wiki:CipherNegotiation

OpenVPN Cipher Negotiation (Quick reference)

This wiki defines the expected behaviour of Cipher Negotiation between common configurations of OpenVPN servers and clients.

Important note: CHACHA20-POLY1305 is widely recognised as a suitable alternative to an AES based cipher.

  • OpenVPN would like to know about any:
    1. Unexpected behaviour.
    2. Errors on this page.

For full details please see:
https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/cipher-negotiation.rst

Effective directives and terms

2.5: --data-ciphers ALG:ALG - Data channel ciphers list. Default: AES-256-GCM:AES-128-GCM
2.5: --data-ciphers-fallback ALG - Single ALG (Essentially the same as --cipher)


Use of --data-ciphers-fallback is limited to:

  • Openvpn Clients which do not support --data-ciphers (Openvpn 2.4, 2.3)

    Solution: Upgrade
    Or, use --data-ciphers-fallback in your Server configuration.

  • Openvpn Clients using --ncp-disable DEPRECATED (Openvpn 2.4)

    Solution: Do NOT use --ncp-disable
    EVER

  • Openvpn built with --enable-small: See below

  • Openvpn Server that does not support Cipher Negotiation:

    Solution: Upgrade
    Otherwise, both Client and Server will DEFAULT to an INSECURE BF-CBC cipher.
    ... Unless both Client and Server have a secure --cipher configured.
    ... otherwise, the VPN connection will fail.

The Point:

 @cron2_ | for clients calling in without NCP                                                               │
 @cron2_ | could be a 2.5 client called with --ncp-disable "because someone on the Internet said so"        │
  wiscii | but that would auto-fallback to AES* ? 2.5 .. no ?                                               │
       * | wiscii checks                                                                                    │
  wiscii | --ncp-disable is deprecated ..                                                                   │
  wiscii | and using it is currently a total fail FATAL error                                               │
  wiscii | ok ,, that is 2.6                                                                                │
  wiscii | i have clearly misunderstood the use of the data-cipher-fallback bit, it's just to convoluted    |
 @cron2_ | the point is that 2.5 and up do not select BF-CBC "by default" anymore, just because it was the  │
         | cipher in earlier times                                                                          │
 @cron2_ | *if* NCP is active, this is a non-issue, because AES                                             │
 @cron2_ | but if *no* NCP is active (old client or --ncp-disable), openvpn does not know what to do, and   │
         | on purpose does not "just use BF-CBC".  So it tells you: if you really want the old behaviour,   │
         | put it into your config.                                                                         │
  wiscii | yep .. i can see that logic                                                                      │

All: --cipher ALG - Data channel cipher. Will be deprecated.

In OpenVPN 2.5 --cipher does not have a default ALG.
In OpenVPN up to 2.4 the default ALG is BF-CBC.

2.4: --ncp-disable - Disable Negotiated Cipher Protocol - Deprecated.
Note: This document does not cover the use of --ncp-disable.

In this Wiki cipher negotiation comes in four flavours:

  • Full negotiation: Both server and client support NCP
  • Partial negotiation: Only the client supports NCP (Known as "Poor man's NCP", See note below)
  • No negotiation: The client does not support NCP (The server NCP has no effect).
  • When the server supports NCP but has a mixture of clients then NCP is defined as 'Yes'.

Cipher negotiation was originally named "Negotiated Cipher Protocol" NCP

Poor Man's NCP

Poor Man's NCP is a term used to describe when either peer does not support cipher negotiation, directly. And the subsequent configurations which can be used to get full AEAD cipher support, without the need to negotiate it.

This wiki fully expands the server side variety of Poor Man's NCP, which means this wiki does not apply that term to the server. This wiki only applies the term to mean the client because it is easier to understand. Also, clients which suffer from Poor Man's NCP can be more easily upgraded than an old server. So this wiki fully explains the server side, while encouraging the user to upgrade their client OpenVPN version.

Common configurations

Commonly expected configurations of the Effective directives above.

Servers

  • Version 2.5
    1. Default configuration: No effective directives specified.
    2. Configuring: --data-ciphers
  • Version 2.4
    1. Default configuration: No effective directives specified.
    2. Configuring: --cipher
    3. Configuring: --cipher and --ncp-disable
  • Version 2.3
    1. Default configuration: No effective directives specified.
    2. Configuring: --cipher
  • Version 2.2
    1. Default configuration: No effective directives specified.
    2. Configuring: All bets are off - Upgrade now!

