Change encryption cipher in Access Server

Important notes

Before you begin, it’s important to note that all OpenVPN Access Servers work with a single encryption scheme. This means that all the clients and the server itself agree on using the same cipher. If you change the cipher, clients are not automatically aware of this change and may require a reinstallation before they start using the new cipher. Please be aware of this limitation when planning to change your cipher. In a future release we intend to introduce Negotiable Crypto Parameters. With this comes the advantage of changing the cipher while still letting currently installed clients that use an old cipher connect, if that is so configured and allowed.

In the past, OpenVPN Access Server used the cipher BF-CBC by default. As of Access Server 2.5, AES-256-CBC is used on new installations, while upgrades from an older version keep using BF-CBC. BF-CBC stands for Blowfish in Cipher Block Chaining mode and is a secure method of continuously encrypting data in the OpenVPN tunnel. Unfortunately, Blowfish has recently been found to contain a flaw that can be exploited if enough data encrypted under the same key can be intercepted. We have mitigated this by instructing clients to renegotiate the encryption key much more frequently, so that no single key encrypts enough data for the flaw to be exploited. AES-256-CBC contains no known security flaws, so we have made the decision to move to that cipher for all new installations of Access Server 2.5 or higher.

Change cipher on Access Server version 2.5 or newer

In the past you could change the cipher on the client and the server by adding the parameter “cipher AES-256-CBC” to both the Client Config Directives and Server Config Directives fields on the Advanced VPN page in the Admin UI of the Access Server. This method is no longer supported. The proper method is to use the new configuration database keys created for this purpose, from the command line interface with root privileges.

Once you have made changes to the cipher used by Access Server, all the clients must also be updated to use the new cipher. In the case of OpenVPN Connect Client using a server-locked profile, this is automatically updated. But in all other cases with user-locked and auto-login type profiles, these clients will need a new copy of these profiles, or a reinstallation of the Connect Client, in order to use the updated cipher.
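The procedure above as a script, added here as an example and not taken from the OpenVPN documentation or the Access Server package. It assumes the sacli tool sits at its default location /usr/local/openvpn_as/scripts/sacli and that the configuration database keys for the cipher are vpn.server.cipher and vpn.client.cipher (neither is named on this page); it validates the requested name against the list of allowed ciphers given further down, writes it for both sides, and restarts the services.

```shell
#!/bin/sh
# Added example, not from the OpenVPN documentation page: change the data-channel
# cipher of an Access Server 2.5+ installation through its configuration database.
# Assumptions (this page names neither): sacli is at its default location
# /usr/local/openvpn_as/scripts/sacli, and the configuration keys are
# vpn.server.cipher and vpn.client.cipher. Run on the Access Server host as root.
set -eu

SACLI=${SACLI:-/usr/local/openvpn_as/scripts/sacli}

# Cipher names that Access Server accepts, exactly as listed on this page.
ALLOWED_CIPHERS="DES-CBC RC2-CBC DES-EDE-CBC DES-EDE3-CBC DESX-CBC BF-CBC
RC2-40-CBC CAST5-CBC RC2-64-CBC AES-128-CBC AES-192-CBC AES-256-CBC none"

# valid_cipher NAME -> returns 0 when NAME is one of the allowed ciphers, 1 otherwise.
valid_cipher() {
    for c in $ALLOWED_CIPHERS; do
        if [ "$1" = "$c" ]; then
            return 0
        fi
    done
    return 1
}

# set_cipher NAME -> validate NAME, store it for both the server and client sides,
# restart the Access Server services so the new value takes effect, and show the
# stored values. Returns 2 for a name outside the allowed list.
set_cipher() {
    cipher=$1
    if ! valid_cipher "$cipher"; then
        echo "refusing cipher '$cipher': not in the allowed list" >&2
        return 2
    fi
    if [ "$cipher" = none ]; then
        echo "warning: 'none' turns off data-channel encryption" >&2
    fi
    "$SACLI" --key vpn.server.cipher --value "$cipher" ConfigPut
    "$SACLI" --key vpn.client.cipher --value "$cipher" ConfigPut
    "$SACLI" start
    # ConfigQuery dumps the whole configuration database; keep only the two cipher keys.
    "$SACLI" ConfigQuery | grep -E '"vpn\.(server|client)\.cipher"'
}

# Only act when a cipher name is given and sacli exists on this host; otherwise
# the file just defines the functions above.
if [ "$#" -ge 1 ] && [ -x "$SACLI" ]; then
    set_cipher "$1"
fi
```

Run it as `sh change-cipher.sh AES-256-CBC` on the server. Afterwards, server-locked OpenVPN Connect profiles pick the change up automatically, but user-locked and auto-login profiles issued before the change keep the old cipher and have to be downloaded again, as the paragraph above explains.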

Change cipher on Access Server version 2.1.12 or older

On Access Server 2.1.12 and older, to change the cipher you need to add a cipher directive, for example “cipher AES-256-CBC”, to both the Client Config Directives and Server Config Directives fields on the Advanced VPN page in the Admin UI. The cipher name must be one from the list of allowed ciphers below.

Then click Save Settings, and Update Running Server. Once you have made these changes to the cipher used by Access Server, all the clients must also be updated to use the new cipher. In the case of OpenVPN Connect Client using a server-locked profile, this is automatically updated. But in all other cases with user-locked and auto-login type profiles, these clients will need a new copy of these profiles, or a reinstallation of the Connect Client, in order to use the updated cipher.

List of allowed ciphers:

  • DES-CBC
  • RC2-CBC
  • DES-EDE-CBC
  • DES-EDE3-CBC
  • DESX-CBC
  • BF-CBC
  • RC2-40-CBC
  • CAST5-CBC
  • RC2-64-CBC
  • AES-128-CBC
  • AES-192-CBC
  • AES-256-CBC
  • none

Disable encryption entirely

Although this is not recommended, certain special configurations might not require encryption when using OpenVPN Access Server. To completely disable encryption, choose the cipher named none. This disables the encryption of the data packets.

This still leaves TLS authentication enabled by default, but you can disable it by going to Advanced VPN in the Admin UI and turning TLS authentication off there.
Client/server authentication with certificates also remains intact; if you want to disable this as well, see the section on how to disable the use of client certificates.

Disable TLS authentication

TLS authentication is a shared key system whereby the server and all the clients use the same TLS key to sign and authenticate the VPN tunnel packets exchanged between the VPN server and the VPN clients. If a packet arrives that doesn’t match the TLS authentication signature, it is simply discarded. This is an additional security feature of the OpenVPN protocol on top of other certificate verification and data encryption.

On Access Server older than 2.5 you had to do this by adding the option auth none to both the Client Config Directives and Server Config Directives fields on the Advanced VPN page. As of Access Server 2.5 there is a GUI option that makes disabling and enabling TLS authentication easier: it is called TLS authentication, it is found on the Advanced VPN page, and you can disable it there.

There is further explanation of the TLS authentication (HMAC firewall) functionality and a method of disabling it via the command line.
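Because clients with user-locked or auto-login profiles keep whatever cipher and TLS authentication settings were in the profile they were given, it helps to be able to audit an exported profile before redistributing it. The following script is an added example and is not part of the OpenVPN documentation; it assumes only the .ovpn profile format (one directive per line, inline key material inside <tag> ... </tag> blocks) and reports the profile's cipher, its auth directive, and whether tls-auth material is present, classifying the cipher according to this page's guidance (none is unencrypted, BF-CBC is flawed, the AES-*-CBC ciphers are the recommended ones).

```shell
#!/bin/sh
# Added example, not from the OpenVPN documentation page: audit an exported client
# profile (.ovpn) for the settings this page discusses, so that profiles handed out
# before a cipher change, or ones that turn encryption off, can be spotted before
# they are redistributed. Assumes only the OpenVPN profile format (one directive per
# line, inline key material in <tag> ... </tag> blocks).
set -eu

# profile_directive FILE NAME -> prints the value of the last NAME directive in the
# profile, or "unset" when the profile does not carry it (the server-side default
# then applies).
profile_directive() {
    v=$(awk -v name="$2" '$1 == name { print $2 }' "$1" | tail -n 1)
    echo "${v:-unset}"
}

# profile_cipher FILE -> the data-channel cipher named by the profile.
profile_cipher() { profile_directive "$1" cipher; }

# profile_auth FILE -> the value of the auth directive; "none" is what this page
# uses on pre-2.5 servers to turn TLS authentication off.
profile_auth() { profile_directive "$1" auth; }

# profile_has_tls_auth FILE -> 0 when a tls-auth directive or an inline <tls-auth>
# block is present, 1 otherwise.
profile_has_tls_auth() {
    grep -qE '^(tls-auth[[:space:]]|<tls-auth>)' "$1"
}

# assess_cipher NAME -> a one-word verdict following this page's guidance:
#   unencrypted : cipher none, the data packets are not encrypted at all
#   flawed      : BF-CBC, the old default with the flaw the page describes
#   ok          : one of the AES-*-CBC ciphers the page moved to
#   default     : no cipher directive, the server's configured cipher applies
#   legacy      : any other name from the allowed list (DES, RC2 and CAST5 variants)
assess_cipher() {
    case "$1" in
        none)                                 echo unencrypted ;;
        BF-CBC)                               echo flawed ;;
        AES-128-CBC|AES-192-CBC|AES-256-CBC)  echo ok ;;
        unset)                                echo default ;;
        *)                                    echo legacy ;;
    esac
}

# audit_profile FILE -> prints one summary line and returns 0 only for a profile
# that encrypts with AES and still carries TLS authentication material.
audit_profile() {
    cipher=$(profile_cipher "$1")
    verdict=$(assess_cipher "$cipher")
    if profile_has_tls_auth "$1"; then tls=present; else tls=absent; fi
    echo "$1: cipher=$cipher ($verdict) auth=$(profile_auth "$1") tls-auth=$tls"
    [ "$verdict" = ok ] && [ "$tls" = present ]
}

# Constructed sample profile (not a real Access Server export): an older profile
# still pinned to BF-CBC. The static key body is a placeholder, not key material.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher BF-CBC
auth SHA1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0000000000000000000000000000000000000000000000000000000000000000
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
EOF

if audit_profile "$SAMPLE"; then
    echo "profile is up to date"
else
    echo "profile needs to be re-issued after the cipher change"
fi
```

Point `audit_profile` at each profile you hand out; a non-zero return means the profile is still on the old cipher, has encryption turned off, or lacks TLS authentication material, and should be regenerated from the server before it is given to a client.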
