wiki:CipherNegotiation

OpenVPN Cipher Negotiation (Quick reference)

This wiki defines the expected behaviour of Cipher Negotiation between common configurations of OpenVPN servers and clients.

Important note: CHACHA20-POLY1305 is widely recognised as a suitable alternative to an AES-based cipher.

  • OpenVPN would like to know about any:
    1. Unexpected behaviour.
    2. Errors on this page.

For full details please see:
https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/cipher-negotiation.rst

Effective directives and terms

2.5: --data-ciphers ALG:ALG - Data channel ciphers, in order of preference. Default AES-256-GCM:AES-128-GCM
2.5: --data-ciphers-fallback ALG - A single ALG. Essentially the same as --cipher


Use of --data-ciphers-fallback is limited to:

  • OpenVPN Clients which do not support --data-ciphers (OpenVPN 2.4, 2.3)

    Solution: Upgrade
    Or, use --data-ciphers-fallback in your Server configuration.

  • OpenVPN Clients using --ncp-disable DEPRECATED (OpenVPN 2.4)

    Solution: Do NOT use --ncp-disable, EVER.

  • OpenVPN built with --enable-small: See below

  • OpenVPN Server that does not support Cipher Negotiation (OpenVPN 2.3 and older):

    Solution: Upgrade
    Otherwise, an OpenVPN 2.4 or older Client and such a Server will both DEFAULT to the INSECURE BF-CBC cipher.
    An OpenVPN 2.5 Client has no default --cipher, so its connection to such a Server will fail with "no shared cipher"
    ... unless both Client and Server have a secure cipher configured: --cipher ALG on the Server, and the same ALG
    in --data-ciphers or --data-ciphers-fallback on the Client.

The Point:

 @cron2_ | for clients calling in without NCP
 @cron2_ | could be a 2.5 client called with --ncp-disable "because someone on the Internet said so"
  wiscii | but that would auto-fallback to AES* ? 2.5 .. no ?
       * | wiscii checks
  wiscii | --ncp-disable is deprecated ..
  wiscii | and using it is currently a total fail FATAL error
  wiscii | ok ,, that is 2.6
  wiscii | i have clearly misunderstood the use of the data-cipher-fallback bit, it's just too convoluted
 @cron2_ | the point is that 2.5 and up do not select BF-CBC "by default" anymore, just because it was the
         | cipher in earlier times
 @cron2_ | *if* NCP is active, this is a non-issue, because AES
 @cron2_ | but if *no* NCP is active (old client or --ncp-disable), openvpn does not know what to do, and
         | on purpose does not "just use BF-CBC".  So it tells you: if you really want the old behaviour,
         | put it into your config.
  wiscii | yep .. i can see that logic

All: --cipher ALG - Data channel cipher. Will be deprecated.

In OpenVPN 2.5 --cipher does not have a default ALG.
In OpenVPN up to 2.4 the default ALG is BF-CBC.

2.4: --ncp-disable - Disable NCP - Deprecated.

In this Wiki cipher negotiation comes in four flavours:

  • Full negotiation: Both server and client support NCP.
  • Partial negotiation: Only the client supports NCP (known as "Poor man's NCP").
  • No negotiation: The client does not support NCP (the server's NCP support has no effect).
  • Mixed: The server supports NCP but serves a mixture of clients. In the tables below the server's NCP column is then 'Yes', and the per-client NCP column gives the flavour that applies to each client.

Cipher negotiation was originally named "Negotiated Cipher Protocol" (NCP).
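The flavours above, together with the directive defaults listed under "Effective directives and terms", can be written down as a short decision procedure. The following Python model is an added example for this page, not OpenVPN's own code: it encodes the rules the tables below tabulate (full negotiation: the server picks the first of its --data-ciphers / --ncp-ciphers that the client also offers; partial negotiation: the negotiating side adopts the cipher its peer announces if that cipher is in its own list, otherwise uses its --cipher or --data-ciphers-fallback; no negotiation: both --cipher values must match, and a 2.5 peer has no default) and replays a few constructed rows from those tables. `Peer`, `negotiate`, `replay`, `PAGE_ROWS` and `ALL4` are the example's own names, and treating a --enable-small build as announcing no cipher to its peer is this example's assumption, not something the page states.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Example model of the negotiation rules tabulated on this page; not OpenVPN's code.
NCP_DEFAULT = ["AES-256-GCM", "AES-128-GCM"]  # default --data-ciphers (2.5) / --ncp-ciphers (2.4)
LEGACY_DEFAULT = "BF-CBC"                      # default --cipher in 2.4 and older; 2.5 has none


@dataclass
class Peer:
    version: str                         # "2.5", "2.4", "2.3" or "2.2"
    cipher: Optional[str] = None         # --cipher ALG
    ciphers: Optional[List[str]] = None  # --data-ciphers (2.5) / --ncp-ciphers (2.4)
    fallback: Optional[str] = None       # --data-ciphers-fallback ALG (2.5 only)
    ncp_disable: bool = False            # --ncp-disable (2.4 only)
    enable_small: bool = False           # built with --enable-small

    @property
    def ncp(self) -> bool:
        """True if this peer negotiates at all."""
        return self.version in ("2.5", "2.4") and not self.ncp_disable

    @property
    def ncp_list(self) -> List[str]:
        """Ciphers this peer is willing to negotiate (empty when it does not negotiate)."""
        if not self.ncp:
            return []
        return list(self.ciphers) if self.ciphers else list(NCP_DEFAULT)

    @property
    def legacy(self) -> Optional[str]:
        """Cipher used when no negotiation happens. A 2.5 peer has no default."""
        if self.version == "2.5":
            return self.fallback or self.cipher
        return self.cipher or LEGACY_DEFAULT

    @property
    def occ(self) -> Optional[str]:
        """Cipher the peer announces to the other side. Assumption of this example: a
        --enable-small build announces nothing, which is why it needs --data-ciphers-fallback."""
        return None if self.enable_small else self.legacy


def verdict(alg: str) -> Tuple[str, str]:
    """Label the outcome the way the tables do: BF-CBC connects but is 'Weak'."""
    return ("Weak" if alg == "BF-CBC" else "OK", alg)


def negotiate(server: Peer, client: Peer) -> Tuple[str, Optional[str]]:
    """Return ("OK" | "Weak", cipher) or ("Fail", None) for one server/client pairing."""
    if server.ncp and client.ncp:
        # Full negotiation: the server's preference order, restricted to what the client offers.
        # A 2.4 client offers its --ncp-ciphers plus its --cipher; a 2.5 client exactly --data-ciphers.
        offered = client.ncp_list + ([client.legacy] if client.version == "2.4" else [])
        for alg in server.ncp_list:
            if alg in offered:
                return verdict(alg)
        # Nothing in common: the server carries on as if the client did not negotiate.

    s_alg, c_alg = server.legacy, client.legacy
    if client.ncp and server.occ in client.ncp_list:
        c_alg = server.occ   # partial negotiation ("poor man's NCP") done by the client
    elif server.version == "2.5" and not client.ncp and client.occ in server.ncp_list:
        s_alg = client.occ   # a 2.5 server adopting the cipher an old client announces
    if s_alg is not None and s_alg == c_alg:
        return verdict(s_alg)
    return ("Fail", None)


# Constructed pairings taken from the tables on this page, with the verdicts the page gives.
ALL4 = NCP_DEFAULT + ["AES-256-CBC", "BF-CBC"]
PAGE_ROWS = [
    ("2.5 server default / 2.5 client default", Peer("2.5"), Peer("2.5"), ("OK", "AES-256-GCM")),
    ("2.5 server default / 2.3 client default", Peer("2.5"), Peer("2.3"), ("Fail", None)),
    ("2.5 server --data-ciphers ALL4 / 2.3 client default",
     Peer("2.5", ciphers=ALL4), Peer("2.3"), ("Weak", "BF-CBC")),
    ("2.4 server --cipher AES-256-CBC / 2.5 client --data-ciphers AES-256-CBC",
     Peer("2.4", cipher="AES-256-CBC"), Peer("2.5", ciphers=["AES-256-CBC"]), ("OK", "AES-256-CBC")),
    ("2.4 server --cipher AES-256-CBC --ncp-disable / 2.4 client default",
     Peer("2.4", cipher="AES-256-CBC", ncp_disable=True), Peer("2.4"), ("Fail", None)),
    ("2.3 server default / 2.5 client --data-ciphers ALL4",
     Peer("2.3"), Peer("2.5", ciphers=ALL4), ("Weak", "BF-CBC")),
    ("2.3 --enable-small server default / 2.5 client default",
     Peer("2.3", enable_small=True), Peer("2.5"), ("Fail", None)),
    ("2.3 --enable-small server default / 2.5 client --data-ciphers-fallback BF-CBC",
     Peer("2.3", enable_small=True), Peer("2.5", fallback="BF-CBC"), ("Weak", "BF-CBC")),
]


def replay() -> List[str]:
    """Rows where the model disagrees with the page; an empty list means full agreement."""
    return [label for label, srv, cli, want in PAGE_ROWS if negotiate(srv, cli) != want]


if __name__ == "__main__":
    for label, srv, cli, _ in PAGE_ROWS:
        print(f"{label}: {negotiate(srv, cli)}")
    print("mismatches:", replay())
```

Run it to print the verdict for each constructed pairing; `replay()` returns the labels of rows where the model disagrees with the page, so adding a suspected table error to `PAGE_ROWS` is a quick way to check it against the stated rules before reporting it.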

Common configurations

Commonly expected configurations of the Effective directives above.

Servers

  • Version 2.5
    1. Default configuration: No effective directives specified.
    2. Configuring: --data-ciphers
  • Version 2.4
    1. Default configuration: No effective directives specified.
    2. Configuring: --cipher
    3. Configuring: --cipher and --ncp-disable
  • Version 2.3
    1. Default configuration: No effective directives specified.
    2. Configuring: --cipher
  • Version 2.2
    1. Default configuration: No effective directives specified.
    2. Configuring: All bets are off - Upgrade now!

Clients

  • Version 2.5
    1. Default configuration: No effective directives specified.
  • Version 2.4
    1. Default configuration: No effective directives specified.
    2. Configuring: --cipher
  • Version 2.3
    1. Default configuration: No effective directives specified.
    2. Configuring: --cipher
  • Version 2.2
    1. Default configuration: No effective directives specified.
    2. Configuring: All bets are off - Upgrade now!

Expected Behaviour indexed by Server version

In the tables below, "-" in a directive column means the directive is not specified (the version's default applies), NCP names the negotiation flavour in effect for that pairing, and Connection gives the resulting data channel cipher ("Weak" marks a connection that succeeds but uses BF-CBC).

Server version 2.5

Default configuration: No effective directives specified.

  Server --data-ciphers   NCP
  -                       Yes

  • Client version 2.5

    Client --data-ciphers                       NCP   Connection
    -                                           Full  OK. AES-256-GCM
    AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC  Full  OK. AES-256-GCM
    AES-256-CBC                                 Full  Fail (no shared cipher)

  • Client version 2.4

    Client --cipher   NCP   Connection
    -                 Full  OK. AES-256-GCM
    AES-256-CBC       Full  OK. AES-256-GCM
    BF-CBC            Full  OK. AES-256-GCM

  • Client version 2.3

    Client --cipher   NCP   Connection
    -                 No    Fail (no shared cipher)
    AES-256-CBC       No    Fail (no shared cipher)
    BF-CBC            No    Fail (no shared cipher)

  • Client version 2.2

    Client --cipher   NCP   Connection
    -                 No    Fail (no shared cipher)
    AES-256-CBC       No    Fail (no shared cipher)
    BF-CBC            No    Fail (no shared cipher)

Server version 2.5 Configuring: --data-ciphers

  Server --data-ciphers                       NCP
  AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC  Yes

  • Client version 2.3

    Client --cipher   NCP   Connection
    -                 No    Weak BF-CBC
    AES-256-CBC       No    OK. AES-256-CBC
    BF-CBC            No    Weak BF-CBC

  • Client version 2.2

    Client --cipher   NCP   Connection
    -                 No    Weak BF-CBC
    AES-256-CBC       No    OK. AES-256-CBC
    BF-CBC            No    Weak BF-CBC

Server version 2.4

Default configuration: No effective directives specified.

  Server --cipher   Server --ncp-ciphers   NCP
  -                 -                      Yes

  • Client version 2.5

    Client --data-ciphers                       NCP   Connection
    -                                           Full  OK. AES-256-GCM
    AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC  Full  OK. AES-256-GCM
    AES-256-CBC                                 Full  Fail (no shared cipher)

  • Client version 2.4

    Client --cipher   Client --ncp-ciphers   NCP   Connection
    -                 -                      Full  OK. AES-256-GCM
    AES-256-CBC       -                      Full  OK. AES-256-GCM
    BF-CBC            -                      Full  OK. AES-256-GCM

  • Client version 2.3

    Client --cipher   NCP   Connection
    -                 No    Weak BF-CBC
    AES-256-CBC       No    Fail (no shared cipher)
    BF-CBC            No    Weak BF-CBC

  • Client version 2.2

    Client --cipher   NCP   Connection
    -                 No    Weak BF-CBC
    AES-256-CBC       No    Fail (no shared cipher)
    BF-CBC            No    Weak BF-CBC

Server version 2.4 Configuring: --cipher

  Server --cipher   Server --ncp-ciphers   NCP
  AES-256-CBC       -                      Yes

  • Client version 2.5

    Client --data-ciphers                       NCP   Connection
    -                                           Full  OK. AES-256-GCM
    AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC  Full  OK. AES-256-GCM
    AES-256-CBC                                 Full  OK. AES-256-CBC

  • Client version 2.4

    Client --cipher   Client --ncp-ciphers   NCP   Connection
    -                 -                      Full  OK. AES-256-GCM
    AES-256-CBC       -                      Full  OK. AES-256-GCM
    BF-CBC            -                      Full  OK. AES-256-GCM

  • Client version 2.3

    Client --cipher   NCP   Connection
    -                 No    Fail (no shared cipher)
    AES-256-CBC       No    OK. AES-256-CBC
    BF-CBC            No    Fail (no shared cipher)

  • Client version 2.2

    Client --cipher   NCP   Connection
    -                 No    Fail (no shared cipher)
    AES-256-CBC       No    OK. AES-256-CBC
    BF-CBC            No    Fail (no shared cipher)

Server version 2.4 Configuring: --cipher and --ncp-disable

  Server --cipher   Server --ncp-ciphers   NCP
  AES-256-CBC       -                      No (--ncp-disable)

  • Client version 2.5

    Client --data-ciphers                       NCP      Connection
    -                                           Partial  Fail (no shared cipher)
    AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC  Partial  OK. AES-256-CBC

  • Client version 2.4

    Client --cipher   Client --ncp-ciphers   NCP      Connection
    -                 -                      Partial  Fail (no shared cipher)
    AES-256-CBC       -                      Partial  OK. AES-256-CBC
    BF-CBC            -                      Partial  Fail (no shared cipher)

  • Client version 2.3

    Client --cipher   NCP   Connection
    -                 No    Fail (no shared cipher)
    AES-256-CBC       No    OK. AES-256-CBC
    BF-CBC            No    Fail (no shared cipher)

  • Client version 2.2

    Client --cipher   NCP   Connection
    -                 No    Fail (no shared cipher)
    AES-256-CBC       No    OK. AES-256-CBC
    BF-CBC            No    Fail (no shared cipher)

Server version 2.3

Default configuration: No effective directives specified.

  Server --cipher   NCP
  -                 No

  • Client version 2.5

    Client --data-ciphers                       NCP      Connection
    -                                           Partial  Fail (no shared cipher)
    AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC  Partial  Weak BF-CBC

  • Client version 2.4

    Client --cipher   Client --ncp-ciphers   NCP      Connection
    -                 -                      Partial  Weak BF-CBC
    AES-256-CBC       -                      Partial  Fail (no shared cipher)
    BF-CBC            -                      Partial  Weak BF-CBC

  • Client version 2.3

    Client --cipher   NCP   Connection
    -                 No    Weak BF-CBC
    AES-256-CBC       No    Fail (no shared cipher)
    BF-CBC            No    Weak BF-CBC

  • Client version 2.2

    Client --cipher   NCP   Connection
    -                 No    Weak BF-CBC
    AES-256-CBC       No    Fail (no shared cipher)
    BF-CBC            No    Weak BF-CBC

Server version 2.3 Configuring: --cipher

  Server --cipher   NCP
  AES-256-CBC       No

  • Client version 2.5

    Client --data-ciphers                       NCP      Connection
    -                                           Partial  Fail (no shared cipher)
    AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC  Partial  OK. AES-256-CBC

  • Client version 2.4

    Client --cipher   Client --ncp-ciphers   NCP      Connection
    -                 -                      Partial  Fail (no shared cipher)
    AES-256-CBC       -                      Partial  OK. AES-256-CBC
    BF-CBC            -                      Partial  Fail (no shared cipher)

  • Client version 2.3

    Client --cipher   NCP   Connection
    -                 No    Fail (no shared cipher)
    AES-256-CBC       No    OK. AES-256-CBC
    BF-CBC            No    Fail (no shared cipher)

  • Client version 2.2

    Client --cipher   NCP   Connection
    -                 No    Fail (no shared cipher)
    AES-256-CBC       No    OK. AES-256-CBC
    BF-CBC            No    Fail (no shared cipher)

Server version 2.2

Default configuration: No effective directives specified.

  Server --cipher   NCP
  -                 No

  • Client version 2.5

    Client --data-ciphers                       NCP      Connection
    -                                           Partial  Fail (no shared cipher)
    AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC  Partial  Weak BF-CBC

  • Client version 2.4

    Client --cipher   Client --ncp-ciphers   NCP      Connection
    -                 -                      Partial  Weak BF-CBC
    AES-256-CBC       -                      Partial  Fail (no shared cipher)
    BF-CBC            -                      Partial  Weak BF-CBC

  • Client version 2.3

    Client --cipher   NCP   Connection
    -                 No    Weak BF-CBC
    AES-256-CBC       No    Fail (no shared cipher)
    BF-CBC            No    Weak BF-CBC

  • Client version 2.2

    Client --cipher   NCP   Connection
    -                 No    Weak BF-CBC
    AES-256-CBC       No    Fail (no shared cipher)
    BF-CBC            No    Weak BF-CBC

Server version 2.2 Configuring: --cipher

  Server --cipher   NCP
  AES-256-CBC       No

  • Client version 2.5

    Client --data-ciphers                       NCP      Connection
    -                                           Partial  Fail (no shared cipher)
    AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC  Partial  OK. AES-256-CBC

  • Client version 2.4

    Client --cipher   Client --ncp-ciphers   NCP      Connection
    -                 -                      Partial  Fail (no shared cipher)
    AES-256-CBC       -                      Partial  OK. AES-256-CBC
    BF-CBC            -                      Partial  Fail (no shared cipher)

  • Client version 2.3

    Client --cipher   NCP   Connection
    -                 No    Fail (no shared cipher)
    AES-256-CBC       No    OK. AES-256-CBC
    BF-CBC            No    Fail (no shared cipher)

  • Client version 2.2

    Client --cipher   NCP   Connection
    -                 No    Fail (no shared cipher)
    AES-256-CBC       No    OK. AES-256-CBC
    BF-CBC            No    Fail (no shared cipher)

Special requirement: OpenVPN built with --enable-small

When OpenVPN version 2.3 or older is built with --enable-small (typically found in routers) then OpenVPN 2.5 must use --data-ciphers-fallback ALG, and that ALG must match the peer's --cipher ALG. This is the one case where --data-ciphers-fallback cannot be avoided: with other non-negotiating peers the peer's cipher can instead be listed in --data-ciphers (see the tables above), but a peer built with --enable-small can only be reached through the fallback cipher.

2.5: --data-ciphers-fallback ALG - Fallback data channel cipher
Only needed to allow OpenVPN version 2.5 to connect with old peers built with --enable-small.
Will be deprecated and removed.

Server version 2.3 built with --enable-small

Default configuration: No effective directives specified.

  Server --cipher   NCP
  -                 No

  • Client version 2.5

    Client --data-ciphers   Client --data-ciphers-fallback   NCP   Connection
    -                       -                                No    Fail (no shared cipher)
    -                       BF-CBC                           No    Weak BF-CBC

Server version 2.3 built with --enable-small

Configuring: --cipher

  Server --cipher   NCP
  AES-256-CBC       No

  • Client version 2.5

    Client --data-ciphers   Client --data-ciphers-fallback   NCP   Connection
    -                       -                                No    Fail (no shared cipher)
    -                       AES-256-CBC                      No    OK. AES-256-CBC

Client version 2.3 built with --enable-small

Default configuration: No effective directives specified.

  Client --cipher   NCP
  -                 No

  • Server version 2.5

    Server --data-ciphers   Server --data-ciphers-fallback   NCP   Connection
    -                       -                                No    Fail (no shared cipher)
    -                       BF-CBC                           No    Weak BF-CBC

Client version 2.3 built with --enable-small

Configuring: --cipher

  Client --cipher   NCP
  AES-256-CBC       No

  • Server version 2.5

    Server --data-ciphers   Server --data-ciphers-fallback   NCP   Connection
    -                       -                                No    Fail (no shared cipher)
    -                       AES-256-CBC                      No    OK. AES-256-CBC
Last modified on 10/05/21 22:57:40