Migrating from OpenVPN 2.5 to OpenVPN 2.6
Viscosity 1.11 adds support for OpenVPN 2.6 connections and drops support for OpenVPN 2.5 connections. For the vast majority of users no migration changes are needed and connections will automatically work. You will still be able to connect to OpenVPN servers running 2.5 or older versions. OpenVPN 2.6 is backwards compatible and will continue to work for most setups.
As part of this migration, Viscosity has also moved to using OpenSSL 3.0. OpenSSL is the security library that Viscosity and OpenVPN use, and provides the encryption and security protocols used. Previous versions of Viscosity shipped with the OpenSSL 1.1.1 branch. OpenSSL 1.1.1 has reached end-of-life, and so it should be considered insecure moving forwards. OpenSSL 3.0 offers a number of security improvements, however it does deprecate many older encryption ciphers, digests, and protocols that are no longer considered secure.
Viscosity 1.11 also introduces a new "Compatibility" setting in the connection editor (under the Options tab) that makes it easier to connect to servers running older versions of OpenVPN. More information about this can be found below.
I've Updated to Viscosity 1.11 and Now I Can't Connect
Viscosity 1.11 will attempt to automatically detect and repair most compatibility issues between OpenVPN 2.6 and older versions of OpenVPN. However, if you were successfully connecting your VPN connections using an older version of Viscosity, but you can't after updating to Viscosity 1.11, then this likely means your VPN server is running an older version of OpenVPN.
In most cases you should be able to get your VPN connection connecting again with a couple of simple changes by following the steps below.
Step 1: Contact Your VPN Provider
We highly recommend contacting your VPN Provider first. They should be able to supply you with an up-to-date configuration for OpenVPN 2.6 which you can import and connect without needing to do any troubleshooting.
If you are a VPN server administrator, we also recommend updating your server and configuration for OpenVPN 2.6 where possible. You also need to consider regenerating certificate and keys if your existing ones used legacy digests.
Step 2: Check for Pop-up Alerts
In most instances when a VPN connection fails to connect after upgrading to Viscosity 1.11, it's caused by the OpenVPN server wanting to use an encryption cipher, digest, or TLS protocol considered insecure by OpenVPN 2.6 or OpenSSL 3.0. For example, the use of 1024 bit RSA or the SHA1 digest in certificates is no longer accepted.
Viscosity will attempt to automatically detect these failures and display an alert with more information. In most instances an "Allow" checkbox is also presented that can be used to allow the use of the deprecated cipher/digest/protocol and allow the VPN connection to connect. For more information, including about the potential security implications, please refer to the article that matches the alert:
- Error: Insecure Signature Digest Detected
- Error: Unsupported TLS Protocol Detected
- Error: Server Encryption Cipher Disallowed
- Error: Server Cipher Negotiation Not Supported
- Warning: A connection reset occurred with a legacy cipher command present
Step 3: Adjust the Compatibility Setting
Viscosity includes a new Compatibility setting, which can be found under the Options tab when editing your connection. This setting allows you to set the base OpenVPN version the connection should be compatible with. The available options are 2.3, 2.4, 2.5, and Latest. For example, choosing 2.3 should allow you to connect to an OpenVPN server running version 2.3 or later.
The Compatibility setting enables the use of ciphers, digests, TLS protocols, and compression settings commonly used by legacy versions of OpenVPN. It's analogous to the raw "compat-mode" OpenVPN command, while also adjusting OpenSSL security settings.
It isn't necessary for this option to exactly match the OpenVPN version used by the server. For example, selecting 2.3 won't prevent you from connecting to OpenVPN servers running version 2.4 or later.
Enabling support for legacy versions of OpenVPN may enable the use of encryption ciphers and protocols that are no longer considered secure. Updating the server to the latest OpenVPN version, and regenerating certificates/keys as required, is strongly recommended instead of the use of the Compatibility setting.
Step 4: Check for Removed Commands
OpenVPN 2.6 removes support for the "ncp-disable" command. Connections will this option present will not be able to connect, they instead will instantly fail. To see if this applies for your connection, check the connection log and see whether there is the message "Options error: The command "ncp-disable" or one of its parameters is invalid for this version of OpenVPN".
If the "ncp-disable" command is present it should be removed. Please see the Advanced Configuration Commands article for how to check and edit your connection's advanced commands. You can simply remove the entire line that starts with "ncp-disable", and then Save your changes. Alternatively, you can reach out to your VPN Provider and ask for an updated configuration file you can import into Viscosity.
Further Troubleshooting
If you are still having connection issues after following the above steps, the issue may not be related to updating to OpenVPN 2.6. Please try the steps listed in the Troubleshooting Connection Problems article.