Opened 5 months ago

Last modified 5 months ago

#5769 new

OpenVPN Cipher Issue (Always reverting to AES-256-GCM)

Reported by: Shaun



I have noticed lately with my OpenVPN server running in DD-WRT that the ciphers I have specifically set on the server and client sides (namely AES-128-CBC) are not being honoured when I connect from either my Android device or Windows laptop; it is instead defaulting to AES-256-GCM all the time in the OpenVPN logs.

I am assuming this issue has been occurring since OpenVPN was updated to 2.4.0 in DD-WRT, as with my existing settings, which I have always used, it always connected with the cipher I specifically set in DD-WRT and in my client OVPN file (AES-128-CBC).

Also, none of the new GCM ciphers introduced in the 2.4.0 release of OpenVPN are visible in the Cipher dropdown list in the Services>VPN>OpenVPN Server section of DD-WRT; I can only see the CBC ciphers.

To troubleshoot, I have tried all sorts of different ciphers (AES-256-CBC, AES-512-CBC etc.) and set them on the server and client sides, but it just keeps reverting to the AES-256-GCM cipher.

I have also heard that OpenVPN 2.4.0 introduces cipher negotiation, so I am wondering if this new mechanism is resulting in this behaviour.

Is this a bug with OpenVPN itself or with DD-WRT's integration with the new OpenVPN release?

I am curious to see if other users using the OpenVPN server in DD-WRT are reverting to the AES-256-GCM cipher even though they may have specifically set a different cipher.

I am currently using the latest 31571 2017/03/04 version of DD-WRT on my Archer C7 V2 router.

Thanks in advance


Change History (2)

comment:1 Changed 5 months ago by Shaun

Summary changed from "OpenVPN Cipher Issue" to "OpenVPN Cipher Issue (Always reverting to AES-256-GCM)"

comment:2 Changed 5 months ago by sgobiraj

This is the new cipher negotiation in OpenVPN 2.4. You can disable cipher negotiation by adding the "ncp-disable" line to the additional config on the OpenVPN configuration page. This will force it to only support the cipher which you have specified server side. This means you have to explicitly add the "cipher AES-128-CBC" line to your client configuration as well, since the default cipher assumed is Blowfish (BF-CBC). Also, if you want to allow for cipher negotiation, then you can put in a list of available ciphers in order of preference delimited by a ":" semicolon. This can be done by adding the "ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC" line to the additional config on the OpenVPN configuration page. As you can see, my configuration prefers AES-128-GCM, then AES-256-GCM, and then the AES CBC ciphers. If you want to exclude the AEAD ciphers (GCM), then add "ncp-ciphers AES-128-CBC:AES-256-CBC".

Last edited 5 months ago by sgobiraj
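
Added example, not part of the ticket and not DD-WRT or OpenVPN code: a simplified Python model of the OpenVPN 2.4 cipher selection described in comment:2, following the 2.4 manual (the server pushes the first `ncp-ciphers` entry, the default list is `AES-256-GCM:AES-128-GCM`, the default `cipher` is BF-CBC). The function names and the config snippets passed to them are constructed for illustration.

```python
# Simplified model of OpenVPN 2.4 data-channel cipher selection (NCP).
# Assumption: behaviour as documented in the 2.4 manual page; not OpenVPN source.
DEFAULT_CIPHER = "BF-CBC"                     # 2.4 default for --cipher
DEFAULT_NCP = ["AES-256-GCM", "AES-128-GCM"]  # 2.4 default for --ncp-ciphers


def parse(conf):
    """Extract the three cipher-related directives from config text."""
    out = {"cipher": DEFAULT_CIPHER, "ncp": list(DEFAULT_NCP), "ncp_on": True}
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if not words:
            continue
        key = words[0].lstrip("-")
        if key == "cipher" and len(words) > 1:
            out["cipher"] = words[1]
        elif key == "ncp-ciphers" and len(words) > 1:
            out["ncp"] = words[1].split(":")
        elif key == "ncp-disable":
            out["ncp_on"] = False
    return out


def effective(own, peer):
    """Cipher one side uses when nothing is pushed to it."""
    if own["ncp_on"] and peer["cipher"] in own["ncp"]:
        return peer["cipher"]  # NCP-enabled side inherits the peer's --cipher
    return own["cipher"]


def negotiate(server_conf, client_conf):
    """Return the data-channel cipher, or None if the two sides disagree."""
    s, c = parse(server_conf), parse(client_conf)
    if s["ncp_on"] and c["ncp_on"]:
        pushed = s["ncp"][0]  # server pushes the first entry of its list
        ok = pushed in c["ncp"] or pushed == c["cipher"]
        return pushed if ok else None
    s_eff, c_eff = effective(s, c), effective(c, s)
    return s_eff if s_eff == c_eff else None


if __name__ == "__main__":
    client = "cipher AES-128-CBC"  # constructed client config
    for server in ("cipher AES-128-CBC",
                   "cipher AES-128-CBC\nncp-disable",
                   "cipher AES-128-CBC\nncp-ciphers AES-128-CBC:AES-256-CBC"):
        print(repr(server), "->", negotiate(server, client))
```

The first case is the reporter's setup: with negotiation left at its defaults on both sides, `cipher AES-128-CBC` is overridden by the pushed AES-256-GCM.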