No way to specify tls-version-min or tls-version-max, please include the config options in the GUI config panel.

Bug #1849573 reported by Thomas Ward
This bug affects 1 person
Affects: NetworkManager-OpenVPN
  Status: Fix Released
  Importance: Unknown

Affects: network-manager-openvpn (Ubuntu)
  Status: Fix Released
  Importance: Wishlist
  Assigned to: Unassigned

Bug Description

The OpenVPN plugin for Network Manager does not have any mechanisms to interpret tls-version-{min,max} directives for OpenVPN.

In Debian upstream, especially in Buster and Unstable, they disable TLS 1.0, 1.1, and 1.2 by default and use only TLS 1.3 by default. Therefore, with OpenVPN servers that only use TLS 1.2 or older, it is impossible to establish a tunnel to those locations *unless* you specify tls-version-{min,max} in the configurations.

This can be done in OVPN files for OpenVPN directly, but there is currently no mechanism to do this in the GUI.

This is tracked in Debian https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933177 as the original cause for TLS 1.3 support, but if Ubuntu ever defaults OpenSSL to not have TLS 1.0-1.2 support enabled by default, we will be out of luck.

Upstream, GNOME has not yet merged a merge request which would add this option to the GUI: https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/merge_requests/15

Testing in Debian, the patch works against NetworkManager OpenVPN there. I am currently testing these in Focal, Eoan, and Bionic to see if this is something we can possibly include at a future date to fix this issue long-term.

In the interim, this tracks the request to get these features in.
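
Added example (not part of the original report and not code from NetworkManager-openvpn): a small audit of an OpenVPN client profile that reports whether tls-version-min and tls-version-max are pinned as the description says they can be in OVPN files. The function names, the sample profile and the 1.2 policy floor are assumptions made for illustration.

```python
# Added example: audit an OpenVPN client profile for tls-version-min/max.
# Function names, the sample profile and the policy floor are illustrative assumptions.
ORDER = ["1.0", "1.1", "1.2", "1.3"]  # TLS versions, oldest first


def tls_bounds(profile_text):
    """Return (min, max) as written in the profile; None where a directive is absent."""
    lo = hi = None
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # OpenVPN comment markers
            continue
        parts = line.split()
        if parts[0] == "tls-version-min" and len(parts) >= 2:
            lo = parts[1]
        elif parts[0] == "tls-version-max" and len(parts) >= 2:
            hi = parts[1]
    return lo, hi


def audit(profile_text, floor="1.2"):
    """List findings; an empty list means the range is pinned and consistent."""
    lo, hi = tls_bounds(profile_text)
    findings = []
    for name, value in (("tls-version-min", lo), ("tls-version-max", hi)):
        if value is not None and value not in ORDER:
            findings.append(f"{name}: unrecognised version {value!r}")
    if lo is None:
        findings.append("tls-version-min not set: the floor is left to the defaults")
    elif lo in ORDER and ORDER.index(lo) < ORDER.index(floor):
        findings.append(f"tls-version-min {lo} is below the policy floor {floor}")
    if lo in ORDER and hi in ORDER and ORDER.index(lo) > ORDER.index(hi):
        findings.append(f"tls-version-min {lo} is above tls-version-max {hi}: no version can match")
    return findings


# Constructed sample profile (hostname is a placeholder).
SAMPLE = """\
client
remote vpn.example.com 1194
;tls-version-min 1.2
tls-version-min 1.0
tls-version-max 1.2
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```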

Changed in network-manager-openvpn:
status: Unknown → New
Changed in network-manager-openvpn (Ubuntu):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package network-manager-openvpn - 1.8.10-1ubuntu1

---------------
network-manager-openvpn (1.8.10-1ubuntu1) focal; urgency=medium

  * debian/patches/git_tls_version.patch:
    - backport patch to allow specifying the supported tls versions
      (lp: #1849573)

 -- Sebastien Bacher <email address hidden> Wed, 26 Feb 2020 16:01:37 +0100

Changed in network-manager-openvpn (Ubuntu):
status: Fix Committed → Fix Released
Changed in network-manager-openvpn:
status: New → Fix Released