Tutorial: Select the TLS Level for the OpenVPN Daemons

Abstract

Configure the TLS level for OpenVPN daemons in Access Server. Follow our guide for Admin Web UI and command-line interface instructions.

Overview

Access Server 3.0 uses TLS 1.2 and 1.3 by default for the OpenVPN daemons. TLS 1.0 and 1.1 are considered outdated and insecure, and are no longer recommended. If your deployment includes legacy OpenVPN clients that don't support TLS 1.2 or newer (e.g., clients from 2014 or earlier), they will fail to connect unless the server is explicitly configured to allow older TLS versions.

Upgrading the server to use stronger TLS settings improves security but may require clients to update their software or connection profiles to remain compatible.

Important considerations

  • Client Compatibility: Ensure all client software supports the desired TLS version.

  • Connection Profiles: Changing the TLS version may require new connection profiles or client updates.

  • Installed Access Server.

  • Client apps.

Default settings

As of Access Server 2.1.12, the default TLS setting for OpenVPN daemons is 1.2. Upgrades from older versions maintain the previous TLS settings to avoid breaking existing configurations.

Admin Web UI

  1. Sign in to the Admin Web UI.

  2. Click VPN Server.

    • The Network Settings tab displays.

  3. Click the Security / Encryption tab.

  4. Select the desired Minimum TLS level required.

  5. Click Save and Restart.

Command-line interface

  1. Connect to the console and get root privileges.

  2. Use the following commands to set the minimum allowed TLS level:

    • Set minimum TLS level to 1.0 (legacy):

      sacli --key "vpn.server.tls_version_min" --value "1.0" ConfigPut
      
    • Set minimum TLS level to 1.1:

      sacli --key "vpn.server.tls_version_min" --value "1.1" ConfigPut
      
    • Set minimum TLS level to 1.2 (default):

      sacli --key "vpn.server.tls_version_min" --value "1.2" ConfigPut
      
    • Set minimum TLS level to 1.3:

      sacli --key "vpn.server.tls_version_min" --value "1.3" ConfigPut

  3. Ensure you restart the server after making these changes to apply the new settings:

    sacli start
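
A pre-flight check for the client-compatibility point above, as an added example that is not part of the Access Server documentation: it counts handshakes in a server log that negotiated a TLS version below the level you want to set, and prints the sacli commands from this tutorial only when none are found. The function names are hypothetical, the sample log lines are constructed, and it assumes the log contains OpenVPN's "Control Channel: TLSvX.Y" handshake line.

```shell
#!/bin/sh
# Added example: pre-flight check before raising vpn.server.tls_version_min.
# Assumption: the server log contains OpenVPN's per-handshake line
# "Control Channel: TLSvX.Y, ..." (format and log location vary by version).

# clients_below LOGFILE MIN -> one "version count" line per TLS version < MIN
clients_below() {
    awk -v min="$2" '
        match($0, /Control Channel: TLSv[0-9]+\.[0-9]+/) {
            ver = substr($0, RSTART + 21, RLENGTH - 21)   # text after "TLSv"
            if (ver + 0 < min + 0) seen[ver]++
        }
        END { for (v in seen) print v, seen[v] }' "$1" | sort
}

# set_tls_min LEVEL LOGFILE -> prints the page's sacli commands, or refuses
set_tls_min() {
    case "$1" in
        1.0|1.1|1.2|1.3) ;;
        *) echo "invalid TLS level: $1" >&2; return 2 ;;
    esac
    below=$(clients_below "$2" "$1")
    if [ -n "$below" ]; then
        echo "refusing: handshakes below TLS $1 in $2 (version count):" >&2
        echo "$below" >&2
        return 1
    fi
    echo "sacli --key \"vpn.server.tls_version_min\" --value \"$1\" ConfigPut"
    echo "sacli start"
}

# Constructed sample log (not real traffic; documentation address ranges).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2024-05-01T10:00:01 198.51.100.7:51820 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384
2024-05-01T10:02:14 203.0.113.9:40112 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
2024-05-01T10:05:40 203.0.113.44:39001 Control Channel: TLSv1.0, cipher TLSv1.0 DHE-RSA-AES256-SHA
EOF

set_tls_min 1.3 "$SAMPLE_LOG" || true   # refused: TLSv1.0 and TLSv1.2 handshakes present
set_tls_min 1.0 "$SAMPLE_LOG"           # nothing below 1.0, so the commands are printed
```

A clean result only covers clients that connected during the period the log spans.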