Change encryption cipher in Access Server

The data-channel encryption cipher encrypts and decrypts the data packets transmitted through the OpenVPN tunnel. You can configure it on the server and client sides. However, the client and server must agree on a cipher that both support and allow. Support for data-channel ciphers changed with different releases, but we strive to retain backward compatibility.

OpenVPN Access Server 2.5 and newer use AES-256-GCM by default if the client supports it. Older clients without AES-256-GCM support use a fallback cipher. Access Server configurations created on 2.5 or above use AES-256-CBC as the fallback cipher, while older configurations use BF-CBC as the fallback cipher. 

AES-256 in either CBC (Cipher Block Chaining) or GCM (Galois/Counter Mode) mode is considered secure and meets stringent security requirements. They are the same level of security, but more recent OpenVPN versions use the faster AES-GCM method to combine the encryption and authentication steps. SHA1 HMAC is used for the packet authentication when CBC mode is used.

Note: Changing the cipher configuration on Access Server may require new connection profiles for some OpenVPN clients.

As of Access Server version 2.9, you can configure the ciphers in the Admin Web UI. It takes a string format with multiple ciphers separated by a colon (:)—for example, AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305. 

  1. Sign in to the Admin Web UI.
  2. Click Configuration > Advanced VPN.
  3. Enter your preferred data channel ciphers under Data channel ciphers.
  4. Click Save and Update Running Server.

To change this using the command line, set the specific configuration key with sacli. Ensure you are connected with root privileges and run the commands below from the directory, /usr/local/openvpn_as/scripts/.

Set the data-channel encryption ciphers:

./sacli --key "vpn.server.data_ciphers" --value <CIPHERS> ConfigPut
./sacli start

Restore the default setting:

./sacli --key "vpn.server.data_ciphers" ConfigDel
./sacli start

The first cipher in the list the client supports is used for the OpenVPN connection. If the vpn.server.data_ciphers value is empty, Access Server assumes the following list of ciphers:

  • AES-256-GCM
  • AES-128-GCM
  • CHACHA20-POLY1305 (enabled if supported on the server-side)
  • Fallback cipher (value from vpn.server.cipher key)

On Access Server 2.5 and newer, the default value of the fallback cipher vpn.server.cipher is AES-256-CBC, while on older versions, it was BF-CBC. Access Server still accepts the cipher set in this configuration key for backward compatibility. We don’t recommend BF-CBC for production use anymore as it’s considered insecure.

Recommended values:

  • AES-256-GCM
  • AES-128-GCM
  • CHACHA20-POLY1305

Optional values:

  • AES-256-CBC
  • AES-192-CBC
  • AES-128-CBC

Deprecated values:

  • BF-CBC
  • none

Note: The value “none” disables data channel encryption completely. We don’t recommend using it.