AS server cipher setting not affecting client conf?

Business solution to host your own OpenVPN server with web management interface and bundled clients.
lv426hudson
OpenVpn Newbie
Posts: 3
Joined: Fri Sep 15, 2023 1:04 pm

AS server cipher setting not affecting client conf?

Post by lv426hudson » Fri Sep 15, 2023 1:30 pm

Hi,

I am running an AS on Debian 10. On the web server it doesn't seem to matter what I set the cipher to be, the client ovpn file downloaded always seems to have the cipher set to "cipher AES-256-CBC"? I am trying to set AES-256-GCM. Am I missing something (obviously)?

Cheers,

https://i.imgur.com/SF2hlO1.png

# From ovpn file
# Default Cipher
cipher AES-256-CBC

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: AS server cipher setting not affecting client conf?

Post by openvpn_inc » Fri Sep 15, 2023 1:55 pm

Hi lv426hudson,

Your confusion is understandable. The derivation of how ciphers work is complicated due to a need for backward compatibility.

Basically the 'cipher' parameter will be used by older OpenVPN 2 clients that do not know what to do with cipher negotiation. Those are also not capable of GCM, as GCM was introduced around the same time as the cipher negotiation.

In strength AES-256-CBC and AES-256-GCM are about equivalent, but GCM is a bit more efficient.

If the OpenVPN client is capable of it, it will negotiate for a better cipher with the server. There is a default data-cipher string for that on the client side as well that prefers AES-256-GCM. Since you only put in 1 cipher on the server side, it will negotiate to that AES-256-GCM cipher. You can confirm this by looking at logs and seeing that the data channel cipher is AES-256-GCM. So your change does take effect.

I would however advise that you add the data cipher AES-256-CBC to retain compatibility with older clients that don't know how to do such negotiation and don't support GCM, but do read the 'cipher' parameter and are at least capable of AES-256-CBC. At the moment you've prevented the Access Server from allowing AES-256-CBC, and then those older clients simply can't connect. You can solve this by setting the data cipher to AES-256-GCM:AES-256-CBC.

I would recommend you leave AES-256-GCM as primary cipher and add AES-256-CBC as a secondary supported cipher and don't try to mess with the cipher directive. It is for backward compatibility so older clients will work, and does not hurt up-to-date clients as they will negotiate to the primary cipher AES-256-GCM.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
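The two code paths Johan describes (negotiating clients versus legacy clients that only honour the static 'cipher' line) can be modelled in a few lines. The script below is an added illustration written for this page, not OpenVPN's or Access Server's own code: it reduces the real negotiation rules to the cases discussed in the post (a client that advertises the ciphers it accepts, and a client with no negotiation support that just uses its profile's 'cipher'), and the assumption that the server walks its own data-ciphers list in order and picks the first entry the client also accepts. The client and server objects and the cipher lists are constructed sample data; real OpenVPN has further special cases (IV_NCP=2 clients, data-ciphers-fallback) that are left out.

```python
"""Simplified model of OpenVPN data-channel cipher selection (illustration only,
not OpenVPN code). Shows why 'cipher AES-256-CBC' in the profile does not stop a
modern client from ending up on AES-256-GCM, and why dropping AES-256-CBC from
the server's data-ciphers list locks out clients that cannot negotiate."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class ServerConfig:
    data_ciphers: list[str]         # Access Server "data ciphers" list, server preference order
    cipher: str = "AES-256-CBC"     # legacy 'cipher' line written into downloaded .ovpn files


@dataclass
class Client:
    name: str
    supports_ncp: bool              # can the client negotiate the data-channel cipher?
    iv_ciphers: list[str] = field(default_factory=list)  # ciphers it advertises (NCP clients only)
    cipher: str = "AES-256-CBC"     # static 'cipher' from the .ovpn, used by legacy clients


def parse_data_ciphers(setting: str) -> list[str]:
    """Split the colon-separated data-ciphers string, e.g. 'AES-256-GCM:AES-256-CBC'."""
    return [c.strip() for c in setting.split(":") if c.strip()]


def select_cipher(server: ServerConfig, client: Client) -> str | None:
    """Return the data-channel cipher the pair would agree on, or None if the
    connection would fail. Assumed rule: the server's list order decides."""
    if client.supports_ncp:
        for candidate in server.data_ciphers:
            if candidate in client.iv_ciphers:
                return candidate
        return None
    # Legacy client: no negotiation, it can only use its static 'cipher' line,
    # which the server must also list under data-ciphers.
    if client.cipher in server.data_ciphers:
        return client.cipher
    return None


# Constructed sample clients: an up-to-date client advertising GCM first, and a
# pre-negotiation client that only understands the profile's 'cipher' directive.
SAMPLE_CLIENTS = [
    Client("modern", supports_ncp=True,
           iv_ciphers=["AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305", "AES-256-CBC"]),
    Client("legacy", supports_ncp=False, cipher="AES-256-CBC"),
]


def simulate(data_ciphers_setting: str) -> dict[str, str | None]:
    """Map each sample client to the cipher it would get for a given server setting."""
    server = ServerConfig(parse_data_ciphers(data_ciphers_setting))
    return {c.name: select_cipher(server, c) for c in SAMPLE_CLIENTS}


if __name__ == "__main__":
    for setting in ("AES-256-GCM", "AES-256-GCM:AES-256-CBC", "AES-256-CBC:AES-256-GCM"):
        print(f"data-ciphers {setting!r}: {simulate(setting)}")
```

With only AES-256-GCM configured the modern client still negotiates GCM (matching what the logs show) but the legacy client gets nothing; adding AES-256-CBC as the second entry keeps both working, and putting CBC first would pull modern clients down to CBC because the server's order wins, which is why GCM should stay the primary entry.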

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: AS server cipher setting not affecting client conf?

Post by openvpn_inc » Fri Sep 15, 2023 2:02 pm

Oh, I forgot to add that this document discusses changing the cipher as well:

https://openvpn.net/vpn-server-resource ... ss-server/

But yeah, security related stuff can be a bit technical, especially when backward compatibility is mixed in and things change.

Kind regards,
Johan
OpenVPN Inc.

lv426hudson
OpenVpn Newbie
Posts: 3
Joined: Fri Sep 15, 2023 1:04 pm

Re: AS server cipher setting not affecting client conf?

Post by lv426hudson » Fri Sep 15, 2023 4:00 pm

Thanks for the response. Yes, I noticed in the log that even though the client file had CBC in, it still used GCM :-)

Are the settings that are made on the web server stored anywhere on the Linux platform where I can recover a conf file from?

I notice that the configuration in the "/usr/local/openvpn_as/etc/as.conf" doesn't match the web server.

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: AS server cipher setting not affecting client conf?

Post by openvpn_inc » Sat Sep 16, 2023 6:36 pm

Hello lv426hudson,

Sorry, but the configuration is fed directly to the OpenVPN daemons using the management interface; it isn't stored on disk as a text file like on the community version.

Kind regards,
Johan
OpenVPN Inc.
