OpenVPN Cipher Negotiation (Quick reference)

This wiki defines the expected behaviour of Cipher Negotiation between common configurations of OpenVPN servers and clients.

Important note: CHACHA20-POLY1305 is widely recognised as a suitable alternative to an AES based cipher.

• OpenVPN would like to know about any:
  1. Unexpected behaviour.
  2. Errors on this page.

For full details please see: https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/cipher-negotiation.rst

Effective directives and terms

• 2.5: --data-ciphers ALG:ALG - Data channel ciphers list. Default: AES-256-GCM:AES-128-GCM
• 2.5: --data-ciphers-fallback ALG - Single ALG (Essentially the same as --cipher)
• Source: https://sourceforge.net/p/openvpn/mailman/message/37232992/

Use of --data-ciphers-fallback is limited to:

• Openvpn Clients which do not support --data-ciphers (Openvpn 2.4, 2.3)
  • Solution: Upgrade or use --data-ciphers-fallback in your Server configuration.
• Openvpn Clients using --ncp-disable DEPRECATED (Openvpn 2.4)
  • Solution: Do NOT use --ncp-disable, EVER
• Openvpn built with --enable-small (see below)
• Openvpn Server that does not support Cipher Negotiation:
  • Solution: Upgrade. Otherwise, both Client and Server will DEFAULT to an INSECURE BF-CBC cipher, unless both Client and Server have a secure --cipher configured... otherwise, the VPN connection will fail.

The Point:

@cron2_ | for clients calling in without NCP                                                               │
 @cron2_ | could be a 2.5 client called with --ncp-disable "because someone on the Internet said so"        │
   wiscii | but that would auto-fallback to AES* ? 2.5 .. no ?                                               │
      * | wiscii checks                                                                                    │
   wiscii | --ncp-disable is deprecated ..                                                                   │
   wiscii | and using it is currently a total fail FATAL error                                               │
   wiscii | ok ,, that is 2.6                                                                                │
   wiscii | i have clearly misunderstood the use of the data-cipher-fallback bit, it's just to convoluted    |
 @cron2_ | the point is that 2.5 and up do not select BF-CBC "by default" anymore, just because it was the  │
      | cipher in earlier times                                                                          │
 @cron2_ | *if* NCP is active, this is a non-issue, because AES                                             │
 @cron2_ | but if *no* NCP is active (old client or --ncp-disable), openvpn does not know what to do, and   │
      | on purpose does not "just use BF-CBC".  So it tells you: if you really want the old behaviour,   │
      | put it into your config.                                                                         │
   wiscii | yep .. i can see that logic                                                                      │

All: --cipher ALG - Data channel cipher. Will be deprecated. In OpenVPN 2.5 --cipher does not have a default ALG. In OpenVPN up to 2.4 the default ALG is BF-CBC. 2.4: --ncp-disable - Disable Negotiated Cipher Protocol - Deprecated. Note: This document does not cover the use of --ncp-disable.

In this Wiki cipher negotiation comes in four flavours:

• Full negotiation: Both server and client support NCP
• Partial negotiation: Only the client supports NCP (Known as "Poor man's NCP", See note below)
• No negotiation: The client does not support NCP (The server NCP has no effect).
• When the server supports NCP but has a mixture of clients then NCP is defined as 'Yes'.

Cipher negotiation was originally named "Negotiated Cipher Protocol" NCP

Poor Man's NCP

Poor Man's NCP is a term used to describe when either peer does not support cipher negotiation, directly. And the subsequent configurations which can be used to get full AEAD cipher support, without the need to negotiate it.

This wiki fully expands the server side variety of Poor Man's NCP, which means this wiki does not apply that term to the server. This wiki only applies the term to mean the client because it is easier to understand. Also, clients which suffer from Poor Man's NCP can be more easily upgraded than an old server. So this wiki fully explains the server side, while encouraging the user to upgrade their client OpenVPN version.

Common configurations

Commonly expected configurations of the Effective directives above.

Servers

• Version 2.5
  1. Default configuration: No effective directives specified.
  2. Configuring: --data-ciphers
• Version 2.4
  1. Default configuration: No effective directives specified.
  2. Configuring: --cipher
  3. Configuring: --cipher and --ncp-disable
• Version 2.3
  1. Default configuration: No effective directives specified.
  2. Configuring: --cipher
• Version 2.2
  1. Default configuration: No effective directives specified.
  2. Configuring: All bets are off - Upgrade now!

Clients

• Version 2.5
  1. Default configuration: No effective directives specified.
• Version 2.4
  1. Default configuration: No effective directives specified.
  2. Configuring: --cipher
• Version 2.3
  1. Default configuration: No effective directives specified.
  2. Configuring: --cipher
• Version 2.2
  1. Default configuration: No effective directives specified.
  2. Configuring: All bets are off - Upgrade now!

Expected Behaviour indexed by Server version

Server version 2.5

Default configuration: No effective directives specified.

Client version 2.5

Client version 2.4

Client version 2.3

Client version 2.2

Server version 2.5 Configuring: --data-ciphers

Client version 2.3

Client version 2.2

Server version 2.4

Default configuration: No effective directives specified.

Client version 2.5

Client version 2.4

Client version 2.3

Client version 2.2

Server version 2.4 Configuring: --cipher

Client version 2.5

Client version 2.4

Client version 2.3

Client version 2.2

Server version 2.4 Configuring: --cipher and --ncp-disable

Client version 2.5

Client version 2.4

Client version 2.3

Client version 2.2

Server version 2.3

Default configuration: No effective directives specified.

Client version 2.5

Client version 2.4

Client version 2.3

Client version 2.2

Server version 2.3 Configuring: --cipher

Client version 2.5

Client version 2.4

Client version 2.3

Client version 2.2

Server version 2.2

Default configuration: No effective directives specified.

Client version 2.5

Client version 2.4

Client version 2.3

Client version 2.2

Server version 2.2 Configuring: --cipher

Client version 2.5

Client version 2.4

Client version 2.3

Client version 2.2

Special requirement: OpenVPN built with --enable-small

When OpenVPN version 2.3 or older is built with --enable-small (Typically found in routers) then Openvpn 2.5 must use --data-ciphers-fallback ALG. The ALG must match the peers --cipher ALG. This is the only case that --data-ciphers-fallback takes effect. 2.5: --data-ciphers-fallback ALG - Fallback data channel cipher Only to allow OpenVPN version 2.5 to connect with old peers built with --enable-small. Will be deprecated and removed

Server version 2.3 built with --enable-small

Default configuration: No effective directives specified.

Client version 2.5

Server version 2.3 built with --enable-small

Configuring: --cipher

| --cipher | NCP | | AES-256-CBC | No |

Client version 2.5

Client version 2.3 built with --enable-small

Default configuration: No effective directives specified.

Server version 2.5

Client version 2.3 built with --enable-small

Configuring: --cipher

Server version 2.5