RUTX11 always falls back to BF-CBC


I want to create an openVPN connection with the RUTX11.
The latest firmware is installed 7.04.4 2023-06-29
However, it doesn’t matter what encryption method I choose, it always falls back to BF-CBC.
The warning I see in the logs is:
DEPRICATED OPTION: --cipher set to ‘AES-192-CBC’ but missing in --data-ciphers (BF-CBC)… Add ‘AES-192-CBC’ to --data-ciphers.

Where and how can I add the encryption methods to --data-ciphers, isn’t that supposed to happen automatically in the WebUI when selecting the encryption?


As you mentioned, this is only a warning. Are you sure it actually chooses BF-CBC?
I’ve tested this behavior, and the tunnel seems to establish using the data cypher set in the WebUI. The full message looks like so:

DEPRECATED OPTION: --cipher set to ‘AES-256-GCM’ but missing in --data-ciphers (BF-CBC). Future OpenVPN version will ignore --cipher for cipher negotiations. Add ‘AES-256-GCM’ to --data-ciphers or change --cipher ‘AES-256-GCM’ to --data-ciphers-fallback ‘AES-256-GCM’ to silence this warning.

This will be updated with the future RutOS releases.

Best regards,

Hello Daumantas,

Thank you for your response.
On the client site, the Ovpn client also gives a warning that the encryption is BF-CBC with block size less than 128bit and open to a sweet32 attack.

Should I try to ‘force’ the encryption method at the client site?


Make sure you also specify the cyphers you want to use in the TLS cipher field. Select Custom and add the cyphers (e.g. AES-192-CBC) you’d like to use. This should remove the warnings from the logs and use the cypher specified in the Encryption field, assuming it’s specified in the Allowed TLS ciphers field.
As for the client side, the most important thing to keep in mind, is that it should support the same cypher.
Let me know if this helps.

Thank you! Setting TLS cipher solved the BF-CBC connection problem :partying_face:

1 Like