Bug 461055 - Add "data-ciphers" field in OpenVPN configuration editor for NetworkManager
Summary: Add "data-ciphers" field in OpenVPN configuration editor for NetworkManager
Status: REPORTED
Alias: None
Product: systemsettings
Classification: Applications
Component: kcm_networkmanagement (other bugs)
Version First Reported In: 5.26.1
Platform: Ubuntu Linux
: NOR wishlist
Target Milestone: ---
Assignee: Jan Grulich
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-10-27 08:26 UTC by Giovanni
Modified: 2025-06-10 10:57 UTC (History)
4 users (show)

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.
Description Giovanni 2022-10-27 08:26:21 UTC 
Hello, it seems that is with OpenVPN 2.6 the user needs to edit the field "data-ciphers", as reported by OpenVPN logs on my post here: https://forums.openvpn.net/viewtopic.php?t=34936

But currently (plasma 5.26.1) there is no way to edit data-ciphers via the KDE settings GUI.

Thank you

PS: is this the right place for this feature request? There is also pasma-nm/editor... but I have no idea which one is the right place.

Thank you.
Comment 1 Yury Zhuravlev 2024-06-18 07:35:08 UTC 
Do we have any updates? It's kind of an important option.
Comment 2 Stefan Neufeind 2025-06-10 08:05:22 UTC 
Just stumbled across this again on Fedora 42 which has OpenVPN 2.6.14. Newer openvpn-versions don't have the "cipher"-option anymore but need "data-ciphers" to be set. syslog reports something like:

nm-openvpn[41191]: OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.

Workaround: Manually editing the vpn-connection below /etc/NetworkManager makes it work.
https://discourse.gnome.org/t/gnome-settings-openvpn-data-ciphers-field-missing/11590

Gnome added it when writing the vpn-connection, in 2022:
merge: https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/merge_requests/46
patch-details: https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/commit/020ab0c4b872fa5415ed1a5e682acb3343c7b9f3

Maybe we could add a similar solution when writing the connection. Should we keep the current dropdown for cipher and export that as data-ciphers? Or have it as a new input-field (to support a list of ciphers)? Automatically add it to the list of ciphers then as a compat-solution? Or assume that newer distributions ("since ever") use openvpn 2.6+ and simply switch from "cipher" to "data-ciphers" completely in the source?
https://github.com/KDE/plasma-nm/blob/master/vpn/openvpn/openvpn.cpp
Comment 3 Stefan Neufeind 2025-06-10 08:12:24 UTC 
Possible solution added as a pull-request. I hope that's the right place (and the right solution you might want to go for). I think we can (meanwhile) assume OpenVPN 2.6+ and thus simply update the exported config.
https://github.com/KDE/plasma-nm/pull/11
Comment 4 Stefan Neufeind 2025-06-10 10:57:28 UTC 
(In reply to Stefan Neufeind from comment #3)
> Possible solution added as a pull-request. I hope that's the right place
> (and the right solution you might want to go for). I think we can
> (meanwhile) assume OpenVPN 2.6+ and thus simply update the exported config.
[...]

Sorry, submitted merge-request through the right channel again.
https://invent.kde.org/plasma/plasma-nm/-/merge_requests/435