I recently upgraded to Debian 12 (bookworm), which was a really smooth upgrade overall. But when I tried to use my OpenVPN client I couldn’t connect to the server, which uses a fairly outdated version.
The problem is two-fold: previous versions of OpenVPN used a cipher that is now deprecated (so you now need to enable it explicitly), and that cipher is no longer part of the “default” ones loaded by OpenSSL.
To solve this, you might need to add this to your .ovpn config file:
```
cipher BF-CBC
data-ciphers-fallback BF-CBC
data-ciphers BF-CBC
tls-cipher "DEFAULT:@SECLEVEL=0"
providers legacy default
```
- Lines 1-3 explicitly use the deprecated `BF-CBC` cipher.
- Since that is an insecure cipher, OpenVPN will issue a `VERIFY ERROR` when trying to connect to the server. Line 4 lets you silence that error.
- Line 5 enables the `legacy` provider for OpenSSL, which is the one that includes the BF-CBC cipher. You should also include `default` for it to work correctly.
This is just a workaround. Remember that it is in fact an insecure connection, so reach out to the server admin to push for the upgrade.
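To keep track of which client profiles still carry this workaround once the server is upgraded, a small audit script can flag the weakened directives. This is an added example, not part of the original post; the function name `audit_ovpn`, the `WEAK_CIPHERS` list and the sample profile (including its host name) are assumptions made for illustration.

```python
import shlex

# Assumption: a short, non-exhaustive list of 64-bit block ciphers to flag.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC"}

def audit_ovpn(text):
    """Return (line_number, directive, reason) for each weakened setting."""
    findings = []
    inline_end = None  # closing tag while inside an inline <ca>/<key> block
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if inline_end:
            if line == inline_end:
                inline_end = None
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline_end = "</" + line[1:]
            continue
        if not line or line[0] in "#;":
            continue  # blank line or comment
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:
            continue  # unbalanced quotes; skip rather than guess
        if len(tokens) < 2:
            continue
        name, args = tokens[0], tokens[1:]
        if name in ("cipher", "data-ciphers-fallback", "data-ciphers"):
            # data-ciphers takes a colon-separated list; check every entry.
            weak = sorted(c for c in args[0].upper().split(":") if c in WEAK_CIPHERS)
            if weak:
                findings.append((lineno, name, "deprecated cipher " + ",".join(weak)))
        elif name == "tls-cipher" and "@SECLEVEL=0" in args[0].upper():
            findings.append((lineno, name, "OpenSSL security level lowered to 0"))
        elif name == "providers" and "legacy" in args:
            findings.append((lineno, name, "OpenSSL legacy provider loaded"))
    return findings

# Constructed sample: the workaround settings from this post in a minimal profile.
SAMPLE = """client
remote vpn.example.org 1194   # constructed host
; workaround for the outdated server
cipher BF-CBC
data-ciphers-fallback BF-CBC
data-ciphers BF-CBC
tls-cipher "DEFAULT:@SECLEVEL=0"
providers legacy default
"""

if __name__ == "__main__":
    for lineno, name, reason in audit_ovpn(SAMPLE):
        print(f"line {lineno}: {name}: {reason}")
```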