summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorChristian Breunig <christian@vyos.io>2026-01-15 16:38:58 +0100
committerGitHub <noreply@github.com>2026-01-15 16:38:58 +0100
commitb20960a9e6b7b353dfbe1c9ace705480c561135e (patch)
treecb3dcd40676356068c4a70d2d87bc5cf3b9d4d1f /docs
parentca89e430d6fd58bf79b9508ace154b0d7e442532 (diff)
parentce8bbaca5271c5ad3629244055b5b2f5b96b0c42 (diff)
downloadvyos-documentation-b20960a9e6b7b353dfbe1c9ace705480c561135e.tar.gz
vyos-documentation-b20960a9e6b7b353dfbe1c9ace705480c561135e.zip
openvpn: T7633: Add support for 'data-ciphers-fallback' in site-to-site tunnels (#1731)
Diffstat (limited to 'docs')
-rw-r--r--docs/configuration/interfaces/openvpn.rst34
1 files changed, 30 insertions, 4 deletions
diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst
index a13ebad1..e2d16caf 100644
--- a/docs/configuration/interfaces/openvpn.rst
+++ b/docs/configuration/interfaces/openvpn.rst
@@ -57,10 +57,36 @@ Configuration
Administratively disable interface
-.. cfgcmd:: set interfaces openvpn <interface> encryption <cipher | data-ciphers> < 3des | aes128 | aes128gcm | none | ...>
-
- * ``cipher`` - Standard Data Encryption Algorithm
- * ``data-ciphers`` - Cipher negotiation list for use in server or client mode
+.. cfgcmd:: set interfaces openvpn <interface> encryption cipher < 3des | aes128 | aes128gcm | aes192 | aes192gcm | aes256 | aes256gcm | none >
+
+ Configure a single static encryption cipher for OpenVPN tunnels.
+
+ The ``cipher`` option directly maps to OpenVPN's ``--cipher`` directive and specifies
+ one symmetric encryption algorithm used for both control and data channels.
+ Historically, this was the default encryption method in all OpenVPN modes.
+ As of newer OpenVPN versions, this directive is considered **legacy** and
+ may only be used in compatibility scenarios.
+
+.. cfgcmd:: set interfaces openvpn <interface> encryption data-ciphers < 3des | aes128 | aes128gcm | aes192 | aes192gcm | aes256 | aes256gcm | none >
+
+ Configure a prioritized list of negotiated ciphers for use
+ with OpenVPN in *client* or *server* mode.
+
+ The ``data-ciphers`` option represents a list of supported encryption algorithms.
+ It corresponds to OpenVPN's ``--data-ciphers`` directive and enables **cipher negotiation**,
+ where both peers automatically agree on a mutually supported cipher during session startup.
+
+ .. note:: This option is not compatible with ``site-to-site`` mode.
+
+.. cfgcmd:: set interfaces openvpn <interface> encryption data-ciphers-fallback < 3des | aes128 | aes128gcm | aes192 | aes192gcm | aes256 | aes256gcm | none >
+
+ Define the fallback cipher for OpenVPN *site-to-site* tunnels.
+
+ The ``data-ciphers-fallback`` directive maps to OpenVPN's ``--data-ciphers-fallback`` option.
+ It specifies a single cipher to use when cipher negotiation is **not supported**.
+
+ .. note:: This option ensures consistent encryption setup between two static peers
+ that lack cipher negotiation capability.
.. cfgcmd:: set interfaces openvpn <interface> hash <md5 | sha1 | sha256 | ...>