Feature #7077

Display negotiated cipher for NCP OpenVPN connections in Status->OpenVPN

Added by Jeff Wischkaemper about 4 years ago. Updated over 1 year ago.

Needs Patch
NCP is great. Not knowing what cipher NCP negotiated is less great.

It would be excellent to add something on the OpenVPN status page that showed what cipher was negotiated, similar to what is displayed on the IPSec status page.


#1 Updated by Jim Pingle about 4 years ago

  • Status changed from New to Needs Patch
  • Assignee deleted (Jim Pingle)
  • Target version changed from 2.4.0 to Future

We have no way to detect that currently. OpenVPN does not report that in any of their status output. Open a feature request with OpenVPN and if they add it in, we'll display it.

#2 Updated by Jeff Wischkaemper about 4 years ago

Will do. Is there something specific I can ask for over there that would make it easier for you?

#3 Updated by Jim Pingle about 4 years ago

Nothing in particular comes to mind, it would be nice to see all of the known parameters for connecting clients/servers (selected NCP cipher, compression settings, ECDH curve, etc.).

#4 Updated by Jeff Wischkaemper about 4 years ago

I'll see what I can do and report back.

#5 Updated by Jeff Wischkaemper about 4 years ago

Their initial reply is that it's available if you use verbosity 4... which is correct, but not entirely useful. I'm asking if a couple of specific messages can be moved to 2/3.

#6 Updated by Jim Pingle about 4 years ago

"verbosity 4"? As in the system logs? Sure, it's in the logs, sure, but scraping logs isn't proper status output. It should show up in the management status output. For example you connect to the management socket/port and ask for data, like "status 2" and it should output the info there.

That's where the rest of the status output is gleaned from:

: nc -U server2.sock
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
status 2
TITLE,OpenVPN 2.4.0 amd64-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Dec 30 2016
TIME,Thu Jan  5 08:59:22 2017,1483624762
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,,,,2001:470:c614:202::1000,82837,79207,Thu Jan  5 08:50:19 2017,1483624219,UNDEF,1,1
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,2001:470:c614:202::1000,,,Thu Jan  5 08:59:22 2017,1483624762
ROUTING_TABLE,,,,Thu Jan  5 08:50:19 2017,1483624219
GLOBAL_STATS,Max bcast/mcast queue length,0

If they would add a couple more columns to that for the cipher/compression/etc that would be ideal.
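
A sketch of consuming the `status 2` output shown in comment #6, as an added example (not part of the original thread and not pfSense or OpenVPN code): it maps each row to its HEADER column names, so a per-client cipher column is picked up when the server reports one and shows as unknown when it does not. The column name `Data Channel Cipher`, the allow-list, and both sample outputs are assumptions constructed for illustration.

```python
# Assumption: name of the per-client cipher column once the server reports it.
# The thread does not give the name, so it is a parameter.
CIPHER_COLUMN = "Data Channel Cipher"

def parse_status2(text):
    """Parse management 'status 2' output into {table name: [row dicts]}.

    Columns come from the HEADER lines, never from fixed positions, so
    columns added by a newer OpenVPN are picked up without code changes.
    """
    headers, tables = {}, {}
    for line in text.splitlines():
        fields = line.strip().split(",")
        tag, rest = fields[0], fields[1:]
        if tag == "END":                      # terminator of a status reply
            break
        if tag == "HEADER" and rest:
            headers[rest[0]] = rest[1:]
            tables.setdefault(rest[0], [])
        elif tag in headers:                  # TITLE, TIME, >INFO etc. fall through
            cols = headers[tag]
            rest += [""] * (len(cols) - len(rest))   # tolerate short rows
            tables[tag].append(dict(zip(cols, rest)))
    return tables

def client_ciphers(text, column=CIPHER_COLUMN):
    """Return [(common_name, cipher_or_None)]; None means not reported."""
    return [(c.get("Common Name", ""), c.get(column) or None)
            for c in parse_status2(text).get("CLIENT_LIST", [])]

def weak_clients(text, allowed=("AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305")):
    """Clients whose reported cipher is outside the allow-list (unknown skipped)."""
    return [(cn, c) for cn, c in client_ciphers(text) if c and c not in allowed]

# Constructed sample outputs (not captured from a real server).
_HDR = ("HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,"
        "Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,"
        "Connected Since (time_t),Username,Client ID,Peer ID")
_ROW = ",10.8.0.{n},,82837,79207,Thu Jan  5 08:50:19 2017,1483624219,UNDEF,{n},{n}"
OLD_STATUS = "\n".join([
    ">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info",
    _HDR,
    "CLIENT_LIST,alice,192.0.2.10:50000" + _ROW.format(n=2),
    "GLOBAL_STATS,Max bcast/mcast queue length,0", "END"])
NEW_STATUS = "\n".join([
    _HDR + "," + CIPHER_COLUMN,
    "CLIENT_LIST,alice,192.0.2.10:50000" + _ROW.format(n=2) + ",AES-256-GCM",
    "CLIENT_LIST,bob,192.0.2.11:50001" + _ROW.format(n=3) + ",BF-CBC",
    "END"])
```
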

#7 Updated by Jeff Wischkaemper about 4 years ago

The proposal to add the info to status 2 / 3 has been accepted, and may make it into OVPN 2.4.1. I'll update this when the commit happens.


#8 Updated by Jim Pingle about 4 years ago

Great news!

We'll keep an eye out for it.

#9 Updated by Jim Pingle over 1 year ago

Looks like this was finally merged in but it's not slated to be in an OpenVPN release until they put out 2.5.
