Advanced Security Options

Abstract

Explore advanced security options for Access Server and learn how to use the command-line interface for configurations not available in the web-based GUI.

Access Server provides a range of advanced security configuration options that go beyond the web-based Admin Web UI capabilities. These advanced settings require the command-line interface (CLI), allowing administrators to perform extra configurations and fine-tune security settings for their VPN setup. This section covers the advanced security options available through the CLI, providing detailed instructions and examples to help administrators enhance the security and functionality of their Access Server.

Change the data-channel encryption cipher for server and client

The data-channel encryption cipher determines how the data packets transmitted through the OpenVPN tunnel are encrypted and decrypted. On the server, ciphers can be specified in order of priority. The first cipher that the client also supports will be used for the VPN session. This allows for backward compatibility so that newer clients capable of better encryption ciphers will prefer to use those, while older clients can still connect using older cipher methods.

Mid-session TLS encryption key renegotiation

For security purposes, Access Server renegotiates the TLS session and encryption key used for an OpenVPN session at regular intervals. The server or client can trigger the renegotiation.

Authentication failure lockout policy

Access Server automatically locks out user accounts after repeated failed authentication attempts to prevent brute-force password guessing. When an account is locked out, the user will receive a message like "LOCKOUT" or "user temporarily locked out due to multiple authentication failures."

You can modify these default settings and manually lift the lockout if needed. Note that user-locked connection profiles and bootstrap accounts (only on Access Server 2.9 and older) are exceptions to this policy.

TLS control channel security

You can configure the TLS control channel security in the Admin Web UI or the command line.

TOTP multi-factor authentication

Access Server supports TOTP MFA configured in the Admin Web UI. This adds a second authentication step for users and can be turned on by clicking a single toggle.

Selecting the TLS level for the OpenVPN daemons

Current Access Server versions use TLS 1.2 as the default for the OpenVPN daemons. However, older clients may not support TLS 1.1 or newer. For instance, an OpenVPN client from 2014 or earlier will not connect to a server requiring TLS 1.1 or 1.2. If your current setup uses TLS 1.0 and you have many clients with pre-configured profiles and software, it is recommended to stay with TLS 1.0 to avoid disruptions. Conversely, downgrading from TLS 1.1 or later to TLS 1.0 will also require updating client profiles or software.

Connecting without client certificates

Access Server supports connections without client certificates through a server-locked profile, for scenarios where a client certificate cannot be used.