Error in ovpn file

Hello,
We use OpenVPN for our remote connections. With the OpenVPN-2.6.6-I001-amd64 version of the client, the file generated by IPFire contains an error at the line:
cipher AES-256-CBC
To work, it must be changed to:
data-ciphers AES-256-CBC
Is this a bug, or should I use another version of the OpenVPN client?

Thank you for your answers :smile:

The cipher directive was traditionally used to specify the encryption cipher. However, recent versions of OpenVPN have started to encourage the use of the data-ciphers directive instead to provide better security by allowing a fallback list of ciphers.

I would recommend waiting a few days to see if you receive any updates from users who closely follow IPFire development. If there’s no response or update on this matter, I suggest submitting a bug report to the IPFire developers. This will bring the issue to their attention and potentially facilitate a resolution or clarification.

The current setup in IPFire is still using ncp and therefore no data cipher negotiation so the data-ciphers entry is not used.

Work is currently ongoing to update the IPFire OpenVPN WUI code to use data cipher negotiation, which will allow usage of openvpn-2.6.x versions of the server.
That is not a simple change as we have to ensure that any change to the new approach continues to support all the people with 100’s of existing client connections, so that they continue working and allow a progressive change to the new approach.

If AES-256-CBC is not working with your openvpn-2.6.6 clients try using AES-256-GCM. That is what I have been using for years and it is working fine with all the openvpn-2.6.7 clients I currently have and also worked in the past when my clients were using 2.6.6 and earlier.

In your systems did AES-256-CBC work with earlier versions of openvpn-2.6.x?


When you say this is an error, what message is provided by the openvpn client? Is that message an actual error that is stopping the connection from being run, or is it a deprecation warning about the use of cipher as opposed to the use of data-ciphers?
cipher is deprecated but is still accepted as a command by openvpn, at this point in time. That looks likely to change in the 2.7 series of openvpn server.

Here is the message:

Error: Negotiated encryption not allowed - AES-256-CBC not in AES-256-GCM: AES-128-GCM
OPTIONS ERROR: Failed to import encryption options
Failed to open Tun/Tap interface

The password is automatically refused.
It is resolved once the ovpn file is corrected with data-ciphers

Yes, with versions 2.5.x

I just changed the encryption cipher on my vm testbed system from AES-GCM (256 bit) to AES-CBC (256 bit).

I then created a new client connection using that cipher and added it into my Network Manager openvpn-plugin client on my laptop (currently using openvpn-2.6.7) and made a connection.

It connected with no problems. Confirmed that I could connect to a machine on the green network with the laptop.

Checked the config file in Network Manager and it has cipher=AES-256-CBC

No error messages in the laptop log and the connection worked with no problems.

I will look at also doing a test with making the connection on the laptop command line directly with the openvpn client and not via the Network Manager openvpn plugin.

Ran the same test but directly with openvpn-2.6.7 as the client from the command line and I got the same error message.

I confirm what you have reported.

From what I can tell openvpn made the default for data-ciphers on the client (when data-ciphers is not defined in the profile) to be

AES-256-GCM
AES-128-GCM
CHACHA20-POLY1305

So openvpn client doesn’t accept AES-256-CBC as it is not one of the default recommended ciphers.

The openvpn-plugin for Network Manager takes any cipher defined with ciphers=xxxx and adds it to the default data-ciphers list.

It looks like the OpenVPN for Android app does the same thing.

So until the updated IPFire WUI is released to use the data-ciphers command and data cipher negotiation, it looks like your best option is to add
data-ciphers AES-256-CBC
to the profile.
Just adding it so that both `data-ciphers` and `cipher` are present works fine on my vm testbed.

While CBC is still currently accepted by openvpn you may need to think about moving at some time from CBC to GCM ciphers as those are obviously the preferred ones in OpenVPN. At some time in the future the CBC ones may become deprecated and eventually removed.
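The following is an added example, not code from the thread, from IPFire or from the OpenVPN project. It reproduces the logic the posts above describe: a 2.6 client without an explicit `data-ciphers` line falls back to the default list AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305, so a profile whose `cipher` names AES-256-CBC fails negotiation, and the fix is to make `data-ciphers` include that cipher while leaving the `cipher` line in place. The script checks a profile for that mismatch and patches it the way the post says the Network Manager plugin does (append the legacy cipher to the default list). The sample profile is constructed; the hostname and function names are assumptions, and the default cipher list is the one quoted in the thread, not read from an OpenVPN binary.

```python
"""Added example: reconcile a client .ovpn 'cipher' line with OpenVPN 2.6
data-ciphers negotiation. Not IPFire or OpenVPN project code."""

# Default client data-ciphers list for 2.6 as quoted in the thread (assumption:
# it is not queried from the installed openvpn binary).
DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"]

# Constructed sample profile modelled on the failing line from the thread.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher AES-256-CBC
auth SHA512
verb 3
"""


def parse_directives(text):
    """Return (directive, args) pairs, skipping blanks, comments and the
    contents of inline <ca>...</ca>-style blocks."""
    out, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            in_block = not line.startswith("</")
            continue
        if line.startswith("<") and not line.startswith("</"):
            in_block = True
            continue
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        out.append((parts[0], parts[1:]))
    return out


def configured_cipher(text):
    """The legacy 'cipher X' value, or None if the profile has none."""
    for d, args in parse_directives(text):
        if d == "cipher" and args:
            return args[0]
    return None


def effective_data_ciphers(text):
    """What a 2.6 client will accept: explicit data-ciphers, else the default."""
    for d, args in parse_directives(text):
        if d == "data-ciphers" and args:
            return args[0].split(":")
    return list(DEFAULT_DATA_CIPHERS)


def check_profile(text):
    """None if the profile is consistent, otherwise a string describing the
    mismatch that leads to 'Negotiated encryption not allowed'."""
    cipher = configured_cipher(text)
    if cipher is None:
        return None
    allowed = effective_data_ciphers(text)
    if cipher.upper() in (a.upper() for a in allowed):
        return None
    return f"{cipher} not in {':'.join(allowed)}"


def fix_profile(text):
    """Add or extend data-ciphers so it includes the 'cipher' value. The
    'cipher' line is kept, so both directives are present."""
    cipher = configured_cipher(text)
    if cipher is None or check_profile(text) is None:
        return text
    new_line = "data-ciphers " + ":".join(effective_data_ciphers(text) + [cipher])
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        if raw.strip().split()[:1] == ["data-ciphers"]:
            lines[i] = new_line  # extend an existing list
            break
    else:
        for i, raw in enumerate(lines):
            if raw.strip().split()[:1] == ["cipher"]:
                lines.insert(i + 1, new_line)  # place it next to the cipher line
                break
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    problem = check_profile(SAMPLE_PROFILE)
    print("before:", problem or "ok")
    fixed = fix_profile(SAMPLE_PROFILE)
    print("after: ", check_profile(fixed) or "ok")
    print(fixed)
```

Run it against a real profile by reading the file into `check_profile` and `fix_profile`; a profile already carrying a `data-ciphers` line that lists the cipher is left untouched, and running the fix twice is a no-op.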

Hello everyone.

The problem that I have seen in some scenarios is the use of both PCs and tablets/phones, the latter with iOS, and the latter I have not been able to make work with GCM, but I have with CBC.

Encryption must be applied to all of them the same, regardless of the platform.

That’s my experience. Maybe I’m wrong.