OpenVPN and backwards compatibility

To be clear, I am not an expert and this is really making my brain hurt.

I updated my pfSense and discovered this by accident due to my commercial VPN provider no longer being compatible with the new OpenVPN standards.

Rather than even attempting to explain it, here’s a link: Community Downloads | OpenVPN

Look at the 2.5 section for details.

Connecting with an OpenVPN 2.5 client to at least one commercial VPN service that implemented their own cipher negotiation method that always reports back that it is using BF-CBC to the client is broken in v2.5. This has always caused warnings about mismatched ciphers. We have been in contact with some service providers and they are looking into it. This is not something the OpenVPN community can fix. If your commercial VPN does not work with a v2.5 client, complain to the VPN service provider.

I have linked this info to my VPN Provider to try and get them to make the required changes ASAP.

That’s so strange, what is it that makes them incompatible? OpenVPN is usually fairly good with backwards compatibility.

Again, I am not an expert.

But, if I am reading this correctly and following the complaints on the Netgate forums etc., the issue seems to be the way the ciphers were changed, leading commercial VPNs that have not updated to OpenVPN 2.5 to need to rewrite/reissue new configs to stay compatible with any clients that have been updated.

Cipher handling for the data channel cipher has been significantly changed between OpenVPN 2.3/2.4 and v2.5; most notably, there is no “default cipher BF-CBC” anymore because it is no longer considered a reasonable default. BF-CBC is still available, but it needs to be explicitly configured now.

If you really need to use an unsupported OpenVPN 2.3 (or even older) release and need to stay on BF-CBC (not recommended), the OpenVPN 2.5 based client will need a config file change to re-enable BF-CBC. But be warned that BF-CBC and other related weak ciphers will be removed in coming OpenVPN major releases.

You can still connect to 10-year-old servers running 2.2 using a 2.5 client; you just might need a config change in case the server is using weak crypto.
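The config change the quoted release notes refer to, as an added example that is not from the original thread or from the OpenVPN project itself: a 2.5 client config for a legacy server that still expects BF-CBC. The hostname is a placeholder; the `data-ciphers` and `data-ciphers-fallback` directives are OpenVPN 2.5's own.

```conf
# OpenVPN 2.5 client config for a legacy (2.3 or older) BF-CBC server.
# Constructed example; vpn.example.net is a placeholder.
client
dev tun
proto udp
remote vpn.example.net 1194

# A 2.3/2.4 client config usually had no "cipher" line at all: those
# versions silently defaulted to BF-CBC. 2.5 has no default cipher, so
# connecting to such a server fails until the weak cipher is named.

# Ciphers offered during negotiation with servers that support it (2.4+).
# BF-CBC is listed last so it is only chosen if nothing stronger is offered.
data-ciphers AES-256-GCM:AES-128-GCM:BF-CBC

# Cipher used when the server does not negotiate at all (2.3 and older).
# Blowfish is a 64-bit block cipher and is not recommended: keep this
# line only until the server side is upgraded, then remove it.
data-ciphers-fallback BF-CBC
```

The client log reports which data channel cipher was actually selected; seeing BF-CBC there means the server side still has not moved to a modern cipher.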

To my eyes, the fact you can connect at all sounds impressive.

I suspect it is due to the provider using their own cipher but reporting back to the client something that isn’t exactly true; the client tries to negotiate its own interpretation of the out-of-official-spec provider response and fails, because it is out of spec.

Crypto ciphers for like… everything appear to be unnecessarily complicated IMHO.

There’s a whole world of weird incompatibility bugs. Win10 vs. pfSense IKEv2 VPN, for example: Windows just breaks after 8 hours due to a re-keying problem that I haven’t been able to fix yet; advice to end users is “take a break for lunch” :smiley: