Solved: ExpressVPN connection error Data channel cipher negotiation failed (no shared cipher)
-
@gwaitsi said in Solved: ExpressVPN connection error Data channel cipher negotiation failed (no shared cipher):
My ExpressVPN connection went down yesterday,
What ? Where ?
Nothing happened, as I was connected all day.Or .... do you use an end point that I'm not using ?
Americas USA - New York USA - San Francisco USA - Chicago Canada - Toronto USA - Washington DC USA - Dallas USA - Miami USA - Los Angeles - 3 USA - New Jersey - 1 USA - Los Angeles - 2 USA - New Jersey - 3 USA - Seattle USA - Miami - 2 USA - Denver USA - Salt Lake City USA - Tampa - 1 USA - Phoenix Canada - Toronto - 2 Mexico Brazil - 2 Panama USA - New Jersey - 2 USA - Dallas - 2 USA - Los Angeles - 1 USA - Atlanta USA - Albuquerque Chile Argentina Brazil Bolivia Costa Rica Colombia Venezuela Ecuador Guatemala Peru Uruguay Bahamas Canada - Montreal USA - Los Angeles - 5 USA - Lincoln Park USA - Santa Monica Europe Netherlands - Amsterdam Germany - Frankfurt - 1 Sweden Switzerland Italy - Milan France - Paris - 1 UK - East London Netherlands - Rotterdam UK - London Italy - Cosenza UK - Docklands Romania France - Strasbourg UK - Midlands Netherlands - The Hague Isle of Man Switzerland - 2 Italy - Naples Spain - Madrid Turkey Ireland Spain - Barcelona Spain - Barcelona - 2 France - Paris - 2 Germany - Nuremberg Iceland Norway Denmark Belgium Finland France - Marseille Greece Germany - Frankfurt - 3 Portugal Austria Armenia Poland Lithuania Latvia Estonia Czech Republic Andorra Montenegro Bosnia and Herzegovina Luxembourg Sweden - 2 Hungary Bulgaria Belarus Ukraine Malta Liechtenstein Cyprus Albania Croatia Slovenia Slovakia Monaco Jersey North Macedonia Moldova Serbia Georgia UK - Wembley France - Alsace Middle East & Africa South Africa Israel Egypt Kenya Algeria Asia Pacific Singapore - Jurong Hong Kong - 2 Japan - Tokyo Japan - Shibuya Japan - Yokohama Australia - Melbourne South Korea - 2 Singapore - CBD Australia - Woolloomooloo Australia - Sydney Philippines Singapore - Marina Bay Australia - Perth Australia - Brisbane Australia - Adelaide Malaysia Japan - Tokyo - 2 India (via UK) Sri Lanka India (via Singapore) Pakistan Kazakhstan Thailand Indonesia Australia - Sydney - 2 New Zealand Taiwan - 3 Vietnam Macau Cambodia Mongolia Laos Myanmar Nepal Uzbekistan Bangladesh Bhutan Brunei Hong Kong - 1
As far as I remember, they use AES-256-CBC since 2019 ( ?) ....
dev tun fast-io persist-key persist-tun nobind remote the-one-and-only-main-expressvpn-pop-ca-version-2.expressnetw.com 1195 remote-random pull comp-lzo no tls-client verify-x509-name Server name-prefix ns-cert-type server key-direction 1 route-method exe route-delay 2 tun-mtu 1500 fragment 1300 mssfix 1200 verb 3 cipher AES-256-CBC keysize 256 auth SHA512 sndbuf 524288 rcvbuf 524288 auth-user-pass
@gwaitsi said in Solved: ExpressVPN connection error Data channel cipher negotiation failed (no shared cipher):
to the various guides (inc their own)
They make guides ???
Never trust guides from 'other' sources. Take them always as 'maybe' correct, 'probably wrong'.
I go to https://www.expressvpn.com/setup#manual - click on the country I like, and they send my the ovpn file for that pop / country.With this file, I set up the pfSense client.
