Open adharshgec opened 2 years ago
Just adding I'm having same problems with my VPN connection, using Wireguard
The connection you're using has to support OpenSSL 3.0, and many VPNs were unprepared for this update.
The connection you're using has to support OpenSSL 3.0, and many VPNs were unprepared for this update.
Is there any workaround in case the VPNs are not updated?
Not as far as I know, I have the same issue. In the system log (run journalctl _SYSTEMD_UNIT=NetworkManager.service
I see that the new version of nm-openvpn
produces a VERIFY ERROR ... signature digest algorithm too weak
, where OpenSSL says: certificate verify failed
which leads to the TLS handshake failing.
So I think the only way is for the vpn server to update their certificates / digest algorithm.
sudo nano /etc/NetworkManager/system-connections/
under vpn section: tls-cipher=DEFAULT:@SECLEVEL=0
worked for me
This worked for me as well, after restarting the network manager (sudo systemctl restart NetworkManager
)
What if I don't have a /etc/NetworkManager/system-connections/.nmconnection file?
What if I don't have a /etc/NetworkManager/system-connections/.nmconnection file?
Change the directory so you can inspect the contents of folder system-connections.
cd /etc/NetworkManager/system-connections/
Inspect the contents of system-connections:
ls
Update the relevant connection files that are causing issues:
sudo nano /etc/NetworkManager/system-connections/name-of-my-connection-goes-here.nmconnection
Add the fix under VPN section using Nano editor:
tls-cipher=DEFAULT:@SECLEVEL=0
Save the updated connection file and restart the network manager:
sudo systemctl restart NetworkManager
Thank you. I realised that the file was missing because the connection was made with a command:
sudo openvpn --config configfile.ovpn --daemon
changing it to:
sudo openvpn --config configfile.ovpn --tls-cipher DEFAULT:@SECLEVEL=0 --daemon
worked like a charm!
tls-cipher=DEFAULT:@SECLEVEL=0 sudo systemctl restart NetworkManager
This worked for me. Thank you so much!
Just so folks are aware, the @SECLEVEL=0
workaround basically turns off encryption, which may defeat the purpose of using a VPN in the first place. The correct solution is for the VPN administrators to generate a new OVPN configuration and certificate file with modern ciphers/hashes and use those instead, and we don't recommend the SECLEVEL
workaround unless you're willing to use an insecure connection.
Basically turns off encryption? Would say it allows the same weak encryption as it was before. But yes OVPN configuration and certificates should be updated.
I should say, it allows any cipher configuration, including no encryption at all, and if your server and your client can't agree on a cipher to use, then it will just go ahead and not encrypt anything. I feel like this is a likely scenario given that we're dealing with old VPN servers here, but yes we would have to look more closely at each individual connection to see exactly what's happening.
The various security levels in OpenSSL 3 are outlined here: https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_security_level.html
Distribution (run
cat /etc/os-release
): Pop!_OS 22.04 LTSRelated Application and/or Package Version (run
apt policy $PACKAGE NAME
): openvpn 2.5.5-1ubuntu3, network-manager-openvpn-gnome 1.8.18-1Issue/Bug Description: Connection to OpenVPN is failing with message connection failed. Deleting and re adding the configuration is also not helping. It was connecting successfully prior to the upgrade.
Steps to reproduce (if you know): Add an OpenVPN configuration in the Network settings. Connect to that OpenVPN configuration.
Expected behavior: Successful connection to the OpenVPN configuration
Other Notes: