Skip to main content

Tutorial: Change the Data-Channel Encryption Cipher

Abstract

How to change Access Server's data-channel encryption cipher. Adjust OpenVPN security with this tutorial.

Overview

The data-channel encryption cipher determines how the data packets transmitted through the OpenVPN tunnel are encrypted and decrypted. On the server, ciphers can be specified in order of priority. The first cipher that the client also supports will be used for the VPN session. This allows for backward compatibility so that newer clients capable of better encryption ciphers will prefer to use those, while older clients can still connect using older cipher methods.

In default settings, the Access Server is compliant with FIPS-140-2. The cipher used is AES-256, and when deployed in an environment that enforces FIPS compliance, it can operate without configuration changes.

On Access Server 2.9 and newer, you can configure the ciphers in the Admin Web UI. This tutorial explains using the Admin Web UI or the command-line interface (CLI).

Caution

Since the cipher configuration can be independently set on the client and server sides, changing the setting on the server side may require updating the client connection profile to match the new settings. Keep this in mind when changing the cipher list on existing deployments.

Prerequisites

  • Access Server 2.9 and newer.

  • Admin Web UI access.

Step 1: Determine what ciphers to allow

When you define the data-channel encryption ciphers, you list multiple ciphers separated by a colon as an ordered data cipher string. This is specified in order of priority so that the first cipher that matches what the client supports will be used for the VPN session. The default configuration is as follows:

  • AES-256-GCM

  • AES-128-GCM

  • ?CHACHA20-POLY1305 (enabled if supported on the server side)*

  • Backward compatibility cipher (only on Access Server 2.9 through 2.12)

*The CHACHA20-POLY1305 cipher is prepended with a question mark to indicate that it is a soft requirement. This means that if the server environment supports the use of this cipher, then it will be enabled and can be used; otherwise, it is simply ignored. This cipher is optimized for use in environments where hardware AES-256 support is unavailable.

Note

Important notes regarding backward compatibility and legacy ciphers 

Access Server 1.0 has BF-CBC as the default cipher, which was considered secure at the time. However BF-CBC is deprecated now and should not be used anymore, and modern environments may even refuse to use it.

Access Server 2.5 and newer by default automatically use AES-256-GCM. Older clients (OpenVPN 2.3 and older) were supported automatically by using AES-256-CBC or BF-CBC fallback depending on your cipher configuration, until Access Server 2.13.

Access Server 2.13 and newer by default automatically use AES-256-GCM, AES-128-GCM, and CHACHA20-POLY1305 (if the server supports it). Older clients (OpenVPN 2.3 and older) are not supported anymore by default, but this support can be reenabled by defining your own data cipher string and adding a cipher such as AES-256-CBC at the end. AES-256-CBC and AES-256-GCM are equivalent in encryption strength, but GCM is faster and therefore preferred.

If you wish to use Data Channel Offload, you can only use the recommended ciphers. Using older ciphers will disable the use of DCO.

Optional values

  • AES-256-CBC

  • AES-192-CBC

  • AES-128-CBC

  • AES-192-GCM

Deprecated values

  • BF-CBC

  • DES-CBC

  • DES-EDE3-CBC

  • DESX-CBC

  • none

Caution

The value “none” completely disables data channel encryption. We don’t recommend using it — it is only meant for debugging purposes. The other ciphers mentioned may not be allowed anymore by the OpenSSL security settings in your operating system.

Option 1: Configure the ciphers in the Admin Web UI

As of Access Server 2.9, you can configure the ciphers in the Admin Web UI using a string format with multiple ciphers separated by a colon (:)—for example, AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305.

  1. Sign in to the Admin Web UI.

  2. Click Configuration > Advanced VPN.

  3. Enter your preferred data channel ciphers under Data channel ciphers.

Option 2: Configure the ciphers in the CLI

To configure the ciphers from the CLI:

  1. Connect to the console and get root privileges.

  2. Switch to the scripts directory:

    cd /usr/local/openvpn_as/scripts/

  3. Set the data-channel encryption ciphers:

    ./sacli --key "vpn.server.data_ciphers" --value <CIPHERS>1 ConfigPut
./sacli start

    1

    Enter a string format with multiple ciphers separated by a colon (:). For example, AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305.

To restore the default setting:

./sacli --key "vpn.server.data_ciphers" ConfigDel
./sacli start
In this section:
See also: