OpenVPN Client stopped working after recent update

[thefunkygibbon]

was connecting fine before. now it never connects.

log files say

Code: [Select]

2022-03-08T12:22:17 Notice openvpn UDP link remote: [AF_INET]1xx.1xx.6x.98:8888
2022-03-08T12:22:17 Notice openvpn UDP link local (bound): [AF_INET]86.x.x.24:0
2022-03-08T12:22:17 Notice openvpn TCP/UDP: Preserving recently used remote address: [AF_INET]1xx.1xx.6x.98:8888
2022-03-08T12:22:17 Warning openvpn NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2022-03-08T12:22:17 Warning openvpn WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2022-03-08T12:22:17 Notice openvpn library versions: OpenSSL 1.1.1m 14 Dec 2021, LZO 2.10
2022-03-08T12:22:17 Notice openvpn OpenVPN 2.5.5 amd64-portbld-freebsd13.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jan 24 2022
2022-03-08T12:22:17 Warning openvpn WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
2022-03-08T12:22:17 Warning openvpn DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2022-03-08T12:22:17 Notice openvpn SIGTERM[hard,] received, process exiting
2022-03-08T12:22:17 Error openvpn event_wait : Interrupted system call (code=4)
nothing has changed config-wise.

any ideas?

[chrishh]

HI,

here the same.
After Update 23.1 to 23.1.3 openvpn stop work.
Failure Log:
 PUSH: No common cipher between server and client. Server data-ciphers: 'AES-256-GCM:AES-128-GCM', client supports cipher 'AES-256-CBC'
Log on Windows Client:
WARNING: 'cipher' is present in local config but missing in remote config, local='cipher AES-256-CBC'

I think the Problem is this in the changelog for Version 23.1.3
openvpn: replace authentication handler to prepare for upcoming OpenVPN 2.6 with deferred authentication
openvpn: rename -cipher option to --data-ciphers-fallback and adjust GUI accordingly


The Bug ist here:
openVPn Server Config:
" Encryption algorithm (fallback)   " dosn't work.


My work around:
Set  "Encryption algorithm (fallback)" to NONE
and set in  Advanced:
--cipher AES-256-CBC


With this setting my clients can reconnect and it works!

[Adramyttium]

I'm having the same issue. Will try the server config changes here and will report back.

[franco]

My work around:
Set  "Encryption algorithm (fallback)" to NONE
and set in  Advanced:
--cipher AES-256-CBC

So OpenVPN doesn't translate its own deprecations? What OpenVPN version is used on the client end?


Cheers,
Franco

[chrishh]

So OpenVPN doesn't translate its own deprecations? What OpenVPN version is used on the client end?

For Test reasons I used an old Client (Sophos SSL) ist based on OpenVPN 2.3.8

With OpenVPN connect Client 3.3.6 it will use 'cipher AES-256-GCM' (with set  Encryption algorithm (fallback) to 'AES-256-CBC') an the connection works.

I think the Server setting 'Encryption algorithm (fallback)' don't work correct.

Kind rgds,
Chris

[franco]

If that's true this will likely stop working with OpenVPN 2.6 anyway as per their "future" warning. I don't think we will be keeping 2.5 much longer.

Keep in mind that 2.3.8 is from 2015.

In any case we will discuss this internally if other workarounds will apply.


Cheers,
Franco

[ivoruetsche]

Hi

We struggling with the similar problems. All new exported client configs doesn't work:

Code: [Select]

Options error: Unrecognized option or missing or extra parameter(s) in xxxx_xx01_fw01_openvpn01__Superadmins__xxx.ovpn:4: data-ciphers-fallback (2.4.7)
Use --help for more information.

I tried on our client:
OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022

And I also can't find an option for "data-ciphers-fallback" in (but I can't try with the ovpn file at the moment)
OpenVPN 2.6.1 [git:v2.6.1/2c2a98a0e559928c] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Mar  8 2023

The old exported configurations works fine and also, after we remove the "data-ciphers-fallback" line in the client exported .ovpn file or with the workaround from chrishh

It's a bit strange, because it should be work since 2.3: https://community.openvpn.net/openvpn/wiki/CipherNegotiation

gruss ivo

[chrishh]

HI,

With Update OPNsense 23.1.4
" openvpn: reintroduce "cipher" keyword for older clients "

Now it works without my workaround.

[franco]

It has been a bit of a back and forth. The OpenVPN upstream "deprecation" actually recommends breaking older clients and other SSL implementations out in the wild. This was learned the hard way. But it also means OpenVPN can't remove the deprecated option without complains so maybe the current state is the state it will remain in.


Cheers,
Franco

[klona]

Hi, thread is few month old, but i get the same problem with 23.1.7_3

OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('AES-256-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.

trick to set  'Encryption algorithm (deprecated)' to 'none'  and --data-ciphers-fallback AES-256-CBC (or -- ciphers AES-256-CBC) dont solve it

I am the only one ?

[klona]

solved with --data-ciphers AES-256-CBC

...

[franco]

Unfortunately that seems broken by OpenVPN design itself. If the other end uses --data-ciphers the local end needs to use it too, but using it breaks --cipher directive for everyone else. I'm not sure OpenVPN thought this through or it doesn't care.


Cheers,
Franco

[peterzy]

solved with --data-ciphers AES-256-CBC

...

You saved the day :-)

[benyamin]

It's likely because the compatibility behaviour for --cipher has changed over the last few OpenVPN releases. Previously, the algorithm at --cipher has been appended to the list at --data-ciphers. Also, the --data-ciphers-fallback option is really only meant to be applicable to v2.3 peers using --enable-small.

You may want to use both the --cipher AES-256-CBC and the --data-ciphers-fallback AES-256-CBC options. Depending on compatibility modes it should pick up one of them. More info in issue 6420.

If that doesn't work you should be right using --data-ciphers AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305:AES-256-CBC which will retain AEAD options should the peer upgrade from AES-256-CBC.

[JeGr]

Unfortunately that seems broken by OpenVPN design itself. If the other end uses --data-ciphers the local end needs to use it too, but using it breaks --cipher directive for everyone else. I'm not sure OpenVPN thought this through or it doesn't care.


Cheers,
Franco

Perhaps have a look at my post below in the german section? Also cipher is not the backup for data-ciphers, data-ciphers-fallback is used for that and works well enough. We had no problems making switches from OVPN2.4 to 2.5 to 2.6 on devices using data-cipher/-fallback variables setup correctly even with clients older or newer.

https://forum.opnsense.org/index.php?topic=34207.msg165896#msg165896

I know you looked into the issue but data-ciphers and data-ciphers-fallback would be the correct way to go as that's my understanding from what Gerd communicated with the OpenVPN 2.6 release going forward.

Edit:

Starting with 2.6.0, this option is always ignored in TLS mode when it comes to configuring the cipher and will only control the cipher for --secret pre-shared-key mode (note: this mode is deprecated and strictly not recommended).

Documentation states that with 2.6 forward that old cipher config variable is no longer used besides in old site2site configs that are also deprecated. That's why quite a few users run into problems when they had configured other ciphers like -CBC ones in the past, that are now no longer part of the default cipher-set of "data-ciphers" or "data-ciphers-fallback". We need a multiselect field for data-cipher selection and/or an option to mark some of those as optional (new feature of OVPN 2.6) as well as set up a value for data-ciphers-fallback to correctly set up the OVPN server and let older clients connect safely.

Cheers
\jens