Pritunl problems with new OpenVPN Encryption Ciphers

Hello,

first off: Thanks for putting up a free version of Pritunl and hosting this forum! This is really great!

I noticed that in the Pritunl OpenVPN server the encryption algorithm is set to “AES 256bit GCM”, but in the .ovpn configuration file for the clients the encryption cipher is set to “AES-256-CBC”.

Furthermore, with OpenVPN 2.6 there are warnings regarding the cipher option itself. The OpenVPN client log states:

DEPRECATED OPTION: --cipher set to ‘AES-256-CBC’ but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). OpenVPN ignores --cipher for cipher negotiations.

The connection to the Pritunl VPN server can be established and everything seems to be working fine. However, the warnings from the OpenVPN Community Client suggest that the currently generated .ovpn config files won't work with future versions of OpenVPN clients.

For an error-free result in the connection log of the client I had to add the following line:

data-ciphers AES-256-CBC

The existing line “cipher AES-256-CBC” has to stay for older OpenVPN client versions (which don't know the new configuration directive).

It is strange that the .ovpn configuration file has AES-256-CBC instead of the value configured on the Pritunl VPN server. In the server log of the Pritunl VPN server I can see that the connection is correctly established with AES-256-GCM. So this should be fine.

It would be nice if future versions of Pritunl could add the “data-ciphers” option to the .ovpn config file.

Regards,
Matthias Wefer

This will be fixed in the next server release. The Pritunl Client will already include data-ciphers.

Thank you very much for the information!

Hi,

Interesting information, and it explains why our clients are now not connecting. We installed the free version back in October and were testing this with some of our embedded clients and all was working well. Today I installed the server on a new host and all the connections are failing when I replace the .ovpn files. Our client is stuck at 2.4.7 and doesn't support data-ciphers, so it fails to connect. Is there any mechanism for us to generate .ovpn files without the data-ciphers option present?

Regards

Richard

Adding ignore-unknown-option data-ciphers to the configuration should fix the issue. This will be included in the next release.
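As an added example (not Pritunl's own code), a small Python helper that applies both workarounds from this thread to a client profile before handing it to mixed client versions: it keeps the legacy `cipher` line, adds a `data-ciphers` list that includes that cipher (with the OpenVPN 2.6 default list quoted in the client log placed first, so AES-256-GCM is still preferred), and prepends `ignore-unknown-option data-ciphers` so a 2.4.x client does not reject the directive. The sample profile is constructed.

```python
# OpenVPN 2.6 default data-ciphers list, as quoted in the client-log warning above.
OVPN_DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]

# Constructed sample .ovpn profile (hostname is a placeholder).
SAMPLE_OVPN = (
    "client\n"
    "dev tun\n"
    "remote vpn.example.com 1194\n"
    "cipher AES-256-CBC\n"
    "auth SHA256\n"
)


def reconcile_ovpn_ciphers(config_text: str) -> str:
    """Return a profile that old (2.4.x) and new (2.5+/2.6) clients both accept.

    Keeps ``cipher X``, ensures ``data-ciphers`` lists X, and inserts
    ``ignore-unknown-option data-ciphers`` before it. Idempotent.
    """
    lines = config_text.splitlines()
    cipher = cipher_idx = dc_idx = None
    has_ignore = False
    for i, raw in enumerate(lines):
        parts = raw.strip().split()
        if not parts or parts[0][0] in "#;":  # blank line or comment
            continue
        if parts[0] == "cipher" and len(parts) > 1:
            cipher, cipher_idx = parts[1], i
        elif parts[0] == "data-ciphers" and len(parts) > 1:
            dc_idx = i
        elif parts[0] == "ignore-unknown-option" and "data-ciphers" in parts[1:]:
            has_ignore = True
    if cipher is None:
        return config_text  # no legacy cipher line, nothing to reconcile
    if dc_idx is not None:
        # data-ciphers already present: append the legacy cipher if missing
        ciphers = lines[dc_idx].split()[1].split(":")
        if cipher not in ciphers:
            ciphers.append(cipher)
        lines[dc_idx] = "data-ciphers " + ":".join(ciphers)
        insert_at = dc_idx
    else:
        # no data-ciphers line: GCM defaults first, legacy cipher as fallback
        ciphers = [c for c in OVPN_DEFAULT_DATA_CIPHERS if c != cipher] + [cipher]
        lines.insert(cipher_idx + 1, "data-ciphers " + ":".join(ciphers))
        insert_at = cipher_idx + 1
    if not has_ignore:
        lines.insert(insert_at, "ignore-unknown-option data-ciphers")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(reconcile_ovpn_ciphers(SAMPLE_OVPN))
```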