I don't now if this is a official guide (as expressvpn will never [for very understandable reasons] support router X or Y or pfSense).
https://www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn/That guide says : AES-256-CBC - as that is what you've found in the opvn file.
True : maybe you are using a expressvpn location they forgot to update ;)
-
@Gertjan my end point was in germany and was working for many, many moons. all of a sudden there was 100% packet loss despite no changes on my side. tried luxembourg and netherlands. same thing. expressvpn support assured me, they made no changes. purely coincidential, to make it work one has to change the encryption type.....right..... "maybe you are using a expressvpn location they forgot to update" - it was using AES-256-CBC for years. that is what is in their opvn config, but now all of a sudden i have to use AES-256-GCM to get a connection. that is something changed on expressvpn, not on the client
-
Same issue here, same fix (replace AES-256-CBC by AES-256-GCM).
The funny thing is.... I redownloaded the manual config file for the server that I use and the config statement "cipher AES-256-CBC" was still there. The config they provide is broken, and it might be the case for more than a few servers.
-
@gwaitsi
I guess, as I was using this :
so : 'CBC' or 'GCM' : it will work it out by itself ....
Most North Europe ovpn files use "cipher AES-256-CBC" right now.
-
Changed my encryption to AES-256-GCM and I am still getting the error:
AUTH: Received control message: AUTH_FAILED,Data channel cipher negotiation failed (no shared cipher)
SIGUSR1[soft,auth-failure] received, process restarting -
@gwaitsi Found this on Expressvpn site: How secure is ExpressVPN encryption?
Control-channel encryption
To ensure the integrity and confidentiality of encrypted data even on low-powered hardware, ExpressVPN uses AES-256-GCM. AES is one of the most widely used symmetric encryption standards. The 256 refers to the fixed size of each encrypted block, 256 bits. GCM (Galois/Counter Mode) allows your computer to encrypt multiple packages at once, ensuring that your connection never hangs even for a short moment. -
@shdwkeeper must be new, cause i was using CBC for years, until 6 days ago when the connection just dropped. they must be deploying one because all the profiles still have CBC. Anyways, i'm working, so i'm happy
-
If you use "OpenVPN" : take note of this post : HEADS UP: OpenVPN deprecating shared key mode, requires TLS, deprecating cipher selection
So, you should have :
the first 3 because of : "that's what OpenVPN proposes".
and the fourth : because ExpressVPN needs it. Or was needing it before, and now uses some 'GCM'.Clear is : 'CBC' will get phased out.
ExpressVPN most probably uses the same publicly available OpenVPN server code, and 'adapted' it for their own needs.
-
@gwaitsi
I agree I was working for years untill this last week and it went down, than I found this post and started researching it. Once I made this change it started working. So they need to update their documentation. -
@Gertjan
So your saying add all of these and use GCM as the fallback as well? -
@shdwkeeper said in Solved: ExpressVPN connection error Data channel cipher negotiation failed (no shared cipher):
So your saying add all of these and use GCM as the fallback as well?
It works for me.
@vlurk said in Solved: ExpressVPN connection error Data channel cipher negotiation failed (no shared cipher):
The funny thing is.... I redownloaded the manual config file for the server that I use and the config statement "cipher AES-256-CBC" was still there. The config they provide is broken, and it might be the case for more than a few servers.
Exact. When you download a ovpn file for a typical country/place, is still says '....CBC' as the encryption key.
I'm using one right now for France => Paris.When I connect :
Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
and you can clearly see the GCM - non CBC.
That's why I said " add them all and let them figure it out among client and server "
-
@Gertjan said in Solved: ExpressVPN connection error Data channel cipher negotiation failed (no shared cipher):
Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
That's the control channel ;)
.
Data channel is this one:2023-06-26 11:08:24 us=684115 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key 2023-06-26 11:08:24 us=684160 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key