OpenVPN configuration file warning

NethServer Version: NethServer 7.9.2009
Module: OpenVPN RoadWarrior

Hello,

I just updated my OpenVPN client and instantly got a warning in logs as below.

2021-02-24 18:59:59 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.

Not sure if that is fine, or needs some configuration file tuning. Just letting you know.

Thanks & Regards,
Ertan


Thank you for reporting, I will add to our future todo list to avoid breaking changes with next openvpn releases.

Could you please paste your config so I can reproduce? Thank you!

Here is my configuration file

######### NethServer OpenVPN client configuration #########

dev tun
client
remote [snip]
port 1194
proto udp
explicit-exit-notify 1
float
auth-user-pass
# Authentication: certificate
<cert>
-----BEGIN CERTIFICATE-----
[snip]
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
[snip]
-----END PRIVATE KEY-----
</key>
<ca>
-----BEGIN CERTIFICATE-----
[snip]
-----END CERTIFICATE-----
</ca>
auth SHA512
cipher AES-256-CBC
verb 3
persist-key
persist-tun
nobind
passtos

Thanks.


Dude, at least hide the IP! :stuck_out_tongue:

Just did. Thanks


Btw, all looks fine to me. I am still using the 2.4.9 or 2.4.10 OpenVPN client on my stations, since I had some problems with the 2.5 Windows app.

No warning with the earlier version of the Windows client. I started to see that warning right after I updated it.

Thank you!

Found the information below on the subject:

IMPORTANT NOTICES

BF-CBC CIPHER IS NO LONGER THE DEFAULT

Cipher handling for the data channel cipher has been significantly changed between OpenVPN 2.3/2.4 and v2.5, most notably there are no “default cipher BF-CBC” anymore because it is no longer considered a reasonable default. BF-CBC is still available, but it needs to be explicitly configured now.

For connections between OpenVPN 2.4 and v2.5 clients and servers, both ends will be able to negotiate a better cipher than BF-CBC. By default they will select one of the AES-GCM ciphers, but this can be influenced using the --data-ciphers setting.

Connections between OpenVPN 2.3 and v2.5 that have no --cipher setting in the config (= defaulting to BF-CBC and not being negotiation-capable) must be updated. Unless BF-CBC is included in --data-ciphers or there is a "--cipher BF-CBC" in the OpenVPN 2.5 config, a v2.5 client or server will refuse to talk to a v2.3 server or client, because it has no common data channel cipher and negotiating a cipher is not possible. Generally, we recommend upgrading such setups to OpenVPN 2.4 or v2.5. If upgrading is not possible we recommend adding data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC (for v2.5+) or cipher AES-128-CBC (v2.4.x and older) to the configuration of all clients and servers.

If you really need to use an unsupported OpenVPN 2.3 (or even older) release and need to stay on BF-CBC (not recommended), the OpenVPN 2.5 based client will need a config file change to re-enable BF-CBC. But be warned that BF-CBC and other related weak ciphers will be removed in coming OpenVPN major releases.

For full details see the "Data channel cipher negotiation" section on the man page.

CONNECTIVITY TO SOME VPN SERVICE PROVIDER MAY BREAK

Connecting with an OpenVPN 2.5 client to at least one commercial VPN service that implemented their own cipher negotiation method that always reports back that it is using BF-CBC to the client is broken in v2.5. This has always caused warning about mismatch ciphers. We have been in contact with some service providers and they are looking into it. This is not something the OpenVPN community can fix. If your commercial VPN does not work with a v2.5 client, complain to the VPN service provider.

More details on these new features as well as a list of deprecated features and user-visible changes are available in Changes.rst.
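To make the rule behind the warning concrete, here is an added Python check (my own example, not NethServer's or OpenVPN's code) that parses a client config, skips the inline <cert>/<key>/<ca> blocks, and reports whether the --cipher value is covered by --data-ciphers or --data-ciphers-fallback, returning the data-ciphers line the warning itself suggests. The sample config is constructed from the data-channel lines posted above; the 2.5 default list is taken from the warning text.

```python
"""Check an OpenVPN 2.5 client config for the --cipher / --data-ciphers mismatch."""
import re

DEFAULT_DATA_CIPHERS = "AES-256-GCM:AES-128-GCM"  # OpenVPN 2.5 default, per the warning
WEAK_CIPHERS = {"BF-CBC"}                         # deprecated by the 2.5 release notes

# Constructed sample: the data-channel lines of the config posted in this thread,
# plus a stub inline block to show that its body is not parsed as options.
SAMPLE_CONFIG = """\
client
<cert>
MIIC...base64-lines-are-not-options...
</cert>
auth SHA512
cipher AES-256-CBC
verb 3
"""


def parse_options(text):
    """Return {option: value}; bodies of inline <cert>/<key>/<ca> blocks are skipped."""
    opts, inline = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if inline:                        # inside <tag> ... </tag>: skip until the close tag
            if line == f"</{inline}>":
                inline = None
            continue
        m = re.fullmatch(r"<(\w+)>", line)
        if m:
            inline = m.group(1)
        elif line:
            name, _, value = line.partition(" ")
            opts[name] = value.strip()
    return opts


def check_data_cipher(opts):
    """Mimic the 2.5 check; return (status, suggested data-ciphers line or None)."""
    cipher = opts.get("cipher")
    data_ciphers = opts.get("data-ciphers", DEFAULT_DATA_CIPHERS).split(":")
    if cipher in WEAK_CIPHERS or WEAK_CIPHERS & set(data_ciphers):
        return "weak", None               # BF-CBC: pick an AES cipher instead of silencing
    if cipher is None or cipher in data_ciphers:
        return "ok", None                 # negotiation already covers the configured cipher
    if opts.get("data-ciphers-fallback") == cipher:
        return "ok", None                 # explicitly allowed for non-negotiating peers
    # The warning's own advice: add the --cipher value to --data-ciphers.
    return "deprecated", "data-ciphers " + ":".join(data_ciphers + [cipher])
```

Run against the sample it reports "deprecated" with the line to add; the same function returns "ok" once either data-ciphers or data-ciphers-fallback names AES-256-CBC.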

You published your private key. Did you really want to do that?

Yes, I did.