Clients

  • Version 2.5
    1. Default configuration: No effective directives specified.
  • Version 2.4
    1. Default configuration: No effective directives specified.
    2. Configuring: --cipher
  • Version 2.3
    1. Default configuration: No effective directives specified.
    2. Configuring: --cipher
  • Version 2.2
    1. Default configuration: No effective directives specified.
    2. Configuring: All bets are off - Upgrade now!

Expected Behaviour indexed by Server version

Server version 2.5

Default configuration: No effective directives specified.

--data-ciphers NCP
- Yes
  • Client version 2.5
--data-ciphers NCP Connection
- Full OK. AES-256-GCM
AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC Full OK. AES-256-GCM
AES-256-CBC Full Fail (no shared cipher)
  • Client version 2.4
--cipher NCP Connection
- Full OK. AES-256-GCM
AES-256-CBC Full OK. AES-256-GCM
BF-CBC Full OK. AES-256-GCM
  • Client version 2.3
--cipher NCP Connection
- No Fail (no shared cipher)
AES-256-CBC No Fail (no shared cipher)
BF-CBC No Fail (no shared cipher)
  • Client version 2.2
--cipher NCP Connection
- No Fail (no shared cipher)
AES-256-CBC No Fail (no shared cipher)
BF-CBC No Fail (no shared cipher)

Server version 2.5 Configuring: --data-ciphers

--data-ciphers NCP
AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC Yes
  • Client version 2.3
--cipher NCP Connection
- No Weak BF-CBC
AES-256-CBC No OK. AES-256-CBC
BF-CBC No Weak BF-CBC
  • Client version 2.2
--cipher NCP Connection
- No Weak BF-CBC
AES-256-CBC No OK. AES-256-CBC
BF-CBC No Weak BF-CBC

Server version 2.4

Default configuration: No effective directives specified.

--cipher --ncp-ciphers NCP
- - Yes
  • Client version 2.5
--data-ciphers NCP Connection
- Full OK. AES-256-GCM
AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC Full OK. AES-256-GCM
AES-256-CBC Full Fail (no shared cipher)
  • Client version 2.4
--cipher --ncp-ciphers NCP Connection
- - Full OK. AES-256-GCM
AES-256-CBC - Full OK. AES-256-GCM
BF-CBC - Full OK. AES-256-GCM
  • Client version 2.3
--cipher NCP Connection
- No Weak BF-CBC
AES-256-CBC No Fail (no shared cipher)
BF-CBC No Weak BF-CBC
  • Client version 2.2
--cipher NCP Connection
- No Weak BF-CBC
AES-256-CBC No Fail (no shared cipher)
BF-CBC No Weak BF-CBC

Server version 2.4 Configuring: --cipher

--cipher --ncp-ciphers NCP
AES-256-CBC - Yes
  • Client version 2.5
--data-ciphers NCP Connection
- Full OK. AES-256-GCM
AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC Full OK. AES-256-GCM
AES-256-CBC Full OK. AES-256-CBC
  • Client version 2.4
--cipher --ncp-ciphers NCP Connection
- - Full OK. AES-256-GCM
AES-256-CBC - Full OK. AES-256-GCM
BF-CBC - Full OK. AES-256-GCM
  • Client version 2.3
--cipher NCP Connection
- No Fail (no shared cipher)
AES-256-CBC No OK. AES-256-CBC
BF-CBC No Fail (no shared cipher)
  • Client version 2.2
--cipher NCP Connection
- No Fail (no shared cipher)
AES-256-CBC No OK. AES-256-CBC
BF-CBC No Fail (no shared cipher)

Server version 2.4 Configuring: --cipher and --ncp-disable

--cipher --ncp-ciphers NCP
AES-256-CBC - No --ncp-disable
  • Client version 2.5
--data-ciphers NCP Connection
- Partial Fail (no shared cipher)
AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC Partial OK. AES-256-CBC
  • Client version 2.4
--cipher --ncp-ciphers NCP Connection
- - Partial Fail (no shared cipher)
AES-256-CBC - Partial OK. AES-256-CBC
BF-CBC - Partial Fail (no shared cipher)
  • Client version 2.3
--cipher NCP Connection
- No Fail (no shared cipher)
AES-256-CBC No OK. AES-256-CBC
BF-CBC No Fail (no shared cipher)
  • Client version 2.2
--cipher NCP Connection
- No Fail (no shared cipher)
AES-256-CBC No OK. AES-256-CBC
BF-CBC No Fail (no shared cipher)

Server version 2.3

Default configuration: No effective directives specified.

