Advanced Security Options
Explore advanced security options for Access Server and learn how to use the command-line interface for configurations not available in the web-based GUI.
Access Server provides a range of advanced security configuration options that go beyond the web-based Admin Web UI capabilities. These advanced settings require the command-line interface (CLI), allowing administrators to perform extra configurations and fine-tune security settings for their VPN setup. This section covers the advanced security options available through the CLI, providing detailed instructions and examples to help administrators enhance the security and functionality of their Access Server.
Change the data-channel encryption cipher for server and client
The data-channel encryption cipher determines how the data packets transmitted through the OpenVPN tunnel are encrypted and decrypted. On the server, ciphers can be specified in order of priority. The first cipher that the client also supports will be used for the VPN session. This allows for backward compatibility so that newer clients capable of better encryption ciphers will prefer to use those, while older clients can still connect using older cipher methods.
Mid-session TLS encryption key renegotiation
For security purposes, Access Server renegotiates the TLS session and encryption key used for an OpenVPN session at regular intervals. The server or client can trigger the renegotiation.
Authentication failure lockout policy
Access Server automatically locks out user accounts after repeated failed authentication attempts to prevent brute-force password guessing. When an account is locked out, the user will receive a message like "LOCKOUT" or "user temporarily locked out due to multiple authentication failures."
You can modify these default settings and manually lift the lockout if needed. Note that user-locked connection profiles and bootstrap accounts (only on Access Server 2.9 and older) are exceptions to this policy.
TLS control channel security
You can configure the TLS control channel security in the Admin Web UI or the command line.
TOTP multi-factor authentication
Access Server supports TOTP MFA configured in the Admin Web UI. This provides an additional security step for authenticating users you can easily turn on by clicking a toggle.
Selecting the TLS level for the OpenVPN daemons
Current Access Server versions use TLS 1.2 as the default for the OpenVPN daemons. However, older clients may not support TLS 1.1 or newer. For instance, an OpenVPN client from 2014 or earlier will not connect to a server requiring TLS 1.1 or 1.2. If your current setup uses TLS 1.0 and you have many clients with pre-configured profiles and software, it is recommended to stay with TLS 1.0 to avoid disruptions. Conversely, downgrading from TLS 1.1 or later to TLS 1.0 will also require updating client profiles or software.
Connecting without client certificates
Access Server supports connections without client certificates using a server-locked profile for scenarios where you may need to connect without one.