Fixing OpenVPN 2.6 cipher errors on Ubuntu 22.x / 24.x

Fixing OpenVPN 2.6 cipher errors on Ubuntu 22.x / 24.x - DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers … OpenVPN ignores --cipher for cipher


Works for both the new Netplan “nm-devices” YAML files and the classic .nmconnection profiles that GNOME Settings still writes behind the scenes.


Why the tunnel breaks after upgrading

OpenVPN 2.6 no longer uses the old cipher= option for cipher negotiation and only negotiates suites listed in data-ciphers=.
If the profile contains a legacy suite such as AES-256-CBC but no matching data-ciphers entry, OpenVPN refuses to connect and journalctl shows:

DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers … OpenVPN ignores --cipher for cipher negotiations.

GNOME's NetworkManager UI does not import the data-ciphers attribute, and does not let you set it when creating or importing a VPN connection. So while your .ovpn file might be valid and work with the openvpn command-line client, it will refuse to connect when initiated through the GNOME UI.

Locate the right file

A. Profiles stored by Netplan (/etc/netplan/…yaml)

Since Ubuntu 24.04, NetworkManager’s per-VPN settings are exported into Netplan as nm-devices YAML.

Use grep to find which one refers to OpenVPN:

cd /etc/netplan
sudo grep -l openvpn *.yaml
#→ 90-NM-8d8a6f8e-…yaml

If nothing shows, the connection may still be an old .nmconnection file (next section).

B. Classic NetworkManager profiles

These should live in /etc/NetworkManager/system-connections/*.nmconnection

cd /etc/NetworkManager/system-connections
sudo grep -l "cipher=" *.nmconnection

Add the missing data-ciphers

| Where to edit | What it looks like now | What to add/change |
|---|---|---|
| Netplan YAML (passthrough: block) | vpn.cipher: "AES-256-CBC" | add vpn.data-ciphers: "AES-256-CBC" directly underneath |
| .nmconnection ([vpn] section) | cipher=AES-256-CBC | add data-ciphers=AES-256-CBC on the next line |

network:
  version: 2
  nm-devices:
    NM-8d8…:
      renderer: NetworkManager
      networkmanager:
        passthrough:
          vpn.cipher:       "AES-256-CBC"
          vpn.data-ciphers: "AES-256-CBC"   # ← new line
          vpn.connection-type: "tls"

Netplan YAML

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
cipher=AES-256-CBC
# ↓ new line (keyfile comments must sit on their own line, not after a value)
data-ciphers=AES-256-CBC

nmconnection file

The fix is identical even if you prefer AES-128-CBC or another legacy suite—just keep both lines in sync.
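
One way to check that both lines are in sync across every profile before applying, added here as an example and not taken from the original post or from NetworkManager. The function names and sample files are constructed for illustration, and the check goes slightly beyond the page by accepting a colon-separated data-ciphers list, which is how OpenVPN takes several suites:

```shell
#!/bin/sh
# Added example: flag NetworkManager OpenVPN profiles whose legacy cipher is
# missing from data-ciphers. Reads both file formats covered on this page.

# profile_value FILE KEY: print the value of KEY ("cipher" or "data-ciphers").
# Keyfile values run to end of line (the format has no inline comments);
# YAML values stop at a closing quote, whitespace or '#'.
profile_value() {
    sed -n -E \
        -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*(.*[^[:space:]])[[:space:]]*\$/\1/p" \
        -e "s/^[[:space:]]*vpn\.$2:[[:space:]]*\"?([^\"#[:space:]]*).*/\1/p" \
        "$1" | head -n 1
}

# check_profile FILE: return 0 if cipher is unset or listed in the
# colon-separated data-ciphers value, 1 otherwise.
check_profile() {
    cipher=$(profile_value "$1" cipher)
    data=$(profile_value "$1" data-ciphers)
    [ -n "$cipher" ] || { echo "OK       $1 (no cipher set)"; return 0; }
    case ":$data:" in
        *":$cipher:"*) echo "OK       $1"; return 0 ;;
    esac
    echo "MISMATCH $1: cipher=$cipher data-ciphers=${data:-<unset>}"
    return 1
}

# write_samples DIR: constructed profiles for a dry run (not real ones).
write_samples() {
    printf '[vpn]\ncipher=AES-256-CBC\n' > "$1/broken.nmconnection"
    printf '[vpn]\ncipher=AES-256-CBC\ndata-ciphers=AES-256-GCM:AES-256-CBC\n' \
        > "$1/fixed.nmconnection"
    printf '[vpn]\ncipher=AES-256-CBC\ndata-ciphers=AES-256-CBC  # new\n' \
        > "$1/inline-comment.nmconnection"
    printf '  passthrough:\n    vpn.cipher: "AES-256-CBC"\n    vpn.data-ciphers: "AES-256-CBC"  # new\n' \
        > "$1/fixed.yaml"
}

# With file arguments, check those; with none, check the constructed samples.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do check_profile "$f" || true; done
else
    tmp=$(mktemp -d) && write_samples "$tmp"
    for f in "$tmp"/*; do check_profile "$f" || true; done
    rm -rf "$tmp"
fi
```

Run it with sudo and pass /etc/netplan/*.yaml and /etc/NetworkManager/system-connections/*.nmconnection as arguments to check the real profiles.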

Apply & restart

| Format | Command |
|---|---|
| Netplan YAML | sudo netplan apply |
| .nmconnection | sudo systemctl restart NetworkManager |

Verify

nmcli connection up "YourVPNName"   # or use the GNOME toggle
journalctl -u NetworkManager -b | grep -i openvpn

The “DEPRECATED OPTION” message should be gone and the tunnel should transition to Initialization Sequence Completed.

FAQ & extra tips

  • Which file format am I using?
    If journalctl -u NetworkManager mentions a UUID such as 8d8a6f8e-… during connection attempts, that UUID matches the Netplan filename (90-NM-<UUID>.yaml).
  • Multiple VPNs?
    Repeat the grep trick for each YAML or .nmconnection file.
  • Indentation errors in YAML break Netplan parsing. If netplan apply fails, reopen the file and ensure two-space indents throughout.
  • Still failing after the edit?
    • Confirm the server actually allows the cipher you added.
    • Test with the raw client: sudo openvpn --data-ciphers AES-256-CBC --config client.ovpn
      If this works, your Netplan/NM profile will work once the edit is correct.