Tutorial: Select the TLS Level for the OpenVPN Daemons

Abstract

Configure the minimum TLS version for OpenVPN daemons in Access Server using the Admin Web UI or command-line interface.

Overview

Access Server uses TLS to secure VPN daemon connections. TLS 1.0 and 1.1 are outdated and insecure, and are no longer recommended. If your deployment includes legacy OpenVPN clients that don't support TLS 1.2 or newer (e.g., clients from 2014 or earlier), they will fail to connect unless the server is explicitly configured to allow older TLS versions.

Default TLS settings by version

Scenario                                            Default minimum TLS version
New installation on Access Server 3.2.0 or newer    TLS 1.3
Upgrade from Access Server 3.1.x or earlier         Retains previous setting (TLS 1.2 unless manually changed)
New installation on Access Server 2.1.12-3.1.x      TLS 1.2

Important

If you need to support legacy systems that don't support TLS 1.3, you can lower the minimum TLS version using the vpn.server.tls_version_min configuration key. See Option 2 below.

Important considerations

  • Client Compatibility: Ensure all client software supports the desired TLS version before changing this setting.

  • Connection Profiles: Changing the TLS version may require updated connection profiles or client software updates.

Prerequisites

  • Installed Access Server.

  • Admin Web UI access or console access with root privileges.

Option 1: Admin Web UI

  1. Sign in to the Admin Web UI.

  2. Select Configuration → TLS Settings.

  3. Select the desired minimum TLS version.

Option 2: Command-line interface

  1. Connect to the console and get root privileges.

  2. Switch to the scripts directory:

    cd /usr/local/openvpn_as/scripts/

  3. Use the following commands to set the minimum allowed TLS level:

    • Set minimum TLS level to 1.0 (legacy):

      ./sacli --key "vpn.server.tls_version_min" --value "1.0" ConfigPut
      
    • Set minimum TLS level to 1.1:

      ./sacli --key "vpn.server.tls_version_min" --value "1.1" ConfigPut
      
    • Set minimum TLS level to 1.2:

      ./sacli --key "vpn.server.tls_version_min" --value "1.2" ConfigPut
      
    • Set minimum TLS level to 1.3:

      ./sacli --key "vpn.server.tls_version_min" --value "1.3" ConfigPut

  4. Restart the server to apply the changes:

    ./sacli start
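
Because an upgrade retains the previous setting, it is worth auditing the configured value before and after a change. The script below is an added example, not part of the original tutorial or of Access Server. It assumes that `./sacli ConfigQuery` prints the configuration as JSON with one "key": "value" pair per line; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the minimum TLS version configured for the OpenVPN daemons.
# Assumption: `./sacli ConfigQuery` prints JSON with one "key": "value" pair per line.
KEY="vpn.server.tls_version_min"

# Read ConfigQuery-style JSON on stdin and print the value of the TLS key.
# Prints nothing when the key is not set.
tls_min_from_config() {
    sed -n 's/^[[:space:]]*"vpn\.server\.tls_version_min"[[:space:]]*:[[:space:]]*"\([^"]*\)".*$/\1/p' | head -n 1
}

# Classify a minimum TLS version string.
classify_tls_min() {
    case "$1" in
        1.2|1.3) echo "ok" ;;       # modern minimum
        1.0|1.1) echo "legacy" ;;   # outdated, only for old clients
        "")      echo "unset" ;;    # key absent: the version default applies
        *)       echo "invalid" ;;  # not one of the four documented values
    esac
}

# Read a config on stdin, report the setting, succeed only when it is 1.2 or 1.3.
audit_tls_min() {
    value=$(tls_min_from_config)
    status=$(classify_tls_min "$value")
    echo "$KEY=${value:-<not set>} status=$status"
    [ "$status" = "ok" ]
}

# Constructed sample of ConfigQuery output (not taken from a real server).
SAMPLE_CONFIG='{
  "host.name": "vpn.example.com",
  "vpn.server.tls_version_min": "1.1"
}'

# Demonstration on the constructed sample; reports status=legacy.
printf '%s\n' "$SAMPLE_CONFIG" | audit_tls_min || true

# On a real server, from /usr/local/openvpn_as/scripts/:
#   ./sacli ConfigQuery | audit_tls_min
```

A non-zero exit status from `audit_tls_min` makes the check usable in a scheduled job or a post-upgrade script.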