change(openvpn): Openvpn 2.4 no longer supported

internal/provider/airvpn/openvpnconf.go

@@ -24,8 +24,6 @@ func (p *Provider) OpenVPNConfig(connection models.Connection,
 	}
 
 	switch settings.Version {
-	case openvpn.Openvpn24:
-		providerSettings.Ciphers = []string{openvpn.AES256cbc}
 	case openvpn.Openvpn25:
 		providerSettings.Ciphers = []string{
 			openvpn.AES256gcm, openvpn.AES256cbc, openvpn.AES192gcm,

internal/provider/custom/openvpnconf.go

@@ -79,7 +79,7 @@ func modifyConfig(lines []string, connection models.Connection,
 	}
 	modified = append(modified, "verb "+strconv.Itoa(*settings.Verbosity))
 	if len(settings.Ciphers) > 0 {
-		modified = append(modified, utils.CipherLines(settings.Ciphers, settings.Version)...)
+		modified = append(modified, utils.CipherLines(settings.Ciphers)...)
 	}
 	if *settings.Auth != "" {
 		modified = append(modified, "auth "+*settings.Auth)

internal/provider/slickvpn/openvpnconf.go

@@ -28,13 +28,11 @@ func (p *Provider) OpenVPNConfig(connection models.Connection,
 		},
 	}
 
-	if settings.Version == openvpn.Openvpn25 {
-		// SlickVPN's certificate is sha1WithRSAEncryption and sha1 is now
-		// rejected by openssl 3.x.x which is used by OpenVPN >= 2.5.
-		// We lower the security level to 3 to allow this algorithm,
-		// see https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html
-		providerSettings.TLSCipher = "DEFAULT:@SECLEVEL=0"
-	}
+	// SlickVPN's certificate is sha1WithRSAEncryption and sha1 is now
+	// rejected by openssl 3.x.x which is used by OpenVPN >= 2.5.
+	// We lower the security level to 3 to allow this algorithm,
+	// see https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html
+	providerSettings.TLSCipher = "DEFAULT:@SECLEVEL=0"
 
 	return utils.OpenVPNConfig(providerSettings, connection, settings, ipv6Supported)
 }

internal/provider/utils/cipher.go

@@ -2,25 +2,15 @@ package utils
 
 import (
 	"strings"
-
-	"github.com/qdm12/gluetun/internal/constants/openvpn"
 )
 
-func CipherLines(ciphers []string, version string) (lines []string) {
+func CipherLines(ciphers []string) (lines []string) {
 	if len(ciphers) == 0 {
 		return nil
 	}
 
-	switch version {
-	case openvpn.Openvpn24:
-		return []string{
-			"cipher " + ciphers[0],
-			"ncp-ciphers " + strings.Join(ciphers, ":"),
-		}
-	default: // 2.5 and above
-		return []string{
-			"data-ciphers-fallback " + ciphers[0],
-			"data-ciphers " + strings.Join(ciphers, ":"),
-		}
+	return []string{
+		"data-ciphers-fallback " + ciphers[0],
+		"data-ciphers " + strings.Join(ciphers, ":"),
 	}
 }

internal/provider/utils/cipher_test.go

@@ -20,14 +20,6 @@ func Test_CipherLines(t *testing.T) {
 				"data-ciphers AES",
 			},
 		},
-		"2.4": {
-			ciphers: []string{"AES", "CBC"},
-			version: "2.4",
-			lines: []string{
-				"cipher AES",
-				"ncp-ciphers AES:CBC",
-			},
-		},
 		"2.5": {
 			ciphers: []string{"AES", "CBC"},
 			version: "2.5",
@@ -42,7 +34,7 @@ func Test_CipherLines(t *testing.T) {
 		t.Run(name, func(t *testing.T) {
 			t.Parallel()
 
-			lines := CipherLines(testCase.ciphers, testCase.version)
+			lines := CipherLines(testCase.ciphers)
 
 			assert.Equal(t, testCase.lines, lines)
 		})

internal/provider/utils/openvpn.go

@@ -119,7 +119,7 @@ func OpenVPNConfig(provider OpenVPNProviderSettings,
 	}
 
 	ciphers := defaultStringSlice(settings.Ciphers, provider.Ciphers)
-	cipherLines := CipherLines(ciphers, settings.Version)
+	cipherLines := CipherLines(ciphers)
 	lines.addLines(cipherLines)
 
 	auth := defaultString(*settings.Auth, provider.Auth)
@@ -198,16 +198,14 @@ func OpenVPNConfig(provider OpenVPNProviderSettings,
 
 	if *settings.EncryptedKey != "" {
 		encryptedBase64DERKey := *settings.EncryptedKey
-		if settings.Version != openvpn.Openvpn24 {
-			// OpenVPN above 2.4 does not support old encryption schemes such as
-			// DES-CBC, so decrypt and reencrypt the key.
-			// This is a workaround for VPN secure.
-			var err error
-			encryptedBase64DERKey, err = pkcs8.UpgradeEncryptedKey(encryptedBase64DERKey, *settings.KeyPassphrase)
-			if err != nil {
-				// TODO return an error instead.
-				panic(fmt.Sprintf("upgrading encrypted key: %s", err))
-			}
+		// OpenVPN above 2.4 does not support old encryption schemes such as
+		// DES-CBC, so decrypt and reencrypt the key.
+		// This is a workaround for VPN secure.
+		var err error
+		encryptedBase64DERKey, err = pkcs8.UpgradeEncryptedKey(encryptedBase64DERKey, *settings.KeyPassphrase)
+		if err != nil {
+			// TODO return an error instead.
+			panic(fmt.Sprintf("upgrading encrypted key: %s", err))
 		}
 		lines.add("askpass", openvpn.AskPassPath)
 		lines.addLines(WrapOpenvpnEncryptedKey(encryptedBase64DERKey))

internal/provider/vpnunlimited/openvpnconf.go

@@ -2,7 +2,6 @@ package vpnunlimited
 
 import (
 	"github.com/qdm12/gluetun/internal/configuration/settings"
-	"github.com/qdm12/gluetun/internal/constants/openvpn"
 	"github.com/qdm12/gluetun/internal/models"
 	"github.com/qdm12/gluetun/internal/provider/utils"
 )
@@ -20,13 +19,11 @@ func (p *Provider) OpenVPNConfig(connection models.Connection,
 		},
 	}
 
-	if settings.Version != openvpn.Openvpn24 {
-		// VPN Unlimited's certificate is sha1WithRSAEncryption and sha1 is now
-		// rejected by openssl 3.x.x which is used by OpenVPN >= 2.5.
-		// We lower the security level to 0 to allow this algorithm,
-		// see https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html
-		providerSettings.TLSCipher = `"DEFAULT:@SECLEVEL=0"`
-	}
+	// VPN Unlimited's certificate is sha1WithRSAEncryption and sha1 is now
+	// rejected by openssl 3.x.x which is used by OpenVPN >= 2.5.
+	// We lower the security level to 0 to allow this algorithm,
+	// see https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html
+	providerSettings.TLSCipher = `"DEFAULT:@SECLEVEL=0"`
 
 	return utils.OpenVPNConfig(providerSettings, connection, settings, ipv6Supported)
 }