After upgrading from a VyOS 1.4 nightly build to vyos-1.5-stream-2025-Q2, my site-to-site OpenVPN tunnels stopped working. The configuration was not applied during boot, and the migration silently failed.
After running load, the OpenVPN tunnel configuration appeared as uncommitted:
+ openvpn vtun20 {
+     description "my-mega-tunnel"
+     encryption {
+         data-ciphers "aes128"
+     }
+     local-address 10.0.1.87 {
+     }
+     local-host "8.1.2.3"
+     local-port "13020"
+     mode "site-to-site"
+     remote-address "10.0.1.88"
+     remote-host "3.4.5.6"
+     remote-port "13001"
+     tls {
+         ca-certificate "vyos-ca"
+         certificate "vpngw-my01_signed"
+         role "passive"
+     }
+ }

Attempting to commit results in the following error:
[ interfaces openvpn vtun20 ] Cipher negotiation can only be used in client or server mode
Root cause:
The data-ciphers directive (cipher negotiation) is only accepted for mode client or mode server; in mode site-to-site the commit-time validation rejects it, and the migration to 1.5 does not handle this combination. At boot the configuration therefore fails to apply, and the error is printed only on the local console during startup. The affected interface block is silently skipped, which is why it later shows up as uncommitted (the + lines above) when running load.
Workaround:
To restore functionality, I manually removed the encryption { data-ciphers ... } block and replaced it with an explicit fallback cipher using a raw OpenVPN option:
+ openvpn vtun20 {
+     description "my-mega-tunnel"
+     local-address 10.0.1.87 {
+     }
+     local-host "8.1.2.3"
+     local-port "13020"
+     mode "site-to-site"
+     openvpn-option "--data-ciphers-fallback AES-128-CBC"
+     remote-address "10.0.1.88"
+     remote-host "3.4.5.6"
+     remote-port "13001"
+     tls {
+         ca-certificate "vyos-ca"
+         certificate "vpngw-my01_signed"
+         role "passive"
+     }
+ }

This workaround allows the tunnel to be committed and function as expected.
Steps to reproduce:
- Configure OpenVPN site-to-site tunnel with data-ciphers on VyOS 1.4 nightly
- Upgrade to 1.5 Q2-2025 stream
- Reboot
- Run load → config appears uncommitted
- Run commit → error: Cipher negotiation can only be used in client or server mode
Suggestion:
The commit error is raised while validating the interfaces openvpn vtun20 node: data-ciphers (cipher negotiation) is only allowed in client or server mode, not in site-to-site mode. This stricter, mode-based rule comes with the transition to a newer OpenVPN version.
To maintain backward compatibility and avoid silent configuration failures, it is recommended to:
- Add native support for data-ciphers-fallback in the VyOS configuration syntax (especially for mode site-to-site)
- Fix the migration logic to either:
  - preserve and convert an existing data-ciphers entry into data-ciphers-fallback when it is used in site-to-site mode, or
  - automatically translate a single-entry data-ciphers directive into a corresponding openvpn-option "--data-ciphers-fallback <cipher>"
This would keep existing configurations working and prevent the boot-time config load from silently skipping tunnel definitions because of an option that is no longer accepted in that mode.
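As an added example, not part of this report and not VyOS's own migration code, the following stand-alone Python script implements the second migration rule above: it parses the brace-format text that show configuration (or compare) prints, and for every OpenVPN interface in mode site-to-site that carries exactly one data-ciphers entry it drops that entry and adds openvpn-option "--data-ciphers-fallback <CIPHER>". Client and server interfaces are left alone because negotiation is valid there, and interfaces with several data-ciphers entries or an unknown cipher keyword are left unchanged with a warning instead of guessing. The cipher table beyond aes128 -> AES-128-CBC (the only pair the report confirms) is an assumption; VyOS's real migrators use vyos.configtree, which this script deliberately avoids so it runs anywhere.

```python
# Added example, not VyOS project code: rewrite data-ciphers on site-to-site OpenVPN interfaces.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumption: VyOS cipher keyword -> OpenVPN cipher name. The report confirms only aes128 ->
# AES-128-CBC; the other rows follow the same convention and should be verified per release.
CIPHER_MAP = {"aes128": "AES-128-CBC", "aes192": "AES-192-CBC", "aes256": "AES-256-CBC",
              "aes128gcm": "AES-128-GCM", "aes192gcm": "AES-192-GCM", "aes256gcm": "AES-256-GCM"}


@dataclass
class Node:
    key: str
    value: Optional[str] = None
    block: bool = False
    children: List["Node"] = field(default_factory=list)

    def find(self, key: str) -> List["Node"]:
        return [c for c in self.children if c.key == key]


def parse(text: str) -> Node:
    """Parse brace-format config into a tree; '+ ' / '- ' compare markers are tolerated."""
    root = Node("root", block=True)
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if line[:2] in ("+ ", "- "):
            line = line[2:].strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
            continue
        is_block = line.endswith("{")
        key, _, value = (line[:-1] if is_block else line).strip().partition(" ")
        node = Node(key, value.strip().strip('"') or None, is_block)
        stack[-1].children.append(node)
        if is_block:
            stack.append(node)
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config text")
    return root


def dump(node: Node, depth: int = 0) -> List[str]:
    """Serialise back to VyOS brace format: leaf values quoted, tag-node values bare."""
    pad, lines = "    " * depth, []
    for c in node.children:
        if c.block:
            lines.append(f"{pad}{c.key}{' ' + c.value if c.value else ''} {{")
            lines += dump(c, depth + 1) + [f"{pad}}}"]
        else:
            lines.append(f"{pad}{c.key}" if c.value is None else f'{pad}{c.key} "{c.value}"')
    return lines


def migrate(root: Node) -> List[str]:
    """Rewrite in place; returns one warning per interface deliberately left untouched."""
    warnings = []
    for parent in [root] + root.find("interfaces"):  # 'load' output shows openvpn at top level
        for iface in parent.find("openvpn"):
            mode = iface.find("mode")
            if not mode or mode[0].value != "site-to-site":
                continue  # client/server may keep data-ciphers: negotiation is valid there
            for enc in iface.find("encryption"):
                ciphers = enc.find("data-ciphers")
                if not ciphers:
                    continue
                if len(ciphers) != 1:
                    warnings.append(f"openvpn {iface.value}: {len(ciphers)} data-ciphers entries, no single fallback, left unchanged")
                    continue
                ovpn = CIPHER_MAP.get(ciphers[0].value or "")
                if ovpn is None:
                    warnings.append(f"openvpn {iface.value}: unknown cipher {ciphers[0].value!r}, left unchanged")
                    continue
                enc.children.remove(ciphers[0])
                if not enc.children:  # drop the emptied encryption {} node, as the manual workaround did
                    iface.children.remove(enc)
                iface.children.append(Node("openvpn-option", f"--data-ciphers-fallback {ovpn}"))
                iface.children.sort(key=lambda c: c.key)  # keep VyOS's sorted key order
    return warnings


def migrate_text(text: str) -> Tuple[str, List[str]]:
    root = parse(text)
    warnings = migrate(root)
    return "\n".join(dump(root)) + "\n", warnings


# Constructed sample (a trimmed copy of the report's vtun20), not captured from a real router.
SAMPLE = """\
interfaces {
    openvpn vtun20 {
        encryption {
            data-ciphers "aes128"
        }
        local-address 10.0.1.87 {
        }
        mode "site-to-site"
        remote-host "3.4.5.6"
    }
}
"""
```

Feed migrate_text the output of show configuration, review the result with compare after load, and only then commit. Two caveats before relying on the rewritten interface: openvpn-option values bypass the CLI's own validation, so the fallback cipher must exactly match what the peer is configured with or the tunnel will still not come up; and AES-128-CBC is a non-AEAD cipher, so prefer the GCM keyword where both ends support it.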