Update OpenVPN config

This commit is contained in:
Jan Philipp Timme 2018-10-08 11:27:33 +02:00
parent 82451b33eb
commit ea9487384a
2 changed files with 34 additions and 5 deletions


@ -31,13 +31,28 @@ tls-client
# This way people with proper client certificates are unable to impersonate the server # This way people with proper client certificates are unable to impersonate the server
remote-cert-tls server remote-cert-tls server
### START BLOCK CRYPTOGRAPHY
# Specific settings regarding TLS, chiphers and hash algorithms # Specific settings regarding TLS, chiphers and hash algorithms
# DO NOT CHANGE THIS unless you receive explicit instructions to do so # DO NOT CHANGE THIS unless you receive explicit instructions to do so
# These settings need to be identical in client and server configuration!
# Protect data channel with this cipher
cipher AES-256-GCM cipher AES-256-GCM
# Authenticate packets in data and control channel using HMAC with this
# message digest algorithm
auth SHA256 auth SHA256
# Use this specific cipher to secure the control channel
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
# Only allow TLS version 1.2 and higher
tls-version-min "1.2" tls-version-min "1.2"
# Use this elliptic curve for ECDHE within chosen tls-cipher
ecdh-curve brainpoolP512r1
### END BLOCK CRYPTOGRAPHY
# Reduce connection timeout so connection problems are visible sooner # Reduce connection timeout so connection problems are visible sooner
connect-timeout 20 connect-timeout 20
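Review bot: The comments around `tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384`, `tls-version-min "1.2"` and `ecdh-curve brainpoolP512r1` promise more pinning than the directives deliver: `tls-cipher` constrains TLS 1.2 suites only, so on OpenVPN/OpenSSL builds that negotiate TLS 1.3 the control channel uses a library-chosen TLS 1.3 suite unless `tls-ciphersuites` is set as well, and the brainpool curve is not among the groups OpenSSL enables by default, so a peer whose TLS library does not offer it fails the handshake instead of falling back. Given the block is marked "DO NOT CHANGE THIS", I would either document that limit inline, e.g. `# NOTE: tls-cipher applies to TLS 1.2 only; TLS 1.3 suites are governed by tls-ciphersuites`, or pin `tls-ciphersuites` next to it, and verify that clients on the supported OpenVPN/OpenSSL versions still connect, since a mismatch shows up only as a TLS handshake error in the log. As far as I can tell `ecdh-curve` selects the server's ECDHE key and its effect in a client config should be confirmed against the OpenVPN version in use. The same crypto block is duplicated in the server section (hunk `-85,15 +86,28`), so this applies there too.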


@ -19,7 +19,8 @@ key inform/aither.inform.hs-hannover.de.key
tls-server tls-server
# Diffie-Hellman parameter file # Diffie-Hellman parameter file
dh inform/dh.pem # (not needed for TLS cipher with ECDHE instead of DHE)
dh none
# Certificate revocation list location # Certificate revocation list location
# Make sure this file is always valid, otherwise OpenVPN refuses to (re)start! # Make sure this file is always valid, otherwise OpenVPN refuses to (re)start!
@ -85,15 +86,28 @@ push "route-ipv6 2001:638:614:1743::/64 2001:638:614:1750::1"
# experimental ipv6 network # experimental ipv6 network
push "route-ipv6 2001:638:614:1744::/64 2001:638:614:1750::1" push "route-ipv6 2001:638:614:1744::/64 2001:638:614:1750::1"
# Global settings regarding TLS, chiphers and hash algorithms ### START BLOCK CRYPTOGRAPHY
# These settings MUST BE CONGRUENT with client configurations. # Specific settings regarding TLS, chiphers and hash algorithms
# If you change these, make sure you update the provided client config file # DO NOT CHANGE THIS unless you receive explicit instructions to do so
# and you NOTIFY ALL USERS to update their configuration! # These settings need to be identical in client and server configuration!
# Protect data channel with this cipher
cipher AES-256-GCM cipher AES-256-GCM
# Authenticate packets in data and control channel using HMAC with this
# message digest algorithm
auth SHA256 auth SHA256
# Use this specific cipher to secure the control channel
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
# Only allow TLS version 1.2 and higher
tls-version-min "1.2" tls-version-min "1.2"
# Use this elliptic curve for ECDHE within chosen tls-cipher
ecdh-curve brainpoolP512r1
### END BLOCK CRYPTOGRAPHY
# Disable cipher negotiation on server side # Disable cipher negotiation on server side
ncp-disable ncp-disable