Tutorial: Change the Data-Channel Encryption Cipher
How to change Access Server's data-channel encryption cipher. Adjust OpenVPN security with this tutorial.
Overview
The data-channel encryption cipher determines how the data packets transmitted through the OpenVPN tunnel are encrypted and decrypted. On the server, ciphers can be specified in order of priority. The first cipher that the client also supports will be used for the VPN session. This allows for backward compatibility so that newer clients capable of better encryption ciphers will prefer to use those, while older clients can still connect using older cipher methods.
With default settings, the Access Server is compliant with FIPS 140-2. The cipher used is AES-256, and when deployed in an environment that enforces FIPS compliance, it can operate without configuration changes.
This tutorial explains how to use the Admin Web UI or the command-line interface (CLI) to configure the ciphers.
Caution
Since the cipher configuration can be independently set on the client and server sides, changing the setting on the server side may require updating the client connection profile to match the new settings. Keep this in mind when changing the cipher list on existing deployments.
An installed Access Server.
Admin Web UI access.
When you define the data-channel encryption ciphers, you list multiple ciphers separated by a colon as an ordered data cipher string. This is specified in order of priority so that the first cipher that matches what the client supports will be used for the VPN session. The default configuration is as follows:
AES-256-GCM
AES-128-GCM
?CHACHA20-POLY1305 (enabled if supported on the server side)*
*The CHACHA20-POLY1305 cipher is prepended with a question mark to indicate that it is a soft requirement. This means that if the server environment supports the use of this cipher, it will be enabled and can be used; otherwise, it will be ignored. This cipher is optimized for use in environments where hardware AES-256 support is unavailable.
Recommended values
AES-256-GCM
AES-128-GCM
CHACHA20-POLY1305
Optional values
AES-256-CBC
AES-192-CBC
AES-128-CBC
AES-192-GCM
Deprecated values
BF-CBC
DES-CBC
DES-EDE3-CBC
DESX-CBC
none
Caution
The value “none” completely disables data channel encryption. We don’t recommend using it — it is only meant for debugging purposes. The other deprecated ciphers listed above may no longer be allowed by the OpenSSL security settings of your operating system.
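The following Python script is an added example, not code from the Access Server product or its documentation, illustrating two things described above: how an ordered data cipher string with a “?” soft entry is interpreted, and how the server's priority order decides which cipher a given client ends up with. The cipher names and the recommended/optional/deprecated groupings are taken from the lists in this tutorial; the client and server capability sets in the demo are constructed for illustration, and the negotiation is a simplified model of the behaviour the text describes, not OpenVPN's actual implementation.

```python
"""Parse, sanity-check and negotiate an OpenVPN-style data cipher string (example)."""
from __future__ import annotations
from dataclasses import dataclass

# Groupings as listed in this tutorial.
RECOMMENDED = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}
OPTIONAL = {"AES-256-CBC", "AES-192-CBC", "AES-128-CBC", "AES-192-GCM"}
DEPRECATED = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "DESX-CBC", "none"}


@dataclass(frozen=True)
class CipherEntry:
    name: str
    soft: bool  # True when the entry was prefixed with '?': use only if the server supports it


def parse_cipher_string(value: str) -> list[CipherEntry]:
    """Split a colon-separated, priority-ordered cipher string into entries."""
    entries = []
    for raw in value.split(":"):
        raw = raw.strip()
        if not raw:
            raise ValueError("empty entry in data cipher string")
        soft = raw.startswith("?")
        name = raw[1:] if soft else raw
        if not name:
            raise ValueError("'?' must be followed by a cipher name")
        entries.append(CipherEntry(name, soft))
    return entries


def check_cipher_list(entries: list[CipherEntry]) -> list[str]:
    """Return warnings for entries an administrator should not leave in a production list."""
    warnings = []
    for e in entries:
        if e.name == "none":
            warnings.append("'none' disables data-channel encryption entirely (debugging only)")
        elif e.name in DEPRECATED:
            warnings.append(f"{e.name} is deprecated and may be rejected by the OS OpenSSL policy")
        elif e.name not in RECOMMENDED | OPTIONAL:
            warnings.append(f"{e.name} is not a cipher listed in this tutorial")
    return warnings


def effective_server_ciphers(entries: list[CipherEntry], server_supported: set[str]) -> list[str]:
    """Apply the soft-requirement rule: '?' entries the server lacks are silently dropped,
    while a hard entry the server cannot provide is a configuration error."""
    result = []
    for e in entries:
        if e.name in server_supported:
            result.append(e.name)
        elif not e.soft:
            raise ValueError(f"server does not support required cipher {e.name}")
    return result


def negotiate(server_ciphers: list[str], client_supported: set[str]) -> str | None:
    """Server priority order wins: the first server cipher the client also supports is used.
    Returns None when there is no overlap, i.e. the client cannot establish a session."""
    for cipher in server_ciphers:
        if cipher in client_supported:
            return cipher
    return None


if __name__ == "__main__":
    default_string = "AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305"  # the tutorial's default
    entries = parse_cipher_string(default_string)
    # Constructed capability sets: a server without ChaCha20, a modern and an old client.
    server = effective_server_ciphers(entries, {"AES-256-GCM", "AES-128-GCM", "AES-256-CBC"})
    print("server will offer:", server)
    print("modern client ->", negotiate(server, {"AES-256-GCM", "CHACHA20-POLY1305"}))
    print("AES-128-only client ->", negotiate(server, {"AES-128-GCM", "AES-256-CBC"}))
    print("CBC-only client ->", negotiate(server, {"AES-256-CBC"}))  # None: profile must be updated
    for w in check_cipher_list(parse_cipher_string("AES-256-GCM:BF-CBC:none")):
        print("warning:", w)
```

The last call shows the situation the Caution near the top of this page warns about: a client whose profile only allows a cipher the server no longer lists gets no match at all, so tightening the server list must be paired with updating client profiles.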
Sign in to the Admin Web UI.
Click VPN Server.
Click the Security / Encryption tab.
Enter your preferred data channel ciphers in the fields for Data-channel ciphers. (You may need to uncheck Use Defaults to remove and add ciphers.)
Click Save and Restart.
To configure the ciphers from the CLI:
To restore the default setting:
sacli --key "vpn.server.data_ciphers" ConfigDel
sacli start