OpenVPN Cipher Negotiation (Quick reference)
This wiki defines the expected behaviour of Cipher Negotiation between common configurations of OpenVPN servers and clients.
For full details please see:
https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/cipher-negotiation.rst
Effective directives

- --data-ciphers ALG:ALG - Data channel ciphers. Default ALG: AES-256-GCM:AES-128-GCM
- --data-ciphers-fallback ALG - Fallback data channel cipher.
- --cipher ALG - Data channel cipher. To be deprecated. In OpenVPN 2.5 --cipher does not have a default ALG. In OpenVPN up to 2.4 the default ALG is BF-CBC.
- --ncp-disable - Disable NCP. Deprecated.
Common configurations

Commonly expected configurations of the Effective directives above.

Servers
- Version 2.5
  - Default configuration: No effective directives specified.
  - Configuring: --data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC and --cipher BF-CBC
- Version 2.4
  - Default configuration: No effective directives specified.
  - Configuring: --cipher
  - Configuring: --cipher and --ncp-disable
- Version 2.3
  - Default configuration: No effective directives specified.
  - Configuring: --cipher
- Version 2.2
  - Default configuration: No effective directives specified.
  - All bets are off.

Clients
- Version 2.5
  - Default configuration: No effective directives specified.
- Version 2.4
  - Default configuration: No effective directives specified.
  - Configuring: --cipher
- Version 2.3
  - Default configuration: No effective directives specified.
  - Configuring: --cipher
- Version 2.2
  - Default configuration: No effective directives specified.
  - Configuring: All bets are off. Upgrade now.
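As an added example (not part of this wiki page or of the OpenVPN project), the Python below resolves what the effective directives above amount to for a given OpenVPN version, applying only the defaults stated on this page. It assumes the config-file spelling of the directives (and --data-ciphers-fallback as the fallback directive); the configs it is fed are constructed samples.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Defaults quoted in the "Effective directives" section of this page.
DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]  # --data-ciphers default
LEGACY_DEFAULT_CIPHER = "BF-CBC"                       # --cipher default up to 2.4

@dataclass
class Effective:
    data_ciphers: List[str]        # list offered to NCP-capable peers
    fallback: Optional[str]        # cipher used with peers that cannot negotiate
    cipher: Optional[str]          # --cipher after applying the version default
    ncp: bool                      # whether this side negotiates at all
    warnings: List[str] = field(default_factory=list)

def parse_config(text: str) -> dict:
    """Map directive name -> argument. Accepts config-file lines
    ("cipher BF-CBC") and command-line form ("--cipher BF-CBC")."""
    directives = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # strip comments
        if not line:
            continue
        parts = line.split(None, 1)
        directives[parts[0].lstrip("-")] = parts[1].strip() if len(parts) > 1 else ""
    return directives

def effective(text: str, version: tuple) -> Effective:
    """Resolve the effective cipher settings for OpenVPN (major, minor)."""
    d = parse_config(text)
    ncp = version >= (2, 4) and "ncp-disable" not in d  # NCP exists from 2.4 on
    # 2.5 names the list --data-ciphers; 2.4 called the same list --ncp-ciphers.
    listed = d.get("data-ciphers") or d.get("ncp-ciphers")
    data_ciphers = listed.split(":") if listed else list(DEFAULT_DATA_CIPHERS)
    cipher = d.get("cipher")
    if cipher is None and version < (2, 5):
        cipher = LEGACY_DEFAULT_CIPHER  # 2.5 has no default; 2.4 and older use BF-CBC
    # The tables on this page show --cipher acting as the fallback when no
    # explicit --data-ciphers-fallback is set (assumption of this example).
    fallback = d.get("data-ciphers-fallback") or cipher
    eff = Effective(data_ciphers, fallback, cipher, ncp)
    if not ncp:
        eff.warnings.append("NCP disabled: only --cipher can be used")
    if version >= (2, 5) and "cipher" in d:
        eff.warnings.append("--cipher is deprecated in 2.5; use --data-ciphers")
    if "BF-CBC" in data_ciphers or fallback == "BF-CBC":
        eff.warnings.append("BF-CBC (64-bit block cipher) is reachable")
    return eff
```

Feed it the server and client configs from the tables below to see why a 2.5 default server rejects a 2.3 client, while a 2.4 default server silently serves it BF-CBC.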
Expected Behaviour indexed by Server version
Server version 2.5

Default configuration: No effective directives specified.

Server:

| --cipher | --data-ciphers | -fallback | NCP |
|---|---|---|---|
| - | - | - | Yes |

Clients:

| --cipher | --data-ciphers | -fallback | NCP | Connection |
|---|---|---|---|---|
| - | - | - | Yes | OK. AES-256-GCM |
| AES-256-CBC | - | - | Yes | OK. AES-256-GCM |
| BF-CBC | - | - | Yes | OK. AES-256-GCM |

| --cipher | NCP | Connection |
|---|---|---|
| - | Yes | OK. AES-256-GCM |
| AES-256-CBC | Yes | OK. AES-256-GCM |
| BF-CBC | Yes | OK. AES-256-GCM |

| --cipher | NCP | Connection |
|---|---|---|
| - | No | Fail (no shared cipher) |
| AES-256-CBC | No | Fail (no shared cipher) |
| BF-CBC | No | Fail (no shared cipher) |

| --cipher | NCP | Connection |
|---|---|---|
| - | No | Fail (no shared cipher) |
| BF-CBC | No | Fail (no shared cipher) |
Server version 2.5 Configuring: --data-ciphers and --cipher

Server:

| --cipher | --data-ciphers | -fallback | NCP |
|---|---|---|---|
| BF-CBC | AES-256-GCM:AES-128-GCM:AES-256-CBC | - | Yes |

Clients:

| --cipher | NCP | Connection |
|---|---|---|
| - | No | OK. BF-CBC |
| AES-256-CBC | No | OK. AES-256-CBC |
| BF-CBC | No | OK. BF-CBC |

| --cipher | NCP | Connection |
|---|---|---|
| - | No | OK. BF-CBC |
| BF-CBC | No | OK. BF-CBC |
Server version 2.4

Default configuration: No effective directives specified.

Server:

| --cipher | --ncp-ciphers | NCP |
|---|---|---|
| - | - | Yes |

Clients:

| --cipher | --data-ciphers | -fallback | NCP | Connection |
|---|---|---|---|---|
| - | - | - | Yes | OK. AES-256-GCM |
| AES-256-CBC | - | - | Yes | OK. AES-256-GCM |
| BF-CBC | - | - | Yes | OK. AES-256-GCM |

| --cipher | --ncp-ciphers | NCP | Connection |
|---|---|---|---|
| - | - | Yes | OK. AES-256-GCM |
| AES-256-CBC | - | Yes | OK. AES-256-GCM |
| BF-CBC | - | Yes | OK. AES-256-GCM |

| --cipher | NCP | Connection |
|---|---|---|
| - | No | OK. BF-CBC |
| AES-256-CBC | No | Fail (no shared cipher) |
| BF-CBC | No | OK. BF-CBC |

| --cipher | NCP | Connection |
|---|---|---|
| - | No | OK. BF-CBC |
| BF-CBC | No | OK. BF-CBC |
Server version 2.4 Configuring: --cipher

Server:

| --cipher | --ncp-ciphers | NCP |
|---|---|---|
| AES-256-CBC | - | Yes |

Clients:

| --cipher | --data-ciphers | -fallback | NCP | Connection |
|---|---|---|---|---|
| - | - | - | Yes | OK. AES-256-GCM |
| AES-256-CBC | - | - | Yes | OK. AES-256-GCM |
| BF-CBC | - | - | Yes | OK. AES-256-GCM |

| --cipher | --ncp-ciphers | NCP | Connection |
|---|---|---|---|
| - | - | Yes | OK. AES-256-GCM |
| AES-256-CBC | - | Yes | OK. AES-256-GCM |
| BF-CBC | - | Yes | OK. AES-256-GCM |

| --cipher | NCP | Connection |
|---|---|---|
| - | No | OK. BF-CBC |
| AES-256-CBC | No | OK. AES-256-CBC |
| BF-CBC | No | OK. BF-CBC |

| --cipher | NCP | Connection |
|---|---|---|
| - | No | OK. BF-CBC |
| BF-CBC | No | OK. BF-CBC |
Server version 2.4 Configuring: --cipher and --ncp-disable

Server:

| --cipher | --ncp-ciphers | NCP |
|---|---|---|
| AES-256-CBC | - | No |

Clients:

| --cipher | --data-ciphers | -fallback | NCP | Connection |
|---|---|---|---|---|
| - | - | - | Yes | Fail (no shared cipher) |
| AES-256-CBC | - | - | Yes | OK. AES-256-CBC |
| BF-CBC | - | - | Yes | Fail (no shared cipher) |

| --cipher | --ncp-ciphers | NCP | Connection |
|---|---|---|---|
| - | - | Yes | Fail (no shared cipher) |
| AES-256-CBC | - | Yes | OK. AES-256-CBC |
| BF-CBC | - | Yes | Fail (no shared cipher) |

| --cipher | NCP | Connection |
|---|---|---|
| - | No | Fail (no shared cipher) |
| AES-256-CBC | No | OK. AES-256-CBC |
| BF-CBC | No | Fail (no shared cipher) |

| --cipher | NCP | Connection |
|---|---|---|
| - | No | Fail (no shared cipher) |
| BF-CBC | No | Fail (no shared cipher) |
Server version 2.3

Default configuration: No effective directives specified.

Clients:

| --cipher | --data-ciphers | -fallback | NCP | Connection |
|---|---|---|---|---|
| - | - | - | Yes | OK. AES-256-GCM |
| AES-256-CBC | - | - | Yes | OK. AES-256-GCM |
| BF-CBC | - | - | Yes | OK. AES-256-GCM |

| --cipher | --ncp-ciphers | NCP | Connection |
|---|---|---|---|
| - | - | Yes | OK. AES-256-GCM |
| AES-256-CBC | - | Yes | OK. AES-256-GCM |
| BF-CBC | - | Yes | OK. AES-256-GCM |

| --cipher | NCP | Connection |
|---|---|---|
| - | No | OK. BF-CBC |
| AES-256-CBC | No | Fail (no shared cipher) |
| BF-CBC | No | OK. BF-CBC |

| --cipher | NCP | Connection |
|---|---|---|
| - | No | OK. BF-CBC |
| BF-CBC | No | OK. BF-CBC |
Server version 2.3 Configuring: --cipher

Server:

| --cipher | NCP |
|---|---|
| AES-256-CBC | No |

Clients:

| --cipher | --data-ciphers | -fallback | NCP | Connection |
|---|---|---|---|---|
| - | - | - | Yes | Fail (no shared cipher) |
| AES-256-CBC | - | - | Yes | OK. AES-256-CBC |
| BF-CBC | - | - | Yes | Fail (no shared cipher) |

| --cipher | --ncp-ciphers | NCP | Connection |
|---|---|---|---|
| - | - | Yes | Fail (no shared cipher) |
| AES-256-CBC | - | Yes | OK. AES-256-CBC |
| BF-CBC | - | Yes | Fail (no shared cipher) |

| --cipher | NCP | Connection |
|---|---|---|
| - | No | Fail (no shared cipher) |
| AES-256-CBC | No | OK. AES-256-CBC |
| BF-CBC | No | Fail (no shared cipher) |

| --cipher | NCP | Connection |
|---|---|---|
| - | No | Fail (no shared cipher) |
| BF-CBC | No | Fail (no shared cipher) |
Server version 2.2

Default configuration: No effective directives specified.

Clients:

| --cipher | --data-ciphers | -fallback | NCP | Connection |
|---|---|---|---|---|
| - | - | - | Yes | Fail (no shared cipher) |
| AES-256-CBC | - | - | Yes | Fail (no shared cipher) |
| BF-CBC | - | - | Yes | OK. BF-CBC |

| --cipher | --ncp-ciphers | NCP | Connection |
|---|---|---|---|
| - | - | Yes | OK. BF-CBC |
| AES-256-CBC | - | Yes | Fail (no shared cipher) |
| BF-CBC | - | Yes | OK. BF-CBC |

| --cipher | NCP | Connection |
|---|---|---|
| - | No | OK. BF-CBC |
| AES-256-CBC | No | Fail (no shared cipher) |
| BF-CBC | No | OK. BF-CBC |

| --cipher | NCP | Connection |
|---|---|---|
| - | No | OK. BF-CBC |
| BF-CBC | No | OK. BF-CBC |
Corner case: OpenVPN built with --enable-small

TODO.

Only affects ..
And some fun ;-)

| --cipher (Client) | --cipher (Server) | --data-cipher (Client) | --data-cipher (Server) | -fallback | NCP (Client) | NCP (Server) | Expected |
|---|---|---|---|---|---|---|---|
| - | - | - | AES-256-GCM:AES-128-GCM | | YES | YES | OK |

Even ..