Solution
If your VPN stopped working after upgrading to Ubuntu 24.04 and the log says “Data channel cipher negotiation failed (no shared cipher)”, set the data-ciphers list on your NetworkManager VPN connection so that it includes both the modern AEAD ciphers and the legacy CBC cipher your server still uses.
(This works best when you can’t change the OpenVPN server. If you are only dealing with one server, it is easier to switch the server to a GCM cipher, which has been the default since OpenVPN 2.5.)
Add a universal cipher list:
nmcli connection modify "YOUR_VPN" +vpn.data "data-ciphers=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC:AES-128-CBC"
Reconnect:
nmcli connection down "YOUR_VPN"
nmcli -w 60 connection up "YOUR_VPN" --ask
Optional but recommended (also fixes the “No server certificate verification method has been enabled” warning):
nmcli connection modify "YOUR_VPN" +vpn.data "remote-cert-tls=server"
In many environments this single change is enough. Do not add compat-mode or data-ciphers-fallback via NetworkManager; those options are not supported there and can prevent the connection from starting.
Background
Ubuntu 24.04 ships OpenVPN 2.6, whose default data-ciphers list contains only AEAD ciphers (AES-GCM and ChaCha20-Poly1305), while many servers still require CBC (e.g., AES-128-CBC or AES-256-CBC). With no cipher common to both lists, negotiation fails and the server rejects the session.
NetworkManager’s OpenVPN plugin in 24.04 does not support compat-mode or data-ciphers-fallback, so adding those options breaks the profile.
Symptom in logs
AUTH: Received control message: AUTH_FAILED, Data channel cipher negotiation failed (no shared cipher)
Reference: Step-by-step fix and troubleshooting
Verify current VPN settings (NetworkManager)
Show OpenVPN key/values:
nmcli -f connection.id,type,vpn.data connection show "YOUR_VPN"
If you see compat-mode or data-ciphers-fallback in vpn.data, remove them:
nmcli connection modify "YOUR_VPN" -vpn.data "compat-mode=2.4"
nmcli connection modify "YOUR_VPN" -vpn.data "data-ciphers-fallback=AES-128-CBC"
Set the cipher list (works for both modern and legacy servers)
Recommended universal list:
nmcli connection modify "YOUR_VPN" +vpn.data "data-ciphers=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC:AES-128-CBC"
If your server pins a specific CBC cipher and HMAC, or has cipher negotiation (NCP) disabled, set them explicitly too:
nmcli connection modify "YOUR_VPN" +vpn.data "cipher=AES-128-CBC,auth=SHA256"
Replace AES-128-CBC/SHA256 with what your server actually uses (e.g., AES-256-CBC, SHA512).
Fix common warnings and file permission issues
Remove “group or others accessible” warnings and avoid AppArmor denials by moving certs/keys out of $HOME and locking permissions:
sudo mkdir -p /etc/NetworkManager/openvpn-certs
sudo cp /path/to/ca.pem /etc/NetworkManager/openvpn-certs/
sudo cp /path/to/cert.pem /etc/NetworkManager/openvpn-certs/
sudo cp /path/to/cert.key /etc/NetworkManager/openvpn-certs/
sudo chmod 600 /etc/NetworkManager/openvpn-certs/*
Update your VPN profile to point to these new paths:
nmcli connection modify "YOUR_VPN" +vpn.data "ca=/etc/NetworkManager/openvpn-certs/ca.pem,cert=/etc/NetworkManager/openvpn-certs/cert.pem,key=/etc/NetworkManager/openvpn-certs/cert.key"
Enable server certificate verification (this also removes the “No server certificate verification method has been enabled” warning, which is the one that points to the OpenVPN MITM howto):
nmcli connection modify "YOUR_VPN" +vpn.data "remote-cert-tls=server"
Optionally enforce modern TLS:
nmcli connection modify "YOUR_VPN" +vpn.data "tls-version-min=1.2"
Reconnect and watch logs live
Reconnect:
nmcli connection down "YOUR_VPN"
nmcli -w 60 connection up "YOUR_VPN" --ask
Live logs:
sudo journalctl -b -u NetworkManager -t nm-openvpn -n 100 -f
or, filtering on the tag only with plain message output:
sudo journalctl -f -t nm-openvpn -o cat
If you still see “no shared cipher,” double‑check that:
The cipher in data-ciphers actually matches what the server allows (e.g., AES-128-CBC).
If the server disables NCP, you may need to set both cipher and auth explicitly (see “Set the cipher list” above).
Your keys/certs are mode 600, owned by root, and outside $HOME (no AppArmor denials in the journal).
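The checks above (unsupported keys in vpn.data, a data-ciphers list that misses the server’s cipher, missing remote-cert-tls, key material under $HOME, and the tell-tale journal lines) can be scripted. The following is an added example, not code from the original post or from NetworkManager; it assumes the “key = value, key = value” layout that `nmcli -g vpn.data connection show PROFILE` prints, and it never runs nmcli itself: it only prints the commands this page recommends. The profile data and journal lines at the bottom are constructed samples.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): audit an nm-openvpn profile's vpn.data
# and triage nm-openvpn journal lines, printing the nmcli commands the page recommends.
# Assumption: DATA is in the "key = value, key = value" layout that
# `nmcli -g vpn.data connection show PROFILE` prints. No nmcli is executed here.
set -u

UNIVERSAL_CIPHERS="AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC:AES-128-CBC"
# Keys the page says the 24.04 nm-openvpn plugin rejects.
UNSUPPORTED_KEYS="compat-mode data-ciphers-fallback"

# vpn_data_get DATA KEY -> prints KEY's value, or nothing if KEY is absent.
# The regex anchors on "KEY =" so "data-ciphers" does not match "data-ciphers-fallback".
vpn_data_get() {
  local data=$1 key=$2
  printf '%s\n' "$data" | tr ',' '\n' \
    | sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" \
    | sed 's/[[:space:]]*$//' | head -n1
}

# ciphers_contain LIST CIPHER -> succeeds if CIPHER is in the colon-separated LIST
# (case-insensitive, so aes-128-cbc matches AES-128-CBC).
ciphers_contain() {
  local list want
  list=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
  want=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
  case ":$list:" in *":$want:"*) return 0 ;; esac
  return 1
}

# audit_vpn_data PROFILE DATA SERVER_CIPHER -> one line per finding: the nmcli command
# (or a comment) that fixes it. Prints nothing when the profile already looks right.
audit_vpn_data() {
  local profile=$1 data=$2 server_cipher=$3 k v
  for k in $UNSUPPORTED_KEYS; do
    v=$(vpn_data_get "$data" "$k")
    if [ -n "$v" ]; then
      printf 'nmcli connection modify "%s" -vpn.data "%s=%s"\n' "$profile" "$k" "$v"
    fi
  done
  v=$(vpn_data_get "$data" data-ciphers)
  if ! ciphers_contain "$v" "$server_cipher"; then
    printf 'nmcli connection modify "%s" +vpn.data "data-ciphers=%s"\n' "$profile" "$UNIVERSAL_CIPHERS"
  fi
  v=$(vpn_data_get "$data" remote-cert-tls)
  if [ "$v" != server ]; then
    printf 'nmcli connection modify "%s" +vpn.data "remote-cert-tls=server"\n' "$profile"
  fi
  for k in ca cert key; do
    v=$(vpn_data_get "$data" "$k")
    case $v in
      /home/*) printf '# %s=%s lives under /home: move it to /etc/NetworkManager/openvpn-certs, chmod 600, then update vpn.data\n' "$k" "$v" ;;
    esac
  done
  return 0
}

# triage_log_line LINE -> prints the likely cause of one nm-openvpn journal line:
# cipher | permissions | apparmor | tls-verify | none
triage_log_line() {
  case $1 in
    *"no shared cipher"*)                   echo cipher ;;
    *"group or others accessible"*)         echo permissions ;;
    *'apparmor="DENIED"'*)                  echo apparmor ;;
    *"No server certificate verification"*) echo tls-verify ;;
    *)                                      echo none ;;
  esac
}

# Constructed sample (not real nmcli output) for a profile named "Work VPN" that still
# carries an option the page says to remove and keeps its CA under /home.
SAMPLE_VPN_DATA='remote = vpn.example.com:1194, connection-type = tls, compat-mode = 2.4, cipher = AES-128-CBC, auth = SHA256, ca = /home/user/ca.pem'

echo '# Suggested fixes for "Work VPN" (server requires AES-128-CBC):'
audit_vpn_data "Work VPN" "$SAMPLE_VPN_DATA" AES-128-CBC

echo '# Triage of constructed journal lines:'
while IFS= read -r line; do
  printf '%-12s %s\n' "$(triage_log_line "$line")" "$line"
done <<'EOF'
nm-openvpn[4242]: AUTH: Received control message: AUTH_FAILED,Data channel cipher negotiation failed (no shared cipher)
nm-openvpn[4242]: WARNING: file '/home/user/cert.key' is group or others accessible
kernel: audit: type=1400 apparmor="DENIED" operation="open" name="/home/user/ca.pem"
nm-openvpn[4242]: Initialization Sequence Completed
EOF
```

Against a real profile, feed nmcli’s output in: `audit_vpn_data "$P" "$(nmcli -g vpn.data connection show "$P")" AES-128-CBC`, and pipe `journalctl -t nm-openvpn -o cat` through the triage loop instead of the heredoc. Review the printed commands before running them; the audit only reports what the page’s steps would change.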
Alternative: Use the native OpenVPN client (bypass NetworkManager)
If you want to avoid NetworkManager quirks entirely, you can run OpenVPN directly. Be aware that no GUI is available out of the box.
Run:
sudo openvpn --config /etc/openvpn/client/your.conf
Notes and caveats
NetworkManager OpenVPN plugin in Ubuntu 24.04 does not support compat-mode and data-ciphers-fallback; adding them stops the connection from starting.
The simplest reliable fix within NM is to set data-ciphers to a list that includes the server’s CBC option.
If you manage the server, consider migrating to AEAD (AES-GCM/ChaCha20-Poly1305). It’s safer and faster, and aligns with OpenVPN 2.6 defaults.