OpenVPN can't connect after upgrade to F38

Ask Fedora
,
1

After recent upgrade to F38 I noticed I can’t connect to my custom VPN server running on a router.
The VPN server still works fine, I was still able to connect to it using other systems, but F38 gives me this error.

[phalkon@aerie ~]$ sudo openvpn --config vpn.ovpn 
2023-10-01 09:35:11 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2023-10-01 09:35:11 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 
2023-10-01 09:35:11 OpenVPN 2.6.6 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2023-10-01 09:35:11 library versions: OpenSSL 3.0.9 30 May 2023, LZO 2.10
2023-10-01 09:35:11 DCO version: N/A
2023-10-01 09:35:11 OpenSSL: error:0A00018F:SSL routines::ee key too small:
2023-10-01 09:35:11 Cannot load inline certificate file
2023-10-01 09:35:11 Exiting due to fatal error

I noticed the warning about cipher being missing from --data-ciphers so I added it in, but the issue remains.

[phalkon@aerie ~]$ sudo openvpn --data-ciphers AES-128-CBC --config vpn.ovpn 
2023-10-01 09:35:54 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2023-10-01 09:35:54 OpenVPN 2.6.6 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2023-10-01 09:35:54 library versions: OpenSSL 3.0.9 30 May 2023, LZO 2.10
2023-10-01 09:35:54 DCO version: N/A
2023-10-01 09:35:54 OpenSSL: error:0A00018F:SSL routines::ee key too small:
2023-10-01 09:35:54 Cannot load inline certificate file
2023-10-01 09:35:54 Exiting due to fatal error

Here’s vpn config file (without the keys and IP addresses).

client
dev tun
proto udp
float
nobind
cipher AES-128-CBC
comp-lzo adaptive
resolv-retry infinite
remote-cert-tls server
persist-key
persist-tun
remote xxx.xxx.xxx.xxx 1194
<ca>
-----BEGIN CERTIFICATE-----
x
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
x
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
x
-----END PRIVATE KEY-----
</key>
2

Looks like the version of OpenSSL and the algorithms used to generate your PKI are no longer considered secure, so it would be best to regenerate the PKI on Fedora and upgrade the firmware on the router if possible.
In addition, remove the compression-relates options from both client and server configs.
Also consider migrating to WireGuard for higher performance and easier configuration.

3

Unfortunately there’s no firmware upgrade available for the router.

I wonder, is there’s any other way I might still be able to use it?
I tried playing with the --compat-mode option in openvpn but I’m not sure that’s the solution.
Downgrading openssl also didn’t work.

I realise I probably shouldn’t be using unsecure VPN but I think the only real solution would be to flash the router with openwrt and that’s not an option… at least not until I get physical access to the router, I don’t want to be playing with something like that over ssh. :]