Using OpenVPN with deprecated BF-CBC ciphers on Debian 12

I recently upgraded to Debian 12 (bookworm), which was a really smooth upgrade overall. But when I tried to use my OpenVPN client I couldn’t connect to the server, which uses a fairly outdated version.

The problem is two-fold: previous versions of OpenVPN used a cipher that is now deprecated (so you now need to enable it explicitly), and that cipher is no longer part of the “default” ones loaded by OpenSSL.

To solve this, you might need to add this to your .ovpn config file:

cipher BF-CBC
data-ciphers-fallback BF-CBC
data-ciphers BF-CBC
tls-cipher "DEFAULT:@SECLEVEL=0"
providers legacy default

  • Lines 1-3 explicitly use the deprecated BF-CBC cipher.
  • Since that is an insecure cipher, OpenVPN will issue a VERIFY ERROR when trying to connect to the server. Line 4 silences that error by setting the OpenSSL security level to 0.
  • Line 5 enables the legacy provider for OpenSSL, which is the one that includes the BF-CBC cipher. You should also include default for it to work correctly.

This is just a workaround. Remember that it is in fact an insecure connection, so reach out to the server admin to push for the upgrade.
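
To keep track of which client configs still carry this workaround (so it can be removed once the server is upgraded), here is an added example, not part of the original post, that reports the weakened directives in an .ovpn file. The helper names audit_ovpn and sample_config and the sample config (including vpn.example.org) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the weakened directives from this post in an OpenVPN
# client config. audit_ovpn and sample_config are hypothetical helper names.

# audit_ovpn [FILE]: print "line:directive:reason" for each weak setting.
# Reads standard input when FILE is omitted.
audit_ovpn() {
    awk '
        /^[ \t]*[#;]/ { next }    # comment lines are not active settings
        ($1 == "cipher" || $1 == "data-ciphers" || $1 == "data-ciphers-fallback") &&
        (toupper($0) ~ /BF-CBC/) {
            printf "%d:%s:deprecated BF-CBC data cipher enabled\n", NR, $1
        }
        ($1 == "tls-cipher") && (toupper($0) ~ /@SECLEVEL=0/) {
            printf "%d:%s:OpenSSL security level set to 0\n", NR, $1
        }
        $1 == "providers" {
            for (i = 2; i <= NF; i++)
                if ($i == "legacy")
                    printf "%d:%s:OpenSSL legacy provider loaded\n", NR, $1
        }
    ' "${1:--}"
}

# Constructed sample: the workaround from the post inside an otherwise
# ordinary client config, plus a commented-out line that must not be flagged.
sample_config() {
    cat <<'EOF'
client
remote vpn.example.org 1194
# cipher BF-CBC
cipher BF-CBC
data-ciphers-fallback BF-CBC
data-ciphers AES-256-GCM:BF-CBC
tls-cipher "DEFAULT:@SECLEVEL=0"
providers legacy default
EOF
}

# With a path argument audit that file; otherwise audit the constructed sample.
if [ "$#" -gt 0 ]; then
    audit_ovpn "$1"
else
    sample_config | audit_ovpn
fi
```

An empty result means none of the three workaround settings is active in the file.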