App Support.

We're here to help.



Migrating from OpenVPN 2.4 to OpenVPN 2.5

Viscosity 1.10.5 drops support for OpenVPN 2.4, and now only supports OpenVPN 2.5 connections. For the vast majority of users no migration changes are needed and connections will automatically work.

Viscosity has defaulted to using OpenVPN 2.5 for many years, and in cases where OpenVPN 2.4 was used OpenVPN 2.5 is backwards compatible and should continue to work. You will still be able to connect to OpenVPN servers running 2.4 or older versions.

OpenVPN 2.4 is end-of-life and so it is no longer being updated or maintained by the OpenVPN team. Furthermore, the version of OpenSSL it supports will be end-of-life later this year (September 2023), and so it should be considered insecure moving forwards.

I've Updated to Viscosity 1.10.5 and Now I Can't Connect

If you were successfully connecting your VPN connections using an older version of Viscosity, but you can't after updating to Viscosity 1.10.5, then this likely means your copy of Viscosity was previously configured to use OpenVPN 2.4. Please follow the troubleshooting steps below to resolve the problem.

Step 1: Contact Your VPN Provider

We highly recommend contacting your VPN Provider first. They should be able to supply you with an up-to-date configuration for OpenVPN 2.5 which you can import and connect without needing to do any troubleshooting.

If you are a server administrator, we also recommend updating your server and configuration for OpenVPN 2.5 where possible.

Step 2: Check Your Previous Version

If you've updated from Viscosity version 1.8.6 or earlier, your connection may have been configured to use OpenVPN 2.3. If this is the case, please see the article Migrating from OpenVPN 2.3 to OpenVPN 2.4 for information before proceeding.

If you were previously using Viscosity version 1.9 or later, please proceed to the next step.

Step 3: Cipher Settings

OpenVPN 2.5 deprecates support for the BF-CBC (Blowfish) encryption cipher. BF-CBC is no longer considered secure (see the SWEET32 attack). If the OpenVPN server is still using BF-CBC, OpenVPN 2.5 and later will refuse to connect to it by default.

OpenVPN 2.3 and older versions default to using BF-CBC as the cipher. So if the OpenVPN server is running OpenVPN 2.3 or earlier, you'll likely run into this issue. The recommended solution is to update the server to OpenVPN 2.4 or later (which defaults to using AES-GCM instead).

If you're unable to update the OpenVPN server, you can still allow the use of the BF-CBC cipher by adding the command cipher BF-CBC on a new line in the advanced commands area. Please see the Advanced Configuration Commands article for information on how to add advanced commands to your VPN connection.

Further Troubleshooting

If you are still having connection issues after following the above steps, the issue may not be related to updating to OpenVPN 2.5. Please try the steps listed in the Troubleshooting Connection Problems article.