Additional security command line options

Change the data-channel encryption cipher for server and client

The data-channel encryption cipher encrypts and decrypts the data packets transmitted through the OpenVPN tunnel. You can configure it on the server and client sides. For detailed information on how to do this in the Admin Web UI or command line, refer to Change encryption cipher in Access Server.

Mid-session TLS encryption key renegotiation

Mid-session TLS key renegotiation is when an established OpenVPN session renegotiates its underlying TLS session and the encryption key derived from it. Either the server or the client may trigger the renegotiation. On Access Server it is normally invisible to the end user, because the session token, if still valid, is used in place of the user's credentials. As of Access Server 2.9.3 the default interval is 60 minutes (1 hour); previous versions default to 360 minutes (6 hours). If you upgrade Access Server from a previous version to 2.9.3 or later, the 360-minute value is kept.

Session expiration is checked during TLS renegotiation, which happens automatically at the interval set here and whenever a disrupted connection reconnects. If you change the session token expiration, adjust this interval as well; otherwise a session may not expire at the moment you expect. You can change this setting in the Admin Web UI or from the command line.

To change this in the Admin Web UI:

  1. Sign in to the Admin Web UI.
  2. Click Configuration > Advanced VPN.
  3. Enter the new value under Connection Security Refresh.
  4. Click Save Settings, then Update Running Server.

To change this from the command line, set the configuration key with sacli. Make sure you are signed in with root privileges and run the commands below from the /usr/local/openvpn_as/scripts/ directory.

Change the mid-session TLS renegotiation period (default 60 minutes):

./sacli --key "vpn.tls_refresh.interval" --value <MINUTES> ConfigPut
./sacli start

Restore this value to default:

./sacli --key "vpn.tls_refresh.interval" --value "60" ConfigPut
./sacli start

Note: The OpenVPN protocol also has a parameter that determines after how many bytes of traffic a key must be renegotiated (there is no configuration key for it in Access Server). If BF-CBC is in use, up-to-date OpenVPN client programs set this byte threshold at around 60 megabytes, so that not enough data is ever transmitted under one key to exploit the known weakness of the BF-CBC encryption cipher. The resulting more frequent key refresh mitigates that weakness in the Blowfish (BF-CBC) cipher.

Authentication failure lockout policy

OpenVPN Access Server automatically locks out user accounts after repeated failed authentications as a security precaution. When the lockout is triggered on an account, the user sees a message such as "LOCKOUT" or "user temporarily locked out due to multiple authentication failures" when trying to sign in. This prevents brute-force password guessing by endlessly trying different passwords.

On Access Server 2.10 and newer, the lockout triggers when a wrong password is entered five times consecutively within 15 minutes, and it expires after 15 minutes. You can modify these defaults, and you can lift a lockout manually if you don't want to wait the 15 minutes. On Access Server 2.9 and older, the default is three failed attempts followed by a 15-minute lockout.

Authentications made with a user-locked connection profile, and bootstrap accounts, are exempt from the lockout policy. Obtaining a user-locked connection profile already requires authentication with valid credentials; bootstrap accounts bypass the lockout policy only on Access Server 2.9 and older.

Configure the lockout policy in the Admin Web UI

OpenVPN Access Server 2.10.2 and newer lets you configure the lockout policy in the Admin Web UI:

  1. Sign in to the Admin Web UI.
  2. Click Authentication > Settings.
  3. Under Password Lockout Policy, adjust the settings as needed.
  4. Click Save Settings and Update Running Server.

Commands for configuring the lockout policy

Configure the lockout policy with the settings below.

Set the number of authentication failures after which the user will be locked out (default is 5):

./sacli --key "vpn.server.lockout_policy.n_fails" --value <NUMBER> ConfigPut
./sacli start

Release the lockout on a user after the specified number of seconds has passed (default is 900 seconds, or 15 minutes):

./sacli --key "vpn.server.lockout_policy.reset_time" --value <SECONDS> ConfigPut
./sacli start

Set the maximum size of the lockout dictionary (default is 10000):

./sacli --key "vpn.server.lockout_policy.max_history" --value <BYTES> ConfigPut
./sacli start

OpenVPN Access Server tracks failed attempts in the lockout dictionary, storing the incorrect passwords as hashes. The default size is adequate unless you have thousands of users repeatedly entering incorrect passwords. When the dictionary reaches its maximum size it is eventually purged. The consequence, with thousands of users entering wrong passwords, is that a user whose failed attempts are spread far enough apart (hours) may be allowed more failures than configured before being locked out. Failed attempts that occur shortly after one another are still counted per user exactly as configured. We recommend leaving the default value.

Note: if you’re using an external authentication system, that system might have its own lockout policy.

Manually unlock a locked-out user account

If you wish to unlock locked-out users manually, follow the steps below. Note that you cannot unlock a single specific user at this time; the procedure releases all current lockouts. We recommend the following: set the automatic lockout reset period to one second, allow time for all lockouts to reset, then set the lockout period back to its previous value.

To manually unlock locked-out users from the Admin Web UI:

  1. Sign in to the Admin Web UI.
  2. Click Authentication > Settings.
  3. Set Lockout release timeout in seconds to 1.
  4. Click Save Settings and Update Running Server.
  5. Allow time for lockouts to reset.
  6. Set Lockout release timeout in seconds back to the previous value (900 is the default value).
  7. Click Save Settings and Update Running Server.

To manually unlock locked-out users from the command line (the example below restores the default 900 seconds, or 15 minutes, as the final value; substitute your own previous value if you changed it):

./sacli --key "vpn.server.lockout_policy.reset_time" --value "1" ConfigPut
./sacli start
sleep 2
./sacli --key "vpn.server.lockout_policy.reset_time" --value "900" ConfigPut
./sacli start
service openvpnas restart
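The following shell script is an added example, not part of Access Server or its sacli tooling. It wraps the lockout commands above and the manual unlock sequence with the checks an administrator usually wants: both values must be positive integers, reset_time is checked to be seconds rather than minutes, the server is restarted once after both ConfigPut calls, and the unlock procedure restores whatever reset_time was previously configured instead of assuming 900. It assumes sacli is at /usr/local/openvpn_as/scripts/sacli (overridable through SACLI) and that `sacli ConfigQuery` prints the current configuration as JSON with one `"key": "value"` pair per line; both are assumptions. Setting DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not Access Server's own tooling): apply the lockout policy
# with input checks and a single restart, and release all lockouts using the
# documented reset_time sequence while preserving the previously set value.
#
# Assumptions (labelled): sacli lives at $SACLI, and "sacli ConfigQuery"
# prints the configuration as JSON, one "key": "value" pair per line.

SACLI="${SACLI:-/usr/local/openvpn_as/scripts/sacli}"
DRY_RUN="${DRY_RUN:-0}"

# Run one sacli invocation, or print it when DRY_RUN=1.
run_sacli() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "sacli $*"
    else
        "$SACLI" "$@"
    fi
}

# Accept only positive decimal integers; sacli itself stores whatever it is given.
is_positive_int() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# Set failures-before-lockout and lockout duration (seconds), then restart once.
configure_lockout_policy() {
    n_fails="$1"; reset_seconds="$2"
    if ! is_positive_int "$n_fails" || ! is_positive_int "$reset_seconds"; then
        echo "usage: configure_lockout_policy <n_fails> <reset_seconds>" >&2
        return 2
    fi
    # reset_time is in seconds; a value below 60 almost always means minutes
    # were typed by mistake, which would silently weaken the policy.
    if [ "$reset_seconds" -lt 60 ]; then
        echo "reset_seconds=$reset_seconds looks like minutes, not seconds" >&2
        return 2
    fi
    run_sacli --key "vpn.server.lockout_policy.n_fails" --value "$n_fails" ConfigPut
    run_sacli --key "vpn.server.lockout_policy.reset_time" --value "$reset_seconds" ConfigPut
    run_sacli start
}

# Read the configured reset_time so the unlock procedure can restore the real
# previous value. Falls back to the documented default (900) if it is unset.
current_reset_time() {
    value=$(run_sacli ConfigQuery \
        | sed -n 's/.*"vpn\.server\.lockout_policy\.reset_time": *"\([0-9]*\)".*/\1/p' \
        | head -n 1)
    echo "${value:-900}"
}

# Release every active lockout: shrink reset_time to 1 second, give the server
# time to expire the entries, then restore the previous value. Prints that value.
release_all_lockouts() {
    previous=$(current_reset_time)
    run_sacli --key "vpn.server.lockout_policy.reset_time" --value "1" ConfigPut
    run_sacli start
    [ "$DRY_RUN" = "1" ] || sleep 2
    run_sacli --key "vpn.server.lockout_policy.reset_time" --value "$previous" ConfigPut
    run_sacli start
    echo "$previous"
}
```

Typical use is `configure_lockout_policy 5 900` to apply the documented defaults, and `release_all_lockouts` in place of the hand-typed sequence above. The max_history key is deliberately left alone, in line with the recommendation to keep its default.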

TLS control channel security

You can configure the TLS Control Channel security through the Admin Web UI under Configuration > Advanced VPN. You can also make changes from the command line. For detailed information, refer to TLS Control Channel Security in OpenVPN Access Server.

Google Authenticator multi-factor authentication

This documentation section was moved to: Google Authenticator multi-factor authentication

Selecting TLS level for the OpenVPN daemons

Current versions of Access Server use TLS 1.2 as the default for the OpenVPN daemons. Older clients may not be able to handle TLS 1.1 or newer; for example, an OpenVPN client from 2014 or older cannot connect to an OpenVPN server that requires TLS 1.1 or TLS 1.2. If your Access Server is currently set to TLS 1.0 on the OpenVPN daemons and you have connection profiles and client software installed on a large number of clients, we recommend you stay with TLS 1.0 and not upgrade. The reverse is likewise true if for some reason you want to downgrade from TLS 1.1 or later.

The reason is that connection profiles are configured either for the old method, where TLS 1.0 is assumed, or for the new method, where a minimum TLS version is written into the connection profile and the client then expects that version or higher. In other words, switching between TLS 1.0 and TLS 1.1/1.2/1.3 means some clients will need a new copy of the connection profile, or will need to be updated or reinstalled. Be aware of these consequences before changing the setting.

As of OpenVPN Access Server 2.1.12 the default TLS setting for the OpenVPN daemons is 1.2. During upgrades from older versions the previous setting is kept to avoid breaking existing setups. The minimum TLS level for the OpenVPN daemons can be configured in the Admin Web UI under TLS Settings. Below are the commands to reconfigure it on the command line; as with the other settings above, run ./sacli start after ConfigPut to apply the change.

Set minimum allowed TLS level to 1.0 (legacy):

./sacli --key "vpn.server.tls_version_min" --value "1.0" ConfigPut

Set minimum allowed TLS level to 1.1:

./sacli --key "vpn.server.tls_version_min" --value "1.1" ConfigPut

Set minimum allowed TLS level to 1.2 (the default):

./sacli --key "vpn.server.tls_version_min" --value "1.2" ConfigPut

Set minimum allowed TLS level to 1.3:

./sacli --key "vpn.server.tls_version_min" --value "1.3" ConfigPut
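Because a change of TLS level can orphan existing connection profiles, it helps to audit the exported profiles first. The script below is an added example, not Access Server code. It assumes that profiles generated with the new method carry the OpenVPN directive `tls-version-min <version> [or-highest]`, and that a profile without that directive is the legacy kind that assumes TLS 1.0; both are assumptions about the profile format, and the two sample profiles embedded in it are constructed, not real exports. It applies the two-mode rule described above: legacy profiles pair with a server minimum of 1.0, new-method profiles with a minimum of 1.1 or higher, and anything else is reported as needing reissue.

```shell
#!/bin/sh
# Added example, not Access Server's own code: audit connection profiles
# against a planned vpn.server.tls_version_min value before changing it.
#
# Assumption (labelled): new-method profiles contain "tls-version-min <ver>";
# profiles without that directive are the legacy, TLS-1.0-assumed kind.

# Constructed sample profiles (not real exports) used for demonstration.
SAMPLE_LEGACY='client
dev tun
remote vpn.example.com 1194 udp
cipher AES-256-CBC
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>'

SAMPLE_NEW='client
dev tun
remote vpn.example.com 1194 udp
tls-version-min 1.2 or-highest
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>'

# Print the minimum TLS version declared in the profile on stdin, or "none".
profile_tls_min() {
    awk '$1 == "tls-version-min" { print $2; found = 1; exit }
         END { if (!found) print "none" }'
}

# Accept only the four values the server setting takes.
valid_tls_level() {
    case "$1" in
        1.0|1.1|1.2|1.3) return 0 ;;
        *) return 1 ;;
    esac
}

# Verdict for one profile (stdin) against the server minimum: "ok" when the
# profile kind matches the server mode, "reissue" when clients using it will
# need a fresh profile after the change.
classify_profile() {
    server_min="$1"
    valid_tls_level "$server_min" || { echo "bad TLS level: $server_min" >&2; return 2; }
    profile_min=$(profile_tls_min)
    if [ "$profile_min" = "none" ]; then
        # Legacy profile: only compatible with the TLS 1.0 server mode.
        if [ "$server_min" = "1.0" ]; then echo ok; else echo reissue; fi
    else
        # New-method profile: expects its configured minimum or higher, so it
        # pairs with a server minimum of 1.1 or above.
        if [ "$server_min" = "1.0" ]; then echo reissue; else echo ok; fi
    fi
}

# Audit profile files: prints "<file> <verdict>" per line and returns 1 if
# any profile would need reissuing, so it can gate a change script.
audit_profiles() {
    server_min="$1"; shift
    needs_reissue=0
    for f in "$@"; do
        verdict=$(classify_profile "$server_min" < "$f")
        echo "$f $verdict"
        [ "$verdict" = "reissue" ] && needs_reissue=1
    done
    return "$needs_reissue"
}
```

Run it as `audit_profiles 1.2 /path/to/profiles/*.ovpn` before issuing the ConfigPut for the new level; a non-zero exit tells you which profiles to regenerate and redistribute first.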

Disable use of client certificates

OpenVPN Access Server uses unique client certificates and private keys as an important part of the security of the OpenVPN connection. Each user-locked and autologin connection profile downloaded from the Access Server contains a unique public and private key pair that identifies that client to the server.

In certain use cases, it may be desirable to connect without client certificates. In previous Access Server versions, the no-client-certificate behavior could only be configured on the command line, with the no_client_cert parameter in as.conf. That method is no longer supported or recommended.

Access Server now supports this use case with a server-locked profile instead. To connect to your Access Server without a client certificate, ensure that you have Access Server 2.9.0 or above installed, then download and use a server-locked profile for the connection.