Netgate Discussion Forum

Solved: ExpressVPN connection error Data channel cipher negotiation failed (no shared cipher)

  • 4
    4o4rh
    last edited by 4o4rh Jun 21, 2023, 8:19 AM Jun 21, 2023, 7:29 AM

    My ExpressVPN connection went down yesterday, despite no changes from my side.
    I tried changing access points, even to different countries, but same thing.
    I am getting the below errors in the log.

    Received control message: AUTH_FAILED,Data channel cipher negotiation failed (no shared cipher)
    SIGUSR1[soft,auth-failure] received, process restarting

    Solution: despite being told there were no changes on their side, the support told me to choose AES-256-GCM contrary to the various guides (inc their own) that say to use AES-256-CBC

    4 G S 3 Replies Last reply Jun 21, 2023, 7:47 AM Reply Quote 0
    • 4
      4o4rh @4o4rh
      last edited by Jun 21, 2023, 7:47 AM

      @gwaitsi expressvpn support say i need to remove the keysize from the ovpn file. sounds sus to me, why after all these years i suddenly need to do that

      1 Reply Last reply Reply Quote 0
      • D
        Dredex
        last edited by Jun 21, 2023, 1:28 PM

        Same problem, changed to AES-256-GCM and it's working.
        Thanks

        1 Reply Last reply Reply Quote 3
        • G
          Gertjan @4o4rh
          last edited by Jun 21, 2023, 2:11 PM

          @gwaitsi said in Solved: ExpressVPN connection error Data channel cipher negotiation failed (no shared cipher):

          My ExpressVPN connection went down yesterday,

          What ? Where ?
          Nothing happened, as I was connected all day.

          Or .... do you use an end point that I'm not using ?

          Americas
          
              USA - New York
              USA - San Francisco
              USA - Chicago
              Canada - Toronto
              USA - Washington DC
              USA - Dallas
              USA - Miami
              USA - Los Angeles - 3
              USA - New Jersey - 1
              USA - Los Angeles - 2
              USA - New Jersey - 3
              USA - Seattle
              USA - Miami - 2
              USA - Denver
              USA - Salt Lake City
              USA - Tampa - 1
              USA - Phoenix
              Canada - Toronto - 2
              Mexico
              Brazil - 2
              Panama
              USA - New Jersey - 2
              USA - Dallas - 2
              USA - Los Angeles - 1
              USA - Atlanta
              USA - Albuquerque
              Chile
              Argentina
              Brazil
              Bolivia
              Costa Rica
              Colombia
              Venezuela
              Ecuador
              Guatemala
              Peru
              Uruguay
              Bahamas
              Canada - Montreal
              USA - Los Angeles - 5
              USA - Lincoln Park
              USA - Santa Monica
          
          Europe
          
              Netherlands - Amsterdam
              Germany - Frankfurt - 1
              Sweden
              Switzerland
              Italy - Milan
              France - Paris - 1
              UK - East London
              Netherlands - Rotterdam
              UK - London
              Italy - Cosenza
              UK - Docklands
              Romania
              France - Strasbourg
              UK - Midlands
              Netherlands - The Hague
              Isle of Man
              Switzerland - 2
              Italy - Naples
              Spain - Madrid
              Turkey
              Ireland
              Spain - Barcelona
              Spain - Barcelona - 2
              France - Paris - 2
              Germany - Nuremberg
              Iceland
              Norway
              Denmark
              Belgium
              Finland
              France - Marseille
              Greece
              Germany - Frankfurt - 3
              Portugal
              Austria
              Armenia
              Poland
              Lithuania
              Latvia
              Estonia
              Czech Republic
              Andorra
              Montenegro
              Bosnia and Herzegovina
              Luxembourg
              Sweden - 2
              Hungary
              Bulgaria
              Belarus
              Ukraine
              Malta
              Liechtenstein
              Cyprus
              Albania
              Croatia
              Slovenia
              Slovakia
              Monaco
              Jersey
              North Macedonia
              Moldova
              Serbia
              Georgia
              UK - Wembley
              France - Alsace
          
          Middle East & Africa
          
              South Africa
              Israel
              Egypt
              Kenya
              Algeria
          
          Asia Pacific
          
              Singapore - Jurong
              Hong Kong - 2
              Japan - Tokyo
              Japan - Shibuya
              Japan - Yokohama
              Australia - Melbourne
              South Korea - 2
              Singapore - CBD
              Australia - Woolloomooloo
              Australia - Sydney
              Philippines
              Singapore - Marina Bay
              Australia - Perth
              Australia - Brisbane
              Australia - Adelaide
              Malaysia
              Japan - Tokyo - 2
              India (via UK)
              Sri Lanka
              India (via Singapore)
              Pakistan
              Kazakhstan
              Thailand
              Indonesia
              Australia - Sydney - 2
              New Zealand
              Taiwan - 3
              Vietnam
              Macau
              Cambodia
              Mongolia
              Laos
              Myanmar
              Nepal
              Uzbekistan
              Bangladesh
              Bhutan
              Brunei
              Hong Kong - 1
          

          As far as I remember, they use AES-256-CBC since 2019 ( ?) ....

          dev tun
          fast-io
          persist-key
          persist-tun
          nobind
          remote the-one-and-only-main-expressvpn-pop-ca-version-2.expressnetw.com 1195
          
          remote-random
          pull
          comp-lzo no
          tls-client
          verify-x509-name Server name-prefix
          ns-cert-type server
          key-direction 1
          route-method exe
          route-delay 2
          tun-mtu 1500
          fragment 1300
          mssfix 1200
          verb 3
          cipher AES-256-CBC
          keysize 256
          auth SHA512
          sndbuf 524288
          rcvbuf 524288
          auth-user-pass
          

          @gwaitsi said in Solved: ExpressVPN connection error Data channel cipher negotiation failed (no shared cipher):

          to the various guides (inc their own)

          They make guides 😲 ???
          Never trust guides from 'other' sources. Take them always as 'maybe' correct, 'probably wrong'.
          I go to https://www.expressvpn.com/setup#manual - click on the country I like, and they send me the ovpn file for that pop / country.

          With this file, I set up the pfSense client.

          I don't know if this is an official guide (as expressvpn will never [for very understandable reasons] support router X or Y or pfSense).
          https://www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn/

          That guide says : AES-256-CBC - as that is what you've found in the ovpn file.

          True : maybe you are using an expressvpn location they forgot to update ;)

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          4 1 Reply Last reply Jun 21, 2023, 2:37 PM Reply Quote 0
          • 4
            4o4rh @Gertjan
            last edited by 4o4rh Jun 21, 2023, 2:40 PM Jun 21, 2023, 2:37 PM

            @Gertjan my end point was in germany and was working for many, many moons. all of a sudden there was 100% packet loss despite no changes on my side. tried luxembourg and netherlands. same thing. expressvpn support assured me, they made no changes. purely coincidental, to make it work one has to change the encryption type.....right..... "maybe you are using an expressvpn location they forgot to update" - it was using AES-256-CBC for years. that is what is in their ovpn config, but now all of a sudden i have to use AES-256-GCM to get a connection. that is something changed on expressvpn, not on the client

            V G 2 Replies Last reply Jun 23, 2023, 7:27 PM Reply Quote 0
            • V
              vlurk @4o4rh
              last edited by Jun 23, 2023, 7:27 PM

              Same issue here, same fix (replace AES-256-CBC by AES-256-GCM).

              The funny thing is.... I redownloaded the manual config file for the server that I use and the config statement "cipher AES-256-CBC" was still there. The config they provide is broken, and it might be the case for more than a few servers.

              G 1 Reply Last reply Jun 26, 2023, 2:08 PM Reply Quote 0
              • G
                Gertjan @4o4rh
                last edited by Jun 24, 2023, 6:28 AM

                @gwaitsi

                I guess, as I was using this :

                57755cce-8822-41f7-8837-3f7a2434c12a-image.png

                so : 'CBC' or 'GCM' : it will work it out by itself ....

                Most North Europe ovpn files use "cipher AES-256-CBC" right now.


                P 1 Reply Last reply Jun 26, 2023, 1:36 AM Reply Quote 0
                • P
                  polo2883 @Gertjan
                  last edited by Jun 26, 2023, 1:36 AM

                  Changed my encryption to AES-256-GCM and I am still getting the error:
                  AUTH: Received control message: AUTH_FAILED,Data channel cipher negotiation failed (no shared cipher)
                  SIGUSR1[soft,auth-failure] received, process restarting

                  1 Reply Last reply Reply Quote 0
                  • S
                    shdwkeeper @4o4rh
                    last edited by shdwkeeper Jun 26, 2023, 4:14 AM Jun 26, 2023, 4:13 AM

                    @gwaitsi Found this on Expressvpn site: How secure is ExpressVPN encryption?
                    Control-channel encryption
                    To ensure the integrity and confidentiality of encrypted data even on low-powered hardware, ExpressVPN uses AES-256-GCM. AES is one of the most widely used symmetric encryption standards. The 256 refers to the fixed size of each encrypted block, 256 bits. GCM (Galois/Counter Mode) allows your computer to encrypt multiple packages at once, ensuring that your connection never hangs even for a short moment.

                    4 1 Reply Last reply Jun 26, 2023, 6:26 AM Reply Quote 1
                    • 4
                      4o4rh @shdwkeeper
                      last edited by Jun 26, 2023, 6:26 AM

                      @shdwkeeper must be new, cause i was using CBC for years, until 6 days ago when the connection just dropped. they must be deploying one because all the profiles still have CBC. Anyways, i'm working, so i'm happy

                      G S 2 Replies Last reply Jun 26, 2023, 6:38 AM Reply Quote 0
                      • G
                        Gertjan @4o4rh
                        last edited by Jun 26, 2023, 6:38 AM

                        If you use "OpenVPN" : take note of this post : HEADS UP: OpenVPN deprecating shared key mode, requires TLS, deprecating cipher selection

                        So, you should have :

                        0ce54bff-62c8-4995-9d1d-36d351f1421d-image.png

                        the first 3 because of : "that's what OpenVPN proposes".
                        and the fourth : because ExpressVPN needs it. Or was needing it before, and now uses some 'GCM'.

                        Clear is : 'CBC' will get phased out.

                        ExpressVPN most probably uses the same publicly available OpenVPN server code, and 'adapted' it for their own needs.


                        S 1 Reply Last reply Jun 26, 2023, 2:02 PM Reply Quote 1
                        • S
                          shdwkeeper @4o4rh
                          last edited by Jun 26, 2023, 2:00 PM

                          @gwaitsi
                          I agree I was working for years until this last week and it went down, then I found this post and started researching it. Once I made this change it started working. So they need to update their documentation.

                          1 Reply Last reply Reply Quote 0
                          • S
                            shdwkeeper @Gertjan
                            last edited by Jun 26, 2023, 2:02 PM

                            @Gertjan
                            So you're saying add all of these and use GCM as the fallback as well?

                            1 Reply Last reply Reply Quote 0
                            • G
                              Gertjan @vlurk
                              last edited by Jun 26, 2023, 2:08 PM

                              @shdwkeeper said in Solved: ExpressVPN connection error Data channel cipher negotiation failed (no shared cipher):

                              So you're saying add all of these and use GCM as the fallback as well?

                              It works for me.

                              @vlurk said in Solved: ExpressVPN connection error Data channel cipher negotiation failed (no shared cipher):

                              The funny thing is.... I redownloaded the manual config file for the server that I use and the config statement "cipher AES-256-CBC" was still there. The config they provide is broken, and it might be the case for more than a few servers.

                              Exactly. When you download an ovpn file for a typical country/place, it still says '....CBC' as the encryption key.
                              I'm using one right now for France => Paris.

                              When I connect :

                              Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
                              

                              and you can clearly see the GCM - non CBC.

                              That's why I said " add them all and let them figure it out among client and server "


                              P 1 Reply Last reply Jun 26, 2023, 6:18 PM Reply Quote 0
                              • P
                                Pippin @Gertjan
                                last edited by Jun 26, 2023, 6:18 PM

                                @Gertjan said in Solved: ExpressVPN connection error Data channel cipher negotiation failed (no shared cipher):

                                Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256

                                That's the control channel ;)
                                .
                                Data channel is this one:

                                2023-06-26 11:08:24 us=684115 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
                                2023-06-26 11:08:24 us=684160 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
                                

                                I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                                Halton Arp

                                1 Reply Last reply Reply Quote 0
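
Added example, not part of any post in this thread: a Python check that separates the control-channel TLS suite from the data-channel cipher in an OpenVPN log and compares the data-channel cipher with the ciphers the client config names. The sample config and logs are constructed from lines quoted in the thread; `data-ciphers`, `ncp-ciphers` and `data-ciphers-fallback` are OpenVPN's directives for the data-channel cipher list, and the function names are hypothetical.

```python
import re

# Constructed sample: directives taken from the .ovpn file quoted in the thread.
SAMPLE_CONFIG = "dev tun\ncipher AES-256-CBC\nkeysize 256\nauth SHA512\n"

# Constructed samples: log lines in the formats quoted in the thread.
FAILED_LOG = (
    "Received control message: AUTH_FAILED,Data channel cipher "
    "negotiation failed (no shared cipher)\n"
    "SIGUSR1[soft,auth-failure] received, process restarting\n"
)
WORKING_LOG = (
    "Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, "
    "peer certificate: 2048 bit RSA, signature: RSA-SHA256\n"
    "Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key\n"
    "Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key\n"
)

def named_data_ciphers(config):
    """Data-channel ciphers named explicitly in the config, in order.
    OpenVPN's built-in defaults are not modelled here."""
    named = []
    for line in config.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        if parts[0] in ("data-ciphers", "ncp-ciphers"):
            named += parts[1].split(":")
        elif parts[0] in ("cipher", "data-ciphers-fallback"):
            named.append(parts[1])
    return list(dict.fromkeys(c.upper() for c in named))

def diagnose(config, log):
    """Compare what the config names with what the log shows per channel."""
    named = named_data_ciphers(config)
    control = re.search(r"Control Channel: \S+ cipher \S+ ([^,\s]+)", log)
    data = sorted({c.upper() for c in re.findall(
        r"(?:Outgoing|Incoming) Data Channel: Cipher '([^']+)'", log)})
    return {
        "named": named,
        "control_tls_suite": control.group(1) if control else None,
        "data_ciphers_in_use": data,
        "negotiation_failed": "Data channel cipher negotiation failed" in log,
        "in_use_but_not_named": [c for c in data if c not in named],
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE_CONFIG, FAILED_LOG))
    print(diagnose(SAMPLE_CONFIG, WORKING_LOG))
```

A non-empty `in_use_but_not_named` means the session runs on a data-channel cipher that the config file never lists, which is the mismatch between the downloaded profile and the working setting described in the thread.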