[PATCH] openvpn: revise sample configuration
Magnus Kroken
mkroken at gmail.com
Mon Jul 27 14:34:49 EDT 2020
Update the openvpn sample configurations to use modern options in favor
of deprecated ones, suggest more sane default settings and add some
warnings.
* Add tls_crypt and ncp_disable to the sample configuration
* Replace nsCertType with remote_cert_tls in client sample configuration
* Comment out "option compress", compression should not be preferred
* Advise 2048-bit Diffie-Hellman parameters by default
* Add warnings about compression and use of Blowfish (BF-CBC)
Signed-off-by: Magnus Kroken <mkroken at gmail.com>
---
.../services/openvpn/files/openvpn.config | 83 +++++++++++++++++--
1 file changed, 75 insertions(+), 8 deletions(-)
diff --git a/package/network/services/openvpn/files/openvpn.config b/package/network/services/openvpn/files/openvpn.config
index 1fd846f558..3de1881e35 100644
--- a/package/network/services/openvpn/files/openvpn.config
+++ b/package/network/services/openvpn/files/openvpn.config
@@ -77,10 +77,10 @@ config openvpn sample_server
# Diffie hellman parameters.
# Generate your own with:
- # openssl dhparam -out dh1024.pem 1024
+ # openssl dhparam -out dh2048.pem 2048
# Substitute 2048 for 1024 if you are using
- # 2048 bit keys.
- option dh /etc/openvpn/dh1024.pem
+ # 1024 bit keys.
+ option dh /etc/openvpn/dh2048.pem
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
@@ -228,10 +228,52 @@ config openvpn sample_server
# This file is secret:
# option tls_auth "/etc/openvpn/ta.key 0"
+ # For additional privacy, a shared secret key
+ # can be used for both authentication (as in tls_auth)
+ # and encryption of the TLS control channel.
+ #
+ # Generate a shared secret with:
+ # openvpn --genkey --secret ta.key
+ #
+ # The server and each client must have
+ # a copy of this key.
+ #
+ # tls_auth and tls_crypt should NOT
+ # be combined, as tls_crypt implies tls_auth.
+ # Use EITHER tls_crypt, tls_auth, or neither option.
+# option tls_crypt "/etc/openvpn/ta.key"
+
+ # Set the minimum required TLS protocol version
+ # for all connections.
+ #
+ # Require at least TLS 1.1
+# option tls_version_min "1.1"
+ # Require at least TLS 1.2
+# option tls_version_min "1.2"
+ # Require TLS 1.2, or the highest version supported
+ # on the system
+# option tls_version_min "1.2 'or-highest'"
+
+ # OpenVPN versions 2.4 and later will attempt to
+ # automatically negotiate the most secure cipher
+ # between the client and server, regardless of a
+ # configured "option cipher" (see below).
+ # Automatic negotiation is recommended.
+ #
+ # Uncomment this option to disable this behavior,
+ # and force all OpenVPN peers to use the configured
+ # cipher option instead (not recommended).
+# option ncp_disable
+
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
- # Blowfish (default):
+ #
+ # To see all supported ciphers, run:
+ # openvpn --show-ciphers
+ #
+ # Blowfish (default for backwards compatibility,
+ # but not recommended due to weaknesses):
# option cipher BF-CBC
# AES:
# option cipher AES-128-CBC
@@ -241,11 +283,16 @@ config openvpn sample_server
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
+ #
+ # Compression is not recommended, as compression and
+ # encryption in combination can weaken the security
+ # of the connection.
+ #
# LZ4 requires OpenVPN 2.4+ client and server
# option compress lz4
# LZO is compatible with most OpenVPN versions
# (set "compress lzo" on 2.4+ clients, and "comp-lzo yes" on older clients)
- option compress lzo
+# option compress lzo
# The maximum number of concurrently connected
# clients we want to allow.
@@ -371,7 +418,7 @@ config openvpn sample_client
option key /etc/openvpn/client.key
# Verify server certificate by checking
- # that the certicate has the nsCertType
+ # that the certicate has the key usage
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
@@ -381,12 +428,27 @@ config openvpn sample_client
# your server certificates with the nsCertType
# field set to "server". The build_key_server
# script in the easy_rsa folder will do this.
-# option ns_cert_type server
+# option remote_cert_tls server
# If a tls_auth key is used on the server
# then every client must also have the key.
# option tls_auth "/etc/openvpn/ta.key 1"
+ # If a tls_crypt key is used on the server
+ # every client must also have the key.
+# option tls_crypt "/etc/openvpn/ta.key"
+
+ # Set the minimum required TLS protocol version
+ # for all connections.
+ #
+ # Require at least TLS 1.1
+# option tls_version_min "1.1"
+ # Require at least TLS 1.2
+# option tls_version_min "1.2"
+ # Require TLS 1.2, or the highest version supported
+ # on the system
+# option tls_version_min "1.2 'or-highest'"
+
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
@@ -395,10 +457,15 @@ config openvpn sample_client
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
+ #
+ # Compression is not recommended, as compression and
+ # encryption in combination can weaken the security
+ # of the connection.
+ #
# LZ4 requires OpenVPN 2.4+ on server and client
# option compress lz4
# LZO is compatible with most OpenVPN versions
- option compress lzo
+# option compress lzo
# Set log file verbosity.
option verb 3
--
2.20.1
More information about the openwrt-devel
mailing list