I use ocserv on CentOS as an OpenConnect VPN server, and I use a config file to set up the server.
I need to force clients to use a specific cipher like AES-256-GCM,
because it seems that the VPN gets blocked on some 4G networks by a strange firewall, and I need to bypass that firewall.
I use /etc/ocserv/ocserv.conf, but it seems there isn't any setting for such things:

```
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
tcp-port = 443
udp-port = 443
switch-to-tcp-timeout = 25
try-mtu-discovery = true
compression = true
# GnuTLS priority string: governs what the server accepts and, with
# %SERVER_PRECEDENCE, which of the client's offered suites it selects
tls-priorities = "NORMAL:%SERVER_PRECEDENCE"
rekey-method = ssl
tunnel-all-dns = true
mtu = 1492
cisco-client-compat = true
dtls-psk = true
dtls-legacy = true
```
Farhad Sakhaei

1 Answer

You can't change the client's cipher suites unless you rewrite the client app. I'm dealing with the same issue here: the government blocks TLS connections based on the cipher suites that AnyConnect or OpenConnect offers to the server.

One way is to proxy your TLS session and use allowed ciphers (like the ones Chrome or Firefox use) to negotiate with ocserv. You probably need to develop this yourself; uTLS in Go would be a good start to investigate.

SINA GH
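To make the answer's point concrete for the question's config: the cipher suites a firewall can fingerprint are the ones listed in the client's ClientHello, which is the first message on the wire, sent before the server has said anything. A server-side `tls-priorities` string only decides which of those offered suites ocserv accepts (with `%SERVER_PRECEDENCE`, the first one in the server's own order); it cannot add a suite to, or remove one from, what the client announces. The script below is an added example, not code from the question, the answer or the ocserv project: it parses the cipher-suite list out of a raw ClientHello record and simulates the server's choice. The ClientHello bytes are constructed inline (not a capture), the offered list merely stands in for whatever a real client sends, and `SUITE_NAMES`, `build_client_hello`, `parse_client_hello_suites`, `server_select` and `SERVER_ONLY_AES256` are names of my own.

```python
"""Parse the offered cipher suites out of a TLS ClientHello and simulate the
server's pick.  Added example; the sample ClientHello is constructed inline."""
import struct

# A handful of IANA cipher-suite code points, with their standard names.
SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}


def build_client_hello(suites, version=0x0303):
    """Build a minimal TLS 1.2 ClientHello record (no extensions) offering `suites`.
    Used only to construct sample input; a real client decides this list itself."""
    body = struct.pack(">H", version)
    body += b"\x11" * 32                                  # client random (constant in this sample)
    body += b"\x00"                                       # empty session_id
    body += struct.pack(">H", 2 * len(suites))
    body += b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                   # one compression method: null
    body += b"\x00\x00"                                   # empty extensions block
    # Handshake header: type 1 (client_hello) + 3-byte length.
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body
    # Record header: type 22 (handshake) + version + 2-byte length.
    return b"\x16" + struct.pack(">H", version) + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello_suites(record):
    """Return the cipher-suite code points offered in a ClientHello record, in
    the client's order.  Raises ValueError for anything that is not a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                          # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                                    # skip session_id
    suites_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    if suites_len % 2 or pos + suites_len > len(body):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]


def server_select(offered, server_priority):
    """Simulate a server configured with %SERVER_PRECEDENCE: take the first suite
    in the server's own preference order that the client also offered.  Returns
    None when there is no overlap, i.e. the handshake would fail; the server can
    never pick something the client did not announce."""
    offered_set = set(offered)
    for suite in server_priority:
        if suite in offered_set:
            return suite
    return None


# Constructed sample: a client that offers no AES-256-GCM suites at all.
CLIENT_OFFER = [0xC02F, 0x009C, 0x002F, 0x000A]
SAMPLE_HELLO = build_client_hello(CLIENT_OFFER)
# Hypothetical rendering of a tls-priorities string restricted to AES-256-GCM.
SERVER_ONLY_AES256 = [0xC030, 0xC02C, 0x1302]

if __name__ == "__main__":
    offered = parse_client_hello_suites(SAMPLE_HELLO)
    print("client offers:", [SUITE_NAMES.get(s, hex(s)) for s in offered])
    chosen = server_select(offered, SERVER_ONLY_AES256)
    print("server picks:", SUITE_NAMES[chosen] if chosen else "nothing: handshake fails")
```

Run it as is and the AES-256-only server finds no common suite: restricting `tls-priorities` on the server changes what a blocked client gets back (a handshake failure), not what it sends. That is why the answer points at rewriting or proxying the client side, where the ClientHello is actually produced.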