Connecting to VPN fails with Watchguard device using OpenVPN

Bug #1992595 reported by John
This bug affects 1 person
Affects: openvpn (Ubuntu) | Status: Won't Fix | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

Downloaded ovpn file from watchguard device.

Get this error in system logs:

Oct 12 11:38:19 DXXXX nm-openvpn[14241]: OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('AES-256-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.

Using the VPN GUI I:

Went To Advanced -> Security

The Cipher was already set as AES-256-CBC.

Changing the value for Cipher has no impact on the error message. Tried "disable cipher negotiation" but this immediately failed due to:

Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: ncp-disable (2.6_git)

ncp-disable was deprecated in openvpn 2.5 and removed in openvpn 2.6 so I think this flag will never work.

Looking in the .ovpn file it has the following lines:

cipher AES-256-CBC
auth SHA1

ProblemType: Bug
DistroRelease: Ubuntu 22.10
Package: openvpn 2.6.0~git20220818-1ubuntu1
ProcVersionSignature: Ubuntu 5.19.0-19.19-generic 5.19.7
Uname: Linux 5.19.0-19-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.23.1-0ubuntu2
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Wed Oct 12 11:34:00 2022
InstallationDate: Installed on 2022-10-11 (0 days ago)
InstallationMedia: Ubuntu 22.10 "Kinetic Kudu" - Beta amd64 (20220927.1)
ProcEnviron:
 LANGUAGE=en_GB:en
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_GB.UTF-8
 SHELL=/bin/bash
SourcePackage: openvpn
UpgradeStatus: No upgrade log present (probably fresh install)

Paride Legovini (paride) wrote :

Hello John and thanks for your bug report. Can you please explain more precisely what you mean by "VPN GUI"? Is it the GUI of the watchguard device (which, I imagine, is a firewall solution providing VPN access)?

What that error message is telling you is to change the cipher settings on the client side, but it would be better to make the device use a cipher that is supported by default (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). But keep in mind that I'm trying to guess here.

I think this is not a bug in Ubuntu, but a consequence of new defaults requiring more secure encryption. Marking this as Incomplete for now.

Sergio Durigan Junior (sergiodj) wrote (last edit):

Paride is correct here, but allow me to expand a little bit.

OpenVPN 2.6 doesn't include AES-256-CBC in its default set of supported data ciphers. This was a decision from upstream, and I believe it was based on the fact that BF-CBC is affected by the SWEET32 attack (https://sweet32.info/).

On top of that, upstream also pretty much deprecated the "cipher" option:

https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/cipher-negotiation.rst

So, if you still want to use AES-256-CBC, you have to include the following line in your client config file:

data-ciphers AES-256-CBC:AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305

I also agree with Paride that it would be better to use a data cipher that is supported by default, BTW.

I also agree that this is not a bug in Ubuntu, but I will make sure to expand Kinetic's release notes to mention the cipher changes. I'm marking this as Won't Fix, but please feel free to reopen it if you still think this is a bug in the distribution. Thanks.

Changed in openvpn (Ubuntu):
status: New → Won't Fix
John (3-john-c) wrote :

Okay, I might have not been clear enough here:

The issue specifically is that I cannot find a way to change the default data cipher for a VPN connection in openvpn on Ubuntu.

In the .ovpn file I removed 'cipher' and replaced it with

data-ciphers AES-256-CBC:AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305

As suggested by Sergio.

This made no difference I got the same error as above.

Add the server's cipher ('AES-256-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305')

It's as if it's ignoring the data-ciphers value. I've tried using cipher, data-ciphers-fallback... it made no difference.

I tried changing the value with the Ubuntu VPN settings (Identity -> Advanced -> Security) and changing the Cipher to AES-256-CBC using the Cipher drop down menu then clicking 'Apply'. Again, the same error message in the logs:

Add the server's cipher ('AES-256-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305')

I tried picking another random cipher from the list (ARIA-192-CFB) to see if the error message changed: it didn't.
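The following is an added example, not code from the bug report, from OpenVPN or from Ubuntu. It performs the migration Sergio describes on a client config that relies on a bare "cipher" line: the legacy cipher is appended to the OpenVPN 2.6 defaults quoted in the log (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305) and also set as data-ciphers-fallback for servers that do not negotiate at all. The script assumes the config is used directly with "openvpn --config"; whether the NetworkManager GUI import carries data-ciphers through is what John's last comment leaves unresolved, and the rewritten file can be tested on the command line to separate the two problems. The ordering (AEAD ciphers first, CBC last) and the helper names are choices of this example.

```shell
#!/bin/sh
# Added example (not from the bug report, OpenVPN or Ubuntu): rewrite an
# OpenVPN client config that still relies on "cipher <name>" so OpenVPN 2.6
# will offer that cipher. As the log in this report shows, 2.6 no longer folds
# the "cipher" value into the negotiated --data-ciphers list, so a server that
# only speaks AES-256-CBC is rejected.

# Defaults as quoted in the "failed to negotiate cipher" error above.
DEFAULT_DATA_CIPHERS='AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305'

# Print the value of the first "cipher" line in config $1 (empty if none).
# CR is stripped so configs exported from Windows-style appliances work.
ovpn_legacy_cipher() {
    awk '{ sub(/\r$/, "") } $1 == "cipher" { print $2; exit }' "$1"
}

# Rewrite config $1 to stdout. If it has "cipher X" and no data-ciphers line:
#   - replace "cipher X" with "data-ciphers <defaults>:X"
#     and "data-ciphers-fallback X" (used when the server does no negotiation)
#   - leave every other line as it is
# If there is no legacy cipher, or data-ciphers is already set, pass through.
ovpn_migrate_cipher() {
    cfg=$1
    legacy=$(ovpn_legacy_cipher "$cfg")
    if [ -z "$legacy" ] || grep -q '^[[:space:]]*data-ciphers[[:space:]]' "$cfg"; then
        cat "$cfg"
        return 0
    fi
    awk -v legacy="$legacy" -v defaults="$DEFAULT_DATA_CIPHERS" '
        { sub(/\r$/, "") }
        $1 == "cipher" {
            print "data-ciphers " defaults ":" legacy
            print "data-ciphers-fallback " legacy
            next
        }
        { print }
    ' "$cfg"
}

# Demo on a constructed config resembling the lines quoted in the report.
demo_ovpn=$(mktemp)
printf 'client\ncipher AES-256-CBC\nauth SHA1\nremote vpn.example.invalid 1194\n' > "$demo_ovpn"
echo "# legacy cipher in config: $(ovpn_legacy_cipher "$demo_ovpn")"
ovpn_migrate_cipher "$demo_ovpn"
rm -f "$demo_ovpn"
```

Run it as `sh migrate.sh > client-2.6.ovpn` after pointing the demo at the real file, then `openvpn --config client-2.6.ovpn` to confirm the server now negotiates AES-256-CBC outside the GUI. Keeping the AEAD ciphers in the list means the client does not lose them if the appliance is later updated to offer AES-256-GCM.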
