Bug 55846

Summary: The GOST encryption algorithm does not work
Product: Sisyphus Reporter: Elena Mishina <lepata>
Component: alterator-openvpn-server Assignee: Mikhail Efremov <sem>
Status: NEW --- QA Contact: qa-sisyphus
Severity: normal    
Priority: P5 CC: sem
Version: unstable   
Hardware: x86_64   
OS: Linux   

Description Elena Mishina 2025-09-03 10:11:50 MSK
The openssl-gost-engine package is installed, and the following command has been run: control openssl-gost all

Steps to reproduce:
1. In the OpenVPN settings, select the kuznyechik-cbc algorithm in the "Encryption algorithm" list (and complete the remaining settings needed to start the server).
2. Start the OpenVPN server

Result:
DEPRECATED OPTION: --cipher set to 'kuznyechik-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.

Expected result:
The selected encryption algorithm is used (the configuration file uses the --data-ciphers option rather than --cipher)

man openvpn
--cipher alg
    This option should not be used any longer in TLS mode and still exists for two reasons:
      · compatibility with old configurations still carrying it around;
      · allow users connecting to OpenVPN peers older than 2.6.0 to have --cipher configured the same way as the remote counterpart. This can avoid MTU/frame size warnings.

     Before 2.4.0, this option was used to select the cipher to be configured on the data channel, however, later versions usually ignored this directive in favour of a negotiated cipher.  Starting with  2.6.0,  this  option  is  always  ignored in TLS mode when it comes to configuring the cipher and will only control the cipher for --secret pre-shared-key mode (note: this mode is deprecated and strictly not recommended).

      If  you  wish to specify the cipher to use on the data channel, please see --data-ciphers (for regular negotiation) and --data-ciphers-fallback (for a fallback option when the negotiation cannot take place because the other peer is  old or has negotiation disabled)


See also https://community.openvpn.net/Pages/CipherNegotiation
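
A config check for the condition reported above, as an added example that is not part of the original report or of alterator-openvpn-server: it flags a TLS-mode config whose `cipher` value is missing from `data-ciphers`. The function names and both sample configs are constructed for illustration; the default cipher list is taken from the quoted warning.

```python
# Added example (not from alterator-openvpn-server): lint an OpenVPN config for
# the condition behind the warning quoted in the report.
# Default negotiation list, copied from that warning text.
DEFAULT_DATA_CIPHERS = "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305"

def parse_options(text):
    """Map option name -> argument list; a later line overrides an earlier one."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # OpenVPN comment markers
            continue
        name, *args = line.split()
        opts[name.lstrip("-")] = args        # accept "cipher" and "--cipher"
    return opts

def check_cipher(text):
    """Return findings; an empty list means cipher and data-ciphers agree."""
    opts = parse_options(text)
    if not opts.get("cipher"):
        return []
    if "secret" in opts:                     # pre-shared-key mode still honours cipher
        return []
    cipher = opts["cipher"][0]
    listed = (opts.get("data-ciphers") or [DEFAULT_DATA_CIPHERS])[0]
    # A leading "?" marks a cipher as optional in OpenVPN 2.6; names are compared
    # case-insensitively (an assumption of this example).
    negotiable = [c.lstrip("?").upper() for c in listed.split(":") if c]
    if cipher.upper() in negotiable:
        return []
    return [f"cipher '{cipher}' is not in data-ciphers ({listed}); "
            f"it will be ignored in TLS mode"]

# Constructed configs: the report does not show the generated file.
AS_REPORTED = """\
port 1194
proto udp
cipher kuznyechik-cbc
"""
AS_EXPECTED = """\
port 1194
proto udp
data-ciphers kuznyechik-cbc
data-ciphers-fallback kuznyechik-cbc
"""

if __name__ == "__main__":
    for name, cfg in (("as reported", AS_REPORTED), ("as expected", AS_EXPECTED)):
        print(name, "->", check_cipher(cfg) or "ok")
```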