OpenVPN 2.6, cipher vs data-ciphers: need more info

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
giox969
OpenVpn Newbie
Posts: 2
Joined: Thu Oct 27, 2022 5:28 am

OpenVPN 2.6, cipher vs data-ciphers: need more info

Post by giox969 » Thu Oct 27, 2022 8:11 am

I just upgraded my kubuntu from 22.04 (OpenVPN 2.5.5) to 22.10 (OpenVPN 2.6), and some OpenVPN client connections stopped working. OpenVPN connections are handled via NetworkManager and configured in KDE GUI.
The error is:

Code: Select all

ott 27 08:30:10 t470s-gio nm-openvpn[3235]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
ott 27 08:30:17 t470s-gio nm-openvpn[3235]: OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('AES-256-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.
Is really "cipher" a deprecated option? Googling around I cannot find an official declaration of this, and an official way/how-to to migrate it to data-ciphers.

And there are still some bad user experience problem:
  • many firewalls, I'm using Watchguard Firebox, are still exporting .ovpn profiles that contains "cipher" and are not useable on OpenVPN
  • frontend to OpenVPN configuration are still not supporting this, for example under KDE plasma 5.26 settings I cannot change data-ciphers field

Could someone point me to a document that explains what is deprecated and how to migrate?
Is the full "cipher" option deprecated, or, as the error log says, or only having "cipher" not being part of "data-ciphers" in the client config ?

Thank you.

remre
OpenVpn Newbie
Posts: 15
Joined: Wed Dec 09, 2020 12:15 am

Re: OpenVPN 2.6, cipher vs data-ciphers: need more info

Post by remre » Mon Oct 31, 2022 7:43 am

Is really "cipher" a deprecated option? Googling around I cannot find an official declaration of this, and an official way/how-to to migrate it to data-ciphers.
Maybe there's something in the code and its commentaries ?
many firewalls, I'm using Watchguard Firebox, are still exporting .ovpn profiles that contains "cipher" and are not useable on OpenVPN
frontend to OpenVPN configuration are still not supporting this, for example under KDE plasma 5.26 settings I cannot change data-ciphers field
Make your own .ovpn profile. It's a simple text file with the options and with :
* the certificate of the certificate authority incorporated with <ca> </ca>
* the certificate of the client with <cert> </cert>
* the private key of the client with <key> </key>
* an openvpn static key with <tls-crypt> </tls-crypt>

giox969
OpenVpn Newbie
Posts: 2
Joined: Thu Oct 27, 2022 5:28 am

Re: OpenVPN 2.6, cipher vs data-ciphers: need more info

Post by giox969 » Mon Oct 31, 2022 11:49 am

I'm a technician, and I'm able to change my own .ovpn profiles.
But an end user which is following a setup guide and downloading a pre-cooked .ovpn profile from one of our firewall, is NOT able to edit a .ovpn profile. Luckily they are using other openvpn compatible clients under mac & win that are a bit more careful to preserve backward compatibility, for example the watchguard vpn client itself or Viscosity.

My problem is still remaining with users using recent Ubuntu/Kubuntu distributions: an upgrade to Ubuntu 22.10 (OpenVPN 2.6) will make an .ovpn profile not work, breaking user workflow. It will cost money to create a separate .ovpn file, resend to all users, help them at the phone to fix it. Before investing money on this job, I would like to have a document from OpenVPN that explains what happened and why it happened.

blistovmhz
OpenVpn Newbie
Posts: 1
Joined: Mon Dec 05, 2022 6:11 pm

Re: OpenVPN 2.6, cipher vs data-ciphers: need more info

Post by blistovmhz » Mon Dec 05, 2022 6:18 pm

Same here. network-manager-openvpn and network-manager-openvpn-gnome are out of date and need to support the newer "data-ciphers" option. Currently, when they import the ovpn profile with data-ciphers, the option is ignored. Manually setting your cipher sets the "cipher" option, which is no longer expected by openvpn-2.6.
Bug has been submitted: https://bugs.launchpad.net/ubuntu/+sour ... ug/1993634

Confirm that modifying /etc/NetworkManager/system-connections/foo.nmconnection and replacing "cipher" with "data-ciphers", and then logging out and back in (I can't figure out how to get NM to reload entirely), does hack around the issue.

User avatar
ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: OpenVPN 2.6, cipher vs data-ciphers: need more info

Post by ordex » Tue Dec 06, 2022 1:00 pm

Unfortunately several frontends are slow to upgrade. --data-ciphers has been around since a while...but always ignored..
However 2.6 was just released as beta and we hope frontends will now get up to pace.

Post Reply