Data-channel cipher negotiation on OpenVPN Access Server

Introduction

The data-channel encryption cipher encrypts and decrypts the data packets transmitted through the OpenVPN tunnel. This documentation provides an overview of data-channel ciphers for OpenVPN Access Server and the differences between versions.

OpenVPN Access Server 2.9 and newer provides data-channel cipher configuration in the Admin Web UI and the command-line interface. For details, refer to Change encryption cipher in Access Server.

Default data-channel ciphers

OpenVPN Access Server and OpenVPN clients have default data-channel ciphers, but which ones apply depends on the factors explained here. Use the following information to find the scenario that most closely matches your server-client setup. If you prefer, you can change the default values using the Admin Web UI or command-line interface, as detailed in Change encryption cipher in Access Server.

Determining the default data-channel ciphers depends on the following factors:

  • Client capability for cipher negotiation and supported ciphers.
  • Configuration settings inherited from an older installation.
  • Access Server version currently in use.

Cipher negotiation occurs between servers and clients that support it, and automatically upgrades connections to a better cipher. By default, Access Server 2.5.0 and newer tries to upgrade to AES-256-GCM. The following programs are known to support cipher negotiation:

  • Access Server 2.5.0 and newer.
  • OpenVPN3 Linux client all versions.
  • OpenVPN Connect v3 all versions.
  • OpenVPN Connect v2 2.1.1 and newer.
  • OpenVPN GUI 2.4 and newer.
  • Other clients based on OpenVPN 3 or OpenVPN 2.4 and newer.

AES-256-CBC default for Access Server 2.5.0 and newer

If you started your Access Server installation on 2.5.0 or newer, the default cipher is set to AES-256-CBC. The server automatically upgrades a client that supports cipher negotiation to AES-256-GCM for its connection, while a client that doesn’t support cipher negotiation uses AES-256-CBC. Choosing AES-256-CBC as the default keeps compatibility with older clients that support AES-256-CBC but don’t support AES-256-GCM. Both provide the same level of security, but more recent OpenVPN versions use the faster AES-GCM method, which combines the encryption and authentication steps. When CBC mode is used, SHA1 HMAC is used for packet authentication.

Configurable data-channel cipher for Access Server 2.9.0 and newer

On Access Server 2.9.0 and newer, you can configure the data-cipher string in the Admin Web UI and the command-line interface. This allows setting a number of ciphers in order of priority. The first cipher in the list that the client supports is then used for the VPN connection.

For details about how to configure this, refer to Change encryption cipher in Access Server.

BF-CBC default for old Access Server versions

If you use a version of Access Server prior to 2.5.0, the cipher is BF-CBC by default. The cipher for the connection is not automatically upgraded in this situation because the server does not support cipher negotiation. If, however, you upgrade such an old installation of Access Server to version 2.5.0 or newer, the default cipher remains set to BF-CBC for backward compatibility with older clients, but the server now upgrades newer clients that support cipher negotiation to AES-256-GCM. Clients that do not support cipher negotiation continue to use BF-CBC for their connections in this situation, to maintain backward compatibility.

Looking up data-channel cipher in log files

To see exactly which cipher is used for a VPN connection, you can check your log entries.

Log entry in openvpnas.log showing AES-256-GCM data-channel encryption:

2022-01-01 12:00:00 Lauren/123.45.67.89:12345 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-01-01 12:00:00 Lauren/123.45.67.89:12345 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

BF-CBC cipher deprecation recommendations

If you’re still using BF-CBC on Access Server, we strongly recommend switching to a more secure cipher as soon as possible.

When we released versions of Access Server that used BF-CBC, it was considered secure. However, that hasn’t been the case for a long time (see SWEET32 for more information). Therefore, since the release of Access Server 2.5.0, the new default is AES-256-CBC. This is compatible and secure even with older OpenVPN clients that do not support cipher negotiation or GCM.

If you are now on an Access Server older than 2.5.0, or you have a configuration that was upgraded from such an older version, we recommend that you upgrade to the latest version of Access Server. That will allow the OpenVPN server to automatically upgrade the connections from OpenVPN clients capable of cipher negotiation to AES-256-GCM. You can then use the data-cipher configuration to work towards eliminating BF-CBC from your supported data-ciphers list altogether.

For backward compatibility in the situation described above, older OpenVPN clients that are not capable of cipher negotiation will continue to connect with BF-CBC. To change those to a secure cipher, you can update the client software so that the server can upgrade their connections to AES-256-GCM automatically. Alternatively, if you are not able to update the client software, you can adjust the data-cipher list to include BF-CBC and AES-256-CBC and then modify the client connection profiles manually by specifying cipher AES-256-CBC. After all the clients no longer use BF-CBC, you can remove BF-CBC from the data-cipher list, and update the vpn.server.cipher value to AES-256-CBC. Do not change this value before then, as it may cause cipher mismatch problems with older clients.
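
One way to confirm that no client still connects with BF-CBC before removing it from the data-cipher list, using the log entries described under "Looking up data-channel cipher in log files". This is an added example, not Access Server code: the function names and the sample users, addresses and timestamps are constructed, and it assumes log lines in the layout shown on this page.

```python
import re
from collections import defaultdict

# Data-channel initialisation lines, in the layout shown on this page.
LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}).*?\s"
    r"(?P<user>[^\s/]+)/\S+ (?:Outgoing|Incoming) Data Channel: "
    r"Cipher '(?P<cipher>[^']+)' initialized"
)
WEAK_CIPHERS = {"BF-CBC"}  # the cipher the page recommends eliminating


def last_seen_by_cipher(lines):
    """Return {cipher: {user: latest timestamp}} for every cipher seen."""
    seen = defaultdict(dict)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a data-channel initialisation line
        cipher, user, ts = m["cipher"].upper(), m["user"], m["ts"]
        # Timestamps of one format compare correctly as strings.
        if ts > seen[cipher].get(user, ""):
            seen[cipher][user] = ts
    return seen


def weak_cipher_users(lines, since=""):
    """List (user, cipher, last_seen) for weak-cipher use at or after `since`."""
    seen = last_seen_by_cipher(lines)
    return sorted(
        (user, cipher, ts)
        for cipher in WEAK_CIPHERS
        for user, ts in seen.get(cipher, {}).items()
        if ts >= since
    )


# Constructed sample lines (not real log data), same layout as the page's.
SAMPLE_LOG = """\
2022-01-01 12:00:00 Lauren/192.0.2.10:12345 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-01-02 08:15:00 kiosk01/198.51.100.7:40000 Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
2022-01-05 09:00:00 kiosk01/198.51.100.7:40212 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2022-01-06 10:30:00 dave/203.0.113.5:51000 Incoming Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
2022-01-06 10:31:00 constructed line that is not a data-channel entry
"""

if __name__ == "__main__":
    for user, cipher, ts in weak_cipher_users(SAMPLE_LOG.splitlines()):
        print(f"{user} last used {cipher} at {ts}")
```

Pass a `since` timestamp that covers your observation window; an empty result for that window means no logged connection used BF-CBC during it.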

Compatibility notes for older clients

The cipher negotiation documentation in the OpenVPN repository describes how cipher negotiation works and how different versions and configurations interact with each other.

OpenVPN 2.3 and older clients that have been configured with the --enable-small flag do not indicate which ciphers they support. On Access Server 2.9.0 and newer, you can support legacy clients that don’t announce ciphers by enabling the data-ciphers-fallback option on the Configuration > Advanced VPN page in the Admin Web UI. The fallback is then set to the cipher defined in the vpn.server.cipher configuration key. If that key is not set, it defaults to BF-CBC.

You shouldn’t alter the vpn.server.cipher and vpn.client.cipher keys on installations that have older OpenVPN clients in use that don’t support cipher negotiation. Doing so can cause messages regarding cipher mismatches to appear in logs. We recommend you follow the steps outlined in the previous section to handle the move away from the BF-CBC cipher by deprecating it.