ER8411 - OpenVPN still does not support AES-256-GCM ciphers?

8 hours ago
Model: ER8411  
Hardware Version: V1
Firmware Version: 1.3.3

I just updated from an ER7206 to an ER8411 router in controller mode.

The OpenVPN server still does not support AES-256-GCM ciphers?

AES-128-CBC is considered outdated and blocked on modern Linux systems because of security concerns.

The user request for stronger ciphers is at least 2 years old...

#1
Re:ER8411 - OpenVPN still does not support AES-256-GCM ciphers?
4 hours ago

@AurelioS

Try and add cipher AES-256-gcm in the ovpn config file. The default is cipher AES-128-CBC.

#2
Re:ER8411 - OpenVPN still does not support AES-256-GCM ciphers?
3 hours ago

@MR.S

Oh, this worked. It should be a config option in the UI.

I tried it with data-ciphers AES-256-GCM in the config file, but that fails.

And this is strange. That's the option you should use according to the docs when using an OpenVPN client 2.6.x.

#3
Re:ER8411 - OpenVPN still does not support AES-256-GCM ciphers?
2 hours ago

  @AurelioS 

I didn't quite understand what you meant, did setting AES-256-GCM in the configuration file work or not?

 

  0  
  0  
#4
Re:ER8411 - OpenVPN still does not support AES-256-GCM ciphers?
2 hours ago - last edited 2 hours ago

@MR.S

Yes, it works with the line "cipher AES-256-GCM", however I'm not really sure there is no silent fallback to AES-128-CBC.

If you use the line "data-ciphers AES-256-GCM" instead you will receive an error message:

OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-256-GCM') if you want to connect to this server

This is also strange because the change log of firmware version 1.2.2 mentions this and I have 1.3.3:

- Upgrade the OpenSSL version.
- Support GCM encryption of OpenVPN.

ER8411(UN)_V1_1.2.2 Build 20240809 | Omada Network Support

#5
Re:ER8411 - OpenVPN still does not support AES-256-GCM ciphers?
2 hours ago

Ok, this seems to work:

data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC

With verbose logs on, you can see these lines in the log file:

Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Data Channel: cipher 'AES-256-GCM', compression: 'stub'

#6
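Because the data-ciphers list above still includes AES-128-CBC, the only way to know the client did not fall back to it is the "Data Channel: cipher" summary line in the verbose log. The following shell snippet is an added example (not from this thread or from TP-Link) that extracts that line from a client log and flags a non-AEAD fallback; the function names and the three sample logs are constructed for the example, and the log format is the one quoted in the posts above.

```shell
# Verify from an OpenVPN client log which data-channel cipher was really negotiated,
# so a server that still only offers AES-128-CBC is not mistaken for a GCM session.
# Function names and sample logs are constructed for this example.

# Constructed sample: the lines quoted above for a successful AES-256-GCM session.
LOG_GCM="Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Data Channel: cipher 'AES-256-GCM', compression: 'stub'"

# Constructed sample: what a silent fallback to the server's CBC cipher would show.
LOG_CBC="Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Data Channel: cipher 'AES-128-CBC', compression: 'stub'"

# Constructed sample: strict data-ciphers with no common cipher, connection refused.
LOG_FAIL="OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-256-GCM') if you want to connect to this server"

# negotiated_cipher LOGTEXT: print the cipher from the last "Data Channel: cipher '...'"
# summary line (lower-case "cipher", so the per-direction "Cipher" lines are skipped).
negotiated_cipher() {
    printf '%s\n' "$1" | sed -n "s/.*Data Channel: cipher '\([^']*\)'.*/\1/p" | tail -n 1
}

# check_cipher LOGTEXT: return 0 for an AEAD (GCM / ChaCha20-Poly1305) data channel,
# 1 when a non-AEAD cipher such as AES-128-CBC was negotiated, and 2 when no data
# channel was established at all (for example the OPTIONS ERROR quoted above).
check_cipher() {
    cipher=$(negotiated_cipher "$1")
    case "$cipher" in
        "")                                        return 2 ;;
        AES-256-GCM|AES-128-GCM|CHACHA20-POLY1305) return 0 ;;
        *)                                         return 1 ;;
    esac
}

# Stand-alone demo: classify each constructed sample log.
for name in LOG_GCM LOG_CBC LOG_FAIL; do
    eval "log=\$$name"
    rc=0
    check_cipher "$log" || rc=$?
    echo "$name: cipher='$(negotiated_cipher "$log")' status=$rc"
done
```

To use it on a real client, point negotiated_cipher at the contents of the log written with verb 4 or higher and alert when check_cipher returns anything other than 0.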
Re:ER8411 - OpenVPN still does not support AES-256-GCM ciphers?
an hour ago

@AurelioS

yes

#7