Tutorial: Select the TLS Level for the OpenVPN Daemons

Abstract

Configure the TLS level for OpenVPN daemons in Access Server. Follow our guide for Admin Web UI and command-line interface instructions.

Overview

Current Access Server versions use TLS 1.2 as the default for the OpenVPN daemons. However, older clients may not support TLS 1.1 or newer. For instance, an OpenVPN client from 2014 or earlier will not connect to a server requiring TLS 1.1 or 1.2. If your current setup uses TLS 1.0 and you have many clients with pre-configured profiles and software, it is recommended to stay with TLS 1.0 to avoid disruptions. Conversely, downgrading from TLS 1.1 or later to TLS 1.0 will also require updating client profiles or software.

Important considerations

  • Client Compatibility: Ensure all client software supports the desired TLS version.

  • Connection Profiles: Changing the TLS version may require new connection profiles or client updates.

  • Installed Access Server.

  • Client apps.

Default settings

As of Access Server 2.1.12, the default TLS setting for OpenVPN daemons is 1.2. Upgrades from older versions maintain the previous TLS settings to avoid breaking existing configurations.

Admin Web UI

  1. Sign in to the Admin Web UI.

  2. Click Configuration > TLS Settings.

  3. Select the desired minimum TLS version.

Command-line interface

  1. Connect to the console and get root privileges.

  2. Switch to the scripts directory:

    cd /usr/local/openvpn_as/scripts/

  3. Use the following commands to set the minimum allowed TLS level:

    • Set minimum TLS level to 1.0 (legacy):

      ./sacli --key "vpn.server.tls_version_min" --value "1.0" ConfigPut
      
    • Set minimum TLS level to 1.1:

      ./sacli --key "vpn.server.tls_version_min" --value "1.1" ConfigPut
      
    • Set minimum TLS level to 1.2 (default):

      ./sacli --key "vpn.server.tls_version_min" --value "1.2" ConfigPut
      
    • Set minimum TLS level to 1.3:

      ./sacli --key "vpn.server.tls_version_min" --value "1.3" ConfigPut

  4. Restart the server to apply the new settings:

    ./sacli start
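
The command-line steps above, wrapped as an added example (not part of the original tutorial and not OpenVPN's own tooling): a POSIX shell function that validates the requested version and refuses to lower the current minimum unless told to. The function names and the --allow-downgrade switch are hypothetical, and the script assumes that sacli ConfigQuery prints the configuration as JSON "key": "value" pairs.

```shell
#!/bin/sh
# Added example: guarded change of vpn.server.tls_version_min.
# The sacli path and the key name come from the tutorial; the rest is illustrative.
SACLI="${SACLI:-/usr/local/openvpn_as/scripts/sacli}"
KEY="vpn.server.tls_version_min"

# Map a TLS version string to a sortable rank; fail on anything else.
tls_rank() {
    case "$1" in
        1.0) echo 10 ;; 1.1) echo 11 ;; 1.2) echo 12 ;; 1.3) echo 13 ;;
        *) return 1 ;;
    esac
}

# Print the configured minimum, or nothing if the key is not set explicitly.
# Assumption: ConfigQuery prints the configuration as JSON "key": "value" pairs.
current_tls_min() {
    "$SACLI" ConfigQuery | sed -n "s/.*\"$KEY\": *\"\([0-9.]*\)\".*/\1/p"
}

# set_tls_min VERSION [--allow-downgrade]
# Returns 0 on success, 1 if sacli fails, 2 on an invalid version,
# 3 when the change would lower the minimum and was not explicitly allowed.
set_tls_min() {
    new="$1"; allow="${2:-}"
    new_rank=$(tls_rank "$new") || { echo "invalid TLS version: $new" >&2; return 2; }
    cur=$(current_tls_min)
    if [ -n "$cur" ] && cur_rank=$(tls_rank "$cur") \
        && [ "$new_rank" -lt "$cur_rank" ] && [ "$allow" != "--allow-downgrade" ]; then
        echo "refusing to lower minimum from $cur to $new" >&2
        return 3
    fi
    "$SACLI" --key "$KEY" --value "$new" ConfigPut || return 1
    "$SACLI" start || return 1
    echo "minimum TLS: ${cur:-unset} -> $new"
}
```

Source the file as root and call, for example, set_tls_min 1.2; pass --allow-downgrade as the second argument only when legacy clients require a lower minimum.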