If your OpenVPN client is showing errors like
AUTH: Received control message: AUTH_FAILED,Data channel cipher negotiation failed (no shared cipher)
after the server has been upgraded to OpenVPN 2.5, you might need to configure fallback options. Since OpenVPN 2.4, client and server try to negotiate the best cipher available to both sides. In OpenVPN 2.5, the automatic fallback to a standard cipher has been disabled (I think), but it can be re-enabled on the server with the data-ciphers-fallback directive. You need to make sure that both the server and the (pre-2.4) clients use the same cipher. The 2.3 and earlier default is BF-CBC, which is considered outdated and weak.
I have some older OpenWrt-based routers installed at some family members’ homes (for easier remote support), which I cannot easily upgrade remotely. So I had to update both sides. In my OpenVPN 2.5 server config, I added this line:
data-ciphers-fallback AES-256-CBC
And on the client side, I added this line to the config section in /etc/config/openvpn:
option cipher 'AES-256-CBC'
After restarting both the server and the clients, the connections were re-established.
If you’re getting an error message like this on the server:
client.example.com/192.168.23.45:49263 Authenticate/Decrypt packet error: cipher final failed
The problem is likely that the fallback cipher on the server does not match the cipher on the client. Double check that the data-ciphers-fallback and cipher options specify the same value.
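The following check is an added example, not part of the original post: it reads the server's data-ciphers-fallback value and the OpenWrt client's cipher option and reports whether they agree. The function names and the sample config files are constructed for illustration; a client without a cipher option is treated as a pre-2.4 client using the old BF-CBC default.

```shell
#!/bin/sh
# Added example: compare the server's fallback cipher with an OpenWrt client's cipher.

# Print the last data-ciphers-fallback value found in an OpenVPN server config.
server_fallback() {
    awk '$1 == "data-ciphers-fallback" { v = $2 } END { print v }' "$1"
}

# Print the cipher from an OpenWrt /etc/config/openvpn style file.
# Assumption: a pre-2.4 client without the option uses BF-CBC, the old default.
client_cipher() {
    c=$(awk '$1 == "option" && $2 == "cipher" { v = $3 } END { print v }' "$1" | tr -d "\"'")
    echo "${c:-BF-CBC}"
}

# Return 0 if both sides agree, 1 on mismatch, 2 if the server has no fallback.
check_match() {
    s=$(server_fallback "$1")
    c=$(client_cipher "$2")
    if [ -z "$s" ]; then
        echo "server: data-ciphers-fallback not set"
        return 2
    fi
    if [ "$s" != "$c" ]; then
        echo "MISMATCH: server fallback $s, client cipher $c"
        return 1
    fi
    echo "OK: both sides use $s"
    if [ "$s" = "BF-CBC" ]; then
        echo "note: BF-CBC is considered outdated and weak"
    fi
    return 0
}

# Constructed sample configs (not taken from a real system).
tmp=$(mktemp -d)
printf 'port 1194\nproto udp\ndata-ciphers-fallback AES-256-CBC\n' > "$tmp/server.conf"
printf "config openvpn 'home'\n\toption enabled '1'\n\toption cipher 'AES-256-CBC'\n" > "$tmp/client_ok"
printf "config openvpn 'home'\n\toption enabled '1'\n" > "$tmp/client_default"

check_match "$tmp/server.conf" "$tmp/client_ok" || true
check_match "$tmp/server.conf" "$tmp/client_default" || true
```

The second call reports a mismatch, which is the configuration that produces the "cipher final failed" error described above.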
This page shows the matrix of supported ciphers between 2.3, 2.4, and 2.5.
Hello,
thanks a lot for your article. I feel I’m getting closer to solving my issue thanks to your writeup, but I just can’t seem to finish up the task. I just upgraded my router today to the latest OpenWRT version and I can’t seem to get my OpenVPN to work. I’m on OpenWrt 21.02.0. Could you possibly provide additional guidance? I really don’t know what files I should update.
thank you so much
Important update: my Mac OS works just fine. The problem seems to be with my iPhone. Well, this is an important breakthrough because it means that my OpenVPN works and it is just a matter of figuring out what has changed from 19.07 to OpenWrt 21.02.0 that may impact iOS. Any idea?
many thanks!