
Tutorial: Change the TLS Control Channel Security Setting

Abstract

Configure the TLS control channel security for VPN client connections with Access Server.

Overview

You can configure the TLS control channel security in the Admin Web UI or the command line. You need the following:

  • An installed Access Server.

  • Admin Web UI or console access with root privileges.

Beginning in Access Server 2.9.0, TLS Crypt is the default TLS control channel security setting. Prior versions of Access Server set TLS Auth as the default. OpenVPN Access Server 2.8 and previous use the configuration key vpn.server.tls_auth to turn on or off the additional TLS control channel security using the TLS Auth method. When Access Server 2.9.0 or newer detects the presence of this configuration value in your configuration database, it adheres to that setting. However, if the configuration value vpn.server.tls_cc_security is present, that takes precedence. If neither key is present, the default TLS Crypt setting applies.

You can choose from these values:

  • none: No additional signing or verification is done on packets.

  • tls-auth: Uses a shared group key to sign and verify packets.

  • tls-crypt: The same as tls-auth, but also encrypts the TLS control channel (default).

  • tls-cryptv2: The same as above, but uses a per-client key instead of a shared group key.

Important

If the TLS control channel security is set to tls-auth or tls-crypt either explicitly or through a default setting, Access Server continues to generate new connection profiles with TLS Crypt v2 when possible and accepts connections from those profiles. This ensures Access Server continues to use TLS Crypt v2 and retains compatibility with TLS Auth or TLS Crypt for existing connection profiles or older OpenVPN client programs.

To change the setting in the Admin Web UI:

  1. Sign in to the Admin Web UI.

  2. Click Configuration > Advanced VPN.

  3. Select the desired value under TLS Control Channel Security and set it to Yes.

To set TLS Crypt v2 from the command line:

  1. Sign in to the console with root privileges.

  2. Switch to the scripts directory:

     cd /usr/local/openvpn_as/scripts/

  3. Set TLS Crypt v2 for the TLS control channel:

     ./sacli --key "vpn.server.tls_cc_security" --value "tls-cryptv2" ConfigPut
     ./sacli start

     • If you want to restore the default behavior, delete the configuration key:

       ./sacli --key "vpn.server.tls_cc_security" ConfigDel
       ./sacli start
To configure TLS Auth from the command line using the legacy vpn.server.tls_auth key:

  1. Sign in to the console with root privileges.

  2. Switch to the scripts directory:

     cd /usr/local/openvpn_as/scripts/

  3. Set TLS Auth (the default for Access Server 2.8 and older) for the TLS control channel:

     ./sacli --key "vpn.server.tls_auth" --value "true" ConfigPut
     ./sacli start

     • If you want to disable TLS Auth:

       ./sacli --key "vpn.server.tls_auth" --value "false" ConfigPut
       ./sacli start

Changing the TLS control channel security setting on a new Access Server installation is unlikely to affect existing VPN clients, because there are none yet. On an existing installation with many installed and configured VPN clients, changing the setting without updating the connection profiles on the client devices may cause connection failures. Whether failures occur depends on the type of connection profile each VPN client uses. After changing the setting, VPN clients that can't connect must get a new connection profile and/or update the VPN client software to a version that supports the configured TLS control channel security level.

Compatibility of control channel security configured on Access Server with listed OpenVPN client programs (an x marks a combination that can't connect; ok marks one that connects):

  Client program used               None   TLS Auth   TLS Crypt   TLS Crypt v2
  Connect v3.2+                     ok     ok         ok          ok
  Connect v3 previous versions      ok     ok         ok          x
  Connect v2.7.111+                 ok     ok         ok          ok
  Connect v2 previous versions      ok     ok         x           x
  Open source v2.5+                 ok     ok         ok          ok
  Open source v2.4                  ok     ok         ok          x
  Open source v2 previous versions  ok     ok         x           x

Important

OpenVPN Connect v3.2 can use TLS Crypt v2 type connection profiles, but importing a profile from a URL from an Access Server that isn’t configured for TLS Crypt v2 control channel security results in an imported profile with that specific setting. OpenVPN Connect v3.3 and newer retrieves a TLS Crypt v2 connection profile if the server is Access Server 2.9 or newer when the import from URL function is used.

Compatibility of control channel security setting configured on Access Server with listed connection profile types (an x marks a combination that can't connect; ok marks one that connects):

  Client profile                          none   TLS Auth   TLS Crypt   TLS Crypt v2
  Any profile of type 'none'              ok     x          x           x
  Any profile of type 'tls-auth'          x      ok         x           x
  Any profile of type 'tls-crypt'         x      x          ok          x
  Any profile of type 'tls-cryptv2'       x      ok         ok          ok
  Server-locked from AS 2.8 or previous   ok     ok         ok          ok

Important

Server-locked profiles from Access Server 2.8 or older use the web service to retrieve a user-locked type profile from the server whenever that type of connection starts. Therefore, this type of connection profile can establish connections no matter the control channel security configuration setting. Newer, server-locked profiles from Access Server 2.9 work differently. They do not communicate through the web service but function as any other type of connection profile. An advantage of the newer server-locked connection profiles is that they can function with any client, not just OpenVPN Connect.

Access Server connection profiles are plain-text files that contain directives that tell the OpenVPN process how and where to connect. You can open these profiles in a text editor and refer to the directives below that define the control channel security behavior. In typical .ovpn profiles that contain inline certificates, the keys are stored in-line in text blocks in the connection profile itself. The directives may be present in a slightly different form for externally referenced keys and refer to an external file containing that particular key. Below is an example of an externally referenced key, with the in-line versions commonly used with OpenVPN Access Server listed after.

An example of TLS Auth enabled using an externally referenced key:

tls-auth my_ta.key

And as an in-line parameter:

<tls-auth>
(The TLS Auth group key will be here.)
</tls-auth>

TLS Crypt in-line:

<tls-crypt>
(The TLS Crypt group key will be here.)
</tls-crypt>

TLS Crypt V2 in-line:

<tls-crypt-v2>
(The TLS Crypt v2 key will be here.)
</tls-crypt-v2>

Server-locked type profile:

setenv GENERIC_CONFIG

Note

If none of the directives tls-auth, tls-crypt, tls-crypt-v2, or setenv GENERIC_CONFIG exist in your connection profile, it doesn't use additional control channel security. If setenv GENERIC_CONFIG is present, it is a server-locked profile that uses the web service to obtain a new connection profile every time the connection starts; thus, it simply uses whatever setting your Access Server is configured to use.
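The checks described above can be scripted: the following added example (not part of the original tutorial or of Access Server) applies the key-precedence rule from the Overview to a dictionary of configuration values, classifies a connection profile by the directives listed in this section, and evaluates the profile-type compatibility table. The sample profile and the configuration dictionaries are constructed for illustration; any real profile would carry actual key material.

```python
import re

# Precedence described in the tutorial: vpn.server.tls_cc_security wins,
# then the legacy vpn.server.tls_auth key, then the 2.9+ default (tls-crypt).
def effective_server_setting(config):
    """config: dict of Access Server keys/values (constructed here, not read from sacli)."""
    if "vpn.server.tls_cc_security" in config:
        return config["vpn.server.tls_cc_security"]
    if "vpn.server.tls_auth" in config:
        return "tls-auth" if config["vpn.server.tls_auth"] == "true" else "none"
    return "tls-crypt"

# Directive name in the profile -> value name used by vpn.server.tls_cc_security.
# Most specific name first so "tls-crypt-v2" is not mistaken for "tls-crypt".
DIRECTIVES = {"tls-crypt-v2": "tls-cryptv2", "tls-crypt": "tls-crypt", "tls-auth": "tls-auth"}

def profile_type(text):
    """Classify an .ovpn profile by the directives the tutorial lists.
    Handles both the inline <name> block and the external-file form 'name file.key'."""
    if re.search(r"^\s*setenv\s+GENERIC_CONFIG\b", text, re.M):
        return "server-locked"  # AS 2.8-style: fetches a fresh profile via the web service
    for directive, setting in DIRECTIVES.items():
        inline = re.search(rf"^\s*<{directive}>\s*$", text, re.M)
        external = re.search(rf"^\s*{directive}\s+\S", text, re.M)
        if inline or external:
            return setting
    return "none"

def can_connect(ptype, server_setting):
    """Compatibility rules from the profile-type table in the tutorial."""
    if ptype == "server-locked":
        return True  # adopts whatever the server is configured to use
    if ptype == "tls-cryptv2":
        return server_setting != "none"  # still accepted under tls-auth / tls-crypt
    return ptype == server_setting

# Constructed sample profile (placeholder key material, not a real key).
SAMPLE_PROFILE = """\
client
dev tun
remote vpn.example.com 1194 udp
<tls-crypt-v2>
(constructed placeholder key)
</tls-crypt-v2>
"""

if __name__ == "__main__":
    server = effective_server_setting({"vpn.server.tls_auth": "true"})
    ptype = profile_type(SAMPLE_PROFILE)
    print(f"server={server} profile={ptype} connects={can_connect(ptype, server)}")
```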