OpenVPN Access Server FIPS compliance
FIPS and OpenVPN Access Server
Federal Information Processing Standard (FIPS) 140-2 specifies the security requirements for cryptographic modules that protect sensitive information. You can install OpenVPN Access Server on various operating systems whose OpenSSL cryptographic library has been assessed under the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP).
OpenVPN Access Server uses the cryptographic module that implements the cryptographic primitives of the OpenSSL library provided by the operating system. With default settings, OpenVPN Access Server works within the restrictions that FIPS imposes. With FIPS mode enabled in the operating system, cryptographic functions that FIPS does not approve are not allowed for use in OpenSSL, and therefore not in OpenVPN Access Server. This also means that certain optional Access Server features, such as ChaCha20-Poly1305 data encryption support, are not available when operating in a FIPS environment. Access Server is therefore compliant with FIPS restrictions.
Operating system recommendation
Usually, we recommend Ubuntu LTS because it has a good balance between lifecycle support and reasonably up-to-date software. However, if you require FIPS, we recommend using the Red Hat Enterprise Linux operating system instead, preferably with FIPS mode enabled at installation time.
How to enable FIPS mode
Running OpenVPN Access Server in FIPS mode requires enabling this mode in the operating system. The method varies per operating system. We reference external official documentation explaining how to enable it on the particular operating system:
- Red Hat — How can I make RHEL FIPS compliant.
- Amazon Linux 2 — Enabling FIPS mode in Amazon Linux 2.
- Ubuntu Pro (or Advantage) — Enabling FIPS with ua tool.
We tested the operating systems listed above with OpenVPN Access Server in FIPS mode. While you might configure other operating systems to run in FIPS mode, we haven’t explicitly tested them with OpenVPN Access Server.
Ubuntu LTS is supported but requires either the Ubuntu Pro version or the Ubuntu Advantage service in order to install the software necessary to support FIPS mode. On some IaaS providers, you can find a specialized deployment image.
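Enabling FIPS mode in the operating system is the prerequisite for everything above, so it is worth confirming that the host actually enforces it before relying on Access Server's behaviour. The following check script is an added example, not part of OpenVPN's documentation or tooling; it assumes a Linux host with the openssl command-line tool and reads the kernel flag from /proc/sys/crypto/fips_enabled (overridable via FIPS_FLAG_FILE).

```shell
#!/bin/sh
# Added verification script, not part of OpenVPN's documentation or tooling.
# Confirms the host enforces FIPS at both the kernel and OpenSSL layers.

FIPS_FLAG_FILE="${FIPS_FLAG_FILE:-/proc/sys/crypto/fips_enabled}"

# Print the kernel's FIPS flag from the given file: 1 = enabled, 0 = disabled.
# A missing or unreadable file is reported as 0 (kernel has no FIPS support).
kernel_fips_flag() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        echo 0
    fi
}

# Succeed if OpenSSL can still run the named digest. In FIPS mode a
# non-approved digest such as MD5 is refused; that is the real enforcement test.
digest_available() {
    printf 'probe' | openssl dgst "-$1" >/dev/null 2>&1
}

# Succeed if OpenSSL can run the named symmetric cipher. "openssl enc" cannot
# drive AEAD modes, so plain chacha20 stands in for ChaCha20-Poly1305.
cipher_available() {
    printf 'probe' | openssl enc "-$1" -k probe -pbkdf2 >/dev/null 2>&1
}

# Combine kernel flag (0/1) and MD5 usability (yes/no) into one verdict.
fips_verdict() {
    case "$1:$2" in
        1:no)  echo "fips-enforced" ;;
        1:yes) echo "kernel-flag-set-but-openssl-not-enforcing" ;;
        0:no)  echo "openssl-restricted-but-kernel-flag-off" ;;
        *)     echo "fips-disabled" ;;
    esac
}

main() {
    flag=$(kernel_fips_flag "$FIPS_FLAG_FILE")
    if digest_available md5; then md5=yes; else md5=no; fi
    echo "kernel fips_enabled=$flag, md5 usable=$md5"
    echo "verdict: $(fips_verdict "$flag" "$md5")"
    # In a FIPS environment expect aes-256-cbc available and chacha20 unavailable.
    for c in aes-256-cbc chacha20; do
        if cipher_available "$c"; then echo "$c: available"; else echo "$c: unavailable"; fi
    done
}
main
```

A verdict other than fips-enforced means the host is not in the state the rest of this page assumes, regardless of what the Access Server configuration says.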
The message "gpg: out of core handler ignored in FIPS mode" may be shown during installation. When the PGP key for verifying signatures of packages from the OpenVPN Access Server software repository is added, GPG may print this message as it cycles through existing keys that may not meet FIPS requirements. However, the new key for the Access Server repository installs correctly, and the installation proceeds normally.
The warning "UserWarning: OpenSSL FIPS mode is enabled. Can't enable DRBG fork safety." may be shown during installation or when setting a local account password on the command line. It can appear on Ubuntu 18, CentOS 7, Red Hat 7, and Amazon Linux 2. The warning is benign, and the program functions correctly despite it.