Is VPN cipher set by VPN provider or user configuration?

Hi there,

I’m trying to use 128bit rather than 256bit VPN but my VPN provider haven’t been to helpful.

Can I customise the cipher on OpenWRT or by amending the profiles I have or does it have to be done by the provider?


You cannot amend the cipher in the User Interface because it ithe VPN part is “closed-shop”. In my opinion, it would be better if the firmware were written so that this modification (and any other VPN mod) could be made in Luci.

One way of doing it is to edit your ovpn file before uploading (assuming your provider supports it). It can also probably be done by editing the config file directly using something like WinSCP.


Yes, Luci modification would be good.

Thanks for the help @Glitch. I’m familiar with WinSCP, do you know what modification I would make to the file to make it 128-bit cipher?


I’ve pasted contents from my Ovpn file below.


dev tun

proto udp

remote 1194 # - Your server IP and OpenVPN Port

resolv-retry infinite


tun-mtu 1500

tun-mtu-extra 32

mssfix 1450





verb 3



Normally there is something like this in it:

cipher AES-256-CBC


However, in your case looks like your provider only offers one encryption standard, 256 bit

It is possible to request a cipher but the server must be configured to allow this and the server can override your choice (which would show in the status message)

–cipher alg
Encrypt data channel packets with cipher algorithm alg. When cipher negotiation (NCP) is allowed, OpenVPN 2.4 and newer on both client and server side will automatically upgrade to AES-256-GCM

The following data is always pushed to the server:
IV_NCP=2 – negotiable ciphers, client supports --cipher pushed by the server

In order to change the cipher in OpenVPN Access Server you will need to add the following line to both the client and server config directives via the Advanced VPN page:

cipher ciphername

How to correctly secure your OpenVPN connection

@wifird It needs both of client and server config the same chiper. How To Change. One line like cipher AES-256-CBC.