--cipher NCP
- No
  • Client version 2.5
--data-ciphers NCP Connection
- Partial Fail (no shared cipher)
AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC Partial Weak BF-CBC
  • Client version 2.4
--cipher --ncp-ciphers NCP Connection
- - Partial Fail (no shared cipher)
AES-256-CBC - Partial Fail (no shared cipher)
BF-CBC - Partial Weak BF-CBC
  • Client version 2.3
--cipher NCP Connection
- No Weak BF-CBC
AES-256-CBC No Fail (no shared cipher)
BF-CBC No Weak BF-CBC
  • Client version 2.2
--cipher NCP Connection
- No Weak BF-CBC
AES-256-CBC No Fail (no shared cipher)
BF-CBC No Weak BF-CBC

Server version 2.3 Configuring: --cipher

--cipher NCP
AES-256-CBC No
  • Client version 2.5
--data-ciphers NCP Connection
- Partial Fail (no shared cipher)
AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC Partial OK. AES-256-CBC
  • Client version 2.4
--cipher --ncp-ciphers NCP Connection
- - Partial Fail (no shared cipher)
AES-256-CBC - Partial OK. AES-256-CBC
BF-CBC - Partial Fail (no shared cipher)
  • Client version 2.3
--cipher NCP Connection
- No Fail (no shared cipher)
AES-256-CBC No OK. AES-256-CBC
BF-CBC No Fail (no shared cipher)
  • Client version 2.2
--cipher NCP Connection
- No Fail (no shared cipher)
AES-256-CBC No OK. AES-256-CBC
BF-CBC No Fail (no shared cipher)

Server version 2.2

Default configuration: No effective directives specified.

--cipher NCP
- No
  • Client version 2.5
--data-ciphers NCP Connection
- Partial Fail (no shared cipher)
AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC Partial Weak BF-CBC
  • Client version 2.4
--cipher --ncp-ciphers NCP Connection
- - Partial Weak BF-CBC
AES-256-CBC - Partial Fail (no shared cipher)
BF-CBC - Partial Weak BF-CBC
  • Client version 2.3
--cipher NCP Connection
- No Weak BF-CBC
AES-256-CBC No Fail (no shared cipher)
BF-CBC No Weak BF-CBC
  • Client version 2.2
--cipher NCP Connection
- No Weak BF-CBC
AES-256-CBC No Fail (no shared cipher)
BF-CBC No Weak BF-CBC

Server version 2.2 Configuring: --cipher

--cipher NCP
AES-256-CBC No
  • Client version 2.5
--data-ciphers NCP Connection
- Partial Fail (no shared cipher)
AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC Partial OK. AES-256-CBC
  • Client version 2.4
--cipher --ncp-ciphers NCP Connection
- - Partial Fail (no shared cipher)
AES-256-CBC - Partial OK. AES-256-CBC
BF-CBC - Partial Fail (no shared cipher)
  • Client version 2.3
--cipher NCP Connection
- No Fail (no shared cipher)
AES-256-CBC No OK. AES-256-CBC
BF-CBC No Fail (no shared cipher)
  • Client version 2.2
--cipher NCP Connection
- No Fail (no shared cipher)
AES-256-CBC No OK. AES-256-CBC
BF-CBC No Fail (no shared cipher)

Special requirement: OpenVPN built with --enable-small

When OpenVPN version 2.3 or older is built with --enable-small (Typically found in routers) then Openvpn 2.5 must use --data-ciphers-fallback ALG. The ALG must match the peers --cipher ALG. This is the only case that --data-ciphers-fallback takes effect.

2.5: --data-ciphers-fallback ALG - Fallback data channel cipher
Only to allow OpenVPN version 2.5 to connect with old peers built with --enable-small.
Will be deprecated and removed

Server version 2.3 built with --enable-small

Default configuration: No effective directives specified.

--cipher NCP
- No
  • Client version 2.5
--data-ciphers -fallback NCP Connection
- - No Fail (no shared cipher)
- BF-CBC No Weak BF-CBC

Server version 2.3 built with --enable-small

Configuring: --cipher

--cipher NCP
AES-256-CBC No
  • Client version 2.5
--data-ciphers -fallback NCP Connection
- - No Fail (no shared cipher)
- AES-256-CBC No OK. AES-256-CBC

Client version 2.3 built with --enable-small

Default configuration: No effective directives specified.

--cipher NCP
- No
  • Server version 2.5
--data-ciphers -fallback NCP Connection
- - No Fail (no shared cipher)
- BF-CBC No Weak BF-CBC

Client version 2.3 built with --enable-small

Configuring: --cipher

--cipher NCP
AES-256-CBC No
  • Server version 2.5
--data-ciphers -fallback NCP Connection
- - No Fail (no shared cipher)
- AES-256-CBC No OK. AES-256-CBC
Last modified 8 months ago Last modified on 07/20/23 10:35:36