Netgate Discussion Forum

iOS OpenVPN: Authentication Failed - Data channel cipher negotiation failed (no shared cipher)

    McDing
    May 20, 2022, 11:47 AM (last edited by McDing May 20, 2022, 11:50 AM)

    iOS OpenVPN v3.2.3 (3760)
    pfSense 22.01 (SG-4860)

    Greetings :)

    I am looking for some assistance/guidance on solving a likely misconfiguration issue on my part with my OpenVPN setup.

    I have been successfully running a remote OpenVPN connection to my pfSense box (SG-4860) for a couple of years. I wanted to upgrade the setup to strengthen my former choice of ciphers and created a new setup. Somehow though, my authentication seems to fail due to a "Data channel cipher negotiation" issue.

    iOS OpenVPN client
    When connecting from my iOS device using the official OpenVPN client, I am getting the following error:
    [image: IMG_6336.PNG]

    My iOS OpenVPN log shows the following:
    [image: ios_log.png]

    My pfSense OpenVPN log shows the following (not sure the blue part is related but maybe that's another issue I need to address?):
    [image: pfsense_log.png]

    My pfSense Encryption settings are configured as follows (I used AES-256-GCM as fallback as well to prevent downgrading to a weaker encryption as I am the only user of the VPN):
    [image: pfsense_settings.png]

    Finally the OpenVPN config file for my iOS client is as follows (certificates part removed):

    persist-tun
    persist-key
    data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
    data-ciphers-fallback AES-256-GCM
    auth SHA512
    tls-client
    client
    remote my.site.com 1194 udp4
    setenv opt block-outside-dns
    lport 0
    verify-x509-name "server" name
    auth-user-pass
    remote-cert-tls server
    explicit-exit-notify
    

    Would anyone have any leads I could investigate? I am not really sure where to go from here:

    • is this an issue with the iOS OpenVPN app not supporting stronger ciphers?
    • did I make a config mistake anywhere?

    I am quite reliant on my VPN setup but my old config is deprecated and I don't want to let it run as such with the older ciphers.

    Any help or pointers would be greatly appreciated :)

      McDing
      May 23, 2022, 6:02 PM (last edited)

      Well after 3 days of numerous trials & errors, I finally managed to solve the issue by checking the iOS client settings and unticking the "AES-CBC Cipher Algorithm" option which apparently can break the VPN connection.

      So there you go, I am leaving my solution here in case anyone else stumbles on a similar problem one day.

        alfaro @McDing
        Sep 11, 2022, 4:36 AM (last edited)

        @mcding Hello, thank you for providing an answer. I just ran into that problem, and I do not seem to find the setting you indicate in your answer. Which iOS client are you using? Is it the OpenVPN client? I am using version 3.3.2 (5086). Under settings I see VPN protocol, connection timeout, battery saver, seamless tunnel, connect via, captive portal detection, confirmation dialogs, theme, crash reporting, and under advanced settings: minimum TLS version (profile default), IPv6, allow compression (insecure), DNS fallback, and layer 2 reachability. Any idea where I can find the setting you indicate?

          McDing @alfaro
          Sep 11, 2022, 6:07 AM (last edited)

          @alfaro Hey, I checked my iOS client settings and indeed, I couldn't see the option anymore.

          So I checked the iOS OpenVPN version history here:
          iOS OpenVPN release notes and saw that they removed that option in the latest 3.3.0 release from July 19.
          Second line: Removed the “force AES-CBC cipher” legacy compatibility option.

          I am still connecting without any issues though.

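The failure this thread diagnoses, modelled as an added example (not the poster's configuration and not OpenVPN's own code): a simplified reconstruction of OpenVPN 2.5's data-channel cipher negotiation, run once against the client profile posted above and once against a client restricted to AES-CBC ciphers, which is what the thread concludes the removed legacy iOS option did. Assumptions: the server list mirrors the posted pfSense settings, the legacy option left the client advertising only CBC ciphers, and the model omits the extra cases in OpenVPN's ssl_ncp.c (such as clients with no NCP support at all).

```python
# Added example, not the poster's setup or OpenVPN code. Simplified model of
# OpenVPN 2.5 NCP: the server walks its own --data-ciphers list and takes the
# first entry the client also advertises; if nothing is shared, the session is
# accepted only when the client offers exactly --data-ciphers-fallback.

def parse_ciphers(ovpn_text):
    """Extract (data_ciphers, fallback) from an .ovpn or server config text."""
    ciphers, fallback = [], None
    for line in ovpn_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        if parts[0] == "data-ciphers" and len(parts) > 1:
            ciphers = parts[1].split(":")  # colon-separated list, as in OpenVPN
        elif parts[0] == "data-ciphers-fallback" and len(parts) > 1:
            fallback = parts[1]
    return ciphers, fallback

def negotiate(server_ciphers, server_fallback, client_ciphers):
    """Return the agreed data-channel cipher, or None for 'no shared cipher'."""
    for cipher in server_ciphers:  # server-side ordering decides preference
        if cipher in client_ciphers:
            return cipher
    if server_fallback and client_ciphers == [server_fallback]:
        return server_fallback  # legacy client that only speaks the fallback
    return None

# The client profile quoted in the thread (trimmed; certificates omitted).
CLIENT_OVPN = """\
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-GCM
auth SHA512
remote my.site.com 1194 udp4
"""

# Constructed server-side values mirroring the pfSense settings in the thread.
SERVER_CIPHERS = ["AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"]
SERVER_FALLBACK = "AES-256-GCM"

# Assumption: the legacy iOS "force AES-CBC cipher" option left the client
# advertising only CBC ciphers, so nothing overlapped with the GCM-only server.
FORCED_CBC_CLIENT = ["AES-256-CBC", "AES-128-CBC"]

def thread_scenarios():
    """Negotiation result for the posted profile vs. the legacy CBC-only client."""
    client_ciphers, _ = parse_ciphers(CLIENT_OVPN)
    return {
        "profile_as_posted": negotiate(SERVER_CIPHERS, SERVER_FALLBACK, client_ciphers),
        "legacy_cbc_option": negotiate(SERVER_CIPHERS, SERVER_FALLBACK, FORCED_CBC_CLIENT),
    }
```

A None result is the model's equivalent of the "Data channel cipher negotiation failed (no shared cipher)" message in the iOS log; note that the server's list order, not the client's, picks the cipher when several overlap.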
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.