EdgeRouter OpenVPN – Mac connection issues in Tunnelblick and Shimo

This is a rather specific situation, but I thought it could be useful to share our experience, since someone else may run into the same problem. In one of our configurations, we use an EdgeRouter (Ubiquiti EdgeRouter 12) not only to handle routing but also to act as an OpenVPN server.

The keys are generated on the EdgeRouter, and the configuration files are prepared for the clients. They work fine on various platforms: OpenVPN clients on Windows, Android phones, iPhones and Linux machines. The issue starts with Mac users.

Tunnelblick error

Tunnelblick is not able to connect to the server, and in the logs you can read:

2021-09-06 13:00:55.580699 OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('BF-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM') if you want to connect to this server.
2021-09-06 13:00:55.580711 ERROR: Failed to apply push options

This error already sheds some light on the issue, but let's take a look at what happens in Shimo.

Shimo error

In some cases Shimo connects, but the network stops working once the VPN is up. In other cases Shimo does not connect at all. The logs show:

2021/09/08 15:42:51:942  >STATE:1631115771,CONNECTED,SUCCESS,172.16.1.15,83.13.238.137,1194,,
2021/09/08 15:45:19:233  State changed to: Disconnecting (before: Connected)
2021/09/08 15:45:19:233  NOTIFICATION: Shimo initiated the disconnection process for account 'Test'.
2021/09/08 15:45:19:653  Shimo detected a change of network configurations.
2021/09/08 15:45:19:654  Resetting network configuration
2021/09/08 15:45:19:654  >STATE:1631115919,RECONNECTING,process-push-msg-failed,,,,,
2021/09/08 15:45:20:775  >STATE:1631115920,EXITING,SIGTERM,,,,,
2021/09/08 15:45:20:775  OpenVPN management socket disconnected
2021/09/08 15:45:20:776  NOTIFICATION: Shimo terminated the connection for account 'Test'.
2021/09/08 15:45:20:783  State changed to: Disconnected (before: Disconnecting)

This looks completely different and says nothing about a cipher issue, but the source of the problem turns out to be the same.

The solution

The solution is hidden in the Tunnelblick message. In openvpn.conf (the client configuration file) we had to add the following line:

cipher BF-CBC

Once the configuration was adjusted and imported into Tunnelblick and Shimo, both applications were able to connect to the server properly.
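The triage above, as an added Python example that is not part of the original post: it recognises the push-option failure in both clients' logs, pulls the server's cipher and the client's data-ciphers list out of the Tunnelblick OPTIONS ERROR line, builds the directive that message asks for (appending the cipher to data-ciphers, a companion to the page's `cipher BF-CBC` fix), and flags that the server cipher is a legacy 64-bit block cipher. The log lines and the openvpn.conf body are constructed samples modelled on the ones quoted above.

```python
import re

# Constructed sample lines, modelled on the Tunnelblick and Shimo logs quoted in the post.
TUNNELBLICK_LOG = (
    "2021-09-06 13:00:55.580699 OPTIONS ERROR: failed to negotiate cipher with server.  "
    "Add the server's cipher ('BF-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM') "
    "if you want to connect to this server.\n"
    "2021-09-06 13:00:55.580711 ERROR: Failed to apply push options\n"
)
SHIMO_LOG = "2021/09/08 15:45:19:654  >STATE:1631115919,RECONNECTING,process-push-msg-failed,,,,,\n"

# 64-bit block ciphers that OpenVPN 2.5 removed from its default data-ciphers list.
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "IDEA-CBC", "RC2-CBC"}
_NEGOTIATE_RE = re.compile(
    r"failed to negotiate cipher with server\.\s+Add the server's cipher \('([^']+)'\)"
    r" to --data-ciphers \(currently '([^']+)'\)"
)
_PUSH_FAIL_MARKERS = ("Failed to apply push options", "process-push-msg-failed")

def push_options_failed(log_text):
    """True when either client reports that the server's pushed options were rejected."""
    return any(marker in log_text for marker in _PUSH_FAIL_MARKERS)

def parse_cipher_error(log_text):
    """Extract (server_cipher, client_data_ciphers) from the OPTIONS ERROR line, else None."""
    match = _NEGOTIATE_RE.search(log_text)
    if match is None:
        return None
    return match.group(1), match.group(2).split(":")

def suggest_client_fix(log_text):
    """Directive to add to the client config, plus a flag when the server cipher is legacy.
    The server's cipher is appended to the client's list rather than replacing it, so
    AES-GCM stays preferred once the server is reconfigured."""
    parsed = parse_cipher_error(log_text)
    if parsed is None:
        return None
    server_cipher, client_ciphers = parsed
    if server_cipher not in client_ciphers:
        client_ciphers = client_ciphers + [server_cipher]
    return {"directive": "data-ciphers " + ":".join(client_ciphers),
            "legacy_cipher": server_cipher in SMALL_BLOCK_CIPHERS}

def apply_to_config(config_text, directive):
    """Append the directive to an openvpn.conf body unless that option is already set."""
    key = directive.split()[0]
    if any(line.split()[:1] == [key] for line in config_text.splitlines()):
        return config_text
    return config_text.rstrip("\n") + "\n" + directive + "\n"
```

BF-CBC is Blowfish with a 64-bit block, which is why OpenVPN 2.5 clients no longer accept it by default; the client-side override restores connectivity, and the lasting fix is to move the EdgeRouter's server cipher to an AES-GCM option so the override can be dropped again.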