OpenVPN missing ovpn-dco missing

I don’t use VPN often and it did work several months ago (possibly late 2024).

When I tried it last week (100 miles from home…) I got the following:

Error text

sudo openvpn --config macsurface-TO-IPFire.ovpn
2025-07-07 05:52:19 DEPRECATED OPTION: --cipher set to ‘AES-256-CBC’ but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
2025-07-07 05:52:19 Note: Kernel support for ovpn-dco missing, disabling data channel offload.
2025-07-07 05:52:19 OpenVPN 2.6.13 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2025-07-07 05:52:19 library versions: OpenSSL 3.4.1 11 Feb 2025, LZO 2.10
2025-07-07 05:52:19 DCO version: N/A
Enter Private Key Password: ooooooo
2025-07-07 05:52:31 OpenSSL: error:11800071:PKCS12 routines::mac verify failure:
2025-07-07 05:52:31 OpenSSL: error:11800071:PKCS12 routines::mac verify failure:
2025-07-07 05:52:31 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
2025-07-07 05:52:31 SIGUSR1[soft,private-key-password-failure] received, process restarting
2025-07-07 05:52:31 Restart pause, 1 second(s)
Enter Private Key Password: (press TAB for no echo) 2025-07-07 05:52:35 ERROR: Failed retrieving username or password
2025-07-07 05:52:35 Exiting due to fatal error

I found this in another thread when I searched on ovpn-dco missing: OpenVPN V.2.6.3 on Clients - #3 by rowihei

There it recommends adding this to the .ovpn file keeping the AES-256-CBC bit:
--data-ciphers AES-256-GCM:AES-256-CBC:BF-CBC

Is this still applicable?

Do I need to rebuild the road warrior files?

Unfortunately, whatever I do I probably won’t be able to test it for days.

Edit: Looking at my .ovpn file it only shows:
cipher AES-256-CBC

But nothing like --data-ciphers

It is missing in IPFire as it is not used yet.

--data-ciphers is not used with OpenVPN in IPFire currently. It will come in when we release the OpenVPN-2.6 branch which introduces cipher negotiation but it is not used currently in the server.

This indicates that your client is no longer using the cipher AES-256-CBC.

The simplest thing would be to redo the roadwarrior connections using AES-256-GCM on the server. This will then be accepted by your client.

It might work but don’t add the BF-CBC cipher as that is an extremely weak and insecure cipher and really should not be specified anywhere.

When the OpenVPN-2.6 branch of code is released in IPFire it will introduce negotiation to use the strongest cipher that both the server and client support. The sort of issue you are experiencing should then no longer occur, and the insecure Blowfish cipher should no longer get used if users have specified it in the past.


This means stopping the server and changing from AES-CBC (256bit) to AES-GCM (256bit), right? And then creating a new client in the “roadpool” section?

Does that mean the client I have in the “Dynamic OpenVPN IP address pool” section would also need to be recreated? (TBH, it’s been so long ago I don’t remember how I got it there…)

If you have several clients defined then when you change the cipher in the server you would need to recreate all of them again.

It might be worth trying out just on that client you are having problems with to add the data-ciphers line in the configuration file. So add

data-ciphers AES-256-GCM:AES-256-CBC

and see if that makes the client now connect.
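As an added example (not code from this thread or from IPFire), a small Python check that reads a client .ovpn profile and reports the two points raised above: a cipher line with no data-ciphers list, and a weak BF-CBC entry in data-ciphers. The embedded profiles are constructed samples.

```python
# Added example, not from the thread or IPFire: inspect a client .ovpn profile
# for the cipher / data-ciphers situation discussed above.

# Legacy ciphers that should not appear in data-ciphers (BF-CBC is the one named above).
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC"}
# OpenVPN 2.6 default list when the profile has no data-ciphers line (as in the log above).
DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"]

def parse_profile(text):
    """Map option name -> argument list, skipping comments and <ca>..</ca> style inline blocks."""
    opts = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("<") and line.endswith(">"):
            in_block = not line.startswith("</")   # opening tag enters a block, closing leaves it
            continue
        if in_block or not line or line[0] in "#;":
            continue
        parts = line.split()
        opts[parts[0].lstrip("-")] = parts[1:]      # accept "cipher" and "--cipher" alike
    return opts

def check_ciphers(text):
    """Return a list of findings (empty when the profile looks consistent)."""
    opts = parse_profile(text)
    findings = []
    cipher = (opts.get("cipher") or [None])[0]
    if opts.get("data-ciphers"):
        negotiable = opts["data-ciphers"][0].split(":")
    else:
        negotiable = DEFAULT_DATA_CIPHERS
    for c in negotiable:
        if c in WEAK_CIPHERS:
            findings.append(f"weak cipher {c} in data-ciphers: remove it")
    if cipher and cipher not in negotiable:
        findings.append(f"cipher {cipher} is not in data-ciphers "
                        f"{':'.join(negotiable)}: OpenVPN 2.6 ignores it for negotiation")
    return findings

# Constructed sample profiles (trimmed; real profiles carry certificates and keys).
AS_SHIPPED = "client\ndev tun\nproto udp\ncipher AES-256-CBC\n<ca>\nMIIB...\n</ca>\n"
WITH_DATA_CIPHERS = AS_SHIPPED + "data-ciphers AES-256-GCM:AES-256-CBC\n"
WITH_BLOWFISH = AS_SHIPPED + "data-ciphers AES-256-GCM:AES-256-CBC:BF-CBC\n"

if __name__ == "__main__":
    for name, profile in [("as shipped", AS_SHIPPED), ("with data-ciphers", WITH_DATA_CIPHERS),
                          ("with BF-CBC", WITH_BLOWFISH)]:
        print(name, "->", check_ciphers(profile) or ["ok"])
```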

I assume you mean remove this:
cipher AES-256-CBC

and add:
data-ciphers AES-256-GCM:AES-256-CBC

??

I only had one dynamic and one static, so I figured I redo them both.

But, when I stop the server, set AES-GCM(256), then start it, it reverts back to AES-CBC.

Scratch that, I didn’t think to hit save.
