openvpn: revise sample configuration
Update the openvpn sample configurations to use modern options in place of deprecated ones, suggest saner default settings and add some warnings.
* Add tls_crypt and ncp_disable to the sample configuration
* Replace nsCertType with remote_cert_tls in the client sample configuration
* Comment out "option compress"; compression should not be the default
* Advise 2048-bit Diffie-Hellman parameters by default
* Add warnings about compression and the use of Blowfish (BF-CBC)
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
		 Magnus Kroken
					committed by
					
						 Daniel Golle
						parent
						
							9565c5726a
						
					
				
				
					commit
					48a9d99a21
				
			| @@ -77,10 +77,10 @@ config openvpn sample_server | |||||||
|  |  | ||||||
| 	# Diffie hellman parameters. | 	# Diffie hellman parameters. | ||||||
| 	# Generate your own with: | 	# Generate your own with: | ||||||
| 	#   openssl dhparam -out dh1024.pem 1024 | 	#   openssl dhparam -out dh2048.pem 2048 | ||||||
| 	# Substitute 2048 for 1024 if you are using | 	# Substitute 2048 for 1024 if you are using | ||||||
| 	# 2048 bit keys. | 	# 1024 bit keys. | ||||||
| 	option dh /etc/openvpn/dh1024.pem | 	option dh /etc/openvpn/dh2048.pem | ||||||
|  |  | ||||||
| 	# Configure server mode and supply a VPN subnet | 	# Configure server mode and supply a VPN subnet | ||||||
| 	# for OpenVPN to draw client addresses from. | 	# for OpenVPN to draw client addresses from. | ||||||
| @@ -228,10 +228,52 @@ config openvpn sample_server | |||||||
| 	# This file is secret: | 	# This file is secret: | ||||||
| #	option tls_auth "/etc/openvpn/ta.key 0" | #	option tls_auth "/etc/openvpn/ta.key 0" | ||||||
|  |  | ||||||
|  | 	# For additional privacy, a shared secret key | ||||||
|  | 	# can be used for both authentication (as in tls_auth) | ||||||
|  | 	# and encryption of the TLS control channel. | ||||||
|  | 	# | ||||||
|  | 	# Generate a shared secret with: | ||||||
|  | 	# openvpn --genkey --secret ta.key | ||||||
|  | 	# | ||||||
|  | 	# The server and each client must have | ||||||
|  | 	# a copy of this key. | ||||||
|  | 	# | ||||||
|  | 	# tls_auth and tls_crypt should NOT | ||||||
|  | 	# be combined, as tls_crypt implies tls_auth. | ||||||
|  | 	# Use EITHER tls_crypt, tls_auth, or neither option. | ||||||
|  | #	option tls_crypt "/etc/openvpn/ta.key" | ||||||
|  |  | ||||||
|  | 	# Set the minimum required TLS protocol version | ||||||
|  | 	# for all connections. | ||||||
|  | 	# | ||||||
|  | 	# Require at least TLS 1.1 | ||||||
|  | #	option tls_version_min "1.1" | ||||||
|  | 	# Require at least TLS 1.2 | ||||||
|  | #	option tls_version_min "1.2" | ||||||
|  | 	# Require TLS 1.2, or the highest version supported | ||||||
|  | 	# on the system | ||||||
|  | #	option tls_version_min "1.2 'or-highest'" | ||||||
|  |  | ||||||
|  | 	# OpenVPN versions 2.4 and later will attempt to | ||||||
|  | 	# automatically negotiate the most secure cipher | ||||||
|  | 	# between the client and server, regardless of a | ||||||
|  | 	# configured "option cipher" (see below). | ||||||
|  | 	# Automatic negotiation is recommended. | ||||||
|  | 	# | ||||||
|  | 	# Uncomment this option to disable this behavior, | ||||||
|  | 	# and force all OpenVPN peers to use the configured | ||||||
|  | 	# cipher option instead (not recommended). | ||||||
|  | #	option ncp_disable | ||||||
|  |  | ||||||
| 	# Select a cryptographic cipher. | 	# Select a cryptographic cipher. | ||||||
| 	# This config item must be copied to | 	# This config item must be copied to | ||||||
| 	# the client config file as well. | 	# the client config file as well. | ||||||
| 	# Blowfish (default): | 	# | ||||||
|  | 	# To see all supported ciphers, run: | ||||||
|  | 	# openvpn --show-ciphers | ||||||
|  | 	# | ||||||
|  | 	# Blowfish (default for backwards compatibility, | ||||||
|  | 	# but not recommended due to weaknesses): | ||||||
| #	option cipher BF-CBC | #	option cipher BF-CBC | ||||||
| 	# AES: | 	# AES: | ||||||
| #	option cipher AES-128-CBC | #	option cipher AES-128-CBC | ||||||
| @@ -241,11 +283,16 @@ config openvpn sample_server | |||||||
| 	# Enable compression on the VPN link. | 	# Enable compression on the VPN link. | ||||||
| 	# If you enable it here, you must also | 	# If you enable it here, you must also | ||||||
| 	# enable it in the client config file. | 	# enable it in the client config file. | ||||||
|  | 	# | ||||||
|  | 	# Compression is not recommended, as compression and | ||||||
|  | 	# encryption in combination can weaken the security | ||||||
|  | 	# of the connection. | ||||||
|  | 	# | ||||||
| 	# LZ4 requires OpenVPN 2.4+ client and server | 	# LZ4 requires OpenVPN 2.4+ client and server | ||||||
| #	option compress lz4 | #	option compress lz4 | ||||||
| 	# LZO is compatible with most OpenVPN versions | 	# LZO is compatible with most OpenVPN versions | ||||||
| 	# (set "compress lzo" on 2.4+ clients, and "comp-lzo yes" on older clients) | 	# (set "compress lzo" on 2.4+ clients, and "comp-lzo yes" on older clients) | ||||||
| 	option compress lzo | #	option compress lzo | ||||||
|  |  | ||||||
| 	# The maximum number of concurrently connected | 	# The maximum number of concurrently connected | ||||||
| 	# clients we want to allow. | 	# clients we want to allow. | ||||||
| @@ -371,7 +418,7 @@ config openvpn sample_client | |||||||
| 	option key /etc/openvpn/client.key | 	option key /etc/openvpn/client.key | ||||||
|  |  | ||||||
| 	# Verify server certificate by checking | 	# Verify server certificate by checking | ||||||
| 	# that the certicate has the nsCertType | 	# that the certicate has the key usage | ||||||
| 	# field set to "server".  This is an | 	# field set to "server".  This is an | ||||||
| 	# important precaution to protect against | 	# important precaution to protect against | ||||||
| 	# a potential attack discussed here: | 	# a potential attack discussed here: | ||||||
| @@ -381,12 +428,27 @@ config openvpn sample_client | |||||||
| 	# your server certificates with the nsCertType | 	# your server certificates with the nsCertType | ||||||
| 	# field set to "server".  The build_key_server | 	# field set to "server".  The build_key_server | ||||||
| 	# script in the easy_rsa folder will do this. | 	# script in the easy_rsa folder will do this. | ||||||
| #	option ns_cert_type server | #	option remote_cert_tls server | ||||||
|  |  | ||||||
| 	# If a tls_auth key is used on the server | 	# If a tls_auth key is used on the server | ||||||
| 	# then every client must also have the key. | 	# then every client must also have the key. | ||||||
| #	option tls_auth "/etc/openvpn/ta.key 1" | #	option tls_auth "/etc/openvpn/ta.key 1" | ||||||
|  |  | ||||||
|  | 	# If a tls_crypt key is used on the server | ||||||
|  | 	# every client must also have the key. | ||||||
|  | #	option tls_crypt "/etc/openvpn/ta.key" | ||||||
|  |  | ||||||
|  | 	# Set the minimum required TLS protocol version | ||||||
|  | 	# for all connections. | ||||||
|  | 	# | ||||||
|  | 	# Require at least TLS 1.1 | ||||||
|  | #	option tls_version_min "1.1" | ||||||
|  | 	# Require at least TLS 1.2 | ||||||
|  | #	option tls_version_min "1.2" | ||||||
|  | 	# Require TLS 1.2, or the highest version supported | ||||||
|  | 	# on the system | ||||||
|  | #	option tls_version_min "1.2 'or-highest'" | ||||||
|  |  | ||||||
| 	# Select a cryptographic cipher. | 	# Select a cryptographic cipher. | ||||||
| 	# If the cipher option is used on the server | 	# If the cipher option is used on the server | ||||||
| 	# then you must also specify it here. | 	# then you must also specify it here. | ||||||
| @@ -395,10 +457,15 @@ config openvpn sample_client | |||||||
| 	# Enable compression on the VPN link. | 	# Enable compression on the VPN link. | ||||||
| 	# Don't enable this unless it is also | 	# Don't enable this unless it is also | ||||||
| 	# enabled in the server config file. | 	# enabled in the server config file. | ||||||
|  | 	# | ||||||
|  | 	# Compression is not recommended, as compression and | ||||||
|  | 	# encryption in combination can weaken the security | ||||||
|  | 	# of the connection. | ||||||
|  | 	# | ||||||
| 	# LZ4 requires OpenVPN 2.4+ on server and client | 	# LZ4 requires OpenVPN 2.4+ on server and client | ||||||
| #	option compress lz4 | #	option compress lz4 | ||||||
| 	# LZO is compatible with most OpenVPN versions | 	# LZO is compatible with most OpenVPN versions | ||||||
| 	option compress lzo | #	option compress lzo | ||||||
|  |  | ||||||
| 	# Set log file verbosity. | 	# Set log file verbosity. | ||||||
| 	option verb 3 | 	option verb 3 | ||||||
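Review bot: The Diffie-Hellman comment in the first hunk is now self-contradictory: the old text read "Substitute 2048 for 1024 if you are using 2048 bit keys", but the new side keeps the first line unchanged and only flips the second, so it now reads "Substitute 2048 for 1024 if you are using 1024 bit keys" while the `openssl dhparam` command and `option dh` on the following lines already use 2048. Either invert it to `# Substitute 1024 for 2048 if you are using` / `# 1024 bit keys.`, or, better, given the commit's stated aim of saner defaults, drop the fallback sentence entirely, since a 1024-bit DH group is generally regarded as too weak for new deployments and nothing else in the sample suggests generating one. A shorter replacement that matches the rest of the hunk would be `# 2048 bits is the recommended minimum; do not` / `# use 1024-bit parameters for new deployments.`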
|   | |||||||
		Reference in New Issue
	
	Block a user