fix(vpnsecure): upgrade Openvpn key encryption if needed (#1471)

internal/provider/utils/openvpn.go

@@ -8,6 +8,7 @@ import (
 	"github.com/qdm12/gluetun/internal/constants"
 	"github.com/qdm12/gluetun/internal/constants/openvpn"
 	"github.com/qdm12/gluetun/internal/models"
+	"github.com/qdm12/gluetun/internal/openvpn/pkcs8"
 )
 
 type OpenVPNProviderSettings struct {
@@ -196,8 +197,20 @@ func OpenVPNConfig(provider OpenVPNProviderSettings,
 	}
 
 	if *settings.EncryptedKey != "" {
+		encryptedBase64DERKey := *settings.EncryptedKey
+		if settings.Version != openvpn.Openvpn24 {
+			// OpenVPN above 2.4 does not support old encryption schemes such as
+			// DES-CBC, so decrypt and reencrypt the key.
+			// This is a workaround for VPN secure.
+			var err error
+			encryptedBase64DERKey, err = pkcs8.UpgradeEncryptedKey(encryptedBase64DERKey, *settings.KeyPassphrase)
+			if err != nil {
+				// TODO return an error instead.
+				panic(fmt.Sprintf("upgrading encrypted key: %s", err))
+			}
+		}
 		lines.add("askpass", openvpn.AskPassPath)
-		lines.addLines(WrapOpenvpnEncryptedKey(*settings.EncryptedKey))
+		lines.addLines(WrapOpenvpnEncryptedKey(encryptedBase64DERKey))
 	}
 
 	if *settings.Cert != "" {