Bug #10919

Improve handling of OpenVPN ncp options

Added by Arne Schwabe about 1 month ago. Updated 22 days ago.


TL;DR: the cipher that is selected as --cipher in the OpenVPN config should always be added to ncp-ciphers.

In OpenVPN we are trying to simplify the data channel cipher situation and also trying to remove the default of BF-CBC that we currently have in --cipher and move to a sane default of 'AES-256-GCM:AES-128-GCM'. The long term plan is to completely drop --cipher and rely only on --data-ciphers (newer preferred alias to --ncp-ciphers). More details here:

Most people do not mess with ncp-ciphers, or if they do, they have NCP enabled on both server and client side. But it seems to be very easy to generate a configuration with pfSense that violates that assumption. (See also here.) The best way to avoid all these troubles is from the pfSense side. Also, allowing AES-256-GCM and AES-128-GCM to be left out of ncp-ciphers is problematic (see also the document).

So what pfSense should do to avoid compatibility problems with its generated configs:

- Mark disabling NCP deprecated.
- Always append the selected cipher to ncp-ciphers to allow compatibility with OpenVPN versions beyond 2.5.
- Warn that if AES-256-GCM and AES-128-GCM are not included in ncp-ciphers, this can cause problems if either server or client is 2.5 and the other peer is 2.4.

When the server (pfSense) is OpenVPN 2.5+ only, selecting the --cipher can be completely dropped.
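
The rules in the report above, as an added example that is not part of the original bug report nor pfSense's or OpenVPN's own code. It is a small generator that takes the pfSense-style inputs (the selected --cipher, the admin's NCP cipher list, the "disable NCP" checkbox and whether the server is 2.5+ only; these input names are assumptions) and emits the OpenVPN config lines plus the warnings the report asks for: the --cipher value is always appended to ncp-ciphers, a missing AES-256-GCM / AES-128-GCM triggers a 2.4/2.5 interop warning, disabling NCP is reported as deprecated, and on a 2.5+-only server the --cipher line is dropped in favour of the newer --data-ciphers alias.

```python
# Added example, not pfSense's or OpenVPN's own code. Function name and the
# input shape (selected cipher, admin-chosen NCP list, NCP-disabled flag,
# "server is 2.5+ only" flag) are assumptions for illustration.
from typing import List, Tuple

# Ciphers that should stay in ncp-ciphers so that a 2.4 peer and a 2.5 peer
# still have a common choice (the report's third bullet).
REQUIRED_NCP = ("AES-256-GCM", "AES-128-GCM")


def build_cipher_options(cipher: str,
                         ncp_ciphers: List[str],
                         ncp_disabled: bool = False,
                         server_is_25_plus: bool = False) -> Tuple[List[str], List[str]]:
    """Return (openvpn_config_lines, warnings) for the data-channel cipher settings.

    Rules applied:
      * the --cipher selection is always appended to ncp-ciphers (deduplicated);
      * missing AES-256-GCM / AES-128-GCM produces a 2.4 <-> 2.5 interop warning;
      * disabling NCP still works but is reported as deprecated;
      * on a 2.5+-only server the --cipher line is dropped and the newer
        --data-ciphers alias is emitted instead.
    """
    warnings: List[str] = []

    if ncp_disabled:
        # Old behaviour kept for compatibility, but flagged as deprecated.
        warnings.append("Disabling NCP is deprecated; only cipher %s will be usable." % cipher)
        return ["cipher %s" % cipher, "ncp-disable"], warnings

    # Merge, keeping the admin's order and putting the --cipher choice last,
    # so the list is never missing the cipher the peer may insist on.
    merged: List[str] = []
    for c in list(ncp_ciphers) + [cipher]:
        if c and c not in merged:
            merged.append(c)

    missing = [c for c in REQUIRED_NCP if c not in merged]
    if missing:
        warnings.append(
            "ncp-ciphers lacks %s; this can break negotiation when one peer is "
            "OpenVPN 2.5 and the other is 2.4." % ", ".join(missing))

    if server_is_25_plus:
        # --cipher is no longer needed; --data-ciphers is the preferred alias.
        return ["data-ciphers %s" % ":".join(merged)], warnings

    return ["cipher %s" % cipher, "ncp-ciphers %s" % ":".join(merged)], warnings


if __name__ == "__main__":
    # Constructed inputs: the default GCM list, a custom list that omits the
    # GCM ciphers, and an NCP-disabled legacy BF-CBC config.
    for args in [("AES-256-CBC", ["AES-256-GCM", "AES-128-GCM"]),
                 ("AES-256-CBC", ["AES-128-CBC"]),
                 ("BF-CBC", ["AES-256-GCM"], True)]:
        lines, warns = build_cipher_options(*args)
        print("\n".join(lines))
        for w in warns:
            print("# WARNING:", w)
        print()
```

The second constructed input is the case the report calls out: an admin-edited ncp-ciphers list without the GCM ciphers still gets the selected --cipher appended, and the generator returns a warning instead of silently producing a config that a 2.5 peer may reject.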


#1 Updated by Jim Pingle about 1 month ago

  • Subject changed from pfsense's handling of OpenVPN ncp options is problematic to Improve handling of OpenVPN ncp options
  • Category set to OpenVPN
  • Target version set to 2.5.0

#2 Updated by Steve Beaver 22 days ago

  • Assignee set to Jim Pingle
