
Change encryption cipher in Access Server

Important note

Before you begin, note that every OpenVPN Access Server release up to and including version 2.1.12 works with a single encryption scheme: the server and all of its clients agree on one cipher. If you change the cipher, clients are not automatically aware of the change and may need to be reinstalled before they start using the new cipher.

In a release we will be making shortly, we intend to introduce Negotiable Crypto Parameters. This brings the advantage that you can change the cipher while still letting currently installed clients that use an old cipher connect, if that is so configured and allowed. The guide below assumes you are using OpenVPN Access Server 1.8.0 or higher, up to version 2.1.12.

Cipher configuration on Access Server

In the past, OpenVPN Access Server used the cipher BF-CBC by default. BF-CBC stands for BlowFish Cipher Block Chaining and is a very secure method of continuously encrypting data in the OpenVPN tunnel. Unfortunately BlowFish has recently been found to contain a flaw, which we have mitigated by instructing clients to change the encryption cipher much more regularly to ensure the flaw cannot be exploited. We are going to be introducing a new version of Access Server that starts with AES-256-CBC on new installations, and on upgrades will use AES-256-CBC where possible, but still allow BF-CBC. AES-256-CBC contains no known security flaws, so we are moving to that cipher soon.

There are other reasons people sometimes want to change the encryption cipher, such as performance or other considerations. To change the cipher in OpenVPN Access Server, add the following line to both the client and server config directives via the Advanced VPN page in the Admin UI:

cipher ciphername (in the Server and Client Config Directives textboxes)

If we wanted to enable the AES-256 cipher we would add the following line:

cipher AES-256-CBC

Then click Save Settings, and Update Running Server. Access Server will now use the updated cipher. But beware: if you have clients already installed, these will try to use the old cipher and will not be able to connect. So if you change the cipher, you need to reinstall most currently installed clients before they can connect again.

List of ciphers:


Disable encryption entirely:

Although this is not recommended, certain special configurations might not require encryption when using OpenVPN Access Server. To completely disable encryption you can add the following line on the AWS, under Advanced VPN, Client and Server Config Directives:

cipher none

This still leaves TLS authentication enabled by default, but you can disable this by going to Advanced VPN in the Admin UI and disabling TLS authentication there.

This also leaves client/server authentication with certificates intact, and if you want to disable this as well, see this section on how to disable the use of client certificates.
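
The following is an added example, not part of the original page and not OpenVPN's own tooling: a Python check that reads client profiles and reports which ones will stop connecting once the server's cipher line is changed, and which ones match the server but run cipher none or BF-CBC. The profile names and contents are constructed, and the BF-CBC fallback for profiles without a cipher line is an assumption based on the default this page describes.

```python
import re

# Assumption from the page: a profile with no cipher line uses the old default.
DEFAULT_CIPHER = "BF-CBC"
# Inline <ca>/<cert>/<key>/<tls-auth> blocks hold key material, not directives.
INLINE_BLOCK = re.compile(r"<(\w[\w-]*)>.*?</\1>", re.DOTALL)


def profile_cipher(profile_text):
    """Return the effective cipher of an OpenVPN profile, upper-cased."""
    text = INLINE_BLOCK.sub("", profile_text)
    cipher = DEFAULT_CIPHER
    for line in text.splitlines():
        # Simplification: treat everything after '#' or ';' as a comment.
        parts = re.split(r"[#;]", line, maxsplit=1)[0].split()
        if len(parts) >= 2 and parts[0].lower() == "cipher":
            cipher = parts[1]  # assumed: a later cipher line overrides an earlier one
    return cipher.upper()


def audit(server_cipher, profiles):
    """Map profile name -> (cipher, verdict) against the server's cipher."""
    server = server_cipher.upper()
    report = {}
    for name, text in profiles.items():
        cipher = profile_cipher(text)
        if cipher != server:
            verdict = "MISMATCH: reinstall client"
        elif cipher == "NONE":
            verdict = "MATCH but tunnel is unencrypted"
        elif cipher == "BF-CBC":
            verdict = "MATCH but legacy cipher"
        else:
            verdict = "OK"
        report[name] = (cipher, verdict)
    return report


# Constructed sample profiles (hypothetical names and hosts).
SAMPLE_PROFILES = {
    "laptop.ovpn": "client\nremote vpn.example.com 1194\ncipher AES-256-CBC\n",
    "old-phone.ovpn": "client\nremote vpn.example.com 1194\n# cipher AES-256-CBC\n",
    "kiosk.ovpn": "client\n;cipher AES-256-CBC\ncipher none\n",
    "tablet.ovpn": "client\nCipher aes-256-cbc\n<ca>\ncipher BF-CBC\n</ca>\n",
}

if __name__ == "__main__":
    for name, (cipher, verdict) in audit("AES-256-CBC", SAMPLE_PROFILES).items():
        print(f"{name:16} {cipher:12} {verdict}")
```

Run it against exported client profiles before clicking Update Running Server to see which clients need to be reinstalled.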