OpenVPN Cipher Negotiation (Quick reference)
This wiki defines the expected behaviour of cipher negotiation between common configurations of OpenVPN servers and clients.
Important note: CHACHA20-POLY1305 is widely recognised as a suitable alternative to an AES-based cipher.
- OpenVPN would like to know about any:
  - Unexpected behaviour.
  - Errors on this page.
For full details please see:
https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/cipher-negotiation.rst
Effective directives and terms
2.5: --data-ciphers ALG:ALG
- Data channel ciphers. Default ALG: AES-256-GCM:AES-128-GCM
2.5: --data-ciphers-fallback ALG
- Essentially the same as --cipher. Use of --data-ciphers-fallback is limited to:
  - OpenVPN clients which do not support --data-ciphers (OpenVPN 2.4, 2.3).
    Solution: Upgrade. Or, use --data-ciphers-fallback in your server configuration.
  - OpenVPN clients using --ncp-disable, DEPRECATED (OpenVPN 2.4).
    Solution: Do NOT use --ncp-disable. EVER.
  - OpenVPN built with --enable-small: see below.
  - OpenVPN server that does not support cipher negotiation.
    Solution: Upgrade. Otherwise, both client and server will DEFAULT to the INSECURE BF-CBC cipher ... unless both client and server have a secure --cipher configured ... otherwise, the VPN connection will fail.
The Point:
@cron2_ | for clients calling in without NCP
@cron2_ | could be a 2.5 client called with --ncp-disable "because someone on the Internet said so"
wiscii | but that would auto-fallback to AES* ? 2.5 .. no ?
* | wiscii checks
wiscii | --ncp-disable is deprecated ..
wiscii | and using it is currently a total fail FATAL error
wiscii | ok .. that is 2.6
wiscii | i have clearly misunderstood the use of the data-cipher-fallback bit, it's just too convoluted
@cron2_ | the point is that 2.5 and up do not select BF-CBC "by default" anymore, just because it was the
        | cipher in earlier times
@cron2_ | *if* NCP is active, this is a non-issue, because AES
@cron2_ | but if *no* NCP is active (old client or --ncp-disable), openvpn does not know what to do, and
        | on purpose does not "just use BF-CBC". So it tells you: if you really want the old behaviour,
        | put it into your config.
wiscii | yep .. i can see that logic
All: --cipher ALG
- Data channel cipher. Will be deprecated. In OpenVPN 2.5 --cipher does not have a default ALG. In OpenVPN up to 2.4 the default ALG is BF-CBC.
2.4: --ncp-disable
- Disable Negotiated Cipher Protocol. Deprecated. Note: This document does not cover the use of --ncp-disable.
In this wiki, cipher negotiation comes in four flavours:
- Full negotiation: Both server and client support NCP.
- Partial negotiation: Only the client supports NCP (known as "poor man's NCP").
- No negotiation: The client does not support NCP (the server's NCP has no effect).
- When the server supports NCP but has a mixture of clients, NCP is shown as 'Yes'.
Cipher negotiation was originally named "Negotiated Cipher Protocol" (NCP).
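The directive semantics and the negotiation flavours described above, as an added worked model (not OpenVPN's own code): given a server and a client described by their effective directives, it returns the NCP flavour and the connection outcome in the wording of the tables that follow, including the --data-ciphers-fallback case. The Peer and negotiate names are mine; it assumes the 2.4 --ncp-ciphers default equals the 2.5 --data-ciphers default, that a 2.4 peer also negotiates its own --cipher (inferred from the 2.4 server tables), and that a 2.4 client in partial negotiation needs an exact --cipher match.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

WEAK = {"BF-CBC"}
# 2.5 --data-ciphers default (page); the 2.4 --ncp-ciphers default is assumed to be the same
DEFAULT_NCP = ["AES-256-GCM", "AES-128-GCM"]

@dataclass
class Peer:
    version: str                                # "2.5", "2.4", "2.3" or "2.2"
    cipher: Optional[str] = None                # --cipher ALG
    data_ciphers: Optional[List[str]] = None    # --data-ciphers (2.5) / --ncp-ciphers (2.4)
    fallback: Optional[str] = None              # --data-ciphers-fallback ALG (2.5 only)
    ncp_disable: bool = False                   # --ncp-disable (deprecated, 2.4)

    def has_ncp(self) -> bool:
        return self.version in ("2.5", "2.4") and not self.ncp_disable

    def legacy_cipher(self) -> Optional[str]:
        # --cipher defaults to BF-CBC up to 2.4 and has no default in 2.5 (page)
        return self.cipher or (None if self.version == "2.5" else "BF-CBC")

    def ncp_list(self) -> List[str]:
        lst = list(self.data_ciphers) if self.data_ciphers is not None else list(DEFAULT_NCP)
        # assumption inferred from the 2.4 server tables: a 2.4 peer also negotiates its --cipher
        return lst + [self.legacy_cipher()] if self.version == "2.4" else lst

    def fallback_list(self) -> List[str]:
        return [self.fallback] if self.fallback else []

def verdict(alg: Optional[str]) -> str:
    if alg is None:
        return "Fail (no shared cipher)"
    return f"Weak {alg}" if alg in WEAK else f"OK. {alg}"

def negotiate(server: Peer, client: Peer) -> Tuple[str, str]:
    """Return (NCP flavour, Connection) in the wording of the page's tables."""
    if server.has_ncp() and client.has_ncp():
        # Full: the server takes the first of its own ciphers that the client also lists
        return "Full", verdict(next((c for c in server.ncp_list() if c in client.ncp_list()), None))
    if client.has_ncp():
        # Partial ("poor man's NCP"): the client must be able to use the server's single --cipher
        want = server.legacy_cipher()
        offered = client.ncp_list() if client.version == "2.5" else [client.legacy_cipher()]
        return "Partial", verdict(want if want in offered + client.fallback_list() else None)
    # No negotiation: the client offers only its own --cipher; a 2.5 server accepts it only from
    # --data-ciphers or --data-ciphers-fallback, older servers need an exact --cipher match
    want = client.legacy_cipher()
    accepted = (server.ncp_list() + server.fallback_list() if server.version == "2.5"
                else [server.legacy_cipher()])
    return "No", verdict(want if want in accepted else None)
```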
Common configurations
Commonly expected configurations of the effective directives above.
Servers
- Version 2.5
  - Default configuration: No effective directives specified.
  - Configuring: --data-ciphers
- Version 2.4
  - Default configuration: No effective directives specified.
  - Configuring: --cipher
  - Configuring: --cipher and --ncp-disable
- Version 2.3
  - Default configuration: No effective directives specified.
  - Configuring: --cipher
- Version 2.2
  - Default configuration: No effective directives specified.
  - Configuring: All bets are off - Upgrade now!
Clients
- Version 2.5
  - Default configuration: No effective directives specified.
- Version 2.4
  - Default configuration: No effective directives specified.
  - Configuring: --cipher
- Version 2.3
  - Default configuration: No effective directives specified.
  - Configuring: --cipher
- Version 2.2
  - Default configuration: No effective directives specified.
  - Configuring: All bets are off - Upgrade now!
Expected behaviour indexed by server version
Each server configuration below is followed by one table per client version (2.5, 2.4, 2.3, 2.2), configured as listed under Clients above.

Server version 2.5
Default configuration: No effective directives specified.

Client 2.5:
--data-ciphers | NCP | Connection
---|---|---
- | Full | OK. AES-256-GCM
AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC | Full | OK. AES-256-GCM
AES-256-CBC | Full | Fail (no shared cipher)

Client 2.4:
--cipher | NCP | Connection
---|---|---
- | Full | OK. AES-256-GCM
AES-256-CBC | Full | OK. AES-256-GCM
BF-CBC | Full | OK. AES-256-GCM

Client 2.3:
--cipher | NCP | Connection
---|---|---
- | No | Fail (no shared cipher)
AES-256-CBC | No | Fail (no shared cipher)
BF-CBC | No | Fail (no shared cipher)

Client 2.2:
--cipher | NCP | Connection
---|---|---
- | No | Fail (no shared cipher)
AES-256-CBC | No | Fail (no shared cipher)
BF-CBC | No | Fail (no shared cipher)
Server version 2.5 Configuring: --data-ciphers

Server configuration:
--data-ciphers | NCP
---|---
AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC | Yes

Client 2.3:
--cipher | NCP | Connection
---|---|---
- | No | Weak BF-CBC
AES-256-CBC | No | OK. AES-256-CBC
BF-CBC | No | Weak BF-CBC

Client 2.2:
--cipher | NCP | Connection
---|---|---
- | No | Weak BF-CBC
AES-256-CBC | No | OK. AES-256-CBC
BF-CBC | No | Weak BF-CBC
Server version 2.4
Default configuration: No effective directives specified.

Server configuration:
--cipher | --ncp-ciphers | NCP
---|---|---
- | - | Yes

Client 2.5:
--data-ciphers | NCP | Connection
---|---|---
- | Full | OK. AES-256-GCM
AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC | Full | OK. AES-256-GCM
AES-256-CBC | Full | Fail (no shared cipher)

Client 2.4:
--cipher | --ncp-ciphers | NCP | Connection
---|---|---|---
- | - | Full | OK. AES-256-GCM
AES-256-CBC | - | Full | OK. AES-256-GCM
BF-CBC | - | Full | OK. AES-256-GCM

Client 2.3:
--cipher | NCP | Connection
---|---|---
- | No | Weak BF-CBC
AES-256-CBC | No | Fail (no shared cipher)
BF-CBC | No | Weak BF-CBC

Client 2.2:
--cipher | NCP | Connection
---|---|---
- | No | Weak BF-CBC
AES-256-CBC | No | Fail (no shared cipher)
BF-CBC | No | Weak BF-CBC
Server version 2.4 Configuring: --cipher

Server configuration:
--cipher | --ncp-ciphers | NCP
---|---|---
AES-256-CBC | - | Yes

Client 2.5:
--data-ciphers | NCP | Connection
---|---|---
- | Full | OK. AES-256-GCM
AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC | Full | OK. AES-256-GCM
AES-256-CBC | Full | OK. AES-256-CBC

Client 2.4:
--cipher | --ncp-ciphers | NCP | Connection
---|---|---|---
- | - | Full | OK. AES-256-GCM
AES-256-CBC | - | Full | OK. AES-256-GCM
BF-CBC | - | Full | OK. AES-256-GCM

Client 2.3:
--cipher | NCP | Connection
---|---|---
- | No | Fail (no shared cipher)
AES-256-CBC | No | OK. AES-256-CBC
BF-CBC | No | Fail (no shared cipher)

Client 2.2:
--cipher | NCP | Connection
---|---|---
- | No | Fail (no shared cipher)
AES-256-CBC | No | OK. AES-256-CBC
BF-CBC | No | Fail (no shared cipher)
Server version 2.4 Configuring: --cipher and --ncp-disable

Server configuration:
--cipher | --ncp-ciphers | NCP
---|---|---
AES-256-CBC | - | No (--ncp-disable)

Client 2.5:
--data-ciphers | NCP | Connection
---|---|---
- | Partial | Fail (no shared cipher)
AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC | Partial | OK. AES-256-CBC

Client 2.4:
--cipher | --ncp-ciphers | NCP | Connection
---|---|---|---
- | - | Partial | Fail (no shared cipher)
AES-256-CBC | - | Partial | OK. AES-256-CBC
BF-CBC | - | Partial | Fail (no shared cipher)

Client 2.3:
--cipher | NCP | Connection
---|---|---
- | No | Fail (no shared cipher)
AES-256-CBC | No | OK. AES-256-CBC
BF-CBC | No | Fail (no shared cipher)

Client 2.2:
--cipher | NCP | Connection
---|---|---
- | No | Fail (no shared cipher)
AES-256-CBC | No | OK. AES-256-CBC
BF-CBC | No | Fail (no shared cipher)
Server version 2.3
Default configuration: No effective directives specified.

Client 2.5:
--data-ciphers | NCP | Connection
---|---|---
- | Partial | Fail (no shared cipher)
AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC | Partial | Weak BF-CBC

Client 2.4:
--cipher | --ncp-ciphers | NCP | Connection
---|---|---|---
- | - | Partial | Fail (no shared cipher)
AES-256-CBC | - | Partial | Fail (no shared cipher)
BF-CBC | - | Partial | Weak BF-CBC

Client 2.3:
--cipher | NCP | Connection
---|---|---
- | No | Weak BF-CBC
AES-256-CBC | No | Fail (no shared cipher)
BF-CBC | No | Weak BF-CBC

Client 2.2:
--cipher | NCP | Connection
---|---|---
- | No | Weak BF-CBC
AES-256-CBC | No | Fail (no shared cipher)
BF-CBC | No | Weak BF-CBC
Server version 2.3 Configuring: --cipher

Server configuration:
--cipher | NCP
---|---
AES-256-CBC | No

Client 2.5:
--data-ciphers | NCP | Connection
---|---|---
- | Partial | Fail (no shared cipher)
AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC | Partial | OK. AES-256-CBC

Client 2.4:
--cipher | --ncp-ciphers | NCP | Connection
---|---|---|---
- | - | Partial | Fail (no shared cipher)
AES-256-CBC | - | Partial | OK. AES-256-CBC
BF-CBC | - | Partial | Fail (no shared cipher)

Client 2.3:
--cipher | NCP | Connection
---|---|---
- | No | Fail (no shared cipher)
AES-256-CBC | No | OK. AES-256-CBC
BF-CBC | No | Fail (no shared cipher)

Client 2.2:
--cipher | NCP | Connection
---|---|---
- | No | Fail (no shared cipher)
AES-256-CBC | No | OK. AES-256-CBC
BF-CBC | No | Fail (no shared cipher)
Server version 2.2
Default configuration: No effective directives specified.

Client 2.5:
--data-ciphers | NCP | Connection
---|---|---
- | Partial | Fail (no shared cipher)
AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC | Partial | Weak BF-CBC

Client 2.4:
--cipher | --ncp-ciphers | NCP | Connection
---|---|---|---
- | - | Partial | Weak BF-CBC
AES-256-CBC | - | Partial | Fail (no shared cipher)
BF-CBC | - | Partial | Weak BF-CBC

Client 2.3:
--cipher | NCP | Connection
---|---|---
- | No | Weak BF-CBC
AES-256-CBC | No | Fail (no shared cipher)
BF-CBC | No | Weak BF-CBC

Client 2.2:
--cipher | NCP | Connection
---|---|---
- | No | Weak BF-CBC
AES-256-CBC | No | Fail (no shared cipher)
BF-CBC | No | Weak BF-CBC
Server version 2.2 Configuring: --cipher

Server configuration:
--cipher | NCP
---|---
AES-256-CBC | No

Client 2.5:
--data-ciphers | NCP | Connection
---|---|---
- | Partial | Fail (no shared cipher)
AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC | Partial | OK. AES-256-CBC

Client 2.4:
--cipher | --ncp-ciphers | NCP | Connection
---|---|---|---
- | - | Partial | Fail (no shared cipher)
AES-256-CBC | - | Partial | OK. AES-256-CBC
BF-CBC | - | Partial | Fail (no shared cipher)

Client 2.3:
--cipher | NCP | Connection
---|---|---
- | No | Fail (no shared cipher)
AES-256-CBC | No | OK. AES-256-CBC
BF-CBC | No | Fail (no shared cipher)

Client 2.2:
--cipher | NCP | Connection
---|---|---
- | No | Fail (no shared cipher)
AES-256-CBC | No | OK. AES-256-CBC
BF-CBC | No | Fail (no shared cipher)
Special requirement: OpenVPN built with --enable-small
When OpenVPN version 2.3 or older is built with --enable-small (typically found in routers), then OpenVPN 2.5 must use --data-ciphers-fallback ALG. The ALG must match the peer's --cipher ALG. This is the only case in which --data-ciphers-fallback takes effect.
2.5: --data-ciphers-fallback ALG
- Fallback data channel cipher. Only to allow OpenVPN version 2.5 to connect with old peers built with --enable-small. Will be deprecated and removed.

Server version 2.3 built with --enable-small
Default configuration: No effective directives specified.

Client 2.5:
--data-ciphers | --data-ciphers-fallback | NCP | Connection
---|---|---|---
- | - | No | Fail (no shared cipher)
- | BF-CBC | No | Weak BF-CBC

Server version 2.3 built with --enable-small
Configuring: --cipher

Server configuration:
--cipher | NCP
---|---
AES-256-CBC | No

Client 2.5:
--data-ciphers | --data-ciphers-fallback | NCP | Connection
---|---|---|---
- | - | No | Fail (no shared cipher)
- | AES-256-CBC | No | OK. AES-256-CBC

Client version 2.3 built with --enable-small
Default configuration: No effective directives specified.

Server 2.5:
--data-ciphers | --data-ciphers-fallback | NCP | Connection
---|---|---|---
- | - | No | Fail (no shared cipher)
- | BF-CBC | No | Weak BF-CBC

Client version 2.3 built with --enable-small
Configuring: --cipher

Client configuration:
--cipher | NCP
---|---
AES-256-CBC | No

Server 2.5:
--data-ciphers | --data-ciphers-fallback | NCP | Connection
---|---|---|---
- | - | No | Fail (no shared cipher)
- | AES-256-CBC | No | OK. AES-256-CBC