Solved: ExpressVPN connection error Data channel cipher negotiation failed (no shared cipher)
-
Same issue here, same fix (replace AES-256-CBC by AES-256-GCM).
The funny thing is.... I redownloaded the manual config file for the server that I use and the config statement "cipher AES-256-CBC" was still there. The config they provide is broken, and it might be the case for more than a few servers.
-
@gwaitsi
I guess, as I was using this :
so : 'CBC' or 'GCM' : it will work it out by itself ....
Most North Europe ovpn files use "cipher AES-256-CBC" right now.
-
Changed my encryption to AES-256-GCM and I am still getting the error:
AUTH: Received control message: AUTH_FAILED,Data channel cipher negotiation failed (no shared cipher)
SIGUSR1[soft,auth-failure] received, process restarting
-
@gwaitsi Found this on the ExpressVPN site: How secure is ExpressVPN encryption?
Control-channel encryption
To ensure the integrity and confidentiality of encrypted data even on low-powered hardware, ExpressVPN uses AES-256-GCM. AES is one of the most widely used symmetric encryption standards. The 256 refers to the fixed size of each encrypted block, 256 bits. GCM (Galois/Counter Mode) allows your computer to encrypt multiple packages at once, ensuring that your connection never hangs even for a short moment.
-
@shdwkeeper must be new, 'cause I was using CBC for years, until 6 days ago when the connection just dropped. They must be deploying one because all the profiles still have CBC. Anyways, I'm working, so I'm happy.
-
If you use "OpenVPN" : take note of this post : HEADS UP: OpenVPN deprecating shared key mode, requires TLS, deprecating cipher selection
So, you should have :
the first 3 because of : "that's what OpenVPN proposes".
and the fourth : because ExpressVPN needs it. Or was needing it before, and now uses some 'GCM'. Clear is : 'CBC' will get phased out.
ExpressVPN most probably uses the same publicly available OpenVPN server code, and 'adapted' it for their own needs.
-
@gwaitsi
I agree, I was working for years until this last week and it went down, then I found this post and started researching it. Once I made this change it started working. So they need to update their documentation.
-
@Gertjan
So you're saying add all of these and use GCM as the fallback as well?
-
@shdwkeeper said in Solved: ExpressVPN connection error Data channel cipher negotiation failed (no shared cipher):
So you're saying add all of these and use GCM as the fallback as well?
It works for me.
@vlurk said in Solved: ExpressVPN connection error Data channel cipher negotiation failed (no shared cipher):
The funny thing is.... I redownloaded the manual config file for the server that I use and the config statement "cipher AES-256-CBC" was still there. The config they provide is broken, and it might be the case for more than a few servers.
Exact. When you download an ovpn file for a typical country/place, it still says '....CBC' as the encryption key.
I'm using one right now for France => Paris. When I connect :
Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
and you can clearly see the GCM - non CBC.
That's why I said " add them all and let them figure it out among client and server "
-
@Gertjan said in Solved: ExpressVPN connection error Data channel cipher negotiation failed (no shared cipher):
Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
That's the control channel ;)
Data channel is this one:
2023-06-26 11:08:24 us=684115 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-06-26 11:08:24 us=684160 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
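-
The control-channel versus data-channel distinction in the last reply can be checked mechanically from a client log and the downloaded profile. This is an added example, not part of the thread and not ExpressVPN or OpenVPN code; the function names and sample strings are constructed, using the log line formats quoted in the posts above.

```python
import re

# Line formats follow the OpenVPN client log lines quoted in the thread.
CONTROL_RE = re.compile(r"Control Channel: ([^,\s]+), cipher \S+ ([^,\s]+)")
DATA_RE = re.compile(r"(Outgoing|Incoming) Data Channel: Cipher '([^']+)' initialized")
FAIL_RE = re.compile(r"AUTH_FAILED,Data channel cipher negotiation failed")

def summarize_log(log_text):
    """Report the control-channel and data-channel ciphers separately."""
    out = {"control_cipher": None, "data_ciphers": {}, "negotiation_failed": False}
    for line in log_text.splitlines():
        if m := CONTROL_RE.search(line):
            out["control_cipher"] = m.group(2)  # TLS suite of the control channel
        elif m := DATA_RE.search(line):
            out["data_ciphers"][m.group(1).lower()] = m.group(2)  # tunnel traffic
        elif FAIL_RE.search(line):
            out["negotiation_failed"] = True  # the error from the thread title
    return out

def named_data_ciphers(conf_text):
    """Ciphers a client config names via cipher / data-ciphers / data-ciphers-fallback.
    OpenVPN's version-dependent built-in defaults are deliberately not modelled."""
    named = []
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()  # ';' comment lines never match below
        if len(parts) >= 2 and parts[0] in ("cipher", "data-ciphers", "data-ciphers-fallback"):
            named += [c for c in parts[1].split(":") if c not in named]
    return named

def names_no_gcm(conf_text):
    """True when the config names data ciphers but none of them is a GCM mode,
    which is what the thread reports for the downloaded profiles."""
    named = named_data_ciphers(conf_text)
    return bool(named) and not any(c.upper().endswith("-GCM") for c in named)

# Constructed sample input, assembled from the line formats quoted in the thread.
SAMPLE_FAIL = ("AUTH: Received control message: AUTH_FAILED,"
               "Data channel cipher negotiation failed (no shared cipher)\n")
SAMPLE_OK = (
    "Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, "
    "peer certificate: 2048 bit RSA, signature: RSA-SHA256\n"
    "Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key\n"
    "Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key\n"
)

if __name__ == "__main__":
    print(summarize_log(SAMPLE_FAIL))
    print(summarize_log(SAMPLE_OK))
    print(names_no_gcm("cipher AES-256-CBC\n"))
```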