Unable to connect to OpenVPN after upgrade to 22.04

[adharshgec]

Distribution (run cat /etc/os-release): Pop!_OS 22.04 LTS

Related Application and/or Package Version (run apt policy $PACKAGE NAME): openvpn 2.5.5-1ubuntu3, network-manager-openvpn-gnome 1.8.18-1

Issue/Bug Description: Connection to OpenVPN is failing with message connection failed. Deleting and re adding the configuration is also not helping. It was connecting successfully prior to the upgrade.

Steps to reproduce (if you know): Add an OpenVPN configuration in the Network settings. Connect to that OpenVPN configuration.

Expected behavior: Successful connection to the OpenVPN configuration

Other Notes:

[den7007]

Just adding I'm having same problems with my VPN connection, using Wireguard

[mmstick]

The connection you're using has to support OpenSSL 3.0, and many VPNs were unprepared for this update.

[adharshgec]

The connection you're using has to support OpenSSL 3.0, and many VPNs were unprepared for this update.

Is there any workaround in case the VPNs are not updated?

[jmbuhr]

Not as far as I know, I have the same issue. In the system log (run journalctl _SYSTEMD_UNIT=NetworkManager.service I see that the new version of nm-openvpn produces a VERIFY ERROR ... signature digest algorithm too weak, where OpenSSL says: certificate verify failed which leads to the TLS handshake failing.

So I think the only way is for the vpn server to update their certificates / digest algorithm.

[apatsche]

sudo nano /etc/NetworkManager/system-connections/.nmconnection

under vpn section: tls-cipher=DEFAULT:@SECLEVEL=0

worked for me

[jmbuhr]

This worked for me as well, after restarting the network manager (sudo systemctl restart NetworkManager)

[michelehevelop]

What if I don't have a /etc/NetworkManager/system-connections/.nmconnection file?

[craigfleming]

What if I don't have a /etc/NetworkManager/system-connections/.nmconnection file?

Change the directory so you can inspect the contents of folder system-connections. cd /etc/NetworkManager/system-connections/

Inspect the contents of system-connections: ls

Update the relevant connection files that are causing issues: sudo nano /etc/NetworkManager/system-connections/name-of-my-connection-goes-here.nmconnection

Add the fix under VPN section using Nano editor: tls-cipher=DEFAULT:@SECLEVEL=0

Save the updated connection file and restart the network manager: sudo systemctl restart NetworkManager

[michelehevelop]

Thank you. I realised that the file was missing because the connection was made with a command: sudo openvpn --config configfile.ovpn --daemon

changing it to: sudo openvpn --config configfile.ovpn --tls-cipher DEFAULT:@SECLEVEL=0 --daemon

worked like a charm!

[adharshgec]

tls-cipher=DEFAULT:@SECLEVEL=0 sudo systemctl restart NetworkManager

This worked for me. Thank you so much!

[wagnerck]

Just so folks are aware, the @SECLEVEL=0 workaround basically turns off encryption, which may defeat the purpose of using a VPN in the first place. The correct solution is for the VPN administrators to generate a new OVPN configuration and certificate file with modern ciphers/hashes and use those instead, and we don't recommend the SECLEVEL workaround unless you're willing to use an insecure connection.

[apatsche]

Basically turns off encryption? Would say it allows the same weak encryption as it was before. But yes OVPN configuration and certificates should be updated.

[wagnerck]

I should say, it allows any cipher configuration, including no encryption at all, and if your server and your client can't agree on a cipher to use, then it will just go ahead and not encrypt anything. I feel like this is a likely scenario given that we're dealing with old VPN servers here, but yes we would have to look more closely at each individual connection to see exactly what's happening.

The various security levels in OpenSSL 3 are outlined here: https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_security_level.html