Update OpenVPN config
This commit is contained in:
parent
82451b33eb
commit
ea9487384a
@ -31,13 +31,28 @@ tls-client
|
|||||||
# This way people with proper client certificates are unable to impersonate the server
|
# This way people with proper client certificates are unable to impersonate the server
|
||||||
remote-cert-tls server
|
remote-cert-tls server
|
||||||
|
|
||||||
|
### START BLOCK CRYPTOGRAPHY
|
||||||
# Specific settings regarding TLS, chiphers and hash algorithms
|
# Specific settings regarding TLS, chiphers and hash algorithms
|
||||||
# DO NOT CHANGE THIS unless you receive explicit instructions to do so
|
# DO NOT CHANGE THIS unless you receive explicit instructions to do so
|
||||||
|
# These settings need to be identical in client and server configuration!
|
||||||
|
|
||||||
|
# Protect data channel with this cipher
|
||||||
cipher AES-256-GCM
|
cipher AES-256-GCM
|
||||||
|
|
||||||
|
# Authenticate packets in data and control channel using HMAC with this
|
||||||
|
# message digest algorithm
|
||||||
auth SHA256
|
auth SHA256
|
||||||
|
|
||||||
|
# Use this specific cipher to secure the control channel
|
||||||
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
|
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
|
||||||
|
|
||||||
|
# Only allow TLS version 1.2 and higher
|
||||||
tls-version-min "1.2"
|
tls-version-min "1.2"
|
||||||
|
|
||||||
|
# Use this elliptic curve for ECDHE within chosen tls-cipher
|
||||||
|
ecdh-curve brainpoolP512r1
|
||||||
|
### END BLOCK CRYPTOGRAPHY
|
||||||
|
|
||||||
# Reduce connection timeout so connection problems are visible sooner
|
# Reduce connection timeout so connection problems are visible sooner
|
||||||
connect-timeout 20
|
connect-timeout 20
|
||||||
|
|
||||||
|
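Review bot: The `tls-cipher` line and its comment only govern TLS 1.2 and older; `tls-version-min "1.2"` still permits TLS 1.3, where OpenVPN consults `tls-ciphersuites` instead, so on a build with TLS 1.3 support (OpenVPN 2.4.3+ linked against OpenSSL 1.1.1+ — to be confirmed for this deployment) the control channel is not actually pinned to the listed suite. `ecdh-curve brainpoolP512r1` additionally restricts the supported groups to a curve that, to my knowledge, TLS 1.3 stacks did not accept before RFC 8734 / OpenSSL 3.2, so the same combination can fail the handshake outright rather than fall back. I would add `tls-ciphersuites TLS_AES_256_GCM_SHA384` (OpenVPN 2.5+) next to `tls-cipher` and either document the TLS 1.3 behaviour of `ecdh-curve` or verify the handshake against the exact OpenVPN/OpenSSL versions in use. The comment above `auth SHA256` is also inaccurate for this cipher: with AES-256-GCM the data channel is authenticated by the AEAD tag and `auth` only affects the control channel (tls-auth/tls-crypt HMAC), so `# With AES-256-GCM the data channel is AEAD; auth only affects the control channel HMAC (tls-auth/tls-crypt)` would be more precise.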
@ -19,7 +19,8 @@ key inform/aither.inform.hs-hannover.de.key
|
|||||||
tls-server
|
tls-server
|
||||||
|
|
||||||
# Diffie-Hellman parameter file
|
# Diffie-Hellman parameter file
|
||||||
dh inform/dh.pem
|
# (not needed for TLS cipher with ECDHE instead of DHE)
|
||||||
|
dh none
|
||||||
|
|
||||||
# Certificate revocation list location
|
# Certificate revocation list location
|
||||||
# Make sure this file is always valid, otherwise OpenVPN refuses to (re)start!
|
# Make sure this file is always valid, otherwise OpenVPN refuses to (re)start!
|
||||||
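Review bot: `dh none` is only correct while the server's `tls-cipher` (further down in this file, outside this hunk) stays ECDHE-only; if a DHE suite is ever re-added, OpenSSL has no DH parameters to offer and the handshake fails, so the comment should state what it depends on: `# dh none is safe because tls-cipher below is ECDHE-only; restore a dh file if a DHE suite is added`. The removed `dh inform/dh.pem` line suggests the parameter file may still be in the repository; if so, consider deleting it so it is not mistaken for something in use.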
@ -85,15 +86,28 @@ push "route-ipv6 2001:638:614:1743::/64 2001:638:614:1750::1"
|
|||||||
# experimental ipv6 network
|
# experimental ipv6 network
|
||||||
push "route-ipv6 2001:638:614:1744::/64 2001:638:614:1750::1"
|
push "route-ipv6 2001:638:614:1744::/64 2001:638:614:1750::1"
|
||||||
|
|
||||||
# Global settings regarding TLS, chiphers and hash algorithms
|
### START BLOCK CRYPTOGRAPHY
|
||||||
# These settings MUST BE CONGRUENT with client configurations.
|
# Specific settings regarding TLS, chiphers and hash algorithms
|
||||||
# If you change these, make sure you update the provided client config file
|
# DO NOT CHANGE THIS unless you receive explicit instructions to do so
|
||||||
# and you NOTIFY ALL USERS to update their configuration!
|
# These settings need to be identical in client and server configuration!
|
||||||
|
|
||||||
|
# Protect data channel with this cipher
|
||||||
cipher AES-256-GCM
|
cipher AES-256-GCM
|
||||||
|
|
||||||
|
# Authenticate packets in data and control channel using HMAC with this
|
||||||
|
# message digest algorithm
|
||||||
auth SHA256
|
auth SHA256
|
||||||
|
|
||||||
|
# Use this specific cipher to secure the control channel
|
||||||
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
|
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
|
||||||
|
|
||||||
|
# Only allow TLS version 1.2 and higher
|
||||||
tls-version-min "1.2"
|
tls-version-min "1.2"
|
||||||
|
|
||||||
|
# Use this elliptic curve for ECDHE within chosen tls-cipher
|
||||||
|
ecdh-curve brainpoolP512r1
|
||||||
|
### END BLOCK CRYPTOGRAPHY
|
||||||
|
|
||||||
# Disable cipher negotiation on server side
|
# Disable cipher negotiation on server side
|
||||||
ncp-disable
|
ncp-disable
|
||||||
|
|
||||||
|
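Review bot: The new comment block is a copy of the client text, and on the server side it drops the operational warning the removed lines carried — that changing any of these values requires shipping a new client config and notifying every user; `# Changing any value here breaks every deployed client: update the distributed client config and notify all users first` keeps that. As on the client, `tls-cipher` and `ecdh-curve brainpoolP512r1` only govern TLS 1.2 and older while `tls-version-min "1.2"` still permits TLS 1.3 (where `tls-ciphersuites` applies and, to my knowledge, brainpool groups are not accepted by OpenSSL before 3.2), so on a TLS 1.3-capable build the handshake may either bypass the pinned suite or fail; confirm against the installed OpenVPN/OpenSSL versions. The `ncp-disable` line below the block is context here, but note that it is deprecated in OpenVPN 2.5 and removed in 2.6, where `data-ciphers AES-256-GCM` is the supported way to pin the data-channel cipher.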