Data-channel Encryption Cipher Negotiation on Access Server | OpenVPN

Abstract

Understand the data-channel encryption cipher negotiation that encrypts communication between Access Server and VPN clients.

Introduction

The data-channel encryption cipher encrypts and decrypts the data packets transmitted through the OpenVPN tunnel. This documentation provides an overview of data-channel ciphers for OpenVPN Access Server and the differences between versions.

Access Server 2.9 and newer provides data-channel cipher configuration in the Admin Web UI and the command-line interface. For details, refer to this tutorial: Change the Data-channel Encryption Cipher.

Default data-channel ciphers

Access Server and OpenVPN clients have default data-channel ciphers, but which ones apply depends on several factors. Use the following information to find the scenario that most closely matches your server-client setup. You can also change the default values using the Admin Web UI or command-line interface, as detailed in this tutorial: Change the Data-channel Encryption Cipher.

The default data-channel ciphers depend on the following factors:

  • Client capability for cipher negotiation and supported ciphers.

  • Configuration settings inherited from an older installation.

  • Access Server version currently in use.

Cipher negotiation occurs between servers and clients that both support it, and it automatically upgrades connections to a better cipher. By default, Access Server 2.5.0 and newer tries to upgrade to AES-256-GCM. The following programs are known to support cipher negotiation:

  • Access Server 2.5.0 and newer.

  • OpenVPN3 Linux client, all versions.

  • OpenVPN Connect v3, all versions.

  • OpenVPN GUI 2.4 and newer.

  • Other clients based on OpenVPN 3 or OpenVPN 2.4 and newer.

AES-256-CBC default for Access Server 2.5.0 and newer

If you started your Access Server installation on 2.5.0 or newer, the default cipher is set to AES-256-CBC. The server automatically upgrades a client that supports cipher negotiation to AES-256-GCM for its connection. A client that doesn’t support cipher negotiation uses AES-256-CBC for its connection. The choice of AES-256-CBC allows compatibility with older clients that support AES-256-CBC but don’t support AES-256-GCM. The two ciphers have the same level of security, but more recent OpenVPN versions use the faster AES-GCM method, which combines the encryption and authentication steps. SHA1 HMAC is used for packet authentication when CBC mode is used.

Configurable data-channel cipher for Access Server 2.9.0 and newer

On Access Server 2.9.0 and newer, you can configure the data-cipher string in the Admin Web UI and the command-line interface. This lets you set several ciphers in order of priority. The first cipher in the list that the client supports is the one used for the VPN connection.

For details on configuring this, refer to Change the Data-channel Encryption Cipher.

BF-CBC default for old Access Server versions

If you use a version of Access Server before 2.5.0, the cipher is BF-CBC by default. The cipher for the connection will not be automatically upgraded in this situation because the server does not support cipher negotiation. If, however, you upgrade such an old installation of Access Server to version 2.5.0 or newer, the default cipher will remain set to BF-CBC for backward compatibility with older clients, but the server will now upgrade newer clients that support cipher negotiation to AES-256-GCM. Clients not supporting cipher negotiation will continue to use BF-CBC for their connections in this situation to maintain backward compatibility.

Looking up data-channel cipher in log files

To see exactly what cipher is used with a VPN connection, you can check your log entries.

Log entry in openvpnas.log showing AES-256-GCM data-channel encryption:

2022-01-01 12:00:00 User/192.0.2.22:12345 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-01-01 12:00:00 User/192.0.2.22:12345 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

BF-CBC cipher deprecation recommendations

If you’re still using BF-CBC on Access Server, we strongly recommend switching to a more secure cipher as soon as possible.

When we released versions of Access Server that used BF-CBC, it was considered secure. However, that hasn’t been the case for a long time (see SWEET32 for more information). Therefore, since the release of Access Server 2.5.0, the new default has been AES-256-CBC. This is compatible and secure even with older OpenVPN clients that do not support cipher negotiation or GCM.

If you are now on an Access Server older than 2.5.0 or have a configuration that was upgraded from such an older version, we recommend upgrading to the latest version of Access Server. That will allow the OpenVPN server to automatically upgrade the connections from OpenVPN clients capable of cipher negotiation to AES-256-GCM. You can then use the data-cipher configuration to work towards eliminating BF-CBC from your supported data-ciphers list altogether.

For backward compatibility in the above-described situation, older OpenVPN clients incapable of cipher negotiation will continue to connect with BF-CBC. To change those to a secure cipher, you can update the client software so that the server can automatically upgrade its connections to AES-256-GCM. Alternatively, if you can't update the client software, you can adjust the data-cipher list to include BF-CBC and AES-256-CBC and then modify the client connection profiles manually by specifying cipher AES-256-CBC. After all the clients no longer use BF-CBC, you can remove BF-CBC from the data-cipher list and update the vpn.server.cipher value to AES-256-CBC. Do not change this value before then, as it may cause cipher mismatch problems with older clients.
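
Added example (not part of the OpenVPN documentation): a Python script that reads data-channel lines in the openvpnas.log format shown under "Looking up data-channel cipher in log files" and lists the users whose most recent connection still used BF-CBC, which is the check to make before removing BF-CBC from the data-cipher list. It assumes every relevant line matches that format; the function names, usernames, and sample lines are constructed for illustration.

```python
import re

# Data-channel line format as shown in the openvpnas.log excerpt on this page.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<peer>\S+) "
    r"(?:Outgoing|Incoming) Data Channel: Cipher '(?P<cipher>[^']+)' "
    r"initialized with (?P<bits>\d+) bit key"
)

def latest_cipher_per_user(lines):
    """Return {user: (timestamp, ip, cipher)} for each user's most recent session."""
    latest = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a data-channel initialization line
        user, sep, addr = m["peer"].partition("/")
        if not sep:
            continue  # peer field carries no user name; cannot attribute it
        ip = addr.rpartition(":")[0]  # drop the source port
        entry = (m["ts"], ip, m["cipher"].upper())
        # Timestamps in this format sort lexicographically in time order.
        if user not in latest or entry[0] >= latest[user][0]:
            latest[user] = entry
    return latest

def users_still_on(latest, cipher="BF-CBC"):
    """Users whose most recent data channel used `cipher`, sorted by name."""
    return sorted(u for u, (_, _, c) in latest.items() if c == cipher)

# Constructed sample lines (not real log data): bob's client was updated between
# his two sessions, dave's client still connects with BF-CBC.
SAMPLE_LOG = """\
2022-01-01 12:00:00 alice/192.0.2.22:12345 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-01-01 12:00:00 alice/192.0.2.22:12345 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-01-01 12:05:10 bob/198.51.100.7:50122 Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
2022-01-02 09:30:00 bob/198.51.100.7:50310 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-01-02 10:15:42 dave/203.0.113.9:40001 Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
2022-01-02 10:16:00 dave/203.0.113.9:40001 constructed line unrelated to the data channel
""".splitlines()

if __name__ == "__main__":
    report = latest_cipher_per_user(SAMPLE_LOG)
    for user in users_still_on(report):
        ts, ip, cipher = report[user]
        print(f"{user} last connected with {cipher} from {ip} at {ts}")
```

The result only covers users who appear in the log lines you feed in, so include rotated log files that span a period long enough for every client to have connected at least once.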

Compatibility notes for older clients

The cipher negotiation documentation in the OpenVPN repository describes how cipher negotiation works and how different versions and configurations interact.

OpenVPN 2.3 and older clients configured with the --enable-small flag do not indicate which ciphers they support. On Access Server 2.9.0 and newer, you can support legacy clients that don’t announce ciphers by enabling the data-ciphers-fallback option on the Configuration > Advanced VPN page in the Admin Web UI. The fallback is then set to the cipher defined in the vpn.server.cipher configuration key. If that key is not set, it defaults to BF-CBC.

You shouldn’t alter the vpn.server.cipher and vpn.client.cipher keys on installations with older OpenVPN clients that don’t support cipher negotiation. Doing so can cause messages regarding cipher mismatches to appear in logs. We recommend you follow the steps outlined in the previous section to move away from the BF-CBC cipher.