Package: network-manager-openvpn
Version: 1.12.3-1~deb13u1
Severity: important
Tags: upstream
X-Debbugs-Cc: [email protected]
Dear Maintainer,
Since upgrading to Debian Trixie (testing/stable) and OpenVPN 2.6, the OpenVPN
client managed by NetworkManager (NM) fails to connect to older OpenVPN servers
(e.g., VPN Gate servers).
The root cause is that the NM OpenVPN plugin ignores crucial compatibility
options required by OpenVPN 2.6 for negotiating with older servers, even when
these options are manually added to the `.nmconnection` file.
This seems highly related to **Bug #1107240** (GUI import/edit drops crucial
"data-ciphers" option), but affects configurations across KDE/Plasma via manual
file editing as well.
## Observed Errors and Problem Summary
The connection is blocked by two simultaneous errors, indicating that required
compatibility settings are not passed from NM to the OpenVPN process:
1. **Cipher Negotiation Failure:**
```
OPTIONS ERROR: failed to negotiate cipher with server. Add the server's
cipher ('AES-128-CBC') to --data-ciphers
```
2. **Tunnel/Compression Setup Failure:**
```
ERROR: Failed to apply push options
Failed to open tun/tap interface
```
## Attempts and Effective Solution
**What exactly did you do (or not do) that was effective (or ineffective)?**
* **Ineffective:** Manual editing of the `.nmconnection` file (adding
`data-ciphers`, `data-ciphers-fallback`, `push-peer-info`, and
`allow-compression yes` to various sections like `[vpn]` and `[openvpn]`) was
completely ignored by the NetworkManager plugin.
**What was the outcome of this action?**
* The connection consistently failed with the errors shown above.
**What outcome did you expect instead?**
* I expected NM to honor the configuration options added to the `.nmconnection`
file and successfully connect.
**Effective Solution (Bypassing NetworkManager):**
The VPN connects and works flawlessly when run directly from the console with
the required compatibility options, confirming that the issue is solely in the
NetworkManager plugin's parsing/passing mechanism:
```bash
sudo openvpn --config /path/to/file.ovpn \
  --data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-128-CBC \
  --push-peer-info --allow-compression yes
```