Change encryption cipher in Access Server



By default, OpenVPN Access Server uses the cipher BF-CBC. This stands for Blowfish Cipher Block Chaining and is a very secure method of continuously encrypting data in the OpenVPN tunnel. Sometimes, for performance reasons or other considerations, people want to change the encryption cipher. To change the cipher in OpenVPN Access Server, add the following line to both the client and server config directives via the Advanced VPN page:

cipher ciphername (in the Server and Client Config Directives textboxes)

If we wanted to enable the AES-256 cipher we would add the following line:

cipher AES-256-CBC

Then click Save Settings, and Update Running Server. Access Server will now use the updated cipher.

List of ciphers:

DES-CBC
RC2-CBC
DES-EDE-CBC
DES-EDE3-CBC
DESX-CBC
BF-CBC
RC2-40-CBC
CAST5-CBC
RC2-64-CBC
AES-128-CBC
AES-192-CBC
AES-256-CBC

Disable encryption:

Although this is not recommended, certain special configurations might not require encryption when using OpenVPN Access Server. To completely disable encryption you can add the following lines on the AWS, under Advanced VPN, Client and Server Config Directives:

auth none
cipher none

Note: "auth none" disables packet authentication and "cipher none" disables encryption.
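
The following check is an added example, not part of the original page or of OpenVPN's own tooling. It audits the text of the Server and Client Config Directives boxes for the conditions described above: a cipher set on one side only, a cipher name outside the listed set, and the "auth none" / "cipher none" directives. It assumes a box with no cipher line falls back to the BF-CBC default; the function names and the warning on 64-bit block ciphers are this example's own choices.

```python
# Added example, not OpenVPN's code: audit the text of the Server and Client
# Config Directives boxes. Cipher names come from the list on this page.
BLOCK_BITS = {
    "DES-CBC": 64, "RC2-CBC": 64, "DES-EDE-CBC": 64, "DES-EDE3-CBC": 64,
    "DESX-CBC": 64, "BF-CBC": 64, "RC2-40-CBC": 64, "CAST5-CBC": 64,
    "RC2-64-CBC": 64, "AES-128-CBC": 128, "AES-192-CBC": 128, "AES-256-CBC": 128,
}
DEFAULT_CIPHER = "BF-CBC"  # default stated on this page


def parse_directives(text):
    """Return the last 'cipher' and 'auth' values set in one directives box."""
    found = {"cipher": DEFAULT_CIPHER, "auth": None}  # None: not set in the box
    for raw in text.splitlines():
        # OpenVPN treats '#' and ';' as comment markers.
        parts = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(parts) >= 2 and parts[0] in found:
            found[parts[0]] = parts[1]
    return found


def audit(server_text, client_text):
    """Return (severity, message) findings for the two directive boxes."""
    server, client = parse_directives(server_text), parse_directives(client_text)
    findings = []
    if server["cipher"].upper() != client["cipher"].upper():
        findings.append(("ERROR", "cipher mismatch: server=%s client=%s"
                         % (server["cipher"], client["cipher"])))
    for side, cfg in (("server", server), ("client", client)):
        cipher = cfg["cipher"].upper()
        if cipher == "NONE":
            findings.append(("ERROR", side + ": 'cipher none' disables encryption"))
        elif cipher not in BLOCK_BITS:
            findings.append(("ERROR", side + ": %s is not in the cipher list" % cfg["cipher"]))
        elif BLOCK_BITS[cipher] == 64:
            # Assumed policy of this example: warn on 64-bit block ciphers.
            findings.append(("WARN", side + ": %s has a 64-bit block" % cipher))
        if (cfg["auth"] or "").lower() == "none":
            findings.append(("ERROR", side + ": 'auth none' disables packet authentication"))
    return findings


# Constructed sample input: cipher changed in the server box only.
SERVER_BOX = "cipher AES-256-CBC\n"
CLIENT_BOX = "# cipher line was not added here\n"

if __name__ == "__main__":
    for severity, message in audit(SERVER_BOX, CLIENT_BOX):
        print(severity, message)
```

Run against the constructed sample, it reports the mismatch caused by adding the cipher line to the server box only.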