Error: Server Cipher Negotiation Not Supported
When connecting to an OpenVPN server, the VPN server and client must decide on a cipher to use for the connection. A cipher is the encryption algorithm used to encrypt the VPN network traffic. However, in some instances the OpenVPN server may not support this process.
Error Information
When connecting to a VPN server, modern versions of OpenVPN send along a list of ciphers the client is willing to use for the connection. The OpenVPN server also has its own list of ciphers, and settles on which cipher to use based on the ciphers that appear in both lists. This process is known as cipher negotiation.
However, in some instances the OpenVPN server may not support cipher negotiation, and so does not tell the client which cipher to use. This can occur if the VPN server is running a legacy version of OpenVPN designed for routers (for example, a "slim" build of OpenVPN 2.3 such as that used on older Netgear routers), or a custom OpenVPN protocol implementation that is incomplete (such as on many MikroTik routers).
Viscosity will detect when this occurs and display the message "The VPN connection was not connected as the server does not support Cipher Negotiation and a fallback cipher has not been set. However, a legacy cipher setting of "<cipher>" was found. If you wish to try connecting using this cipher please tick the checkbox below.".
You may also see the message "OPTIONS ERROR: failed to negotiate cipher with server. Configure --data-ciphers-fallback if you want to connect to this server." in the connection log.
Error After Updating Viscosity
If you recently updated your copy of Viscosity to version 1.11 and you are now seeing this error, it's because your VPN connection was previously configured to specify its cipher using the legacy "cipher" command. Legacy versions of OpenVPN required that the cipher be specified on both the client and the server using the "cipher" command.
However, OpenVPN 2.6 no longer supports this command, and instead requires cipher negotiation between the server and client. Older versions of Viscosity used OpenVPN 2.5 (or earlier), where the use of the "cipher" command was still supported by default.
Resolving the Error
When the above error message is displayed, Viscosity provides a "Use cipher <cipher> for this connection" checkbox that should allow the VPN connection to connect. This will set the cipher to use for the connection using modern OpenVPN syntax.
However, you should also consider contacting your VPN Provider to check that the OpenVPN server is up to date. If it's using a legacy version of OpenVPN, your VPN connection may not be secure.
Configuration for VPN Administrators
If you are an OpenVPN administrator, you should ensure that the OpenVPN server has been updated to the latest OpenVPN version to avoid users seeing the above error message.
However, if you are in a position where this is not possible (and understand any potential security risks) and you would prefer that your Viscosity users not see the above error message, you can also set the cipher using the "data-ciphers-fallback" command. For example, add "data-ciphers-fallback AES-256-CBC" to the configuration to set the cipher to "AES-256-CBC" when cipher negotiation is unavailable.
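For administrators with many client configurations to review, the check below finds configs that still rely on the legacy "cipher" command without a "data-ciphers-fallback" line. It is an added example, not code from Viscosity or OpenVPN. The function names, the sample configs and the choice to report 64-bit block ciphers as weak are assumptions made for the example.

```python
# Assumption for this example: 64-bit block ciphers are reported as weak.
WEAK_64BIT = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC"}

def parse_directives(text):
    """Map directive name -> argument list, skipping comments and inline blocks."""
    directives, in_block = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("</"):      # end of an inline block such as </ca>
            in_block = False
        elif line.startswith("<"):     # start of an inline block such as <ca>
            in_block = True
        elif not in_block:
            name, *args = line.split()
            directives[name.lower()] = args
    return directives

def audit(text):
    """Classify a config by how it behaves when the server cannot negotiate."""
    d = parse_directives(text)
    legacy = (d.get("cipher") or [None])[0]
    fallback = (d.get("data-ciphers-fallback") or [None])[0]
    if fallback:
        status, suggest = "fallback-set", None
    elif legacy:
        # Same fix the article describes: carry the legacy cipher over.
        status, suggest = "needs-fallback", f"data-ciphers-fallback {legacy}"
    else:
        status, suggest = "negotiation-only", None
    effective = fallback or legacy
    weak = bool(effective) and effective.upper() in WEAK_64BIT
    return {"status": status, "suggest": suggest, "cipher": effective, "weak": weak}

# Constructed sample configs (placeholder host and certificate, not real data).
LEGACY_CONFIG = """\
client
remote vpn.example.com 1194 udp
cipher AES-256-CBC
<ca>
(constructed placeholder, not a real certificate)
</ca>
"""
UPDATED_CONFIG = LEGACY_CONFIG + "data-ciphers-fallback AES-256-CBC\n"

if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY_CONFIG), ("updated", UPDATED_CONFIG)):
        print(label, audit(cfg))
```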