Package: network-manager-openvpn
Version: 1.8.18-3
Severity: important
X-Debbugs-Cc: sjgrea...@gmail.com

Dear Maintainer,

   * What led up to the situation?

I have a subscription to an OpenVPN service which uses the AES-256-CBC cipher. This was configured using the nm-openvpn-gnome UI and up until the most recent OpenVPN version worked well, albeit with a warning in the daemon.log file that the --cipher flag was to be deprecated.

Now, having updated OpenVPN, the connection now fails because the flag is now ignored. OpenVPN logs the suggestion that the cipher I need should be added to the --data-ciphers list.

from daemon.log:

    nm-openvpn[3234]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
    ...
    nm-openvpn[3234]: OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('AES-256-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.

   * What exactly did you do (or not do) that was effective (or ineffective)?

Just trying to enable the VPN fails due to the required cipher not being in the --data-ciphers list. There is no obvious way to do this with the nm-openvpn tool; a quick glance at the source implies that the --cipher flag is hardcoded there.

I tried adding the --data-cipher list including the AES-256-CBC cipher to the /etc/default/openvpn file but that didn't seem to help.

   * What was the outcome of this action?

I have been trying to recompile the network-manager-openvpn package from source having modified it, but so far have been unsuccessful due to unfamiliarity with packaging.

   * What outcome did you expect instead?

If nm-openvpn passes the correct flags then I expect the connection to come up and work - it was fully operational with the previous OpenVPN release.

I will try configuring an OpenVPN client config file by hand, but obviously the nm-openvpn tool will need to be updated to reflect the changes to OpenVPN itself.

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.17.0-1-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages network-manager-openvpn depends on:
ii  adduser          3.121
ii  libc6            2.33-7
ii  libglib2.0-0     2.72.1-1
ii  libnm0           1.38.0-2
ii  network-manager  1.38.0-2
ii  openvpn          2.6.0~git20220518+dco-2

network-manager-openvpn recommends no packages.

network-manager-openvpn suggests no packages.

-- no debconf information
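
An added example, not part of the original report or of network-manager-openvpn: a small Python check that recognises the two nm-openvpn messages quoted in the report and derives the `data-ciphers` line a hand-written client config would need. The function names are hypothetical, and the sample log is constructed from the lines in the report.

```python
import re

# Constructed sample: the two nm-openvpn messages quoted in the report.
SAMPLE_LOG = """\
nm-openvpn[3234]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
nm-openvpn[3234]: OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('AES-256-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.
"""

DEPRECATED_RE = re.compile(
    r"DEPRECATED OPTION: --cipher set to '([^']+)' but missing in "
    r"--data-ciphers \(([^)]+)\)")
NEGOTIATION_RE = re.compile(
    r"OPTIONS ERROR: failed to negotiate cipher with server\. Add the "
    r"server's cipher \('([^']+)'\) to --data-ciphers \(currently '([^']+)'\)")


def diagnose(log_text):
    """Return one finding per cipher-related message found in log_text."""
    findings = []
    for line in log_text.splitlines():
        for kind, pattern in (("warning", DEPRECATED_RE), ("fatal", NEGOTIATION_RE)):
            m = pattern.search(line)
            if m:
                findings.append({"kind": kind, "cipher": m.group(1),
                                 "data_ciphers": m.group(2).split(":")})
    return findings


def suggested_data_ciphers(findings):
    """Current list plus each cipher the server required, appended once at the end."""
    fatal = [f for f in findings if f["kind"] == "fatal"]
    if not fatal:
        return None  # no negotiation failure logged, nothing to suggest
    merged = list(fatal[-1]["data_ciphers"])
    for f in fatal:
        if f["cipher"] not in merged:
            merged.append(f["cipher"])
    return ":".join(merged)


if __name__ == "__main__":
    found = diagnose(SAMPLE_LOG)
    for f in found:
        print(f["kind"], f["cipher"], "not in", ":".join(f["data_ciphers"]))
    # Line for a hand-written client config file:
    print("data-ciphers", suggested_data_ciphers(found))
```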