CU 178 - Error: negotiated cipher not allowed - AES-256-CBC

Hello,
it seems this is the latest thread on this subject:
Today I am using IPFire 2.27 (x86_64) - Core Update 178
I have just upgraded the OpenVPN client to 2.6.6 and I have the same error

2023-08-21 08:25:23 Error: negotiated cipher not allowed - AES-256-CBC not in AES-256-GCM:AES-128-GCM
2023-08-21 08:25:23 OPTIONS ERROR: failed to import crypto options
2023-08-21 08:25:23 Failed to open tun/tap interface

I am on Windows 10 and have this in the config

providers legacy default

Any suggestions please?

Thanks in advance!

1 Like

I think that in your case you can try

  1. on IPFire WUI->Services->OpenVPN
     change Encryption: to AES-GCM(256 bit)

  2. then on the client
     in the .ovpn configuration file
     change the cipher AES-256-CBC to cipher AES-256-GCM

Best

1 Like

Thanks, but when I change this config, it always goes back to its default
"AES-CBC (256 bit)"
Did I miss something, please?

You need to stop the vpn server, then change the cipher, then press save and then start the server again.

2 Likes

A little addition to @bonnietwin's post

4 Likes

thanks !

P.S.
I did have to reboot the server to see a screen refresh when you change this value

1 Like

Just refresh your browser page.

yes but the server was still showing as red not started :wink:

Sorry, I misunderstood what your refresh problem was. I thought you meant the status of the client connection.

If the server is failing to start then you need to look in the logs to see what the problem is.

Go to Logs - System Logs in the WUI menu.

Then select OpenVPN in the dropdown box labelled Section: and then press the Update button.

We misunderstood each other:

  • first problem was the ‘save’, and thank you for your help, I missed it
  • second problem is that when you start the server, you do not have the text+light which changes from red to green => in this case I have to restart the server

Will it be possible to change the setting cipher AES-256-CBC to cipher AES-256-GCM in the file /var/ipfire/ovpn/server.conf while the OpenVPN server is up and running, so the new cipher setting will be picked up during the next reboot? Obviously I want to do this via an OpenVPN session, so I cannot stop the OpenVPN server :wink:

I don’t know, without testing or going through the code.

Maybe @ummeegge can give feedback on your question.

1 Like

Hi all,
I think this should then also be changed in the settings file.

Best,

Erik

2 Likes

I think there is a problem with the status refreshing on the OpenVPN main page. It happens with the connection status too, i.e. you need to reboot the server to get the correct status to display.

I solved this error by modifying the .ovpn file like this:

Where it says “cipher AES-256-CBC”, put “data-ciphers AES-256-CBC”.

Bye.

1 Like

For Windows 10 I had to use OpenVPN version 2.6.8 and amend the .ovpn file to include two additional lines:
data-ciphers AES-256-CBC
data-ciphers-fallback AES-256-CBC

In Windows 10 I couldn’t get it to negotiate the ciphers correctly when I tested with OpenVPN versions 2.7 and above.
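As an added example (not code from this thread, from OpenVPN or from IPFire), the following Python models the client-side check behind the error quoted at the top of the thread, using constructed .ovpn fragments: the original config with only `cipher AES-256-CBC`, the config with the two `data-ciphers` lines added, and the alternative of the server pushing AES-256-GCM after the WUI change. The default accept list and the simplified negotiation are assumptions made for the demo.

```python
# Added example (not OpenVPN's or IPFire's code): simplified model of the
# OpenVPN 2.6 client-side check that logs "negotiated cipher not allowed".
# Assumption: the client's accept list when no data-ciphers line is present,
# taken from the list in the error message quoted at the top of the thread.
DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]

# Constructed .ovpn fragments for the demo
BROKEN_CLIENT = """\
client
dev tun
# old-style directive only: 2.6 does not add it to the negotiable list
cipher AES-256-CBC
providers legacy default
"""
FIXED_CLIENT = BROKEN_CLIENT + """\
data-ciphers AES-256-CBC
data-ciphers-fallback AES-256-CBC
"""

def parse_ovpn(text):
    """Map each directive to its argument string; full-line comments are skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key, _, value = line.partition(" ")
        opts.setdefault(key, value.strip())
    return opts

def effective_data_ciphers(opts):
    """Ciphers the client will accept from the server's push."""
    if "data-ciphers" in opts:
        return opts["data-ciphers"].upper().split(":")
    return list(DEFAULT_DATA_CIPHERS)

def check_pushed_cipher(client_conf, pushed_cipher):
    """Return (accepted, log line) for the cipher the server pushed."""
    opts = parse_ovpn(client_conf)
    allowed = effective_data_ciphers(opts)
    fallback = opts.get("data-ciphers-fallback", "").upper()
    wanted = pushed_cipher.upper()
    if wanted in allowed or (fallback and wanted == fallback):
        return True, f"Data Channel: using negotiated cipher '{wanted}'"
    return False, (f"Error: negotiated cipher not allowed - {wanted} "
                   f"not in {':'.join(allowed)}")

if __name__ == "__main__":
    print(check_pushed_cipher(BROKEN_CLIENT, "AES-256-CBC")[1])
```

Running it reproduces the exact error line from the first post for the old config, while the same config accepts AES-256-GCM without any client change.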

Could you please show where this version 2.7 is available?

Version 2.6.8 is available on the official website.

https://community.openvpn.net/openvpn/wiki/StatusOfOpenvpn27

Release is roughly planned for two years after OpenVPN 2.6. So end of 2024 or beginning of 2025.

Regards

Sorry, I should have been more explicit. Version 2.6.8 is the community version. I also tested this version
https://openvpn.net/downloads/openvpn-connect-v2-windows.msi
which is OpenVPN Connect version 2.7.1. It didn’t work for me.
I couldn’t get OpenVPN Connect v3 to work (using the .p12, ta.key and .ovpn files from IPFire) on Windows 10.

I do not use OpenVPN Connect.
Today for a test:
I installed OpenVPN Connect v3.4.4 (3412) on Windows 10 Pro 22H2.
I added an OpenVPN test connection on the IPFire CU182.

I configured according to the information available in the Documentation and on the Forum

It seems to be working :smiley:

Regards