Description: OpenVPN Access Server 2.5 and newer use AES-256-GCM by default, which means that the Access Server uses AES-256-GCM unless you modify that setting.
To ensure that your OpenVPN client negotiates AES-256-GCM, your client must be OpenVPN 2.4 or newer, or OpenVPN Connect v3. Older OpenVPN clients, such as OpenVPN 2.3 or older, negotiate AES-256-CBC instead.
You can use the checks below to ensure your VPN connection uses AES-256-GCM.
+ Check the client logs:
Connect to the VPN, then review the client logs for the negotiated cipher. Check for lines such as these:
28 [cipher] [AES-256-GCM]
or
[Nov 15, 2022, 10:55:19] PROTOCOL OPTIONS:
cipher: AES-256-GCM
+ Check the server logs:
Connect to the VPN, then review the OpenVPN Access Server logs for the negotiated cipher. Check for lines such as these:
root@openvpn-access-server-Brandon:~# grep 'AES-256-GCM' /var/log/openvpnas.log
2022-11-15T10:55:19-0500 [stdout#info] [OVPN 1] OUT: "2022-11-15 15:55:19 test/12.12.12.12:51771 Data Channel: using negotiated cipher 'AES-256-GCM'"
2022-11-15T10:55:19-0500 [stdout#info] [OVPN 1] OUT: "2022-11-15 15:55:19 test/12.12.12.12:51771 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key"
2022-11-15T10:55:19-0500 [stdout#info] [OVPN 1] OUT: "2022-11-15 15:55:19 test/12.12.12.12:51771 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key"
+ Check the "sacli VPNStatus" command:
Connect to the VPN, then run the "sacli VPNStatus" command to verify that connected VPN users use AES-256-GCM for their VPN connections. Run these commands with "root" user privileges:
sudo su
cd /usr/local/openvpn_as/scripts/
./sacli VPNStatus
Check for lines such as these:
root@openvpn-access-server-Brandon:~# cd /usr/local/openvpn_as/scripts/
root@openvpn-access-server-Brandon:/usr/local/openvpn_as/scripts# ./sacli VPNStatus
"test",
"12.12.12.12:60162",
"172.27.232.6",
"",
"12846",
"5342",
"2022-11-15 16:00:05",
"1668528005",
"test",
"8",
"0",
"AES-256-GCM"
At the very bottom, you can see the cipher used for the VPN connection of the user "test".
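The server-log check above can be automated so that every connected client is reported, not just the ones you grep for. The script below is an added example, not OpenVPN's own tooling: it extracts the data-channel cipher per client from the "Data Channel" messages shown in this article and lists any client that is not on AES-256-GCM (for instance a legacy OpenVPN 2.3 client on AES-256-CBC). The log path is the one from the article; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not OpenVPN's own tooling: extract the negotiated data-channel
# cipher per client from openvpnas.log and list any client not on AES-256-GCM.
# The log path and the "Data Channel" message formats are those shown in the
# article; the lines in sample_log are constructed (the AES-256-CBC line stands
# in for a legacy OpenVPN 2.3 client that cannot negotiate GCM).

EXPECTED_CIPHER="${EXPECTED_CIPHER:-AES-256-GCM}"

# Read log lines on stdin, print one "user/ip:port cipher" pair per client.
# Matches both the "using negotiated cipher" and the "Outgoing Data Channel:
# Cipher ... initialized" messages, then de-duplicates.
negotiated_ciphers() {
  sed -n \
    -e "s/.* \([^ ]*\) Data Channel: using negotiated cipher '\([^']*\)'.*/\1 \2/p" \
    -e "s/.* \([^ ]*\) Outgoing Data Channel: Cipher '\([^']*\)' initialized.*/\1 \2/p" \
  | sort -u
}

# Print only the clients whose cipher differs from EXPECTED_CIPHER.
# Exit status 1 if any such client exists, 0 otherwise.
weak_cipher_clients() {
  negotiated_ciphers | awk -v want="$EXPECTED_CIPHER" \
    '$2 != want { print; bad = 1 } END { exit (bad ? 1 : 0) }'
}

# Convenience wrapper for the live log; needs root, like the grep in the article.
check_log() {
  weak_cipher_clients < "${1:-/var/log/openvpnas.log}"
}

# Constructed sample: one client that negotiated GCM, one that fell back to CBC.
sample_log() {
  cat <<'EOF'
2022-11-15T10:55:19-0500 [stdout#info] [OVPN 1] OUT: "2022-11-15 15:55:19 test/12.12.12.12:51771 Data Channel: using negotiated cipher 'AES-256-GCM'"
2022-11-15T10:55:19-0500 [stdout#info] [OVPN 1] OUT: "2022-11-15 15:55:19 test/12.12.12.12:51771 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key"
2022-11-15T11:02:44-0500 [stdout#info] [OVPN 1] OUT: "2022-11-15 16:02:44 legacy/10.0.0.7:40211 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key"
EOF
}

# Example run: `sample_log | weak_cipher_clients` prints
#   legacy/10.0.0.7:40211 AES-256-CBC
# and exits 1; `check_log` does the same against /var/log/openvpnas.log.
```

Set EXPECTED_CIPHER if you have changed the server's default cipher, and run check_log as root from a cron job or monitoring check to be alerted when a client falls back to a non-GCM cipher.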
For more info about the commands mentioned here, refer to Change encryption cipher in Access Server.
If you have additional questions, please submit a ticket.