Hi folks,
not a GL.iNet issue at at all, but I thought the solution might help some other folks here subscribing to CyberGhost VPN too.
A couple of days ago I noticed that VPN connections to the CyberGhost servers from my Flint 2 setup as a VPN client could no longer be established.
Sample log messages here:
Thu Apr 17 12:06:51 2025 daemon.notice ovpnclient[10613]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
Thu Apr 17 12:06:51 2025 daemon.notice ovpnclient[10613]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
Thu Apr 17 12:06:51 2025 daemon.notice ovpnclient[10613]: TCP/UDP: Preserving recently used remote address: [AF_INET]84.17.49.63:443
Thu Apr 17 12:06:51 2025 daemon.notice ovpnclient[10613]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Apr 17 12:06:51 2025 daemon.notice ovpnclient[10613]: UDP link local: (not bound)
Thu Apr 17 12:06:51 2025 daemon.notice ovpnclient[10613]: UDP link remote: [AF_INET]84.17.49.63:443
Thu Apr 17 12:06:51 2025 daemon.notice ovpnclient[10613]: TLS: Initial packet from [AF_INET]84.17.49.63:443, sid=5de23034 739884d6
Thu Apr 17 12:06:51 2025 daemon.notice ovpnclient[10613]: VERIFY OK: depth=1, C=RO, L=Bucharest, O=CyberGhost S.A., CN=CyberGhost Root CA, emailAddress=info@cyberghost.ro
Thu Apr 17 12:06:51 2025 daemon.notice ovpnclient[10613]: VERIFY KU OK
Thu Apr 17 12:06:51 2025 daemon.notice ovpnclient[10613]: Validating certificate extended key usage
Thu Apr 17 12:06:51 2025 daemon.notice ovpnclient[10613]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Apr 17 12:06:51 2025 daemon.notice ovpnclient[10613]: VERIFY EKU OK
Thu Apr 17 12:06:51 2025 daemon.notice ovpnclient[10613]: VERIFY OK: depth=0, CN=frankfurt-rack409.nodes.gen4.ninja
Thu Apr 17 12:06:51 2025 daemon.warn ovpnclient[10613]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1569', remote='link-mtu 1553'
Thu Apr 17 12:06:51 2025 daemon.warn ovpnclient[10613]: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Thu Apr 17 12:06:51 2025 daemon.notice ovpnclient[10613]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA256
Thu Apr 17 12:06:51 2025 daemon.notice ovpnclient[10613]: [frankfurt-rack409.nodes.gen4.ninja] Peer Connection Initiated with [AF_INET]84.17.49.63:443
Thu Apr 17 12:06:51 2025 daemon.notice ovpnclient[10613]: AUTH: Received control message: AUTH_FAILED,Data channel cipher negotiation failed (no shared cipher)
Thu Apr 17 12:06:51 2025 daemon.notice ovpnclient[10613]: TCP/UDP: Closing socket
Thu Apr 17 12:06:51 2025 daemon.notice ovpnclient[10613]: SIGTERM[soft,auth-failure] received, process exiting
I contacted their support and they gave me this (confirmed) solution:
A possible fix to this issue, and to ensure compatibility the newer OpenVPN version,
we recommend the following changes to your .ovpn configuration file:
1. Remove the line:
• ncp-disable
2. Add the following lines instead:
• data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
• data-ciphers-fallback AES-256-CBC
3. If your configuration contains the line:
• cipher AES-256-CBC
please remove it, as it is deprecated in OpenVPN 2.6 and no longer necessary.
To find the ovpn file you should access the CyberGhost files>
There you will find openvpn file open it>
in there you will find the ovpn configuration file where you can modify the terminals in.
I can confirm that when you edit the "openvpn.ovpn" file that's in the ZIP archive downloaded from CyberGhost according to above instructions, this will resolve the issue. Make sure to pack the editied file back into the archive, upload/import the changed ZIP file to your GL.iNet router, and the issue is resolved!
Hope this helps some folks here stuck with the same issue.