NetworkManager doesn't seem to parse or respect `.ovpn` file's `data-ciphers` field (and respective OpenVPN connection property)
Summary
After a recent update of either OpenVPN, NetworkManager or NetworkManager-openvpn, I found myself unable to connect to my work VPN, which has previously worked fine, and which continued to work fine on my laptop that I didn't update. Upon further inspection, I found the following in my `journalctl -fu NetworkManager.service` when trying to connect:
DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
It was weird, since the `.ovpn` file I'm using does provide a `data-ciphers` option. I haven't found one in the GUI, so I went and manually added `data-ciphers =` to my `.nmconnection` file in `/etc/NetworkManager/system-connections`. After that, the OpenVPN connection started working again.
It should also be noted that editing anything in the connection settings deletes the `data-ciphers` field too, and the `.nmconnection` file needs to be manually edited again.
Version affected
$ nmcli --version
nmcli tool, version 1.46.0-2
$ yay -Q networkmanager-openvpn-git
networkmanager-openvpn-git 1.11.0.r2.g269f64a-1
$ openvpn --version
OpenVPN 2.6.10 [git:makepkg/ba0f62fb950c56a0+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on Mar 20 2024
library versions: OpenSSL 3.3.0 9 Apr 2024, LZO 2.10
DCO version: N/A
Originally developed by James Yonan
Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
Compile time defines:
I am also using `network-manager-applet 1.36.0` if that might be the problem.
Steps to reproduce
Add an `.ovpn` connection that needs a non-default `data-ciphers` to work properly. It would not work. Add `data-ciphers` manually in the `.nmconnection` file and restart NetworkManager. The connection should work now. Change anything in the connection to trigger a re-save of the `.nmconnection` file by NetworkManager. The `data-ciphers` option will be deleted from the file and the connection will stop working again.
Relevant logs
None, as far as I can tell, except the `journalctl` output I've attached.
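
A check for the behaviour described in this report, as an added example that is not part of the original issue or of NetworkManager-openvpn: it compares an `.ovpn` profile with the `[vpn]` section of the saved `.nmconnection` keyfile and flags a dropped `data-ciphers` key or a `cipher` that the effective list does not cover. The sample profile, keyfile, host name and cipher list are constructed, and the `[vpn]` key names other than `data-ciphers` are assumptions; the default list is the one quoted in the log line above.

```python
import configparser

# Default list as quoted in the OpenVPN 2.6.10 log line in the report.
DEFAULT_DATA_CIPHERS = "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305"
# Constructed samples (hypothetical host and cipher list, not from the report).
SAMPLE_OVPN = """client
remote vpn.example.test 1194
cipher AES-256-CBC
data-ciphers AES-256-GCM:AES-256-CBC
"""
SAMPLE_NM_DROPPED = """[connection]
id=work
type=vpn
[vpn]
cipher=AES-256-CBC
remote=vpn.example.test:1194
service-type=org.freedesktop.NetworkManager.openvpn
"""
# Same keyfile with the key added back by hand, as the reporter did.
SAMPLE_NM_FIXED = SAMPLE_NM_DROPPED + "data-ciphers=AES-256-GCM:AES-256-CBC\n"

def ovpn_options(text):
    """Single-line directives of an .ovpn profile; inline <tag> blocks are skipped."""
    opts, block = {}, None
    for line in map(str.strip, text.splitlines()):
        if block:
            block = None if line == f"</{block}>" else block
        elif line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
        elif line and line[0] not in "#;":
            name, *rest = line.split(None, 1)
            opts[name] = rest[0] if rest else ""
    return opts

def nm_vpn_options(text):
    """Keys of the [vpn] section of a NetworkManager keyfile."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case as written
    parser.read_string(text)
    return dict(parser["vpn"]) if parser.has_section("vpn") else {}

def check(ovpn_text, nm_text):
    """Return a list of findings; empty means the keyfile kept the cipher settings."""
    ovpn, nm = ovpn_options(ovpn_text), nm_vpn_options(nm_text)
    findings = []
    if ovpn.get("data-ciphers") and nm.get("data-ciphers") != ovpn["data-ciphers"]:
        findings.append("data-ciphers from the profile is not in the keyfile")
    effective = nm.get("data-ciphers", DEFAULT_DATA_CIPHERS).split(":")
    if nm.get("cipher") and nm["cipher"] not in effective:
        findings.append(f"cipher {nm['cipher']} missing from data-ciphers {effective}")
    return findings
```

Running `check()` again after any edit in the connection editor shows whether the re-save removed the key.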