Fixing OpenVPN 2.6 cipher errors on Ubuntu 22.x / 24.x
Works for both the new Netplan “nm-devices” YAML files and the classic .nmconnection profiles that GNOME Settings still writes behind the scenes.
Why the tunnel breaks after upgrading
OpenVPN 2.6 drops the old cipher= option and only negotiates suites listed in data-ciphers=.
If the profile contains a legacy suite such as AES-256-CBC but no matching data-ciphers, OpenVPN refuses to connect and you see in journalctl:

```
DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers … OpenVPN ignores --cipher for cipher negotiations.
```
GNOME's NetworkManager UI does not import the data-ciphers attribute or allow you to set it when creating or importing a VPN connection, so while your .ovpn file might be valid and work with the openvpn command-line client, it will refuse to connect when initiated through the GNOME UI.
Locate the right file
A. Profiles stored by Netplan (/etc/netplan/…yaml)
Since Ubuntu 24.04, NetworkManager’s per-VPN settings are exported into Netplan as nm-devices YAML.
Use grep to find which one refers to OpenVPN:
```bash
cd /etc/netplan
sudo grep -l openvpn *.yaml
#→ 90-NM-8d8a6f8e-…yaml
```
If nothing shows, the connection may still be an old .nmconnection file (next section).
B. Classic NetworkManager profiles
These should live in /etc/NetworkManager/system-connections/*.nmconnection:

```bash
cd /etc/NetworkManager/system-connections
sudo grep -l "cipher=" *.nmconnection
```
Add the missing data-ciphers
Where to edit | What it looks like now | What to add/change |
---|---|---|
Netplan YAML (passthrough: block) | vpn.cipher: "AES-256-CBC" | add vpn.data-ciphers: "AES-256-CBC" directly underneath |
.nmconnection ([vpn] section) | cipher=AES-256-CBC | add data-ciphers=AES-256-CBC on the next line |
Netplan YAML:

```yaml
network:
  version: 2
  nm-devices:
    NM-8d8…:
      renderer: NetworkManager
      networkmanager:
        passthrough:
          vpn.cipher: "AES-256-CBC"
          vpn.data-ciphers: "AES-256-CBC"   # ← new line
          vpn.connection-type: "tls"
```
nmconnection file:

```ini
[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
cipher=AES-256-CBC
# ↓ new line (keyfile comments need their own line; text after a value becomes part of it)
data-ciphers=AES-256-CBC
```
The fix is identical even if you prefer AES-128-CBC or another legacy suite—just keep both lines in sync.
Apply & restart
Format | Command |
---|---|
Netplan YAML | sudo netplan apply |
.nmconnection | sudo systemctl restart NetworkManager |
Verify
```bash
nmcli connection up "YourVPNName"   # or use the GNOME toggle
journalctl -u NetworkManager -b | grep -i openvpn
```
The “DEPRECATED OPTION” message should be gone and the tunnel should transition to Initialization Sequence Completed.
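To check classic profiles before and after the edit, the following added example (not part of the original page) reports whether the cipher= in a keyfile's [vpn] section also appears in data-ciphers=. It goes slightly beyond the single-cipher case above by accepting the colon-separated list that OpenVPN's --data-ciphers takes; the function name check_profile and the sample profiles are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a NetworkManager keyfile (.nmconnection) for a legacy
# cipher= in [vpn] that is not also listed in data-ciphers=.
# check_profile FILE prints one of: ok | missing | no-cipher
check_profile() {
    awk '
        /^\[/ { in_vpn = ($0 == "[vpn]"); next }      # track the current section
        !in_vpn || /^#/ || !index($0, "=") { next }   # skip other sections, comments
        {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            if (key == "cipher")       cipher = val
            if (key == "data-ciphers") list = val
        }
        END {
            if (cipher == "") { print "no-cipher"; exit }
            # data-ciphers is a colon-separated list; the keyfile format has no
            # inline comments, so any trailing text is part of the value.
            n = split(list, item, ":")
            for (i = 1; i <= n; i++)
                if (item[i] == cipher) { print "ok"; exit }
            print "missing"
        }' "$1"
}

# Constructed sample profiles (not real configurations).
demo_dir=$(mktemp -d)
printf '%s\n' '[connection]' 'id=before' '[vpn]' 'cipher=AES-256-CBC' \
    > "$demo_dir/before.nmconnection"
printf '%s\n' '[connection]' 'id=after' '[vpn]' 'cipher=AES-256-CBC' \
    'data-ciphers=AES-256-GCM:AES-256-CBC' > "$demo_dir/after.nmconnection"

for f in "$demo_dir"/*.nmconnection; do
    printf '%s: %s\n' "${f##*/}" "$(check_profile "$f")"
done
rm -rf "$demo_dir"
```

On a real system the profiles are readable only by root, so call check_profile from a root shell on each file under /etc/NetworkManager/system-connections.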
FAQ & extra tips
- Which file format am I using?
  If journalctl -u NetworkManager mentions a UUID such as 8d8a6f8e-… during connection attempts, that UUID matches the Netplan filename (90-NM-<UUID>.yaml).
- Multiple VPNs?
  Repeat the grep trick for each YAML or .nmconnection file.
- Indentation errors in YAML break Netplan parsing. If netplan apply fails, reopen the file and ensure two-space indents throughout.
- Still failing after the edit?
  - Confirm the server actually allows the cipher you added.
  - Test with the raw client:

    ```bash
    sudo openvpn --data-ciphers AES-256-CBC --config client.ovpn
    ```

    If this works, your Netplan/NM profile will work once the edit is correct.