diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 71cba6d88..e248b3cbb 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -100,6 +100,8 @@ $cgiparams{'DCIPHER'} = '';
 $cgiparams{'DAUTH'} = '';
 $cgiparams{'TLSAUTH'} = '';
 $cgiparams{'DATACIPHERS'} = '';
+$cgiparams{'CHANNELCIPHERS'} = '';
+$cgiparams{'NCHANNELCIPHERS'} = '';
 $routes_push_file = "${General::swroot}/ovpn/routes_push";
 # Perform crypto and configration test
 &pkiconfigcheck;
@@ -351,6 +353,20 @@ sub writeserverconf {
 		print CONF "data-ciphers $sovpnsettings{'DATACIPHERS'}\n";
 	}
 
+	# Control channel encryption TLSv2 needs own line cause directive name differs
+	if ($sovpnsettings{'CHANNELCIPHERS'} ne '') {
+		# Set seperator for TLSv2 channel ciphers
+		@advcipherchar = ($sovpnsettings{'CHANNELCIPHERS'} =~ s/\|/:/g);
+		print CONF "tls-cipher $sovpnsettings{'CHANNELCIPHERS'}\n";
+	}
+
+	# Control channel encryption >= TLSv3
+	if ($sovpnsettings{'NCHANNELCIPHERS'} ne '') {
+		# Set seperator for TLSv3 channel ciphers
+		@advcipherchar = ($sovpnsettings{'NCHANNELCIPHERS'} =~ s/\|/:/g);
+		print CONF "tls-ciphersuites $sovpnsettings{'NCHANNELCIPHERS'}\n";
+	}
+
 	print CONF "auth $sovpnsettings{'DAUTH'}\n";
     # Set TLSv2 as minimum
     print CONF "tls-version-min 1.2\n";
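Review bot: The separator conversion `@advcipherchar = ($sovpnsettings{'CHANNELCIPHERS'} =~ s/\|/:/g);` rewrites the stored setting in place and keeps only the substitution count in `@advcipherchar`, which the visible lines never read. If `%sovpnsettings` is written back or split on `|` later in writeserverconf (its body continues outside this hunk), it will then hold `:`-separated values. Converting a copy avoids that: `(my $tls_cipher_list = $sovpnsettings{'CHANNELCIPHERS'}) =~ tr/|/:/;` followed by `print CONF "tls-cipher $tls_cipher_list\n";`. The same pattern is used for NCHANNELCIPHERS just below and twice more in the client-config hunk at -2402. The comments would also be clearer as "TLS 1.2" and "TLS 1.3" rather than "TLSv2"/"TLSv3", in line with the `tls-version-min 1.2` directive.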
@@ -951,6 +967,20 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
 		goto ADV_ENC_ERROR;
 	}
 
+	# If no value for --tls-cipher has been set, delete setting
+	if ($cgiparams{'CHANNELCIPHERS'} eq '') {
+		delete $vpnsettings{'CHANNELCIPHERS'};
+	} else {
+		$vpnsettings{'CHANNELCIPHERS'} = $cgiparams{'CHANNELCIPHERS'};
+	}
+
+	# If no value for --tls-ciphersuites has been set, delete setting
+	if ($cgiparams{'NCHANNELCIPHERS'} eq '') {
+		delete $vpnsettings{'NCHANNELCIPHERS'};
+	} else {
+		$vpnsettings{'NCHANNELCIPHERS'} = $cgiparams{'NCHANNELCIPHERS'};
+	}
+
 	&General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
 	&writeserverconf();
 }
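Review bot: `$cgiparams{'CHANNELCIPHERS'}` and `$cgiparams{'NCHANNELCIPHERS'}` are copied into `%vpnsettings` without checking that each `|`-separated entry is one of the suites the form offers. The hunks at -351 and -2402 then interpolate the saved strings into the server config and the generated client.ovpn. A request that does not come from the form could therefore store a value containing a line break, or an unsupported suite name, which would end up as extra or invalid lines in both files. An allowlist check before the store, failing through the existing `goto ADV_ENC_ERROR;` path, closes this. The enclosing `if` starts outside the hunk, so how the earlier checks report their error is not visible here.

```perl
	# Accept only the suite names the form offers (same strings as the <option> values)
	my %valid_tls12_suite = map { $_ => 1 } qw(
		TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
		TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
		TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
		TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
		TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
		TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
		TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
		TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
		TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
	);
	foreach my $suite (split(/\|/, $cgiparams{'CHANNELCIPHERS'})) {
		unless ($valid_tls12_suite{$suite}) {
			# … report the error the same way the checks above this hunk do …
			goto ADV_ENC_ERROR;
		}
	}
	# … same check for NCHANNELCIPHERS against the three TLS_* suite names …
	# … unchanged: delete-or-store of both settings, writehash, writeserverconf …
```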
@@ -2402,6 +2432,23 @@ else
 		print CLIENTCONF "cipher $vpnsettings{'DCIPHER'}\r\n";
 	}
 
+	# Set --tls-cipher TLSv2 in client.ovpn if configured
+	if ($vpnsettings{'CHANNELCIPHERS'} ne '') {
+		# Set seperator for TLSv2 channel ciphers
+		@advcipherchar = ($vpnsettings{'CHANNELCIPHERS'} =~ s/\|/:/g);
+		print CLIENTCONF "tls-cipher $vpnsettings{'CHANNELCIPHERS'}\r\n";
+	}
+
+	# Print new tls-ciphersuites TLSv3 in client.ovpn only if client is >=2.5.0
+	if ($confighash{$cgiparams{'KEY'}}[45] eq 'on') {
+		# Set --tls-ciphersuites TLSv3 if configured
+		if ($vpnsettings{'NCHANNELCIPHERS'} ne '') {
+			# Set seperator for TLSv3 channel ciphers
+			@advcipherchar = ($vpnsettings{'NCHANNELCIPHERS'} =~ s/\|/:/g);
+			print CLIENTCONF "tls-ciphersuites $vpnsettings{'NCHANNELCIPHERS'}\r\n";
+		}
+	}
+
 	print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
 
     if ($vpnsettings{'TLSAUTH'} eq 'on') {
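Review bot: `$confighash{$cgiparams{'KEY'}}[45]` gates the `tls-ciphersuites` line, but this commit assigns only indices 43 and 44, so nothing visible in the diff ever sets index 45 to 'on'. If that field is not populated elsewhere in the file, the directive is never written to a client.ovpn, and a restriction configured on the server would silently not reach the clients. A comment naming the field would make the dependency checkable, for example `# [45]: per-connection "client is OpenVPN 2.5.0 or newer" flag, set in <place where it is written>`. The surrounding `else` block begins and ends outside this hunk.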
@@ -2934,6 +2981,8 @@ END
 	}
 	$confighash{$key}[40] = $cgiparams{'DCIPHER'};
 	$confighash{$key}[42] = $cgiparams{'DATACIPHERS'};
+	$confighash{$key}[43] = $cgiparams{'CHANNELCIPHERS'};
+	$confighash{$key}[44] = $cgiparams{'NCHANNELCIPHERS'};
 
 ADV_ENC_ERROR:
 
@@ -2967,13 +3016,37 @@ ADV_ENC_ERROR:
 	@temp = split('\|', $cgiparams{'DATACIPHERS'});
 	foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; }
 
+	# No default settings for --tls-cipher so OpenVPN makes his own choice
+	$checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384'} = '';
+	$checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256'} = '';
+	$checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'} = '';
+	$checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384'} = '';
+	$checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256'} = '';
+	$checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256'} = '';
+	$checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384'} = '';
+	$checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256'} = '';
+	$checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-AES-128-GCM-SHA256'} = '';
+	@temp = split('\|', $cgiparams{'CHANNELCIPHERS'});
+	foreach my $key (@temp) {$checked{'CHANNELCIPHERS'}{$key} = "selected='selected'"; }
+
+	# No default settings for --tls-ciphersuites so OpenVPN makes his own choice
+	$checked{'NCHANNELCIPHERS'}{'TLS_AES_256_GCM_SHA384'} = '';
+	$checked{'NCHANNELCIPHERS'}{'TLS_CHACHA20_POLY1305_SHA256'} = '';
+	$checked{'NCHANNELCIPHERS'}{'TLS_AES_128_GCM_SHA256'} = '';
+	@temp = split('\|', $cgiparams{'NCHANNELCIPHERS'});
+	foreach my $key (@temp) {$checked{'NCHANNELCIPHERS'}{$key} = "selected='selected'"; }
+
 	# Save settings and display default if not configured
 	if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
 		$confighash{$cgiparams{'KEY'}}[40] = $cgiparams{'DCIPHER'};
 		$confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'DATACIPHERS'};
+		$confighash{$cgiparams{'KEY'}}[43] = $cgiparams{'CHANNELCIPHERS'};
+		$confighash{$cgiparams{'KEY'}}[44] = $cgiparams{'NCHANNELCIPHERS'};
 	} else {
 		$cgiparams{'DCIPHER'} = $vpnsettings{'DCIPHER'};
 		$cgiparams{'DATACIPHERS'} = $vpnsettings{'DATACIPHERS'};
+		$cgiparams{'CHANNELCIPHERS'} = $vpnsettings{'CHANNELCIPHERS'};
+		$cgiparams{'NCHANNELCIPHERS'} = $vpnsettings{'NCHANNELCIPHERS'};
 	}
 
 ADV_ENC_ERROR:
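Review bot: The `selected='selected'` markers are derived from `$cgiparams{'CHANNELCIPHERS'}` and `$cgiparams{'NCHANNELCIPHERS'}` in the two `split`/`foreach` pairs before the `else` branch further down loads those values from `%vpnsettings`. Unless `%cgiparams` is already filled from the saved settings outside this hunk, opening the page without saving would show no suite selected even though some are configured. The DATACIPHERS context lines follow the same order, so this may be existing behaviour worth confirming. Moving both `split`/`foreach` pairs below the `if`/`else` block would make the order independent of that. After the save handler deletes an empty setting, `$vpnsettings{'CHANNELCIPHERS'}` is undefined, so `$cgiparams{'CHANNELCIPHERS'} = $vpnsettings{'CHANNELCIPHERS'} // '';` keeps the later string comparisons free of warnings if the file's minimum Perl allows `//`.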
@@ -3040,8 +3113,41 @@ ADV_ENC_ERROR:
 				</td>
 			</tr>
 
+			<tr>
+				<th width="15%"></th>
+				<th>$Lang::tr{'ovpn control channel v3'}</th>
+				<th>$Lang::tr{'ovpn control channel v2'}</th>
+			</tr>
+
+			<tr>
+				<td class='boldbase' width="27%">$Lang::tr{'ovpn channel encryption'}</td>
+				<td class='boldbase'>
+					<select name='NCHANNELCIPHERS' multiple='multiple' size='6' style='width: 100%'>
+						<option value='TLS_AES_256_GCM_SHA384' $checked{'NCHANNELCIPHERS'}{'TLS_AES_256_GCM_SHA384'}>256 $Lang::tr{'bit'} TLS-AES-GCM SHA384</option>
+						<option value='TLS_CHACHA20_POLY1305_SHA256' $checked{'NCHANNELCIPHERS'}{'TLS_CHACHA20_POLY1305_SHA256'}>256 $Lang::tr{'bit'} CHACHA20-POLY1305 SHA256</option>
+						<option value='TLS_AES_128_GCM_SHA256' $checked{'NCHANNELCIPHERS'}{'TLS_AES_128_GCM_SHA256'}>128 $Lang::tr{'bit'} TLS-AES-GCM SHA256</option>
+					</select>
+				</td>
+
+				<td class='boldbase'>
+					<select name='CHANNELCIPHERS' multiple='multiple' size='6' style='width: 100%' style="margin-right:-17px" size="11">
+						<option value='TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384'}>TLS-ECDHE-ECDSA 256 $Lang::tr{'bit'} AES-GCM SHA384</option>
+						<option value='TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256'}>TLS-ECDHE-ECDSA 256 $Lang::tr{'bit'} CHACHA20-POLY1305 SHA256</option>
+						<option value='TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'}>TLS-ECDHE-ECDSA 128 $Lang::tr{'bit'} TLS-AES-GCM SHA256</option>
+						<option value='TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384'}>TLS-ECDHE-RSA 256 $Lang::tr{'bit'} TLS-AES-GCM SHA384</option>
+						<option value='TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256'}>TLS-ECDHE-RSA 256 $Lang::tr{'bit'} CHACHA20_POLY1305 SHA256</option>
+						<option value='TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256'}>TLS-ECDHE-RSA 128 $Lang::tr{'bit'} TLS-AES-GCM SHA256</option>
+						<option value='TLS-DHE-RSA-WITH-AES-256-GCM-SHA384' $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384'}>TLS-DHE-RSA 256 $Lang::tr{'bit'} TLS-AES-GCM SHA384</option>
+						<option value='TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256'}>TLS-DHE-RSA 256 $Lang::tr{'bit'} CHACHA20-POLY1305 SHA256</option>
+						<option value='TLS-DHE-RSA-WITH-AES-128-GCM-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-AES-128-GCM-SHA256'}>TLS-DHE-RSA 128 $Lang::tr{'bit'} TLS-AES-GCM SHA256</option>
+					</select>
+				</td>
+			</tr>
 		</tbody>
 	</table>
+
+	<br><br>
+
 	<hr>
 END
 ;
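Review bot: The `<select name='CHANNELCIPHERS' …>` tag carries `size` and `style` twice (`size='6' style='width: 100%' style="margin-right:-17px" size="11"`). HTML parsers keep the first occurrence of a duplicated attribute, so `size="11"` and the margin are ignored. Merging them states the intent: `<select name='CHANNELCIPHERS' multiple='multiple' size='11' style='width: 100%; margin-right: -17px'>`, or drop the second pair if 6 rows were meant. The option labels are also inconsistent: `CHACHA20_POLY1305` in the ECDHE-RSA entry against `CHACHA20-POLY1305` elsewhere, and `AES-GCM` in the first entry against `TLS-AES-GCM` in the others. The first column is given as `width="15%"` in the header row but `width="27%"` in the row below it.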
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index ae05d5e55..cadf4b141 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1908,6 +1908,9 @@
 'ovpn config' => 'OVPN-Konfiguration',
 'ovpn connection name' => 'Verbindungs-Name',
 'ovpn crypt options' => 'Kryptografieoptionen',
+'ovpn channel encryption' => 'Kontroll-Kanal Verschlüsselung',
+'ovpn control channel v2' => 'Kontroll-Kanal TLSv2',
+'ovpn control channel v3' => 'Kontroll-Kanal TLSv3',
 'ovpn data encryption' => 'Daten-Kanal Verschlüsselung',
 'ovpn data channel' => 'Daten-Kanal',
 'ovpn data channel fallback' => 'Daten-Kanal Fallback',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 321503d67..4b667f881 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1940,6 +1940,9 @@
 'ovpn config' => 'OVPN-Config',
 'ovpn connection name' => 'Connection Name',
 'ovpn crypt options' => 'Cryptographic options',
+'ovpn channel encryption' => 'Control-Channel encryption',
+'ovpn control channel v2' => 'Control-Channel TLSv2',
+'ovpn control channel v3' => 'Control-Channel TLSv3',
 'ovpn data encryption' => 'Data-Channel encryption',
 'ovpn data channel' => 'Data-Channel',
 'ovpn data channel fallback' => 'Data-Channel fallback',
diff --git a/langs/es/cgi-bin/es.pl b/langs/es/cgi-bin/es.pl
index 752093552..65505706c 100644
--- a/langs/es/cgi-bin/es.pl
+++ b/langs/es/cgi-bin/es.pl
@@ -1333,6 +1333,9 @@
 'ovpn' => 'OpenVPN',
 'ovpn con stat' => 'Estadisticas de conexión OpenVPN',
 'ovpn config' => 'Configruación de OVPN',
+'ovpn channel encryption' => 'Encriptación Canal-Control',
+'ovpn control channel v2' => 'Canal-Control TLSv2',
+'ovpn control channel v3' => 'Canal-Control TLSv3',
 'ovpn data encryption' => 'Encriptación Data-Channel',
 'ovpn data channel' => 'Canal-Datos',
 'ovpn data channel fallback' => 'Retroceso Canal-Datos',
diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl
index f931bc70e..cda133e5d 100644
--- a/langs/fr/cgi-bin/fr.pl
+++ b/langs/fr/cgi-bin/fr.pl
@@ -1941,6 +1941,9 @@
 'ovpn config' => 'Config OVPN',
 'ovpn connection name' => 'Nom de la connexion ',
 'ovpn crypt options' => 'Options cryptographiques',
+'ovpn channel encryption' => 'Chiffrage du canal de contrôle',
+'ovpn control channel v2' => 'Canal de contrôle TLSv2',
+'ovpn control channel v3' => 'Canal de contrôle TLSv3',
 'ovpn data encryption' => 'Chiffrage du canal de données',
 'ovpn data channel' => 'Canal de données',
 'ovpn data channel fallback' => 'Canal de données de repli',
diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl
index 3779de3f6..22ce7cd4d 100644
--- a/langs/it/cgi-bin/it.pl
+++ b/langs/it/cgi-bin/it.pl
@@ -1701,6 +1701,9 @@
 'ovpn con stat' => 'OpenVPN Connection Statistics',
 'ovpn config' => 'OVPN-Config',
 'ovpn crypt options' => 'Cryptographic options',
+'ovpn channel encryption' => 'Crittografia del canale di controllo',
+'ovpn control channel v2' => 'Canale di controllo TLSv2',
+'ovpn control channel v3' => 'Canale di controllo TLSv3',
 'ovpn device' => 'OpenVPN device:',
 'ovpn dh' => 'Diffie-Hellman parameters length',
 'ovpn dh new key' => 'Generate new Diffie-Hellman parameters',
diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl
index dc9ea350f..15482b7c7 100644
--- a/langs/nl/cgi-bin/nl.pl
+++ b/langs/nl/cgi-bin/nl.pl
@@ -1660,6 +1660,9 @@
 'ovpn' => 'OpenVPN',
 'ovpn con stat' => 'OpenVPN connectiestatistieken',
 'ovpn config' => 'OVPN-Configuratie',
+'ovpn channel encryption' => 'Control-kanaal versleuteling',
+'ovpn control channel v2' => 'Controle-Kanaal TLSv2',
+'ovpn control channel v3' => 'Controle-Kanaal TLSv3',
 'ovpn data encryption' => 'Datakanaalversleuteling',
 'ovpn data channel' => 'Data-kanaal',
 'ovpn data channel fallback' => 'Data-Kanaal terugval',
diff --git a/langs/pl/cgi-bin/pl.pl b/langs/pl/cgi-bin/pl.pl
index 96e9a95ae..a5bde2044 100644
--- a/langs/pl/cgi-bin/pl.pl
+++ b/langs/pl/cgi-bin/pl.pl
@@ -1345,6 +1345,9 @@
 'ovpn' => 'OpenVPN',
 'ovpn con stat' => 'Statystyki połączeń OpenVPN',
 'ovpn config' => 'OVPN-Konfig',
+'ovpn channel encryption' => 'Szyfrowanie Control-Channel',
+'ovpn control channel v2' => 'Kanał-Kontrolny TLSv2',
+'ovpn control channel v3' => 'Kanał-Kontrolny TLSv3',
 'ovpn data encryption' => 'Szyfrowanie Kanału-Danych',
 'ovpn data channel' => 'Kanał-Danych',
 'ovpn data channel fallback' => 'Awaria Kanału-Danych',
diff --git a/langs/ru/cgi-bin/ru.pl b/langs/ru/cgi-bin/ru.pl
index 5ba44ce29..17666de80 100644
--- a/langs/ru/cgi-bin/ru.pl
+++ b/langs/ru/cgi-bin/ru.pl
@@ -1336,6 +1336,9 @@
 'ovpn' => 'OpenVPN',
 'ovpn con stat' => 'Статистика подключений OpenVPN',
 'ovpn config' => 'Настройки OVPN',
+'ovpn channel encryption' => 'Шифрование каналов управления',
+'ovpn control channel v2' => 'Канал-управления TLSv2',
+'ovpn control channel v3' => 'Канал-управления TLSv3',
 'ovpn data encryption' => 'шифрование-каналов данных',
 'ovpn data channel' => 'Информационный-канал',
 'ovpn data channel fallback' => 'Информационный-канал отступление',
diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl
index b459401c9..7df486bc8 100644
--- a/langs/tr/cgi-bin/tr.pl
+++ b/langs/tr/cgi-bin/tr.pl
@@ -1843,6 +1843,9 @@
 'ovpn con stat' => 'OpenVPN Bağlantı İstatistiği',
 'ovpn config' => 'OVPN-Yapılandırması',
 'ovpn crypt options' => 'Şifreleme seçenekleri',
+'ovpn channel encryption' => 'Kontrol-Kanalı şifreleme',
+'ovpn control channel v2' => 'Kontrol-Kanalı TLSv2',
+'ovpn control channel v3' => 'Kontrol-Kanalı TLSv3',
 'ovpn data channel' => 'Veri-Kanalı',
 'ovpn data channel fallback' => 'Veri-Kanalı geri dönüşü',
 'ovpn data encryption' => 'Veri-Kanalı şifreleme',
