OpenVPN --data-ciphers?

  • I'm trying to get VPN Manager working (with NordVPN) and I'm getting the following error after it fails to connect (it's drawing down the OVPN file from Nord ok):

    DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers


    How do I add that switch/setting to OpenVPN?


    I've tried making /storage/.config/openvpn.config and adding a line to it: --data-ciphers 'AES-256-CBC'

    But no dice.


    If I run: openvpn --data-ciphers AES-256-CBC

    I get a message about needing to define TUN/TAP and with that I'm rapidly moving out of my depth.


    Any and all help gratefully received.

  • Thanks,

    The bit I'm missing is where to add this line?

    I edited the ovpn that had been pulled in to /.kodi/addons/service.vpn.manager/NordVPN and replaced the line you've mentioned, but when I went back through VPN Manager it re-pulled the ovpn and wrote over my edit.

    The error seems to suggest that it's a parameter/switch that can be set when openvpn gets run (hence me thinking it was a 'boot' switch).

    Or, is it that I can't use VPN Manager as designed and I need to get all the various ovpns I need, edit them, and then do some sort of manual setup (so it doesn't re-download them from Nord)?

  • Like everything related to OpenVPN, you add the line to the client conf you are using. If the whizzy add-on does some kind of magic in the background to make things easy (in reality probably making it more complicated) then you need to ask the add-on author for support. Perhaps it supports some kind of override logic? - I've no idea about it, and have no interest to explore it.

  • It's the Zomboided add on, I had the impression he used to be of this parish? (I also understand he has subsequently abandoned the add on (https://github.com/Zomboided/service.vpn.manager))

    It works in Kodi running on Debian (well DietPi), fwiw

    It seems odd that NordVPN would be using config files that use deprecated security cipher settings, rather than up-to-date ones.

    Is there a correct/better way to handle switching between multiple country confs, without using the add on?

  • I started out thinking that NordVPN are misrepresenting themselves in their marketing bumph

    "To guarantee the protection of your sensitive data, NordVPN uses AES-256-GCM encryption algorithm with a 4096-bit DH key."

    I've just randomly selected a range of UDP .ovpn config files from the 'set up your own' area of my account and they all feature

    Code
    auth-user-pass
    verb 3
    pull
    fast-io
    cipher AES-256-CBC
    auth SHA512

    But then I found this page: https://community.openvpn.net/openvpn/wiki/DeprecatedOptions which seems to suggest that the --data-ciphers tag is part of the server deployment (which seems to fit my notion that it's not just a config file issue). The section called 'Policy: Migrate away from deprecated ciphers. Status: In progress' says:

    If both client and server run OpenVPN v2.4, the tunnel will automatically be upgraded to AES-256-GCM. If the environment also uses clients older than OpenVPN v2.4, the server can deploy:

    Code
    --data-ciphers AES-256-GCM:AES-256-CBC:BF-CBC

    Which seems to suggest that if --data-ciphers is set to include 'CBC' at deployment then it'll accept a CBC definition and switch ('upgrade') it to GCM? (maybe NordVPN are telling the truth?)

  • Deprecation is normal and nothing bad (hence it's a warning in the log, not an error). It's a necessity for handling a diverse set of clients. OpenVPN won't upgrade the connection from CBC to GCM but the initial handshake exchanges a list of what's supported and then the client will negotiate with the server on what to use; generally starting from best to worst.

    It's simple enough to start an OpenVPN connection on boot using a systemd service. You can crib the process from the WireGuard service sample in /storage/.config/system.d.
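The two practical suggestions in this thread, adding the option to the client conf (third reply) and starting OpenVPN from a systemd unit at boot (the reply above), as one added shell example. This is not code from the thread, from the VPN Manager add-on, or from the WireGuard sample it mentions. Everything path-related is an assumption: the config directory, the unit name, the openvpn binary location in ExecStart, and the sample .ovpn (constructed from the lines the thread quotes, with a placeholder remote host). The option itself is the one the warning names: with OpenVPN 2.5+, `data-ciphers AES-256-GCM:AES-256-CBC` in the config lists GCM first so a capable server negotiates it, keeps CBC so a CBC-only server still works, and silences the warning. OpenVPN treats config-file lines and command-line options identically, so the same option can also be passed on the command line next to `--config` without editing the file the add-on keeps overwriting.

```shell
#!/bin/sh
# Added example, not code from the thread or from the VPN Manager add-on.
#   1. add --data-ciphers to a NordVPN-style client config so OpenVPN 2.5+
#      stops warning and still negotiates AES-256-GCM with a capable server;
#   2. render a systemd unit that starts that config at boot.
# Assumptions (not from the page): the config lives under $OVPN_DIR, the
# unit goes in $UNIT_DIR, and openvpn is at /usr/sbin/openvpn.

OVPN_DIR="${OVPN_DIR:-/storage/.config/openvpn}"
UNIT_DIR="${UNIT_DIR:-/storage/.config/system.d}"

# Constructed sample of the lines that matter in a downloaded NordVPN config
# (the remote host is a placeholder, not a real server).
SAMPLE_OVPN='client
dev tun
proto udp
remote vpn.example.invalid 1194
auth-user-pass
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512'

# add_data_ciphers: stdin -> stdout. After the legacy "cipher X" line, insert
# "data-ciphers AES-256-GCM:X". GCM is listed first so negotiation prefers it;
# X stays in the list so a server that only offers CBC still connects, and the
# "cipher" line is left in place for pre-2.4 servers that never negotiate.
# Idempotent: a config that already has a data-ciphers line passes through.
add_data_ciphers() {
    awk '
        /^data-ciphers / { have = 1 }
        { line[NR] = $0 }
        END {
            for (i = 1; i <= NR; i++) {
                print line[i]
                if (!have && line[i] ~ /^cipher /) {
                    split(line[i], f, " ")
                    print "data-ciphers AES-256-GCM:" f[2]
                }
            }
        }'
}

# patch_in_place FILE: rewrite FILE with the extra line (re-run it after the
# add-on re-downloads the profile and overwrites a hand edit).
patch_in_place() {
    tmp="$1.tmp.$$"
    add_data_ciphers < "$1" > "$tmp" && mv "$tmp" "$1"
}

# render_unit CONFIG: print a systemd unit that runs CONFIG at boot.
# Binary path and target names are assumptions for a LibreELEC-style system.
render_unit() {
    cat <<EOF
[Unit]
Description=OpenVPN client ($1)
After=network-online.target
Wants=network-online.target

[Service]
ExecStart=/usr/sbin/openvpn --config $1
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
}

# Usage (assumed paths):
#   printf '%s\n' "$SAMPLE_OVPN" > "$OVPN_DIR/nordvpn.ovpn"
#   patch_in_place "$OVPN_DIR/nordvpn.ovpn"
#   render_unit "$OVPN_DIR/nordvpn.ovpn" > "$UNIT_DIR/openvpn-nordvpn.service"
#   systemctl enable --now openvpn-nordvpn.service
# Without touching the file, the option can also be given on the command line:
#   openvpn --config "$OVPN_DIR/nordvpn.ovpn" --data-ciphers AES-256-GCM:AES-256-CBC
```

The insert goes after the `cipher` line rather than at the end of the file so it reads naturally next to the option it replaces. On OpenVPN 2.5 the message is only a warning and the cipher is still appended, so if a connection still fails after this change the cause is elsewhere in the `verb 3` log, not this line.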