= Cipher Negotiation

Data channel cipher negotiation is complicated. This wiki defines the expected behaviour between OpenVPN servers and clients.

[[TOC(notitle, inline)]]

== OpenVPN Directives:

`--data-cipher ALG:ALG`[[br]]
`--data-cipher-fallback ALG:ALG`[[br]]

== Expected Behaviour:

=== Server version 2.5

==== Client version 2.5

|||| `--cipher` ||||= `--data-cipher` =||= `-fallback` =|||| NCP || Expected ||
|| Client || Server ||= Client =||= Server =||= =|| Client || Server || ||
|| - || - ||= - =||= AES-256-GCM:AES-128-GCM =||= - =|| YES || YES || OK ||
|| BF-CBC || - ||= - =||= AES-256-GCM:AES-128-GCM =||= - =|| YES || YES || OK ||

==== Client version 2.4

|||| `--cipher` ||||= `--data-cipher` =||= `-fallback` =|||| NCP || Expected ||
|| Client || Server ||= Client =||= Server =||= =|| Client || Server || ||
|| - || - ||= - =||= AES-256-GCM:AES-128-GCM =||= - =|| YES || YES || OK ||
|| BF-CBC || - ||= - =||= AES-256-GCM:AES-128-GCM =||= - =|| YES || YES || OK ||

==== Client version 2.3

|||| `--cipher` ||||= `--data-cipher` =||= `-fallback` =|||| NCP || Expected ||
|| Client || Server ||= Client =||= Server =||= =|| Client || Server || ||
|| - || - ||= - =||= AES-256-GCM:AES-128-GCM =||= - =|| NO || YES || FAIL ||
|| - || - ||= - =||= AES-256-GCM:AES-128-GCM =||= BF-CBC =|| NO || YES || OK ||
|| BF-CBC || - ||= - =||= AES-256-GCM:AES-128-GCM =||= - =|| NO || YES || FAIL ||
|| BF-CBC || - ||= - =||= AES-256-GCM:AES-128-GCM =||= BF-CBC =|| NO || YES || OK ||

==== Client version 2.2

|||| `--cipher` ||||= `--data-cipher` =||= `-fallback` =|||| NCP || Expected ||
|| Client || Server ||= Client =||= Server =||= =|| Client || Server || ||
|| - || - ||= - =||= AES-256-GCM:AES-128-GCM =||= - =|| YES || YES || OK ||
|| BF-CBC || - ||= - =||= AES-256-GCM:AES-128-GCM =||= - =|| YES || YES || OK ||

=== Server version 2.5

||Client version |||| `--data-cipher` || `--fallback-data-cipher` || Expected || Other.. ||
|| || Client || Server || || || ||
|| 2.5 || x || x || x || || ||
|| 2.4 || x || x || x || || ||
|| 2.3 || x || x || x || || ||
|| 2.2 || x || x || x || || ||

=== Server version 2.4

||Client version |||| `--data-cipher` || `--fallback-data-cipher` || Expected || Other.. ||
|| || Client || Server || || || ||
|| 2.5 || x || x || x || || ||
|| 2.4 || x || x || x || || ||
|| 2.3 || x || x || x || || ||
|| 2.2 || x || x || x || || ||

[[br]]

{{{#!td colspan=2 align=middle
`--cipher`
}}}
{{{#!td colspan=2 align=middle
`--data-cipher`
}}}
{{{#!td align=middle
`-fallback`
}}}
{{{#!td colspan=2 align=middle
NCP
}}}
{{{#!td align=middle
Expected
}}}
|----------------
{{{#!td style="background: #eef" align=middle
Client
}}}
{{{#!td style="background: #eef" align=middle
Server
}}}
{{{#!td style="background: #fee" align=middle
Client
}}}
{{{#!td style="background: #fee" align=middle
Server
}}}
{{{#!td align=middle
}}}
{{{#!td style="background: #efe" align=middle
Client
}}}
{{{#!td style="background: #efe" align=middle
Server
}}}
{{{#!td align=middle
}}}
|----------------
{{{#!td style="background: #eef" align=middle
-
}}}
{{{#!td style="background: #eef" align=middle
-
}}}
{{{#!td style="background: #fee" align=middle
-
}}}
{{{#!td style="background: #fee" align=middle
AES-256-GCM:AES-128-GCM
}}}
{{{#!td align=middle
}}}
{{{#!td style="background: #efe" align=middle
YES
}}}
{{{#!td style="background: #efe" align=middle
YES
}}}
{{{#!td align=middle
OK
}}}
|----------------
{{{#!td
Even ..
}}}