific DE tools don’t let you edit everything) or nmcli.

Thank you for the quick reply. After downgrading I still had the same issue with the property “data-ciphers” invalid or not supported error. I deleted all the lines I added to the config file along with the “cipher=…” line and reset the cipher using the GUI. In line with what you said, the GUI re-added the cipher declaration using the “cipher=…” option instead of the “data-cipher=…” option. I re-upgraded the openvpn client and found the same behavior.

Now even with the new vpn client I no longer get the error about the invalid property, and I’m connecting successfully. At this point it seems my issue was a corrupted config file from my manual edits. Likely a bad linefeed character was introduced from a copy-paste.

Thank you for your help.
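The checks discussed in this thread can be run over a NetworkManager keyfile before reconnecting. The following is an added example, not code from any poster or from the NetworkManager project: it flags a hand-added `data-ciphers` key, a missing or BF-CBC `cipher`, and stray carriage returns from copy-paste. The set of rejected keys is an assumption taken from the error reported above, and the sample keyfile is constructed.

```python
import configparser

# Assumption from the thread: the installed NetworkManager OpenVPN plugin
# rejects this key. Adjust the set for the plugin version in use.
REJECTED_KEYS = {"data-ciphers"}
# BF-CBC is the legacy default the thread says is unavailable with OpenSSL 3.0.
LEGACY_CIPHERS = {"BF-CBC"}

def audit_vpn_keyfile(text, rejected=REJECTED_KEYS):
    """Return a list of findings for the [vpn] section of an NM keyfile."""
    findings = []
    # A stray carriage return from copy-paste becomes part of a key or value.
    for n, line in enumerate(text.split("\n"), 1):
        if "\r" in line:
            findings.append(f"line {n}: carriage return in line")
    parser = configparser.RawConfigParser(
        delimiters=("=",), comment_prefixes=("#",), strict=False)
    parser.optionxform = str  # keep key names exactly as written
    parser.read_string(text.replace("\r", ""))
    if not parser.has_section("vpn"):
        return findings + ["no [vpn] section"]
    vpn = dict(parser.items("vpn"))
    for key in sorted(set(vpn) & set(rejected)):
        findings.append(f"unsupported key: {key}")
    cipher = vpn.get("cipher", "").strip()
    if not cipher:
        findings.append("cipher not set: BF-CBC is used unless the server pushes another")
    elif cipher.upper() in LEGACY_CIPHERS:
        findings.append(f"legacy cipher: {cipher}")
    return findings

# Constructed sample keyfile (not from the thread): a hand-edited [vpn] section
# with a pasted data-ciphers line that ends in CRLF.
SAMPLE = (
    "[connection]\nid=example-vpn\ntype=vpn\n\n"
    "[vpn]\nservice-type=org.freedesktop.NetworkManager.openvpn\n"
    "remote=vpn.example.org\ndata-ciphers=AES-256-GCM\r\ncipher=BF-CBC\n"
)

if __name__ == "__main__":
    for finding in audit_vpn_keyfile(SAMPLE):
        print(finding)
```
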
