OpenVPN: unable to connect after upgrade to F38

After upgrading to F38, I cannot connect to my work’s VPN any longer. If I understood it right, OpenVPN disables compression on the client by default, and the server is trying to enforce it:

Apr 25 15:41:30 fedoracosta nm-openvpn[32331]: OpenVPN 2.6.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
Apr 25 15:41:30 fedoracosta nm-openvpn[32331]: library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
Apr 25 15:41:30 fedoracosta nm-openvpn[32331]: DCO version: N/A
Apr 25 15:41:30 fedoracosta nm-openvpn[32331]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 25 15:41:30 fedoracosta nm-openvpn[32331]: TCP/UDP: Preserving recently used remote address: [AF_INET]xxx
Apr 25 15:41:30 fedoracosta nm-openvpn[32331]: UDPv4 link local: (not bound)
Apr 25 15:41:30 fedoracosta nm-openvpn[32331]: UDPv4 link remote: [AF_INET]xxx
Apr 25 15:41:30 fedoracosta nm-openvpn[32331]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Apr 25 15:41:30 fedoracosta nm-openvpn[32331]: [xxx] Peer Connection Initiated with [AF_INET]xxx
Apr 25 15:41:30 fedoracosta nm-openvpn[32331]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: register-dns (2.6.2)
Apr 25 15:41:30 fedoracosta nm-openvpn[32331]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:7: block-outside-dns (2.6.2)
Apr 25 15:41:30 fedoracosta nm-openvpn[32331]: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Apr 25 15:41:30 fedoracosta nm-openvpn[32331]: Compression is not allowed since allow-compression is set to 'stub-only'
Apr 25 15:41:30 fedoracosta nm-openvpn[32331]: OPTIONS ERROR: server pushed compression settings that are not allowed and will result in a non-working connection. See also allow-compression in the manual.
Apr 25 15:41:30 fedoracosta nm-openvpn[32331]: ERROR: Failed to apply push options
Apr 25 15:41:30 fedoracosta nm-openvpn[32331]: Failed to open tun/tap interface
Apr 25 15:41:30 fedoracosta nm-openvpn[32331]: SIGUSR1[soft,process-push-msg-failed] received, process restarting

How can I configure this on the client side? I understood that compression has been disabled by default due to security flaws, but I am willing to enable it until this is properly fixed on the server side. The IT staff's solution is “downgrade OpenVPN to 2.5.1”, but that’s of course not possible.

I tried adding comp-lzo yes to /etc/openvpn/client/client.conf file (which didn’t exist – is this the right place/file?), but it seemed to have no effect. The other parameters (register-dns and block-outside-dns) are meant for Windows and are mere warnings on Linux, as far as I could see.

Apparently that server is pushing vulnerable options.
It is best to fix the server side configuration, or change the server.

You can try to temporarily downgrade the client packages:
Networkmanager-openvpn bug (?) in Fedora 38 - #18 by gzickert

If necessary, also downgrade the security policy:
Changes/StrongCryptoSettings2 - Fedora Project Wiki


Thanks a bunch @vgaetera , that worked! :clap: For the record, the solution was replacing some packages by their F37 counterparts with sudo dnf downgrade --releasever=37 NetworkManager NetworkManager-openvpn openvpn

I had to pin these packages so that dnf wouldn’t try to upgrade them every time. I followed this tip and installed the versionlock plugin. So far, it seems to be working just fine :raised_hands: It should be just a temporary solution, since I don’t want to be using the old versions for too long; this might be unsustainable in the long term. Let’s see how this goes.

(and, yes, the proper solution is to fix the problem on the server side, but that’s out of my control :disappointed: )

I have the same problem … unfortunately, downgrading the NetworkManager packages is not an option for me, as it breaks the online accounts in Evolution. Any ideas if there will be a fix for this at some point? (Upgrading the VPN server is also not an option, as I am using my router’s VPN.)

Another unfortunate side effect is that you cannot use GNOME Software anymore, since AFAIK it will ignore dnf plugins and will try to upgrade the NetworkManager packages to F38 :disappointed:

Hi there,
I had the same problem, but thought that the proposed solution was not the optimal one.
In the journalctl log, I found this:

nm-openvpn[6774]: OPTIONS ERROR: failed to negotiate cipher with server. Add the server’s cipher (‘AES-256-GCM’) to --data-ciphers (currently ‘AES-256-CBC’) if you want to connect to this server.

What worked for me is this:

  • Go to Network settings
  • Click the little wheel next to your VPN configuration
  • Select Identity and then Advanced
  • On the Security tab, select AES-256-GCM in the dropdown instead of the existing AES-256-CBC

And voilà, now it works again :slight_smile:

Nice @karekubik ! I’m glad it worked for you. However, in my case, I guess the problem is not the type of the cipher, but instead the parameters the server tries to push to the client… If you happen to have any solution for that as well, I would be more than happy :wink:

Glad you got it working … when I follow those steps I get the following errors:

2023-05-09 10:27:07 OPTIONS ERROR: failed to negotiate cipher with server. Configure --data-ciphers-fallback if you want to connect to this server.
2023-05-09 10:27:07 ERROR: Failed to apply push options
2023-05-09 10:27:07 Failed to open tun/tap interface
2023-05-09 10:27:07 SIGUSR1[soft,process-push-msg-failed] received, process restarting

I think my router VPN is too old …

Not sure where to take it from there.
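As an added example (not code from this thread or from OpenVPN), a small Python classifier that sorts the nm-openvpn journal messages quoted in the original post and in the two cipher errors above into their three distinct causes: a server that pushes compression, a server cipher missing from the client's data-ciphers, and a server too old to negotiate ciphers at all. Telling them apart decides whether the fix belongs on the server or in the client's Security tab. The sample lines are constructed from the messages quoted in this thread; journal prefixes and the forum's curly quotes are normalised before matching.

```python
import re

# Constructed sample lines, modelled on the journal excerpts quoted in this thread.
SAMPLE_COMPRESSION = """\
Apr 25 15:41:30 fedoracosta nm-openvpn[32331]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: register-dns (2.6.2)
Apr 25 15:41:30 fedoracosta nm-openvpn[32331]: Compression is not allowed since allow-compression is set to 'stub-only'
Apr 25 15:41:30 fedoracosta nm-openvpn[32331]: OPTIONS ERROR: server pushed compression settings that are not allowed and will result in a non-working connection. See also allow-compression in the manual.
Apr 25 15:41:30 fedoracosta nm-openvpn[32331]: ERROR: Failed to apply push options
"""
SAMPLE_CIPHER = ("nm-openvpn[6774]: OPTIONS ERROR: failed to negotiate cipher with server. "
                 "Add the server\u2019s cipher (\u2018AES-256-GCM\u2019) to --data-ciphers "
                 "(currently \u2018AES-256-CBC\u2019) if you want to connect to this server.\n")
SAMPLE_FALLBACK = ("2023-05-09 10:27:07 OPTIONS ERROR: failed to negotiate cipher with server. "
                   "Configure --data-ciphers-fallback if you want to connect to this server.\n")

UNKNOWN_PUSH = re.compile(r"\[PUSH-OPTIONS\]:\d+: (\S+) \(")
ALLOW_COMP = re.compile(r"allow-compression is set to '([^']+)'")
CIPHER_ADD = re.compile(r"Add the server's cipher \('([^']+)'\) to --data-ciphers \(currently '([^']+)'\)")

def _message(line):
    """Drop the journal/syslog prefix and turn curly quotes into ASCII quotes."""
    msg = line.split("]: ", 1)[1] if "]: " in line else line
    return msg.replace("\u2018", "'").replace("\u2019", "'")

def diagnose(log_text):
    """Classify one failed connection attempt; returns a dict with 'cause' plus details."""
    result = {"cause": "unknown", "ignored_pushed_options": []}
    for line in log_text.splitlines():
        msg = _message(line)
        if m := UNKNOWN_PUSH.search(msg):
            # Unknown pushed options (register-dns, block-outside-dns) are warnings only on Linux.
            result["ignored_pushed_options"].append(m.group(1))
        elif m := ALLOW_COMP.search(msg):
            result["allow_compression"] = m.group(1)   # the client's current setting
        elif "server pushed compression settings that are not allowed" in msg:
            result["cause"] = "server-pushes-compression"  # fix belongs on the server
        elif m := CIPHER_ADD.search(msg):
            result["cause"] = "cipher-not-in-data-ciphers"  # add server cipher on the client
            result["server_cipher"], result["client_ciphers"] = m.group(1), m.group(2)
        elif "Configure --data-ciphers-fallback" in msg:
            result["cause"] = "server-has-no-cipher-negotiation"  # server predates NCP
    return result

if __name__ == "__main__":
    for name, text in [("compression", SAMPLE_COMPRESSION), ("cipher", SAMPLE_CIPHER),
                       ("fallback", SAMPLE_FALLBACK)]:
        print(name, diagnose(text))
```

Feed it `journalctl -u NetworkManager --since "5 min ago"` output to get the same classification for a live attempt.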

@soellner I might be wrong, but I believe @karekubik had a different problem, yours is closer to the one I am having.

I used to use Proton VPN, especially when logging in to Spotify. I usually had issues when moving from one release to the next, from F35 to F36 and from F36 to F37.

Sometimes it is just the service provider (Proton in this case) taking some time to update their repos to the new version of Fedora… it takes a couple of weeks.

In my current install (I did a clean install of F37 and updated to F38) I ceased to use Proton VPN, since I’m relying more on my local music library, Rhythmbox and GNOME Podcasts with RSS feeds for, well, podcasts.

I discovered that the import data my VPN provider supplied specified the cipher as AES-256-CBC. I replaced it with AES-256-GCM as follows:

  1. Right click on the NetworkManager icon in the panel bar and select “Edit Connections”.
  2. Select your VPN connection and click the Wheel icon.
  3. Go to the bottom right corner of the screen (scroll may be necessary). Click on “Advanced…” button.
  4. Click on the “Security” tab.
  5. Open the “Cipher” drop down list and select “AES-256-GCM”.
  6. Click the “Apply” button.
  7. Click the “Save” button and you’re done.

Reboot and give it a try. It appears that AES-256-CBC is not secure and has been disallowed by the new openvpn client.

Good afternoon. I also had this problem. But I have 2 OpenVpn Servers. Only one had a problem. I started looking for differences and discovered that the downloaded client configuration was different. One contained only a CA certificate, the other some other certificates. I exported the OpenVpn Server certificate from a working configuration and installed this certificate on a non-working server. After that, I told OpenVpn Server to use the installed certificate. Next, I exported the client configuration and created a new connection on Fedora 38 and everything worked. When installing a new certificate on the OpenVpn server, the files ca.crt, vpn.crt, vpn.key were used.
I suspect that Fedora 38 has tightened the requirements for configuration with certificates.