OpenVPN Cipher Negotiation (Quick reference)

This wiki defines the expected behaviour of cipher negotiation between common configurations of OpenVPN servers and clients.

Important note: CHACHA20-POLY1305 is widely recognised as a suitable alternative to an AES based cipher.

OpenVPN would like to know about any:
- Unexpected behaviour.
- Errors on this page.

For full details please see:
https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/cipher-negotiation.rst
Effective directives and terms

2.5: --data-ciphers ALG:ALG
- Data channel ciphers list. Default: AES-256-GCM:AES-128-GCM

2.5: --data-ciphers-fallback ALG
- Single ALG (essentially the same as --cipher)
Use of --data-ciphers-fallback is limited to:
- OpenVPN clients which do not support --data-ciphers (OpenVPN 2.4, 2.3).
  Solution: Upgrade. Or, use --data-ciphers-fallback in your Server configuration.
- OpenVPN clients using --ncp-disable, which is DEPRECATED (OpenVPN 2.4).
  Solution: Do NOT use --ncp-disable, EVER.
- OpenVPN built with --enable-small: see below.
- An OpenVPN Server that does not support cipher negotiation.
  Solution: Upgrade.

Otherwise, both Client and Server will DEFAULT to the INSECURE BF-CBC cipher, unless both Client and Server have a secure --cipher configured. If the two sides do not end up with a shared cipher, the VPN connection will fail.
The Point:

@cron2_ | for clients calling in without NCP
@cron2_ | could be a 2.5 client called with --ncp-disable "because someone on the Internet said so"
wiscii | but that would auto-fallback to AES* ? 2.5 .. no ?
* wiscii checks
wiscii | --ncp-disable is deprecated ..
wiscii | and using it is currently a total fail FATAL error
wiscii | ok ,, that is 2.6
wiscii | i have clearly misunderstood the use of the data-cipher-fallback bit, it's just too convoluted
@cron2_ | the point is that 2.5 and up do not select BF-CBC "by default" anymore, just because it was the cipher in earlier times
@cron2_ | *if* NCP is active, this is a non-issue, because AES
@cron2_ | but if *no* NCP is active (old client or --ncp-disable), openvpn does not know what to do, and on purpose does not "just use BF-CBC". So it tells you: if you really want the old behaviour, put it into your config.
wiscii | yep .. i can see that logic
All: --cipher ALG
- Data channel cipher. Will be deprecated.
  In OpenVPN 2.5 --cipher does not have a default ALG.
  In OpenVPN up to 2.4 the default ALG is BF-CBC.

2.4: --ncp-disable
- Disable Negotiated Cipher Protocol. Deprecated.
  Note: This document does not cover the use of --ncp-disable.
In this wiki cipher negotiation comes in four flavours:
- Full negotiation: Both server and client support NCP.
- Partial negotiation: Only the client supports NCP (known as "Poor man's NCP", see note below).
- No negotiation: The client does not support NCP (the server's NCP has no effect).
- When the server supports NCP but has a mixture of clients, the server's NCP is recorded as 'Yes' and the outcome depends on each client.

Cipher negotiation was originally named "Negotiated Cipher Protocol" (NCP).
Poor Man's NCP

Poor Man's NCP is a term used to describe the situation in which one of the two peers does not support cipher negotiation directly, and the configurations which can then be used to get full AEAD cipher support without needing to negotiate it.

This wiki fully expands the server-side variety of Poor Man's NCP in the tables below, so it does not apply the term to servers. It applies the term only to clients, because that is easier to understand, and because clients which suffer from Poor Man's NCP can be upgraded more easily than an old server. So this wiki fully explains the server side, while encouraging the user to upgrade their client OpenVPN version.
Common configurations

Commonly expected configurations of the Effective directives above.

Servers
- Version 2.5
  - Default configuration: No effective directives specified.
  - Configuring: --data-ciphers
- Version 2.4
  - Default configuration: No effective directives specified.
  - Configuring: --cipher
  - Configuring: --cipher and --ncp-disable
- Version 2.3
  - Default configuration: No effective directives specified.
  - Configuring: --cipher
- Version 2.2
  - Default configuration: No effective directives specified.
  - Configuring: All bets are off - Upgrade now!

Clients
- Version 2.5
  - Default configuration: No effective directives specified.
- Version 2.4
  - Default configuration: No effective directives specified.
  - Configuring: --cipher
- Version 2.3
  - Default configuration: No effective directives specified.
  - Configuring: --cipher
- Version 2.2
  - Default configuration: No effective directives specified.
  - Configuring: All bets are off - Upgrade now!
Expected Behaviour indexed by Server version

Server version 2.5
Default configuration: No effective directives specified.

--data-ciphers | NCP | Connection
---|---|---
- | Full | OK. AES-256-GCM
AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC | Full | OK. AES-256-GCM
AES-256-CBC | Full | Fail (no shared cipher)

--cipher | NCP | Connection
---|---|---
- | Full | OK. AES-256-GCM
AES-256-CBC | Full | OK. AES-256-GCM
BF-CBC | Full | OK. AES-256-GCM

--cipher | NCP | Connection
---|---|---
- | No | Fail (no shared cipher)
AES-256-CBC | No | Fail (no shared cipher)
BF-CBC | No | Fail (no shared cipher)

--cipher | NCP | Connection
---|---|---
- | No | Fail (no shared cipher)
AES-256-CBC | No | Fail (no shared cipher)
BF-CBC | No | Fail (no shared cipher)
Server version 2.5 Configuring: --data-ciphers

--data-ciphers | NCP
---|---
AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC | Yes

--cipher | NCP | Connection
---|---|---
- | No | Weak BF-CBC
AES-256-CBC | No | OK. AES-256-CBC
BF-CBC | No | Weak BF-CBC

--cipher | NCP | Connection
---|---|---
- | No | Weak BF-CBC
AES-256-CBC | No | OK. AES-256-CBC
BF-CBC | No | Weak BF-CBC
Server version 2.4
Default configuration: No effective directives specified.

--cipher | --ncp-ciphers | NCP
---|---|---
- | - | Yes

--data-ciphers | NCP | Connection
---|---|---
- | Full | OK. AES-256-GCM
AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC | Full | OK. AES-256-GCM
AES-256-CBC | Full | Fail (no shared cipher)

--cipher | --ncp-ciphers | NCP | Connection
---|---|---|---
- | - | Full | OK. AES-256-GCM
AES-256-CBC | - | Full | OK. AES-256-GCM
BF-CBC | - | Full | OK. AES-256-GCM

--cipher | NCP | Connection
---|---|---
- | No | Weak BF-CBC
AES-256-CBC | No | Fail (no shared cipher)
BF-CBC | No | Weak BF-CBC

--cipher | NCP | Connection
---|---|---
- | No | Weak BF-CBC
AES-256-CBC | No | Fail (no shared cipher)
BF-CBC | No | Weak BF-CBC
Server version 2.4 Configuring: --cipher

--cipher | --ncp-ciphers | NCP
---|---|---
AES-256-CBC | - | Yes

--data-ciphers | NCP | Connection
---|---|---
- | Full | OK. AES-256-GCM
AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC | Full | OK. AES-256-GCM
AES-256-CBC | Full | OK. AES-256-CBC

--cipher | --ncp-ciphers | NCP | Connection
---|---|---|---
- | - | Full | OK. AES-256-GCM
AES-256-CBC | - | Full | OK. AES-256-GCM
BF-CBC | - | Full | OK. AES-256-GCM

--cipher | NCP | Connection
---|---|---
- | No | Fail (no shared cipher)
AES-256-CBC | No | OK. AES-256-CBC
BF-CBC | No | Fail (no shared cipher)

--cipher | NCP | Connection
---|---|---
- | No | Fail (no shared cipher)
AES-256-CBC | No | OK. AES-256-CBC
BF-CBC | No | Fail (no shared cipher)
Server version 2.4 Configuring: --cipher and --ncp-disable

--cipher | --ncp-ciphers | NCP
---|---|---
AES-256-CBC | - | No (--ncp-disable)

--data-ciphers | NCP | Connection
---|---|---
- | Partial | Fail (no shared cipher)
AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC | Partial | OK. AES-256-CBC

--cipher | --ncp-ciphers | NCP | Connection
---|---|---|---
- | - | Partial | Fail (no shared cipher)
AES-256-CBC | - | Partial | OK. AES-256-CBC
BF-CBC | - | Partial | Fail (no shared cipher)

--cipher | NCP | Connection
---|---|---
- | No | Fail (no shared cipher)
AES-256-CBC | No | OK. AES-256-CBC
BF-CBC | No | Fail (no shared cipher)

--cipher | NCP | Connection
---|---|---
- | No | Fail (no shared cipher)
AES-256-CBC | No | OK. AES-256-CBC
BF-CBC | No | Fail (no shared cipher)
Server version 2.3
Default configuration: No effective directives specified.

--data-ciphers | NCP | Connection
---|---|---
- | Partial | Fail (no shared cipher)
AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC | Partial | Weak BF-CBC

--cipher | --ncp-ciphers | NCP | Connection
---|---|---|---
- | - | Partial | Fail (no shared cipher)
AES-256-CBC | - | Partial | Fail (no shared cipher)
BF-CBC | - | Partial | Weak BF-CBC

--cipher | NCP | Connection
---|---|---
- | No | Weak BF-CBC
AES-256-CBC | No | Fail (no shared cipher)
BF-CBC | No | Weak BF-CBC

--cipher | NCP | Connection
---|---|---
- | No | Weak BF-CBC
AES-256-CBC | No | Fail (no shared cipher)
BF-CBC | No | Weak BF-CBC
Server version 2.3 Configuring: --cipher

--cipher | NCP
---|---
AES-256-CBC | No

--data-ciphers | NCP | Connection
---|---|---
- | Partial | Fail (no shared cipher)
AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC | Partial | OK. AES-256-CBC

--cipher | --ncp-ciphers | NCP | Connection
---|---|---|---
- | - | Partial | Fail (no shared cipher)
AES-256-CBC | - | Partial | OK. AES-256-CBC
BF-CBC | - | Partial | Fail (no shared cipher)

--cipher | NCP | Connection
---|---|---
- | No | Fail (no shared cipher)
AES-256-CBC | No | OK. AES-256-CBC
BF-CBC | No | Fail (no shared cipher)

--cipher | NCP | Connection
---|---|---
- | No | Fail (no shared cipher)
AES-256-CBC | No | OK. AES-256-CBC
BF-CBC | No | Fail (no shared cipher)
Server version 2.2
Default configuration: No effective directives specified.

--data-ciphers | NCP | Connection
---|---|---
- | Partial | Fail (no shared cipher)
AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC | Partial | Weak BF-CBC

--cipher | --ncp-ciphers | NCP | Connection
---|---|---|---
- | - | Partial | Weak BF-CBC
AES-256-CBC | - | Partial | Fail (no shared cipher)
BF-CBC | - | Partial | Weak BF-CBC

--cipher | NCP | Connection
---|---|---
- | No | Weak BF-CBC
AES-256-CBC | No | Fail (no shared cipher)
BF-CBC | No | Weak BF-CBC

--cipher | NCP | Connection
---|---|---
- | No | Weak BF-CBC
AES-256-CBC | No | Fail (no shared cipher)
BF-CBC | No | Weak BF-CBC
Server version 2.2 Configuring: --cipher

--cipher | NCP
---|---
AES-256-CBC | No

--data-ciphers | NCP | Connection
---|---|---
- | Partial | Fail (no shared cipher)
AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC | Partial | OK. AES-256-CBC

--cipher | --ncp-ciphers | NCP | Connection
---|---|---|---
- | - | Partial | Fail (no shared cipher)
AES-256-CBC | - | Partial | OK. AES-256-CBC
BF-CBC | - | Partial | Fail (no shared cipher)

--cipher | NCP | Connection
---|---|---
- | No | Fail (no shared cipher)
AES-256-CBC | No | OK. AES-256-CBC
BF-CBC | No | Fail (no shared cipher)

--cipher | NCP | Connection
---|---|---
- | No | Fail (no shared cipher)
AES-256-CBC | No | OK. AES-256-CBC
BF-CBC | No | Fail (no shared cipher)
Special requirement: OpenVPN built with --enable-small

When OpenVPN version 2.3 or older is built with --enable-small (typically found in routers), then OpenVPN 2.5 must use --data-ciphers-fallback ALG. The ALG must match the peer's --cipher ALG. This is the only case in which --data-ciphers-fallback takes effect.

2.5: --data-ciphers-fallback ALG
- Fallback data channel cipher. Only to allow OpenVPN version 2.5 to connect with old peers built with --enable-small. Will be deprecated and removed.
Server version 2.3 built with --enable-small
Default configuration: No effective directives specified.

--data-ciphers | --data-ciphers-fallback | NCP | Connection
---|---|---|---
- | - | No | Fail (no shared cipher)
- | BF-CBC | No | Weak BF-CBC
Server version 2.3 built with --enable-small
Configuring: --cipher

--cipher | NCP
---|---
AES-256-CBC | No

--data-ciphers | --data-ciphers-fallback | NCP | Connection
---|---|---|---
- | - | No | Fail (no shared cipher)
- | AES-256-CBC | No | OK. AES-256-CBC
Client version 2.3 built with --enable-small
Default configuration: No effective directives specified.

--data-ciphers | --data-ciphers-fallback | NCP | Connection
---|---|---|---
- | - | No | Fail (no shared cipher)
- | BF-CBC | No | Weak BF-CBC
Client version 2.3 built with --enable-small
Configuring: --cipher

--cipher | NCP
---|---
AES-256-CBC | No

--data-ciphers | --data-ciphers-fallback | NCP | Connection
---|---|---|---
- | - | No | Fail (no shared cipher)
- | AES-256-CBC | No | OK. AES-256-CBC
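As an added illustration (not part of this wiki or of OpenVPN's own code), the Python model below encodes the four negotiation flavours and the --data-ciphers-fallback rule described above as one decision function, using the defaults the page states. The Peer fields, the rule that a 2.5 peer only uses its fallback cipher against an --enable-small peer, and the "server preference order wins" ordering are modelling assumptions; the model is a simplification to be checked against the tables, not a substitute for them.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Default --data-ciphers (2.5) / --ncp-ciphers (2.4) list, as stated on this page.
DEFAULT_NCP = ["AES-256-GCM", "AES-128-GCM"]
WEAK = {"BF-CBC"}

@dataclass
class Peer:
    version: str                      # "2.5", "2.4", "2.3" or "2.2"
    cipher: Optional[str] = None      # --cipher (None: not configured)
    ncp: Optional[List[str]] = None   # --data-ciphers (2.5) / --ncp-ciphers (2.4)
    fallback: Optional[str] = None    # --data-ciphers-fallback (2.5 only)
    ncp_disable: bool = False         # --ncp-disable (2.4, deprecated)
    enable_small: bool = False        # built with --enable-small (2.3 or older)
    def supports_ncp(self) -> bool:
        return self.version in ("2.5", "2.4") and not self.ncp_disable

    def accepts(self, other: "Peer") -> List[str]:
        """Ciphers this peer will use against `other`, in preference order."""
        if self.version == "2.5":
            # 2.5 has no default --cipher. Modelling assumption from the text above:
            # an --enable-small peer can only be reached via --data-ciphers-fallback.
            if other.enable_small:
                return [self.fallback] if self.fallback else []
            return list(self.ncp or DEFAULT_NCP)
        fixed = [self.cipher or "BF-CBC"]  # up to 2.4, --cipher defaults to BF-CBC
        if self.supports_ncp():
            return list(self.ncp or DEFAULT_NCP) + fixed  # NCP list, then its own --cipher
        return fixed

def negotiate(server: Peer, client: Peer) -> Tuple[str, str]:
    """Return (NCP flavour, Connection) in the wording of the tables on this page."""
    if server.supports_ncp() and client.supports_ncp():
        mode = "Full"
    elif client.supports_ncp() and not server.enable_small:
        mode = "Partial"  # "Poor man's NCP": only the client negotiates
    else:
        mode = "No"
    for alg in server.accepts(client):  # modelling assumption: server preference wins
        if alg in client.accepts(server):
            return mode, ("Weak " if alg in WEAK else "OK. ") + alg
    return mode, "Fail (no shared cipher)"

if __name__ == "__main__":
    old_friendly = DEFAULT_NCP + ["AES-256-CBC", "BF-CBC"]
    print(negotiate(Peer("2.5", ncp=old_friendly), Peer("2.3")))  # ('No', 'Weak BF-CBC')
    print(negotiate(Peer("2.3", cipher="AES-256-CBC", enable_small=True),
                    Peer("2.5", fallback="AES-256-CBC")))         # ('No', 'OK. AES-256-CBC')
```

A row where the model disagrees with a table is either a table error worth reporting (as the page asks) or a detail the simplification leaves out; the tables remain the reference.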