diff --git a/openvpn/files/common_opts.jinja b/openvpn/files/common_opts.jinja
index 0f8adf6..cab06c3 100644
--- a/openvpn/files/common_opts.jinja
+++ b/openvpn/files/common_opts.jinja
@@ -205,6 +205,14 @@ cipher "{{ cipher }}"
 {%- endfor %}
 {%- endif %}
+{%- if config.data_ciphers is defined %}
+data-ciphers "{{ config.data_ciphers }}"
+{%- endif %}
+
+{%- if config.data_ciphers_fallback is defined %}
+data-ciphers-fallback "{{ config.data_ciphers_fallback }}"
+{%- endif %}
+
 {%- if config.tls_cipher is defined %}
 tls-cipher {{ config.tls_cipher }}
 {%- endif %}
diff --git a/pillar.example b/pillar.example
index ae941df..76d09bc 100644
--- a/pillar.example
+++ b/pillar.example
@@ -139,6 +139,9 @@ openvpn:
 # see https://bettercrypto.org/static/applied-crypto-hardening.pdf
 ciphers:
 - AES-256-CBC
+# for version 2.5+ - https://community.openvpn.net/openvpn/wiki/CipherNegotiation
+data_ciphers: "AES-256-GCM:AES-128-GCM"
+data_ciphers_fallback: "AES-256-CBC"
 auths:
 - SHA384 # yamllint disable-line rule:line-length
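Review bot: The new `data-ciphers` and `data-ciphers-fallback` blocks are rendered whenever the pillar key is defined, with no version guard in the template, while the only statement that both options need OpenVPN 2.5+ is the comment added in pillar.example; a daemon older than that rejects the whole config on the unknown option, so the caveat belongs next to the code, e.g. `{# data-ciphers / data-ciphers-fallback are OpenVPN 2.5+ options; older daemons refuse to start on them #}` above the first `{%- if config.data_ciphers is defined %}`. Separately, `ciphers` is a list rendered by the loop just above the hunk, whereas `data_ciphers` is passed through as a pre-joined colon string, so the two keys now follow different schemas; rendering `data-ciphers "{{ config.data_ciphers | join(':') if config.data_ciphers is not string else config.data_ciphers }}"` would accept either form and keep the pillar consistent (the pillar.example hunk documents only the string form). A minor style point: the new lines quote their value while the neighbouring `tls-cipher {{ config.tls_cipher }}` does not; pick one convention for this template. The enclosing `{%- if %}` chain around the `cipher` loop starts before the hunk.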