Tunnelblick 4.0.0 not able to connect


Philipp Schneider

Mar 9, 2024, 2:09:36 AM
to tunnelblick-discuss
Hey everyone,
I just updated to Tunnelblick 4.0.0 and I cannot connect to my VPN anymore. I just get the message: "Tunnelblick konnte OpenVPN nicht starten, um (config file) zu verbinden. Für Details sehen Sie bitte in das VPN Details… Fenster", which translates to something like:

Tunnelblick couldn't start OpenVPN to connect (config file). For details check the VPN window.

But there is no VPN window :(. Reverting back to 3.8.8b solved the issue and I can connect normally again.

Philipp Schneider

Mar 9, 2024, 2:16:55 AM
to tunnelblick-discuss
Here's the error log:
```
Could not start OpenVPN (openvpnstart returned with status #251)

Contents of the openvpnstart log:
openvpnstart log:
     OpenVPN returned with status 1, errno = 0:
          Undefined error: 0
     
(truncated)
     
          XXX 1 Note: Treating option '--ncp-ciphers' as  '--data-ciphers' (renamed in OpenVPN 2.5).
         XXX 40 Unsupported cipher in --data-ciphers: BF-CBC
          XXX b000 Options error: --data-ciphers list contains unsupported ciphers or is too long.
          XXX 1040 Use --help for more information.
         
     More details may be in the Console Log's "All Messages"
```

Tunnelblick developer

Mar 9, 2024, 7:09:31 AM
to tunnelblick-discuss
Thanks for your report. Please see Tunnelblick 4.

achim widmaier

Mar 9, 2024, 12:01:08 PM
to tunnelblick-discuss
Hi,
I am using macOS Sonoma 14.2.1.
Today I updated Tunnelblick to Version 4.0.0 (build 5970).
Since then I can't connect anymore.
The info jumps back and forth between "Lade Konfiguration" and "Autorisieren"...

Here is what the log shows in red:

```
2024-03-09 17:30:21.773722 OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('AES-256-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.

2024-03-09 17:30:21.773842 ERROR: Failed to apply push options
```

I am not much of a technician to interpret the Tunnelblick Logfile...

Testing other OpenVPN versions in the Tunnelblick configuration, I found out that I have to switch to an older version (2.5.9 - OpenSSL v1.1.1w) to make Tunnelblick work again (see attachment: Bildschirmfoto 2024-03-09 um 17.33.24.png).

What do I have to do to make it work with the latest and recommended Version 2.6.9 - OpenSSL v3.0.13?

Thanks for your help.
Cheers,
Achim W.

Tunnelblick developer

Mar 9, 2024, 12:04:57 PM
to tunnelblick-discuss
As it says on the Tunnelblick 4 page I linked to earlier:

If you can connect only with one or more of the other versions, your VPN setup relies on insecure algorithms or programs. Future versions of Tunnelblick will not include these algorithms and programs. Contact your VPN service provider and have them update the VPN to be compatible with OpenVPN 2.6, which is the current version of OpenVPN, and OpenSSL 3.0, which is the Long Term Support version of OpenSSL.


Ivan

Mar 11, 2024, 5:15:00 PM
to tunnelblick-discuss
Hi, I'm having the same problem with 4.0.0 and 5.0.0.
Thanks for the clarification. Probably the best solution is to use version 3.8.8b until all major VPN providers finally decide to switch to latest algorithms.

Tunnelblick developer

Mar 11, 2024, 5:45:36 PM
to tunnelblick-discuss
Ivan wrote:
     Hi, I'm having the same problem with 4.0.0 and 5.0.0.
     Probably the best solution is to use version 3.8.8b until all major VPN providers finally decide to switch to latest algorithms.

NO! The best solution is to use Tunnelblick 4 or 5 with a version of OpenVPN and OpenSSL that works for you.

You should only use 3.8.8b if none of the versions of OpenVPN/OpenSSL in Tunnelblick 4 or 5 works for you.

Please see Tunnelblick 4.

(Also, note that, as per the Release Notes, there were no changes from Tunnelblick 4.0.0 to Tunnelblick 5.0.0beta01, so they will behave the same. Using the beta version will always check for updates to later betas; using Tunnelblick 4.0.0 will not check for updates to beta versions unless you specifically ask for that, in which case Tunnelblick 5.0.0beta01 will be offered to you.)
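
The two cipher errors posted in this thread can be checked for ahead of an upgrade. The following is an added example, not part of the thread and not Tunnelblick or OpenVPN code: it audits the cipher options in an OpenVPN config and classifies the two log messages quoted above. The function names, the sample config and the contents of `UNSUPPORTED` are assumptions made for illustration; the default cipher list is the one printed in the log above.

```python
import re

# Assumption: client default list as printed in the thread's log ("currently '...'").
DEFAULT_DATA_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}
# Assumption: only the cipher the thread's log shows being rejected is listed here.
UNSUPPORTED = {"BF-CBC"}
CIPHER_OPTS = {"cipher", "ncp-ciphers", "data-ciphers", "data-ciphers-fallback"}

def audit_config(text):
    """Return (line_no, option, cipher, finding) tuples for an OpenVPN config."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        parts = re.split(r"[#;]", raw, maxsplit=1)[0].split()  # drop comments
        if len(parts) < 2 or parts[0].lstrip("-") not in CIPHER_OPTS:
            continue
        opt = parts[0].lstrip("-")
        if opt == "ncp-ciphers":
            findings.append((no, opt, None, "renamed to data-ciphers in OpenVPN 2.5"))
        for cipher in parts[1].upper().split(":"):
            if cipher in UNSUPPORTED:
                findings.append((no, opt, cipher, "unsupported by this OpenVPN/OpenSSL build"))
            elif cipher not in DEFAULT_DATA_CIPHERS:
                findings.append((no, opt, cipher, "not in the default data-ciphers list"))
    return findings

LOG_PATTERNS = [
    (re.compile(r"Unsupported cipher in --data-ciphers: (\S+)"), "client config"),
    (re.compile(r"Add the server's cipher \('([^']+)'\) to --data-ciphers"), "server"),
]

def triage_log(text):
    """Return (cipher, side) for each cipher error of the two kinds quoted in the thread."""
    return [(m.group(1), side) for rx, side in LOG_PATTERNS for m in rx.finditer(text)]

# Constructed sample config (hostname and options are illustrative).
SAMPLE_CONFIG = """client
remote vpn.example.com 1194  # constructed
cipher AES-256-CBC
ncp-ciphers AES-256-GCM:BF-CBC
"""
# Log excerpts shortened from the two posts above.
SAMPLE_LOG = """XXX 40 Unsupported cipher in --data-ciphers: BF-CBC
OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('AES-256-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f)
    for cipher, side in triage_log(SAMPLE_LOG):
        print(f"{cipher}: fix on the {side} side")
```

A "server" result corresponds to the case where, as the developer's reply says, the VPN service provider has to update the VPN; a "client config" result points at a cipher option in the local configuration file.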
