From b12f18e01f1c66d1c80794e5366897eb0c7b2758 Mon Sep 17 00:00:00 2001 From: Jan Philipp Timme Date: Wed, 19 Sep 2018 14:09:30 +0200 Subject: [PATCH] Update openvpn config one more time --- openvpn-config/vpnclient.conf | 9 +++++++++ openvpn-config/vpnserver.conf | 15 ++++++++++++--- 2 files changed, 21 insertions(+), 3 deletions(-) diff --git a/openvpn-config/vpnclient.conf b/openvpn-config/vpnclient.conf index ab7d1dc..d5bb8e2 100644 --- a/openvpn-config/vpnclient.conf +++ b/openvpn-config/vpnclient.conf @@ -19,9 +19,18 @@ ca /etc/openvpn/vpnclient/ca.crt cert /etc/openvpn/vpnclient/jan-philipp.timme@hs-hannover.de.crt key /etc/openvpn/vpnclient/jan-philipp.timme@hs-hannover.de.key +# Assume tls client role +tls-client + # Make sure the server presents a certificate with "server role" remote-cert-tls server +# Specific settings regarding TLS, chiphers and hash algorithms +cipher AES-256-GCM +auth SHA256 +tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 +tls-version-min "1.2" + # Make sure to detect broken sessions keepalive 10 30 diff --git a/openvpn-config/vpnserver.conf b/openvpn-config/vpnserver.conf index dbbfe3d..c098772 100644 --- a/openvpn-config/vpnserver.conf +++ b/openvpn-config/vpnserver.conf @@ -10,6 +10,11 @@ dev tun ca /etc/openvpn/vpnserver/ca.crt cert /etc/openvpn/vpnserver/aither.inform.hs-hannover.de.crt key /etc/openvpn/vpnserver/aither.inform.hs-hannover.de.key + +# Assume tls server role +tls-server + +# Diffie-Hellman parameters dh /etc/openvpn/vpnserver/dh.pem # Certificate revocation list @@ -21,9 +26,7 @@ remote-cert-tls client # Allow multiple connections using the same certificate? #duplicate-cn -# net30 is point-to-point, compatible with windows -# TODO: Topology subnet is supposed to work with windows just fine. CHECK THIS -# Subnet topology is supposed to be working with windows clients just fine. +# We're using subnet topology topology subnet # Use this IPv4 range for clients (/16, so we can cope with all possible clients) 
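Review bot: `auth SHA256` in the TLS block added to vpnclient.conf has no effect on the data channel once `cipher AES-256-GCM` is set, because an AEAD cipher carries its own integrity tag and OpenVPN ignores `--auth` for data-channel packets; it still selects the HMAC for a `tls-auth`/`tls-crypt` key, so it only earns its place if one of those is configured elsewhere in the file, which the hunk does not show. Pinning `tls-cipher` to the single suite `TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384` also ties the handshake to an RSA server key and to one suite name, so rotating the server certificate to an EC key, or an OpenVPN/OpenSSL upgrade that retires the name, would leave this client unable to connect; a short list, or at least a comment naming the constraint, would make that failure mode visible. The same block is added to vpnserver.conf in the last hunk, and `tls-cipher` must agree on both ends, so whatever is decided here has to be mirrored there. A header such as `# Data channel: AES-256-GCM (AEAD, so 'auth' only covers the control-channel HMAC); TLS 1.2+, single ECDHE-RSA suite -- server key must stay RSA` would record all of that in place of the current `# Specific settings regarding TLS, chiphers and hash algorithms`.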
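Review bot: The `# Diffie-Hellman parameters` comment added above `dh /etc/openvpn/vpnserver/dh.pem` documents a file that this commit makes unused: the `tls-cipher` pinned later in the same file (last hunk) admits only an ECDHE suite, so the finite-field DH parameters never enter a handshake. Either say so, e.g. `# Finite-field DH parameters; not used while tls-cipher permits only ECDHE`, or replace the line with `dh none` (OpenVPN 2.4+) so nobody later assumes dh.pem's size matters for this server's security. The added `tls-server` is implied when the file uses the `server` directive, which the `push "route …"` lines suggest but the hunk does not show, so it is redundant rather than wrong; a one-line comment `# redundant with 'server', kept for symmetry with vpnclient.conf` would stop a reader from thinking it changes behaviour.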
@@ -48,6 +51,12 @@ push "route 10.0.0.0 255.255.255.0 vpn_gateway"
 # Push the whole /56 block for IPv6
 push "route-ipv6 2003:638:614:1700::/56"
+# Specific settings regarding TLS, chiphers and hash algorithms
+cipher AES-256-GCM
+auth SHA256
+tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
+tls-version-min "1.2"
+
 # Make sure to detect broken sessions
 keepalive 10 60
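Review bot: On a server talking to OpenVPN 2.4+ clients, the added `cipher AES-256-GCM` is only the fallback for peers without cipher negotiation; the data-channel cipher actually used is taken from `ncp-ciphers` (default `AES-256-GCM:AES-128-GCM`), which this hunk does not set, so a client advertising a different list can still end up on AES-128-GCM. If the intent is to mandate AES-256-GCM, add `ncp-ciphers AES-256-GCM` beside it (or `ncp-disable` to force the `cipher` value) and mirror the choice in vpnclient.conf; which of these applies depends on the installed OpenVPN version, which the patch does not show. The comment typo `chiphers` is also present in the client hunk; `# TLS and data-channel cipher settings -- keep identical to vpnclient.conf (tls-cipher must match on both ends)` would read better and records the coupling between the two files.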