Warning: A connection reset occurred with a legacy cipher command present
When connecting to an OpenVPN server, the cipher used by the client and server must match. A cipher is the encryption algorithm used to encrypt the VPN network traffic. If the server and client attempt to use different ciphers, the connection attempt will fail.
Warning Information
When connecting to a VPN server, modern versions of OpenVPN send a list of the ciphers they are willing to use for the connection. The OpenVPN server also has its own list of ciphers, and settles on which cipher to use based on the ciphers that appear in both lists. This process is known as cipher negotiation.
However, in some instances the OpenVPN server may not support cipher negotiation, and so will not tell the client which cipher to use. In these instances, depending on the configuration, the server and client could attempt to use different ciphers. This will not prevent the VPN connection from initially connecting and authenticating. However, as soon as the cipher mismatch is detected, the VPN connection will be "reset" and disconnected.
If you see the following warning message in the connection log, then Viscosity has detected that this may be the case:
Warning: A connection reset occurred with a legacy cipher command present. The likely cause of the connection failure is that the cipher <cipher> is specified using the legacy "cipher" command rather than "data-ciphers-fallback".
You may also see the message "Connection reset, restarting [0]" in the connection log.
If you're repeatedly unable to connect your VPN connection, and you see the above warning message, then you should follow the steps below to ensure it's not caused by a cipher mismatch between the server and the client.
However, Viscosity can't know for sure that a cipher mismatch is why the connection reset occurred. For example, it could have occurred due to a network error. If your connection otherwise works fine, then you can safely ignore the warning message. If you've checked that the cipher settings are correct, and you still see the warning message, then the resets are likely being caused by something else and the warning message should also be ignored.
Warning After Updating Viscosity
If you recently updated your copy of Viscosity to version 1.11 and you are now seeing this error, it's because your VPN connection was previously configured to specify its cipher with the legacy "cipher" command. Legacy versions of OpenVPN required the cipher to be specified on both the client and the server using the "cipher" command.
However, OpenVPN 2.6 no longer supports this command, and instead requires cipher negotiation between the server and client. Older versions of Viscosity instead used OpenVPN 2.5 (or earlier), where the use of the "cipher" command was still supported by default.
Resolving the Warning
It is recommended you first reach out to your VPN Provider to check whether they have an updated configuration available that is compatible with OpenVPN 2.6 that you can import into Viscosity. That will save you having to troubleshoot the issue yourself. However, if this isn't possible, please follow the steps below.
In most instances the connection resets can be resolved by setting a fallback cipher to use for the VPN connection. This should be the same cipher that the OpenVPN server is configured to use. First, in the warning, take note of the cipher listed in the message. For example, you should see a cipher such as "AES-256-CBC" listed.
Now, open Viscosity's Settings window, select your VPN connection, and then click the Edit button. Click on the Advanced tab. In the advanced commands area, add the command "data-ciphers-fallback <cipher>" on a new line, replacing "<cipher>" with the correct cipher to use. For example, if the cipher was "AES-256-CBC", you should add the command "data-ciphers-fallback AES-256-CBC". Save the changes and try connecting.
If you're still unable to connect, try changing the Compatibility setting to version 2.3, which will enable OpenVPN's legacy cipher settings.
Configuration for VPN Administrators
If you are an OpenVPN administrator, you should ensure that the OpenVPN server has been updated to the latest OpenVPN version so that users running the latest version of OpenVPN can connect.
However, if you are in a position where this is not possible, you should update the configuration file using the same steps as listed above to specify the correct "data-ciphers-fallback" command to use.
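
To check a configuration file before editing it, the following added example (not Viscosity's or OpenVPN's own code) scans an OpenVPN client profile for a legacy "cipher" line that has no "data-ciphers-fallback" and returns the line to add. The sample profile, its host name and the function names are constructed for illustration.

```python
import re

# Constructed sample client profile for illustration (hypothetical host, not a real provider).
SAMPLE_PROFILE = """\
client
remote vpn.example.com 1194 udp
; profile written for OpenVPN 2.5 or earlier
cipher AES-256-CBC   # legacy directive
auth SHA256
<ca>
cipher this-line-is-inline-data
</ca>
"""

def parse_directives(text):
    """Map each top-level directive to its argument list, ignoring comments and inline blocks."""
    directives, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if block:  # inside <ca>...</ca> and similar: embedded file data, not directives
            if line == f"</{block}>":
                block = None
            continue
        opened = re.fullmatch(r"<([\w-]+)>", line)
        if opened:
            block = opened.group(1)
            continue
        line = re.sub(r"(^|\s)[#;].*$", "", line).strip()  # drop full-line and trailing comments
        if line:
            name, *args = line.split()
            directives[name] = args  # simplification: a repeated directive keeps its last value
    return directives

def check_profile(text):
    """Return (status, suggested_line) for the legacy-cipher situation the warning describes."""
    d = parse_directives(text)
    if d.get("data-ciphers-fallback"):
        return ("fallback-set", None)
    if d.get("cipher"):
        # Reuse the cipher named by the legacy command, as the steps above describe.
        return ("legacy-only", f"data-ciphers-fallback {d['cipher'][0]}")
    return ("negotiation-only", None)

if __name__ == "__main__":
    status, fix = check_profile(SAMPLE_PROFILE)
    print(status, "->", fix or "no change suggested")
```

The suggested line only mirrors the client's own "cipher" setting; it still has to match the cipher the OpenVPN server is configured to use.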