I recently upgraded to Debian 12 (bookworm), which was a really smooth upgrade overall. But when I tried to use my OpenVPN client I couldn’t connect to the server, which uses a fairly outdated version.
The problem is two-fold: for one, previous versions of OpenVPN used a cipher that is now deprecated (so now you need to explicitly enable it), and for another, that cipher is no longer part of the “default” ones loaded by OpenSSL.
To solve this, you might need to add this to your .ovpn config file:
```
cipher BF-CBC
data-ciphers-fallback BF-CBC
data-ciphers BF-CBC
tls-cipher "DEFAULT:@SECLEVEL=0"
providers legacy default
```
- Lines 1-3 explicitly use the deprecated
- Since that is an insecure cipher, OpenVPN will issue a `VERIFY ERROR` when trying to connect to the server. Line 4 lets you silence that error.
- Line 5 enables the `legacy` provider for OpenSSL, which is the one that includes the BF-CBC cipher. You should also include `default` for it to work correctly.
This is just a workaround. Remember that it is in fact an insecure connection, so reach out to the server admin to push for the upgrade.
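To keep track of which client configs still carry this workaround, so it can be removed once the server is upgraded, here is a small audit script. It is an added example, not part of the original post; the `WEAK_CIPHERS` list, the function name `audit_ovpn` and the sample config (including `vpn.example.org`) are assumptions made up for illustration.

```python
import re
import shlex

# 64-bit-block ciphers; an illustrative list assumed for this example, not exhaustive.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC"}
CIPHER_DIRECTIVES = {"cipher", "data-ciphers", "data-ciphers-fallback", "ncp-ciphers"}

def audit_ovpn(text):
    """Return (line_no, directive, reason) for each weakened setting in an .ovpn file."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":       # OpenVPN comment markers
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:                    # unbalanced quotes: fall back to a plain split
            tokens = line.split()
        if not tokens:
            continue
        name, args = tokens[0].lower(), tokens[1:]
        if name in CIPHER_DIRECTIVES:
            # data-ciphers takes a colon-separated list, so split every argument
            listed = {c.upper() for a in args for c in a.split(":")}
            for c in sorted(listed & WEAK_CIPHERS):
                findings.append((no, name, f"weak cipher {c}"))
        elif name == "tls-cipher":
            m = re.search(r"@SECLEVEL=(\d+)", " ".join(args))
            if m and int(m.group(1)) == 0:    # level 0 turns off OpenSSL's strength checks
                findings.append((no, name, "OpenSSL security level 0"))
        elif name == "providers" and "legacy" in (a.lower() for a in args):
            findings.append((no, name, "OpenSSL legacy provider loaded"))
    return findings

# Constructed sample: the five workaround lines from the post inside a minimal client config.
SAMPLE = """\
client
remote vpn.example.org 1194
; workaround for the outdated server
cipher BF-CBC
data-ciphers-fallback BF-CBC
data-ciphers BF-CBC
tls-cipher "DEFAULT:@SECLEVEL=0"
providers legacy default
"""

if __name__ == "__main__":
    for no, directive, reason in audit_ovpn(SAMPLE):
        print(f"line {no}: {directive}: {reason}")
```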