[Pkg-utopia-maintainers] Bug#1012664: network-manager-openvpn: --cipher option deprecated in OpenVPN 2.6, no option to set suggested --data-ciphers flag instead

Simon Greaves sjgreaves at gmail.com
Sat Jun 11 14:04:21 BST 2022


Package: network-manager-openvpn
Version: 1.8.18-3
Severity: important
X-Debbugs-Cc: sjgreaves at gmail.com

Dear Maintainer,

   * What led up to the situation?

I have a subscription to an OpenVPN service which uses the AES-256-CBC
cipher. This was configured using the nm-openvpn-gnome UI and up until
the most recent OpenVPN version worked well albeit with a warning in
the daemon.log file that the --cipher flag was to be deprecated. Now,
having updated OpenVPN, the connection now fails because the flag is
now ignored. OpenVPN logs the suggestion that the cipher I need should
be added to the --data-ciphers list.

from daemon.log:
nm-openvpn[3234]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but
missing in --data-ciphers
(AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher
for cipher negotiations.
...
nm-openvpn[3234]: OPTIONS ERROR: failed to negotiate cipher with
server.  Add the server's cipher ('AES-256-CBC') to --data-ciphers
(currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to
connect to this server.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

Just trying to enable the VPN fails due to the required cipher not
being in the --data-ciphers list. There is no obvious way to do this
with the nm-openvpn tool, a quick glance at the source implies that
the --cipher flag is hardcoded there.

I tried adding the --data-cipher list including the AES-256-CBC cipher
to the /etc/default/openvpn file but that didn't seem to help.

   * What was the outcome of this action?

I have been trying to recompile the network-manager-openvpn package
from source having modified it but so far have been unsuccessful due
to unfamiliarity with packaging.

   * What outcome did you expect instead?

If nm-openvpn passes the correct flags then I expect the connection to
come up and work - it was fully operational with the previous OpenVPN
release. I will try configuring an OpenVPN client config file by hand
but obviously the nm-openvpn tool will need to be updated to reflect
the changes to OpenVPN itself. 



-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.17.0-1-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages network-manager-openvpn depends on:
ii  adduser          3.121
ii  libc6            2.33-7
ii  libglib2.0-0     2.72.1-1
ii  libnm0           1.38.0-2
ii  network-manager  1.38.0-2
ii  openvpn          2.6.0~git20220518+dco-2

network-manager-openvpn recommends no packages.

network-manager-openvpn suggests no packages.

-- no debconf information
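
Added example, not part of the original report and not code from network-manager-openvpn or OpenVPN: a small parser that reads the negotiation failure quoted from daemon.log above and builds the `data-ciphers` line for a hand-written client config. The function names are hypothetical, and the message format is assumed to be exactly the one shown in the report.

```python
import re

# Log excerpt copied from the report above, mail line-wrapping included.
SAMPLE_LOG = """\
nm-openvpn[3234]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but
missing in --data-ciphers
(AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher
for cipher negotiations.
nm-openvpn[3234]: OPTIONS ERROR: failed to negotiate cipher with
server.  Add the server's cipher ('AES-256-CBC') to --data-ciphers
(currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to
connect to this server.
"""

# Assumption: the OPTIONS ERROR wording matches the report verbatim.
NEGOTIATION_FAILURE = re.compile(
    r"failed to negotiate cipher with server\.\s+"
    r"Add the server's cipher \('(?P<server>[A-Za-z0-9-]+)'\) to --data-ciphers "
    r"\(currently '(?P<current>[A-Za-z0-9:-]+)'\)"
)

def parse_failures(log_text):
    """Return (server_cipher, [current data-ciphers]) per negotiation failure."""
    flat = " ".join(log_text.split())  # undo line wrapping before matching
    return [(m["server"], m["current"].split(":"))
            for m in NEGOTIATION_FAILURE.finditer(flat)]

def suggest_directive(server_cipher, current):
    """Build a data-ciphers config line and flag non-AEAD server ciphers."""
    ciphers = list(current)
    if server_cipher not in ciphers:
        ciphers.append(server_cipher)  # keep the existing AEAD entries in place
    # GCM and ChaCha20-Poly1305 are AEAD modes; CBC is not.
    legacy = not server_cipher.upper().endswith(("-GCM", "-POLY1305"))
    return "data-ciphers " + ":".join(ciphers), legacy

def report(log_text):
    """One suggested config line per failure found in the log text."""
    out = []
    for server, current in parse_failures(log_text):
        line, legacy = suggest_directive(server, current)
        note = "  # server cipher is not AEAD" if legacy else ""
        out.append(line + note)
    return out

if __name__ == "__main__":
    for entry in report(SAMPLE_LOG):
        print(entry)
```
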


