Inconsistent 'tls-ciphers' for 'TLSv1.3' across different servers


Post by AnonAsPossible » Thu Mar 11, 2021 8:21 am

Hi Df;
I've noticed inconsistent 'tls-ciphers' for 'TLSv1.3' across different servers. All my ed25519 ovpn.conf files are exactly the same, except of course the IP addy.

On these servers: US-Maine, US-Washington, Finland, Germany-Frankfurt, Ireland, Montreal, Serbia, Spain-Barcelona, Switzerland, Vancouver, the log shows: 'Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256'

On these servers: Austria, Czech, Iceland, Ireland, Rome, Bulgaria, Latvia, Moldova, Norway, Hungary, Slovakia, Spain-Madrid, UK-London, Manchester, the log shows: 'Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384'

Does it matter if the 'tls-ciphers' are different?

Is one preferable over the other?

If 'TLS_CHACHA20_POLY1305_SHA256' is better, how do I force the server to use this?


Site Admin

Re: Inconsistent 'tls-ciphers' for 'TLSv1.3' across different servers

Post by df » Fri Apr 30, 2021 5:05 am

I thought I responded to this already, oops. When I added "--tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384" for TLSv1.3 to the server-side openvpn configs, I screwed up and missed a few of them. They're all fixed now, and they should have been restarted a while back to apply the changes. I restarted them a while back when adding "--data-ciphers CHACHA20-POLY1305:AES-256-GCM" so people can choose "--cipher CHACHA20-POLY1305" client-side (if they're running OpenVPN 2.5.x). That's the part that handles encrypting the actual traffic, the --tls-ciphersuites part just handles the encryption for the initial handshake.
Comments were also reintroduced to the configs, so you can read all about these changes in any of the configs on or
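An added example, not part of the thread or of cryptostorm's own tooling: a small audit that reads one OpenVPN client log per server, extracts the negotiated control-channel suite and data-channel cipher, and lists servers that did not land on the first suite in the preference list quoted above. The server names and log lines are constructed samples, and the data-channel line format is an assumption modelled on typical OpenVPN client output.

```python
import re
from collections import defaultdict

# Server-side TLSv1.3 preference order quoted in df's reply.
PREFERRED = "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384".split(":")

# Control-channel line as quoted in the first post.
CONTROL_RE = re.compile(
    r"Control Channel: (?P<proto>TLSv[\d.]+), cipher \S+ (?P<suite>[A-Za-z0-9_-]+)")
# Assumed format of the data-channel line in an OpenVPN client log.
DATA_RE = re.compile(r"Data Channel: Cipher '(?P<cipher>[^']+)'")

def negotiated(log_text):
    """Return (tls_version, control_suite, data_cipher), last occurrence of each."""
    proto = suite = data = None
    for line in log_text.splitlines():
        m = CONTROL_RE.search(line)
        if m:
            proto, suite = m["proto"], m["suite"]
        m = DATA_RE.search(line)
        if m:
            data = m["cipher"]
    return proto, suite, data

def audit(logs):
    """Group servers by control-channel suite and list those off the preferred one."""
    by_suite, mismatched = defaultdict(list), []
    for server, text in sorted(logs.items()):
        proto, suite, data = negotiated(text)
        by_suite[suite].append(server)
        # A missing handshake line (suite is None) is flagged as well.
        if proto != "TLSv1.3" or suite != PREFERRED[0]:
            mismatched.append((server, proto, suite, data))
    return dict(by_suite), mismatched

# Constructed sample logs; server names are placeholders.
SAMPLE_LOGS = {
    "server-a": "Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 253 bit ED25519\n"
                "Outgoing Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key",
    "server-b": "Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 253 bit ED25519\n"
                "Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key",
    "server-c": "TLS Error: TLS handshake failed",  # no handshake completed
}

if __name__ == "__main__":
    groups, off_preference = audit(SAMPLE_LOGS)
    for suite, servers in groups.items():
        print(suite, "->", ", ".join(servers))
    for row in off_preference:
        print("not on preferred suite:", row)
```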
