# [nm-openvpn] VPN connection with a .ovpn (cipher)

## pti-rem

Hello,

I got a .ovpn file from a provider to set up a VPN connection for my workstation.

I thought this could be done easily.

I worked in CLI mode with nmcli to install it:

```
$ sudo nmcli connection import type openvpn file maco.ovpn
```

Then, when launching the connection, things go wrong.

```
sudo nmcli con up maco
```

```
May 27 19:40:28 n73sm nm-openvpn[9839]: --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
May 27 19:40:28 n73sm nm-openvpn[9839]: OpenVPN 2.5.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  4 2021
May 27 19:40:28 n73sm nm-openvpn[9839]: library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
May 27 19:40:28 n73sm nm-openvpn[9839]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 27 19:40:28 n73sm nm-openvpn[9839]: TCP/UDP: Preserving recently used remote address: [AF_INET]11.22.33.44:1194
May 27 19:40:28 n73sm nm-openvpn[9839]: UDP link local: (not bound)
May 27 19:40:28 n73sm nm-openvpn[9839]: UDP link remote: [AF_INET]11.22.33.44:1194
May 27 19:40:28 n73sm nm-openvpn[9839]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
May 27 19:40:28 n73sm nm-openvpn[9839]: [server] Peer Connection Initiated with [AF_INET]11.22.33.44:1194
May 27 19:40:29 n73sm nm-openvpn[9839]: OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('BF-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM') if you want to connect to this server.
May 27 19:40:29 n73sm nm-openvpn[9839]: ERROR: Failed to apply push options
May 27 19:40:29 n73sm nm-openvpn[9839]: Failed to open tun/tap interface
May 27 19:40:29 n73sm nm-openvpn[9839]: SIGUSR1[soft,process-push-msg-failed] received, process restarting
May 27 19:40:34 n73sm nm-openvpn[9839]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 27 19:40:34 n73sm nm-openvpn[9839]: TCP/UDP: Preserving recently used remote address: [AF_INET]11.22.33.44:1194
May 27 19:40:34 n73sm nm-openvpn[9839]: UDP link local: (not bound)
May 27 19:40:34 n73sm nm-openvpn[9839]: UDP link remote: [AF_INET]11.22.33.44:1194
May 27 19:40:35 n73sm nm-openvpn[9839]: [server] Peer Connection Initiated with [AF_INET]11.22.33.44:1194
May 27 19:40:36 n73sm nm-openvpn[9839]: OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('BF-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM') if you want to connect to this server.
May 27 19:40:36 n73sm nm-openvpn[9839]: ERROR: Failed to apply push options
May 27 19:40:36 n73sm nm-openvpn[9839]: Failed to open tun/tap interface
May 27 19:40:36 n73sm nm-openvpn[9839]: SIGUSR1[soft,process-push-msg-failed] received, process restarting
May 27 19:40:41 n73sm nm-openvpn[9839]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 27 19:40:41 n73sm nm-openvpn[9839]: TCP/UDP: Preserving recently used remote address: [AF_INET]11.22.33.44:1194
May 27 19:40:41 n73sm nm-openvpn[9839]: UDP link local: (not bound)
May 27 19:40:41 n73sm nm-openvpn[9839]: UDP link remote: [AF_INET]11.22.33.44:1194
May 27 19:40:41 n73sm nm-openvpn[9839]: [server] Peer Connection Initiated with [AF_INET]11.22.33.44:1194
May 27 19:40:42 n73sm nm-openvpn[9839]: OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('BF-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM') if you want to connect to this server.
May 27 19:40:42 n73sm nm-openvpn[9839]: ERROR: Failed to apply push options
May 27 19:40:42 n73sm nm-openvpn[9839]: Failed to open tun/tap interface
May 27 19:40:42 n73sm nm-openvpn[9839]: SIGUSR1[soft,process-push-msg-failed] received, process restarting
May 27 19:40:47 n73sm nm-openvpn[9839]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 27 19:40:47 n73sm nm-openvpn[9839]: TCP/UDP: Preserving recently used remote address: [AF_INET]11.22.33.44:1194
May 27 19:40:47 n73sm nm-openvpn[9839]: UDP link local: (not bound)
May 27 19:40:47 n73sm nm-openvpn[9839]: UDP link remote: [AF_INET]11.22.33.44:1194
May 27 19:40:48 n73sm nm-openvpn[9839]: [server] Peer Connection Initiated with [AF_INET]11.22.33.44:1194
May 27 19:40:49 n73sm nm-openvpn[9839]: OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('BF-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM') if you want to connect to this server.
May 27 19:40:49 n73sm nm-openvpn[9839]: ERROR: Failed to apply push options
May 27 19:40:49 n73sm nm-openvpn[9839]: Failed to open tun/tap interface
May 27 19:40:49 n73sm nm-openvpn[9839]: SIGUSR1[soft,process-push-msg-failed] received, process restarting
May 27 19:40:54 n73sm nm-openvpn[9839]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 27 19:40:54 n73sm nm-openvpn[9839]: TCP/UDP: Preserving recently used remote address: [AF_INET]11.22.33.44:1194
May 27 19:40:54 n73sm nm-openvpn[9839]: UDP link local: (not bound)
May 27 19:40:54 n73sm nm-openvpn[9839]: UDP link remote: [AF_INET]11.22.33.44:1194
May 27 19:40:54 n73sm nm-openvpn[9839]: [server] Peer Connection Initiated with [AF_INET]11.22.33.44:1194
May 27 19:40:55 n73sm nm-openvpn[9839]: OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('BF-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM') if you want to connect to this server.
May 27 19:40:55 n73sm nm-openvpn[9839]: ERROR: Failed to apply push options
May 27 19:40:55 n73sm nm-openvpn[9839]: Failed to open tun/tap interface
May 27 19:40:55 n73sm nm-openvpn[9839]: SIGUSR1[soft,process-push-msg-failed] received, process restarting
May 27 19:41:05 n73sm nm-openvpn[9839]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 27 19:41:05 n73sm nm-openvpn[9839]: TCP/UDP: Preserving recently used remote address: [AF_INET]11.22.33.44:1194
May 27 19:41:05 n73sm nm-openvpn[9839]: UDP link local: (not bound)
May 27 19:41:05 n73sm nm-openvpn[9839]: UDP link remote: [AF_INET]11.22.33.44:1194
May 27 19:41:06 n73sm nm-openvpn[9839]: [server] Peer Connection Initiated with [AF_INET]11.22.33.44:1194
May 27 19:41:07 n73sm nm-openvpn[9839]: OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('BF-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM') if you want to connect to this server.
May 27 19:41:07 n73sm nm-openvpn[9839]: ERROR: Failed to apply push options
May 27 19:41:07 n73sm nm-openvpn[9839]: Failed to open tun/tap interface
May 27 19:41:07 n73sm nm-openvpn[9839]: SIGUSR1[soft,process-push-msg-failed] received, process restarting
May 27 19:41:27 n73sm nm-openvpn[9839]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 27 19:41:27 n73sm nm-openvpn[9839]: TCP/UDP: Preserving recently used remote address: [AF_INET]11.22.33.44:1194
May 27 19:41:27 n73sm nm-openvpn[9839]: UDP link local: (not bound)
May 27 19:41:27 n73sm nm-openvpn[9839]: UDP link remote: [AF_INET]11.22.33.44:1194
May 27 19:41:27 n73sm nm-openvpn[9839]: [server] Peer Connection Initiated with [AF_INET]11.22.33.44:1194
May 27 19:41:28 n73sm nm-openvpn[9839]: SIGTERM[hard,] received, process exiting
May 27 19:41:28 n73sm NetworkManager[3879]: <warn>  [1622137288.3648] vpn-connection[0x5650ea200580,549a319c-6c8f-4132-8372-05359094d8e6,"maco",0]: VPN connection: connect timeout exceeded.
May 27 19:41:28 n73sm NetworkManager[3879]: <warn>  [1622137288.3689] vpn-connection[0x5650ea200580,549a319c-6c8f-4132-8372-05359094d8e6,"maco",0]: VPN plugin: failed: connect-failed (1)
May 27 19:41:28 n73sm NetworkManager[3879]: <info>  [1622137288.3691] vpn-connection[0x5650ea200580,549a319c-6c8f-4132-8372-05359094d8e6,"maco",0]: VPN plugin: state changed: stopping (5)
May 27 19:41:28 n73sm NetworkManager[3879]: <info>  [1622137288.3692] vpn-connection[0x5650ea200580,549a319c-6c8f-4132-8372-05359094d8e6,"maco",0]: VPN plugin: state changed: stopped (6)
May 27 19:41:28 n73sm NetworkManager[3879]: <info>  [1622137288.3721] vpn-connection[0x5650ea200580,549a319c-6c8f-4132-8372-05359094d8e6,"maco",0]: VPN service disappeared
```

```
n73sm ~ # emerge -pv openvpn

These are the packages that would be merged, in order:

Calculating dependencies... done!

[ebuild   R    ] net-vpn/openvpn-2.5.2::gentoo  USE="examples lz4 lzo openssl pam plugins -down-root -inotify -iproute2 -mbedtls -pkcs11 (-selinux) -systemd -test" 0 KiB

Total: 1 package (1 reinstall), Size of downloads: 0 KiB

n73sm ~ #
```

I need help understanding these:

- UDP link local: (not bound)
- ERROR: Failed to apply push options
- Failed to open tun/tap interface

And the cherry on top:

- Add the server's cipher ('BF-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM') if you want to connect to this server.

Thanks in advance

I'm lost

I haven't found any good docs...

Last edited by pti-rem on Tue Jun 01, 2021 5:47 pm; edited 2 times in total

----------

## netfab

Hi,

*pti-rem wrote:*

> And the cherry on top:
>
> - Add the server's cipher ('BF-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM') if you want to connect to this server.
> ...

Take a look here. The other errors are (maybe) only cascading errors.

*Quote:*

> In order to solve this, I’ve added the following line of code in .ovpn configuration file:
>
> ncp-ciphers "BF-CBC"
> ...

----------

## pti-rem

Thanks netfab

For now, it's the same.

I make sure to delete my connection before modifying maco.ovpn, and then recreate it.

Here is the header of maco.ovpn:

```
client
dev tun
proto udp
remote 11.22.33.44 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
```

I'm not sure where to put "ncp-ciphers 'BF-CBC'".

With single quotes, double quotes, or nothing at all?

This "UDP link local: (not bound)" seems to come earlier in the sequence.

This kind of connection should pretty much set itself up, shouldn't it?

----------

## pti-rem

I found this: https://forums.openvpn.net/viewtopic.php?t=24381

I turned the header of maco into this:

```
client
dev tun
proto udp
remote 33.112.88.32 1194
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC:AES-256-CBC
cipher BF-CBC
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
```

```
May 27 21:38:38 n73sm NetworkManager[3879]: <info>  [1622144318.5656] device (tun0): state change: activated -> unmanaged (reason 'unmanaged', sys-iface-state: 'removed')
May 27 21:39:05 n73sm NetworkManager[3879]: <info>  [1622144345.9306] audit: op="connection-activate" uuid="db4e1dbd-beb6-435c-b2af-b9e42ece1e3c" name="maco" pid=4543 uid=1000 result="success"
May 27 21:39:05 n73sm NetworkManager[3879]: <info>  [1622144345.9354] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",0]: Started the VPN service, PID 15509
May 27 21:39:05 n73sm NetworkManager[3879]: <info>  [1622144345.9444] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",0]: Saw the service appear; activating connection
May 27 21:39:05 n73sm NetworkManager[3879]: <info>  [1622144345.9662] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",0]: VPN plugin: state changed: starting (3)
May 27 21:39:05 n73sm NetworkManager[3879]: <info>  [1622144345.9665] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",0]: VPN connection: (ConnectInteractive) reply received
May 27 21:39:05 n73sm nm-openvpn[15513]: DEPRECATED OPTION: --cipher set to 'BF-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'BF-CBC' to --data-ciphers or change --cipher 'BF-CBC' to --data-ciphers-fallback 'BF-CBC' to silence this warning.
May 27 21:39:05 n73sm nm-openvpn[15513]: OpenVPN 2.5.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  4 2021
May 27 21:39:05 n73sm nm-openvpn[15513]: library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
May 27 21:39:05 n73sm nm-openvpn[15513]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 27 21:39:05 n73sm nm-openvpn[15513]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.6.
May 27 21:39:05 n73sm nm-openvpn[15513]: TCP/UDP: Preserving recently used remote address: [AF_INET]11.22.33.44:1194
May 27 21:39:05 n73sm nm-openvpn[15513]: UDP link local: (not bound)
May 27 21:39:05 n73sm nm-openvpn[15513]: UDP link remote: [AF_INET]11.22.33.44:1194
May 27 21:39:05 n73sm nm-openvpn[15513]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
May 27 21:39:06 n73sm nm-openvpn[15513]: [server] Peer Connection Initiated with [AF_INET]11.22.33.44:1194
May 27 21:39:07 n73sm nm-openvpn[15513]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.6.
May 27 21:39:07 n73sm nm-openvpn[15513]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.6.
May 27 21:39:07 n73sm nm-openvpn[15513]: WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
May 27 21:39:07 n73sm nm-openvpn[15513]: TUN/TAP device tun0 opened
May 27 21:39:07 n73sm nm-openvpn[15513]: /usr/libexec/nm-openvpn-service-openvpn-helper --debug 0 15509 --bus-name org.freedesktop.NetworkManager.openvpn.Connection_25 --tun -- tun0 1500 1622 10.8.0.34 255.255.255.0 init
May 27 21:39:07 n73sm NetworkManager[3879]: <info>  [1622144347.5235] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/7)
May 27 21:39:07 n73sm NetworkManager[3879]: <info>  [1622144347.5355] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",0]: VPN connection: (IP Config Get) reply received.
May 27 21:39:07 n73sm NetworkManager[3879]: <info>  [1622144347.5393] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: VPN connection: (IP4 Config Get) reply received
May 27 21:39:07 n73sm NetworkManager[3879]: <info>  [1622144347.5398] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: Data: VPN Gateway: 11.22.33.44
May 27 21:39:07 n73sm NetworkManager[3879]: <info>  [1622144347.5398] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: Data: Tunnel Device: "tun0"
May 27 21:39:07 n73sm NetworkManager[3879]: <info>  [1622144347.5398] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: Data: IPv4 configuration:
May 27 21:39:07 n73sm NetworkManager[3879]: <info>  [1622144347.5398] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: Data:   Internal Gateway: 10.8.0.1
May 27 21:39:07 n73sm NetworkManager[3879]: <info>  [1622144347.5398] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: Data:   Internal Address: 10.8.0.34
May 27 21:39:07 n73sm NetworkManager[3879]: <info>  [1622144347.5399] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: Data:   Internal Prefix: 24
May 27 21:39:07 n73sm NetworkManager[3879]: <info>  [1622144347.5399] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: Data:   Internal Point-to-Point Address: 10.8.0.34
May 27 21:39:07 n73sm NetworkManager[3879]: <info>  [1622144347.5399] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: Data:   Static Route: 0.0.0.0/0   Next Hop: 10.8.0.1
May 27 21:39:07 n73sm NetworkManager[3879]: <info>  [1622144347.5399] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: Data:   Static Route: 10.8.0.34/32   Next Hop: 0.0.0.0
May 27 21:39:07 n73sm NetworkManager[3879]: <info>  [1622144347.5399] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: Data:   Static Route: 10.8.0.0/24   Next Hop: 0.0.0.0
May 27 21:39:07 n73sm NetworkManager[3879]: <info>  [1622144347.5399] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: Data:   Internal DNS: 55.66.78.90
May 27 21:39:07 n73sm NetworkManager[3879]: <info>  [1622144347.5399] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: Data:   Internal DNS: 55.66.78.91
May 27 21:39:07 n73sm nm-openvpn[15513]: GID set to nm-openvpn
May 27 21:39:07 n73sm nm-openvpn[15513]: UID set to nm-openvpn
May 27 21:39:07 n73sm nm-openvpn[15513]: Initialization Sequence Completed
May 27 21:39:07 n73sm NetworkManager[3879]: <info>  [1622144347.5401] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: Data:   DNS Domain: '(none)'
May 27 21:39:07 n73sm NetworkManager[3879]: <info>  [1622144347.5406] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: Data: No IPv6 configuration
May 27 21:39:07 n73sm NetworkManager[3879]: <info>  [1622144347.5407] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: VPN plugin: state changed: started (4)
May 27 21:39:07 n73sm NetworkManager[3879]: <info>  [1622144347.5416] vpn-connection[0x5650ea200580,db4e1dbd-beb6-435c-b2af-b9e42ece1e3c,"maco",7:(tun0)]: VPN connection: (IP Config Get) complete
May 27 21:39:07 n73sm NetworkManager[3879]: <info>  [1622144347.5454] device (tun0): state change: unmanaged -> unavailable (reason 'connection-assumed', sys-iface-state: 'external')
May 27 21:39:07 n73sm dbus-daemon[3817]: [system] Activating service name='org.freedesktop.nm_dispatcher' requested by ':1.0' (uid=0 pid=3879 comm="/usr/sbin/NetworkManager --pid-file /run/NetworkMa" label="kernel") (using servicehelper)
May 27 21:39:07 n73sm NetworkManager[3879]: <info>  [1622144347.5488] device (tun0): state change: unavailable -> disconnected (reason 'connection-assumed', sys-iface-state: 'external')
May 27 21:39:07 n73sm NetworkManager[3879]: <info>  [1622144347.5496] device (tun0): Activation: starting connection 'tun0' (57f7adcf-1d63-4330-b7c4-8ec338fc93f3)
May 27 21:39:07 n73sm NetworkManager[3879]: <info>  [1622144347.5497] device (tun0): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'external')
May 27 21:39:07 n73sm NetworkManager[3879]: <info>  [1622144347.5506] device (tun0): state change: prepare -> config (reason 'none', sys-iface-state: 'external')
May 27 21:39:07 n73sm NetworkManager[3879]: <info>  [1622144347.5509] device (tun0): state change: config -> ip-config (reason 'none', sys-iface-state: 'external')
May 27 21:39:07 n73sm NetworkManager[3879]: <info>  [1622144347.5511] device (tun0): state change: ip-config -> ip-check (reason 'none', sys-iface-state: 'external')
May 27 21:39:07 n73sm dbus-daemon[3817]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
May 27 21:39:07 n73sm NetworkManager[3879]: <info>  [1622144347.5667] policy: set 'maco' (tun0) as default for IPv4 routing and DNS
May 27 21:39:07 n73sm NetworkManager[3879]: <info>  [1622144347.5885] device (tun0): state change: ip-check -> secondaries (reason 'none', sys-iface-state: 'external')
May 27 21:39:07 n73sm NetworkManager[3879]: <info>  [1622144347.5891] device (tun0): state change: secondaries -> activated (reason 'none', sys-iface-state: 'external')
May 27 21:39:07 n73sm NetworkManager[3879]: <info>  [1622144347.5918] device (tun0): Activation: successful, device activated.
```

What a mess this is!

cipher here, data-cipher there!

and data-ciphers-fallback for as much as you want: here you go..

1) Add 'BF-CBC' to --data-ciphers or change --cipher 'BF-CBC' to --data-ciphers-fallback 'BF-CBC' to silence this warning.

----------

## netfab

There's progress :)

Use the option:

```
data-ciphers
```

instead of:

```
ncp-ciphers
```

According to these commits: 1 2 3

The option was renamed in openvpn version 2.5 and is no longer enabled by default.

*pti-rem wrote:*

> This kind of connection should pretty much set itself up, shouldn't it?

Well, not really, no; on the contrary it's extremely strict, for security reasons :p

----------

## pti-rem

I can't do any better than keeping the BF-CBC cipher :(

Without it the connection doesn't get established.

The server is on the BF-CBC cipher!!

@netfab, I don't understand the commits well yet.

```
client
dev tun
proto udp
remote 118.15.77.43 1194
data-ciphers AES-256-GCM:AES-128-GCM:BF-CBC
data-ciphers-fallback BF-CBC
cipher BF-CBC
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
```

```
May 27 23:02:49 n73sm nm-openvpn[21059]: DEPRECATED OPTION: --cipher set to 'BF-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'BF-CBC' to --data-ciphers or change --cipher 'BF-CBC' to --data-ciphers-fallback 'BF-CBC' to silence this warning.
May 27 23:02:49 n73sm nm-openvpn[21059]: OpenVPN 2.5.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  4 2021
May 27 23:02:49 n73sm nm-openvpn[21059]: library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
May 27 23:02:49 n73sm nm-openvpn[21059]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 27 23:02:49 n73sm nm-openvpn[21059]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.6.
May 27 23:02:49 n73sm nm-openvpn[21059]: TCP/UDP: Preserving recently used remote address: [AF_INET] :1194
May 27 23:02:49 n73sm nm-openvpn[21059]: UDP link local: (not bound)
May 27 23:02:49 n73sm nm-openvpn[21059]: UDP link remote: [AF_INET] :1194
May 27 23:02:49 n73sm nm-openvpn[21059]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
May 27 23:02:49 n73sm nm-openvpn[21059]: [server] Peer Connection Initiated with [AF_INET]:1194
May 27 23:02:51 n73sm nm-openvpn[21059]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.6.
May 27 23:02:51 n73sm nm-openvpn[21059]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.6.
May 27 23:02:51 n73sm nm-openvpn[21059]: WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
May 27 23:02:51 n73sm nm-openvpn[21059]: TUN/TAP device tun0 opened
```

*Quote:*

> Add 'BF-CBC' to --data-ciphers or change --cipher 'BF-CBC' to --data-ciphers-fallback 'BF-CBC' to silence this warning.

That doesn't work, I've already tried too many things. I hardly understand any of it any more.

*Quote:*

> INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC)

I tried the AES-256-CBC cipher and it doesn't go through.

I'd be glad of some help configuring this ovpn.

I don't know the syntax or the limitations.

I think I'm putting too much in it.
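Added example, not code from the thread, OpenVPN or NetworkManager: a small Python script that parses the directives from the maco.ovpn headers posted above and applies the OpenVPN 2.5 rules the log messages describe (default data-ciphers pair, ncp-ciphers as the old spelling, --cipher appended with the DEPRECATED OPTION warning, the SWEET32 warning for 64-bit block ciphers, and the OPTIONS ERROR when the server's cipher is not in the list). The sample configs are constructed from those headers with a placeholder address, and the `server_negotiates` flag is a deliberate simplification of how --data-ciphers-fallback interacts with old servers.

```python
"""OpenVPN 2.5 data-channel cipher selection, modelled for a client .ovpn (added example)."""

DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]  # OpenVPN 2.5 default list
# 64-bit block ciphers: the SWEET32 warning in the logs applies to these
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}

# Constructed from the first header posted: no cipher directive at all (placeholder address)
OVPN_ORIGINAL = """\
client
dev tun
proto udp
remote 192.0.2.10 1194
nobind
"""
# Constructed from the last header posted: data-ciphers extended with BF-CBC
OVPN_FIXED = OVPN_ORIGINAL + """\
data-ciphers AES-256-GCM:AES-128-GCM:BF-CBC
data-ciphers-fallback BF-CBC
cipher BF-CBC
"""


def parse_ovpn(text):
    """Map each directive to its argument list (last occurrence wins); comment
    lines and inline <ca>...</ca> style blocks are skipped."""
    opts, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif not in_block:
            key, *args = line.split()
            opts[key] = args
    return opts


def effective_data_ciphers(opts):
    """Return (cipher list the 2.5 client offers, warnings it logs while building it)."""
    warnings = []
    # ncp-ciphers is the pre-2.5 spelling of data-ciphers; data-ciphers wins if both appear
    listed = opts.get("data-ciphers") or opts.get("ncp-ciphers")
    ciphers = listed[0].split(":") if listed else list(DEFAULT_DATA_CIPHERS)
    legacy = opts.get("cipher", [None])[0]
    if legacy and legacy not in ciphers:
        # 2.5 still appends --cipher to the list, but logs the DEPRECATED OPTION warning
        warnings.append(f"DEPRECATED OPTION: --cipher '{legacy}' missing in --data-ciphers")
        ciphers.append(legacy)
    for c in ciphers:
        if c in SMALL_BLOCK_CIPHERS:
            warnings.append(f"INSECURE cipher ({c}): 64-bit block size, SWEET32 exposure")
    return ciphers, warnings


def negotiate(opts, server_cipher, server_negotiates=True):
    """Client outcome once the server's cipher is known: (ok, message). Simplified:
    a pushed cipher must be in --data-ciphers; --data-ciphers-fallback can only
    match an old server that does not negotiate at all."""
    ciphers, _ = effective_data_ciphers(opts)
    if server_cipher in ciphers:
        return True, f"using {server_cipher} from --data-ciphers"
    fallback = opts.get("data-ciphers-fallback", [None])[0]
    if not server_negotiates and fallback == server_cipher:
        return True, f"using {server_cipher} via --data-ciphers-fallback"
    return False, ("OPTIONS ERROR: failed to negotiate cipher with server. Add "
                   f"'{server_cipher}' to --data-ciphers (currently '{':'.join(ciphers)}')")


if __name__ == "__main__":
    for name, text in (("original", OVPN_ORIGINAL), ("fixed", OVPN_FIXED)):
        opts = parse_ovpn(text)
        print(name, negotiate(opts, "BF-CBC")[1], *effective_data_ciphers(opts)[1], sep="\n  ")
```

The model assumes the directives reach openvpn as written; note that the last log above still reports --data-ciphers as the default pair although the file lists BF-CBC, so whatever nmcli imported did not carry that directive through.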

----------

## pti-rem

I didn't want this OpenVPN with an insecure cipher exposed to danger.

I got a refund.

----------

