Page MenuHomeVyOS Platform

Do not generate keysize option in OpenVPN configs
Open, LowPublic


Currently, our OpenVPN configuration scripts generates the following options when encryption cipher is not specified:

# Encryption options
cipher bf-cbc
keysize 128

The problem is that --keysize no longer exists in OpenVPN 2.6.

And the default config of VyOS 1.3.x makes OpenVPN fail to start:

Sep 20 08:24:01 openvpn-vtun20[4801]: Options error: Unrecognized option or missing or extra parameter(s) in vtun20.conf:67: keysize (2.6.3)
Sep 20 08:24:01 openvpn-vtun20[4801]: Use --help for more information.
Sep 20 08:24:01 systemd[1]: [email protected]: Main process exited, code=exited, status=1/FAILURE
Sep 20 08:24:01 systemd[1]: o[email protected]: Failed with result 'exit-code'.

Simply removing the deprecated option fixes the problem — for the old default, BF-CBC 128. However, there seem to be no explicit "bf-128-cbc" and "bf-256-cbc", so Blowfish with 265 bit keys is no longer possible to configure.


Difficulty level
Unknown (require assessment)
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Config syntax change (non-migratable)
Issue type
Feature/functionality removal

Event Timeline

dmbaturin changed Is it a breaking change? from Perfectly compatible to Config syntax change (non-migratable).
dmbaturin changed Issue type from Bug (incorrect behavior) to Feature/functionality removal.