Score:11

Ubuntu 22.10. OpenVPN cannot connect as a client

ru flag

After updating to Ubuntu 22.10, openvpn cannot connect to the server as a client using the same old working ovpn profile from Ubuntu 22.04 LTS.

I constantly get an error:

2022-10-20 20:10:04 TCPv4_CLIENT link remote: [AF_INET]xx.xxx.xxx.xxx:1194
2022-10-20 20:10:04 Connection reset, restarting [0]
2022-10-20 20:10:04 SIGUSR1[soft,connection-reset] received, process restarting

I tried to reinstall openvpn but it did not help.

My configuration:

client
dev tun
proto tcp
remote xx.xxx.xxx.x 1194
user nobody
group nogroup
persist-key
persist-tun
pkcs12 /home/dyedfox/openvpn/opvn-client1.p12
auth-user-pass /home/dyedfox/openvpn/auth.cfg
askpass /home/dyedfox/openvpn/keypass.cfg
remote-cert-tls server
route 10.0.0.0 255.255.0.0 10.8.8.1
route 10.176.64.16 255.255.255.248 10.8.8.1
route 10.210.4.200 255.255.255.248 10.8.8.1
cipher AES-256-CBC

Would you please help me with this issue?

P.S. Complete output:

2022-10-20 21:36:40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 
2022-10-20 21:36:40 WARNING: file '/home/dyedfox/openvpn/opvn-client1.p12' is group or others accessible
2022-10-20 21:36:40 WARNING: file '/home/dyedfox/openvpn/keypass.cfg' is group or others accessible
2022-10-20 21:36:40 WARNING: file '/home/dyedfox/openvpn/auth.cfg' is group or others accessible
2022-10-20 21:36:40 OpenVPN 2.6_git x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2022-10-20 21:36:40 library versions: OpenSSL 3.0.5 5 Jul 2022, LZO 2.10
2022-10-20 21:36:40 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2022-10-20 21:36:40 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:40 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:40 TCP connection established with [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:40 TCPv4_CLIENT link local: (not bound)
2022-10-20 21:36:40 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:40 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
2022-10-20 21:36:41 Connection reset, restarting [0]
2022-10-20 21:36:41 SIGUSR1[soft,connection-reset] received, process restarting
2022-10-20 21:36:46 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:46 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:46 TCP connection established with [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:46 TCPv4_CLIENT link local: (not bound)
2022-10-20 21:36:46 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:47 Connection reset, restarting [0]
2022-10-20 21:36:47 SIGUSR1[soft,connection-reset] received, process restarting
2022-10-20 21:36:52 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:52 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:52 TCP connection established with [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:52 TCPv4_CLIENT link local: (not bound)
2022-10-20 21:36:52 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:53 Connection reset, restarting [0]
2022-10-20 21:36:53 SIGUSR1[soft,connection-reset] received, process restarting
2022-10-20 21:36:58 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:58 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:58 TCP connection established with [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:58 TCPv4_CLIENT link local: (not bound)
2022-10-20 21:36:58 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.x:1194
2022-10-20 21:36:58 Connection reset, restarting [0]
2022-10-20 21:36:58 SIGUSR1[soft,connection-reset] received, process restarting
Organic Marble avatar
us flag
I compared this with a log from a recent successful connection. I use UDP so that is definitely a difference. The only thing I saw that looked a lot different was in the line `TCPv4_CLIENT link local: (not bound)`; I got `UDPv4 link local (bound): [AF_INET][undef]:1194`. Ignoring the TCP/UDP difference, I wonder if the not bound / bound difference is significant.
dyedfox avatar
ru flag
@OrganicMarble Thanks. I've tried to switch to UDP - it only gets worse: I get a bunch of errors. What I noticed - OpenVPN used inside VMs under Ubuntu 22.10 cannot establish a connection either. So, it seems to be a common connectivity problem of this release so far. Maybe it will be fixed in some future updates...
Score:17
US flag

This is caused by a bug in network-manager-openvpn.

Ubuntu 22.10 updated to a newer version of OpenVPN (2.6), which doesn't support the cipher option, ignores it, and expects the newer data-ciphers option, as seen in your output here:

2022-10-20 21:36:40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.

The problem is that the old option is hardcoded in network-manager-openvpn, so rewriting to the new one won't work, except if you pass it using the command line.

For the time being, you should downgrade to OpenVPN 2.5.5. Here are the steps, based on this answer, which also helped me a lot: https://askubuntu.com/a/1406472/1589545

  1. Uninstall the current OpenVPN version if installed: `sudo apt remove openvpn`

  2. Install OpenVPN 2.5.5

  3. Optional: mark OpenVPN not to update: `sudo apt-mark hold openvpn`

  4. Reinstall NetworkManager OpenVPN GUI: `sudo apt install network-manager-openvpn-gnome`

dyedfox avatar
ru flag
Thank you very much. It helped me indeed.
st flag
After the downgrade, the error message remains exactly the same for me...
wolfmanFP avatar
md
For the record, I *never* wrote that this was the only solution. Quoting stuff I didn't write is also very misleading. I ran into this problem (after what meant to be just a quick upgrade) and needed a quick solution, and that was what helped me. I wasn't familiar with the way NetworkManager stores its configurations.
user221931 avatar
cn flag
@wolfmanFP The quotation marks in my comment were not meant as literally what you wrote but as here is my rough understanding of your answer in two words. I didn't mean to be misleading or hostile, we're all here to help each other (I hope). I've deleted my previous message and apologize for the confusion.
Score:9
hr flag

I just added

data-ciphers=AES-128-CBC

below the original cipher entry in

/etc/NetworkManager/system-connections/MYVPN.nmconnection

and it's working.

cipher=AES-128-CBC
data-ciphers=AES-128-CBC
Score:6
ky flag

I have found a way to make it work without downgrading the OpenVPN version, using OpenVPN 2.6.

It looks like NetworkManager doesn't read all options (like data-ciphers option) from the ovpn file. The idea is to put the required options manually, directly into the NetworkManager config file.

Here are the instructions:

  1. Your OpenVPN connection should already be present in the VPN connections list in NetworkManager. If it is not, you can create it using the "Import from file..." menu item (Settings -> Network -> VPN -> VPN + -> Import from file...)

  2. Run the gnome-terminal: press Alt-F2 on your keyboard, type gnome-terminal and press Enter

  3. In the Terminal app please run the following command to edit the NetworkManager connection file:

    sudo nano /etc/NetworkManager/system-connections/*your_connection_name*.nmconnection
    

    Enter the password for your Ubuntu user when the system asks for it and press Enter (the password or asterisks will not be displayed in the Terminal).

  4. Add the following line to the [vpn] section:

    data-ciphers=AES-256-CBC
    

    Instead of AES-256-CBC, please set the data-ciphers value supported by your OpenVPN server or OpenVPN service supplier. You should be able to find this value in the ovpn file provided by the VPN service supplier.

  5. Press F2 on the keyboard, then press y and Enter to save the file.

  6. Restart the NetworkManager service by running the following command:

    sudo systemctl restart NetworkManager
    
  7. Try to connect the OpenVPN connection from the Network Manager.

Score:3
pk flag

As @wolfmanFP points out, this is due to the new OpenVPN 2.6 version and an out-of-date config file.

I fixed the issue by downgrading to OpenVPN 2.5, as wolfmanFP suggested. That works perfectly fine.

However I felt that we could go a bit further and adapt the config file to the new OpenVPN 2.6 requirements.

So basically I had to remove the line where it says:

cipher AES-256-CBC

And replace it with:

data-ciphers AES-256-CBC
data-ciphers-fallback AES-256-CBC

When you try to connect again, now you won't get any warning and the connection will succeed. Or at least it has for me. And this way you can be on OpenVPN 2.6 or higher.

dyedfox avatar
ru flag
Thank you very much! It works for me!
st flag
I tried every suggestion, but nothing changes; the error message remains the same even though I changed the cipher option and value....
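The checks below reproduce, for an .ovpn profile like the one in the question, the three warnings OpenVPN 2.6 logged there: the ignored `cipher`, credential files readable by group or others, and the missing `auth-nocache`. This is an added example, not code from the thread or from OpenVPN; the function names, the sample profile and its paths are constructed, and the default cipher list is the one quoted in the log.

```python
import os
import stat

# Default list copied from the DEPRECATED OPTION line in the question's log.
DEFAULT_DATA_CIPHERS = "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305"
# Directives in the question's profile whose argument is a file holding secrets.
SECRET_FILE_DIRECTIVES = ("pkcs12", "auth-user-pass", "askpass")


def parse_directives(text):
    """Return {directive: [args]} for an .ovpn profile, skipping blanks and comments."""
    opts = {}
    for raw in text.splitlines():
        words = raw.split()
        if words and words[0][0] not in "#;":
            opts[words[0].lstrip("-")] = words[1:]
    return opts


def lint_profile(text, mode_of=lambda p: stat.S_IMODE(os.stat(p).st_mode)):
    """Return findings matching the warnings OpenVPN 2.6 printed in the question."""
    opts, findings = parse_directives(text), []
    cipher = (opts.get("cipher") or [None])[0]
    offered = (opts.get("data-ciphers") or [DEFAULT_DATA_CIPHERS])[0].split(":")
    if cipher and cipher not in offered:
        findings.append(f"cipher {cipher} ignored: not in data-ciphers {':'.join(offered)}")
    if "auth-user-pass" in opts and "auth-nocache" not in opts:
        findings.append("auth-user-pass without auth-nocache: password may stay in memory")
    for name in SECRET_FILE_DIRECTIVES:
        for path in opts.get(name, [])[:1]:
            try:
                mode = mode_of(path)  # mode_of is injectable so tests need no real files
            except OSError:
                findings.append(f"{name} file {path} is missing or unreadable")
                continue
            if mode & 0o077:  # any group/other bit set
                findings.append(f"{path} is mode {mode:04o}: run chmod 600 on it")
    return findings


if __name__ == "__main__":
    # Constructed sample: a few lines shaped like the question's profile, placeholder paths.
    SAMPLE = "client\npkcs12 /tmp/example.p12\nauth-user-pass /tmp/auth.cfg\ncipher AES-256-CBC\n"
    for finding in lint_profile(SAMPLE, mode_of=lambda path: 0o644):
        print(finding)
```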
Score:2
rs flag

Someone added a fix to the repository; you can download and compile the network-manager-openvpn package yourself.

In my case it works on the following environment:
Ubuntu 22.10
Kernel: 6.0.9-060009-generic
OpenVPN 2.6_git x86_64-pc-linux-gnu
OpenSSL 3.0.5 5 Jul 2022, LZO 2.10

sudo apt install autopoint autoconf libtool
cd /tmp
git clone https://gitlab.gnome.org/GNOME/NetworkManager-openvpn.git
cd NetworkManager-openvpn
git checkout 020ab0c4b872fa5415ed1a5e682acb3343c7b9f3
./autogen.sh
make -j
make -j check 
sudo make -j install
ATutorMe avatar
in flag
Thanks for the info. How can we know when this fix appears in the main Ubuntu repo? Is there any git commit ref we can cross-check with?
Score:2
gn flag

In my case I have cipher=AES-256-CBC in the new VPN profile in /etc/NetworkManager/system-connections/xxxx.nmconnection

Just below cipher=AES-256-CBC add data-ciphers=AES-256-CBC, like this:

cipher=AES-256-CBC
data-ciphers=AES-256-CBC

Restart with sudo service NetworkManager restart and the VPN connection works as expected. Tested on Ubuntu 22.10, openvpn 2.6.

Score:1
gh flag

How I connect in Ubuntu 22.10 Gnome and IPVanish VPN.

Test machine: Fresh install, no upgrades yet...

sudo apt-get install -y openvpn network-manager-openvpn network-manager-openvpn-gnome

The above packages were installed out of the box already, but may help someone else troubleshoot.

Speaking of troubleshooting...

tail -f /var/log/syslog

This displays errors from NetworkManager and other processes and is what clued me into the hack/fix which I found on a Kubuntu forum. https://www.kubuntuforums.net/forum/currently-supported-releases/kubuntu-22-10/network-support-bc/666945-network-manager-fails-to-connect-to-open-vpn-expressvpn-terminal-works-fine

The error I was receiving (one of) was "NetworkManager[25475]: Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: keysize (2.6_git)"

The simple fix of commenting out the line "keysize 256" in /etc/NetworkManager/system-connections/ipvanish-US-Seattle-sea-a01.nmconnection fixed the issue.

Steps to fix...

sudo nano /etc/NetworkManager/system-connections/ipvanish-US-Seattle-sea-a01.nmconnection

Obviously this is an IPVanish specific configuration file, but the same concept may apply to other VPNs. Once you attempt to import a .ovpn file and connect, a network manager configuration file will be generated in the above directory (/etc/NetworkManager/system-connections/).

Change the line "keysize 256" to "#keysize 256" and save.

Now restart NetworkManager...

sudo systemctl restart NetworkManager

Connect to the VPN.

This is the easiest fix.

Other things I've tried...

Downgrading and holding openvpn as per wolfmanFP's instructions (this has worked in the past and is the only method I had success with, however, this stopped working for me yesterday after a fresh Ubuntu install, Kali too).

Maybe the libs got updated, maybe I missed/altered steps, but wolfmanFP's method used to work with 22.10 and now it doesn't (at least for me and this specific computer).

I've also tried Jan Kunzmann's method, which had no effect.

The error "nm-openvpn[26036]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations." is still present, but it still connects.

Anyway, this new method is consistent and only requires modifying one line in a config file.

Hope this helps you avoid hours of searching and troubleshooting.

Score:0
sv flag

Enabling the legacy provider in /etc/ssl/openssl.cnf did it for me on Debian 12:

https://bbs.archlinux.org/viewtopic.php?id=280970

Score:0
in flag

Ubuntu 23.04.

openvpn --version
OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 14 2022
library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10

These steps helped me.

In a terminal:

sudo openvpn --config ./client.ovpn

The command output hints at exactly which ciphers you need (something about adding --data-ciphers XX-XXX). Modifying the command to

sudo openvpn --data-ciphers-fallback XX-XXX --data-ciphers XX-XXX --config ./client.ovpn

establishes connection.

For the GUI, after unsuccessful attempts, add the row

cipher=XX-XXX

to the [vpn] section of the file

/etc/NetworkManager/system-connections/your_vpn_connection.nmconnection