Monthly Archives: January 2021

Enabling backwards compatibility in OpenVPN

If your OpenVPN client is showing errors like

AUTH: Received control message: AUTH_FAILED,Data channel cipher negotiation failed (no shared cipher)

after the server has been upgraded to OpenVPN 2.5, you might need to configure fallback options. Since OpenVPN 2.4, client and server will try to negotiate the best ciphers that are available to both sides. In OpenVPN 2.5, the automatic fallback to a standard cipher has been disabled (I think), but it can be reenabled on the server with theĀ data-ciphers-fallback directive. You need to make sure that both server and (pre 2.4) clients use the same cipher. The 2.3 and earlier default is BF-CBC, which is considered outdated and weak.

I have some older OpenWrt based routers installed at some family members’ homes (for easier remote support), which I cannot easily upgrade remotely. So I had to update both by OpenVPN 2.5 server config by adding this line:

data-ciphers-fallback AES-256-CBC

And on the client side, I added this line to the config section in /etc/config/openvpn:

   option cipher 'AES-256-CBC'

After restarting both the server and the clients, the connections are re-established again.

If you’re getting error message like this on the server:

client.example.com/192.168.23.45:49263 Authenticate/Decrypt packet error: cipher final failed

The problem is likely that the fallback cipher on the server does not match the cipher on the client. Double check that the data-ciphers-fallback and cipher options specify the same value.

This page shows the matrix of supported ciphers between 2.3, 2.4, and 2.5.