On 13/08/2023 10:58, Martin wrote:
> On 2023-08-13 08:52, Gert Doering wrote:
>> Run the client with --verb 3 or 4, have a close look at the logfile.
>>
>> If there is nothing obvious to you, show us the log.
>
> /var/log/openvpn/ is empty.
> Probably I need to use journalctl <something>?
>
>> If the server runs 2.3.10 (which is, like, "ancient") then my guess is
>> that the server also runs "cipher BF-CBC", which is not considered a secure
>> cipher anymore - so 2.6 will not use that by default.
>>
>> In this case, try adding
>>
>>    cipher BF-CBC
>>    compat-mode 2.3.10
>
> Adding
>
>      cipher=BF-CBC
>      compat-mode=2.3.10
>
> to the [vpn] section of
> /etc/NetworkManager/system-connections/MyConnection
> did not help. Maybe this should go in my .ovpn file.

Yes, this must go into the .ovpn file. And it might very much be that the NetworkManager-openvpn does not grok the compat-mode option - so you can't run it via NetworkManager.

> Now I try to use `openvpn` at the shell, and it complains about:
>
> Options error: Unrecognized option or missing or extra parameter(s) in
> u...@myconnection.ovpn:47: tls-remote (2.6.3)

The --tls-remote option was removed in OpenVPN 2.4.
<https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#Option:--tls-remoteStatus:RemovedinOpenVPNv2.4>

>> to your client config (... and get company to upgrade to at least 2.5.x
>> as soon as possible).
>
> Thanks for the heads-up! I'll push them to do so as hard as I can :-)

Tell your IT folks about this page:
<https://community.openvpn.net/openvpn/wiki/SupportedVersions>

Make some fuss about the "End of life" date for OpenVPN 2.3.

No Linux/*BSD distribution which is valid (supported by the vendor) ships with OpenVPN 2.3. RHEL/CentOS 7 + RHEL-8 are those shipping with OpenVPN 2.4.12 (via Fedora EPEL) - which are the oldest releases I'm aware of. For RHEL/CentOS we also have separate Fedora Copr repos which ship both OpenVPN 2.5 [1] and OpenVPN 2.6 [2].

Even though OpenVPN 2.4 is from the OpenVPN community perspective EOL, I do support this release for the lifetime of RHEL-7 and RHEL-8 (I am the official Fedora/EPEL package manager for OpenVPN). When needed security fixes are required - the OpenVPN 2.4 release will be updated as needed. But only highly critical issues are being considered.

[1] <https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release/>
[2] <https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release-2.6/>


--
kind regards,

David Sommerseth
OpenVPN Inc




_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
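
Added example, not part of the thread and not OpenVPN project code: a small shell check for the two profile problems discussed in the message above (a `tls-remote` line, and `cipher BF-CBC` without the `compat-mode` line the thread suggests). The function name `check_ovpn` and the sample profile are constructed for illustration.

```shell
#!/bin/sh
# check_ovpn FILE
# Prints one "LINE: finding" per problem and returns 1 if any were found.
check_ovpn() {
    awk '
        # Skip blank lines and comments (OpenVPN accepts # and ; comments).
        NF == 0 || $1 ~ /^[#;]/ { next }

        # Removed in OpenVPN 2.4, so a 2.6 client refuses to start with it.
        $1 == "tls-remote" {
            printf "%d: tls-remote was removed in OpenVPN 2.4\n", NR
            bad = 1
        }

        # Remember where BF-CBC is requested and whether compat-mode is set.
        $1 == "cipher" && $2 == "BF-CBC" { bf = NR }
        $1 == "compat-mode"              { compat = 1 }

        END {
            if (bf && !compat) {
                printf "%d: cipher BF-CBC without compat-mode\n", bf
                bad = 1
            }
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample profile; host names are placeholders.
sample=$(mktemp)
cat > "$sample" <<'EOF'
client
remote vpn.example.invalid 1194
cipher BF-CBC
# tls-remote mentioned in a comment is ignored
tls-remote server.example.invalid
EOF

check_ovpn "$sample" || echo "profile needs changes before use with OpenVPN 2.6"
rm -f "$sample"
```
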
