Update openvpn config one more time

openvpn-config/vpnclient.conf

@@ -19,9 +19,18 @@ ca /etc/openvpn/vpnclient/ca.crt
 cert /etc/openvpn/vpnclient/jan-philipp.timme@hs-hannover.de.crt
 key /etc/openvpn/vpnclient/jan-philipp.timme@hs-hannover.de.key
 
+# Assume tls client role
+tls-client
+
 # Make sure the server presents a certificate with "server role"
 remote-cert-tls server
 
+# Specific settings regarding TLS, chiphers and hash algorithms
+cipher AES-256-GCM
+auth SHA256
+tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
+tls-version-min "1.2"
+
 # Make sure to detect broken sessions
 keepalive 10 30
 

openvpn-config/vpnserver.conf

@@ -10,6 +10,11 @@ dev tun
 ca /etc/openvpn/vpnserver/ca.crt
 cert /etc/openvpn/vpnserver/aither.inform.hs-hannover.de.crt
 key /etc/openvpn/vpnserver/aither.inform.hs-hannover.de.key
+
+# Assume tls server role
+tls-server
+
+# Diffie-Hellman parameters
 dh /etc/openvpn/vpnserver/dh.pem
 
 # Certificate revocation list
@@ -21,9 +26,7 @@ remote-cert-tls client
 # Allow multiple connections using the same certificate?
 #duplicate-cn
 
-# net30 is point-to-point, compatible with windows
+# We're using subnet topology
-# TODO: Topology subnet is supposed to work with windows just fine. CHECK THIS
-# Subnet topology is supposed to be working with windows clients just fine.
 topology subnet
 
 # Use this IPv4 range for clients (/16, so we can cope with all possible clients)
@@ -48,6 +51,12 @@ push "route 10.0.0.0 255.255.255.0 vpn_gateway"
 # Push the whole /56 block for IPv6
 push "route-ipv6 2003:638:614:1700::/56"
 
+# Specific settings regarding TLS, chiphers and hash algorithms
+cipher AES-256-GCM
+auth SHA256
+tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
+tls-version-min "1.2"
+
 # Make sure to detect broken sessions
 keepalive 10 60