1. Forum
  2. Newsgroups
  3. alt.os.linux

  • Do you know more about the openvpn

    From Nick Cine@nickcine@is.invalid to alt.comp.os.windows-10,alt.os.linux,alt.comp.freeware on Thu Aug 15 13:53:19 2024
    From Newsgroup: alt.os.linux

    I use free public openvpn configuration files found on the Internet which
    have been working for years with only the "cipher AES-128-CBC" directive.

    When I updated to OpenVPN 2.6.12, everything broke, which I narrowed down
    to the lack of a "data-ciphers" directive based on this openvpn error. https://i.postimg.cc/nhqwd2DD/my-vpn-error.jpg

    "OPTIONS ERROR: failed to negotiate cipher with server.
    Add the server's cipher ('AES-128-CBC') to --data-ciphers
    (currently 'AES-256-GCM:AES-128-GCM')
    if you want to connect to this server."

    So I added this directive, but what does this directive even do?
    data-ciphers AES-128-CBC

    There's very little about ciphers in the official wikipedia for openvpn. https://community.openvpn.net/openvpn/wiki/HOWTO
    By default OpenVPN uses Blowfish, a 128 bit symmetrical cipher.
    OpenVPN automatically supports any cipher which is supported by
    the OpenSSL library, and as such can support ciphers which use
    large key sizes. For example, the 256-bit version of AES
    (Advanced Encryption Standard) can be used by adding the
    following to both server and client configuration files:
    cipher AES-256-CBC

    While that's all they had for "ciphers", they had NOTHING for
    "data-ciphers", which is what I'm trying to figure out what it does.

    How are you supposed to figure out what "data-ciphers" does when the
    OpenVPN wikipedia doesn't even mention the error that happens now?

    It's especially frustrating how bad the OpenVPN documentation is when you
    now get a new error about "ovpn-dco" which is a brand new "something" for
    "data channel offload" (whatever that is) as I also now get this warning.
    "Note: cipher 'AES-128-CBD' in --data-ciphers is not
    supported by ovpn-dco, disabling data channel offload." https://i.postimg.cc/zD0N7zrr/my-ovpn-dco-error.jpg

    Where can I get information on what these two things are for openvpn?
    data-ciphers AES-128-CBC
    ovpn-dco disabled
    --- Synchronet 3.20a-Linux NewsLink 1.114
  • From Richard Kettlewell@invalid@invalid.invalid to alt.comp.os.windows-10,alt.os.linux,alt.comp.freeware on Thu Aug 15 21:22:26 2024
    From Newsgroup: alt.os.linux

    Nick Cine <nickcine@is.invalid> writes:
    I use free public openvpn configuration files found on the Internet which have been working for years with only the "cipher AES-128-CBC" directive.

    When I updated to OpenVPN 2.6.12, everything broke, which I narrowed down
    to the lack of a "data-ciphers" directive based on this openvpn error. https://i.postimg.cc/nhqwd2DD/my-vpn-error.jpg

    "OPTIONS ERROR: failed to negotiate cipher with server.
    Add the server's cipher ('AES-128-CBC') to --data-ciphers
    (currently 'AES-256-GCM:AES-128-GCM')
    if you want to connect to this server."

    So I added this directive, but what does this directive even do?
    data-ciphers AES-128-CBC

    Documented here (scroll down a bit): https://openvpn.net/community-resources/reference-manual-for-openvpn-2-5/#protocol-options

    There's very little about ciphers in the official wikipedia for openvpn. https://community.openvpn.net/openvpn/wiki/HOWTO
    By default OpenVPN uses Blowfish, a 128 bit symmetrical cipher.
    OpenVPN automatically supports any cipher which is supported by
    the OpenSSL library, and as such can support ciphers which use
    large key sizes. For example, the 256-bit version of AES
    (Advanced Encryption Standard) can be used by adding the
    following to both server and client configuration files:
    cipher AES-256-CBC

    While that's all they had for "ciphers", they had NOTHING for "data-ciphers", which is what I'm trying to figure out what it does.

    It looks like --data-ciphers is the option in OpenVPN 2.5 and later, and --ciphers in older versions.

    How are you supposed to figure out what "data-ciphers" does when the
    OpenVPN wikipedia doesn't even mention the error that happens now?

    You read the manual.

    It's especially frustrating how bad the OpenVPN documentation is when you now get a new error about "ovpn-dco" which is a brand new "something" for "data channel offload" (whatever that is) as I also now get this warning.
    "Note: cipher 'AES-128-CBD' in --data-ciphers is not
    supported by ovpn-dco, disabling data channel offload." https://i.postimg.cc/zD0N7zrr/my-ovpn-dco-error.jpg

    https://openvpn.net/as-docs/openvpn-dco.html
    --
    https://www.greenend.org.uk/rjk/
    --- Synchronet 3.20a-Linux NewsLink 1.114