Tutorial: Change the Data-channel Encryption Cipher
How to change Access Server's data-channel encryption cipher. Adjust OpenVPN security with this tutorial.
Overview
The data-channel encryption cipher encrypts and decrypts the data packets transmitted through the OpenVPN tunnel. You can configure it on the server and client sides. However, the client and server must agree on a cipher they both support and allow. Support for data-channel ciphers changed with different releases, but we strive to retain backward compatibility.
Note
Compatibility: Access Server 2.5 and newer use AES-256-GCM by default if the client supports it. Older clients without AES-256-GCM support use a fallback cipher. Access Server configurations created on 2.5 or above use AES-256-CBC as the fallback cipher, while older configurations use BF-CBC.
AES-256 in either CBC (Cipher Block Chaining) or GCM (Galois/Counter Mode) mode is considered secure and meets stringent security requirements. Both use the same key strength, but more recent OpenVPN versions prefer AES-GCM because it is an authenticated-encryption mode that performs encryption and packet authentication in a single, faster step. With CBC mode, packet authentication is a separate step that uses HMAC-SHA1.
Caution
Changing the cipher configuration on Access Server may require new connection profiles for some OpenVPN clients.
On Access Server 2.9 and newer, you can configure the ciphers in the Admin Web UI. This tutorial explains how to do it using either the Admin Web UI or the command-line interface (CLI).
Prerequisites
Access Server 2.9 or newer.
Admin Web UI access (or root access to the server console for the CLI method).
When you define the data-channel encryption ciphers, you list one or more ciphers separated by a colon, in order of preference.
The first cipher in the list that the client supports is used for the OpenVPN connection. If the vpn.server.data_ciphers value is empty, Access Server uses the following default list:
AES-256-GCM
AES-128-GCM
CHACHA20-POLY1305 (enabled if supported on the server side)
Fallback cipher (value from vpn.server.cipher key)
On Access Server 2.5 and newer, the default value of the fallback cipher vpn.server.cipher is AES-256-CBC, while on older versions it was BF-CBC. Access Server still accepts the cipher set in this configuration key for backward compatibility. We no longer recommend BF-CBC for production use: Blowfish, like the DES variants, has a 64-bit block size, which is considered insecure for the amount of traffic a VPN tunnel carries.
Recommended values
AES-256-GCM
AES-128-GCM
CHACHA20-POLY1305
Optional values
AES-256-CBC
AES-192-CBC
AES-128-CBC
Deprecated values
BF-CBC
DES-CBC
DES-EDE3-CBC
DESX-CBC
none
Caution
The value “none” disables data channel encryption completely. We don’t recommend using it.
As of Access Server 2.9, you can configure the ciphers in the Admin Web UI using a string format with multiple ciphers separated by a colon (:)—for example, AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305.
Sign in to the Admin Web UI.
Click Configuration > Advanced VPN.
Enter your preferred data channel ciphers under Data channel ciphers, then click Save Settings and Update Running Server.
To configure the ciphers from the CLI:
Connect to the console with root privileges.
Switch to the scripts directory:
cd /usr/local/openvpn_as/scripts/
Set the data-channel encryption ciphers:
./sacli --key "vpn.server.data_ciphers" --value "<CIPHERS>" ConfigPut
./sacli start
Replace <CIPHERS> with a single string of ciphers separated by a colon (:), for example AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305.
To restore the default setting:
./sacli --key "vpn.server.data_ciphers" ConfigDel
./sacli start