[Pkg-utopia-maintainers] Bug#1117458: network-manager-openvpn: (Trixie/KDE) ignores compatibility options (data-ciphers, push-peer-info)
Dawid (R)
dawid at skyline.net.pl
Sun Oct 5 22:30:59 BST 2025
Package: network-manager-openvpn
Version: 1.12.3-1~deb13u1
Severity: important
Tags: upstream
X-Debbugs-Cc: dawid at skyline.net.pl
Dear Maintainer,
Since upgrading to Debian Trixie (testing/stable) and OpenVPN 2.6, the OpenVPN client managed by NetworkManager (NM) fails to connect to older OpenVPN servers (e.g., VPN Gate servers).
The root cause is that the NM OpenVPN plugin ignores crucial compatibility options required by OpenVPN 2.6 for negotiating with older servers, even when these options are manually added to the `.nmconnection` file.
This seems highly related to **Bug #1107240** (GUI import/edit drops crucial "data-ciphers" option), but affects configurations across KDE/Plasma via manual file editing as well.
## Observed Errors and Problem Summary
The connection is blocked by two simultaneous errors, indicating that required compatibility settings are not passed from NM to the OpenVPN process:
1. **Cipher Negotiation Failure:**
```
OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('AES-128-CBC') to --data-ciphers
```
2. **Tunnel/Compression Setup Failure:**
```
ERROR: Failed to apply push options
Failed to open tun/tap interface
```
## Attempts and Effective Solution
**What exactly did you do (or not do) that was effective (or ineffective)?**
* **Ineffective:** Manual editing of the `.nmconnection` file (adding `data-ciphers`, `data-ciphers-fallback`, `push-peer-info`, and `allow-compression yes` to various sections like `[vpn]` and `[openvpn]`) was completely ignored by the NetworkManager plugin.
**What was the outcome of this action?**
* The connection consistently failed with the errors shown above.
**What outcome did you expect instead?**
* I expected NM to honor the configuration options added to the `.nmconnection` file and successfully connect.
**Effective Solution (Bypassing NetworkManager):**
The VPN connects and works flawlessly when run directly from the console with the required compatibility options, confirming that the issue is solely in the NetworkManager plugin's parsing/passing mechanism:
```bash
sudo openvpn --config /path/to/file.ovpn --data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-128-CBC --push-peer-info --allow-compression yes
```
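
One way to confirm which options actually reach the client process, added here as an example and not part of the original report or of NetworkManager's code: the functions below list the expected options missing from an `openvpn` process's argument vector and read back the value of one that is present. It assumes the plugin launches `openvpn` with its settings as command-line arguments readable from `/proc/<pid>/cmdline`; the function names and the sample argv are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: compare an openvpn process's argv against the options
# the report says are required. Input is a NUL-separated argv file such
# as /proc/<pid>/cmdline (assumption: options are passed as arguments).

# Options named in the report's working command line.
EXPECTED_OPTS="--data-ciphers --push-peer-info --allow-compression"

# missing_opts FILE [OPT...]: print each expected option absent from argv.
missing_opts() {
    local file=$1; shift
    local want=${*:-$EXPECTED_OPTS}
    local argv opt
    # cmdline separates arguments with NUL bytes; put one argument per line.
    argv=$(tr '\0' '\n' < "$file")
    for opt in $want; do
        # -x matches the whole line, so --data-ciphers-fallback does not
        # count as --data-ciphers; -F treats the option as a fixed string.
        printf '%s\n' "$argv" | grep -qxF -- "$opt" || printf '%s\n' "$opt"
    done
}

# opt_value FILE OPT: print the argument that follows OPT (empty if absent).
opt_value() {
    tr '\0' '\n' < "$1" |
        awk -v o="$2" 'found { print; exit } $0 == o { found = 1 }'
}

# make_sample FILE: write a constructed argv (not captured from a real
# system) that lacks the compatibility options, for offline testing.
make_sample() {
    printf '%s\0' /usr/sbin/openvpn --remote vpn.example.net \
        --dev tun --cipher AES-128-CBC > "$1"
}

# Live use while the NetworkManager connection attempt is running:
#   for pid in $(pgrep -x openvpn); do
#       echo "pid $pid is missing: $(missing_opts "/proc/$pid/cmdline" | tr '\n' ' ')"
#   done
```

An empty result from `missing_opts` means every listed option was passed; any option it prints did not reach the process.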