Update OpenVPN config
This commit is contained in:
parent
82451b33eb
commit
ea9487384a
|
@ -31,13 +31,28 @@ tls-client
|
|||
# This way people with proper client certificates are unable to impersonate the server
|
||||
remote-cert-tls server
|
||||
|
||||
### START BLOCK CRYPTOGRAPHY
|
||||
# Specific settings regarding TLS, chiphers and hash algorithms
|
||||
# DO NOT CHANGE THIS unless you receive explicit instructions to do so
|
||||
# These settings need to be identical in client and server configuration!
|
||||
|
||||
# Protect data channel with this cipher
|
||||
cipher AES-256-GCM
|
||||
|
||||
# Authenticate packets in data and control channel using HMAC with this
|
||||
# message digest algorithm
|
||||
auth SHA256
|
||||
|
||||
# Use this specific cipher to secure the control channel
|
||||
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
|
||||
|
||||
# Only allow TLS version 1.2 and higher
|
||||
tls-version-min "1.2"
|
||||
|
||||
# Use this elliptic curve for ECDHE within chosen tls-cipher
|
||||
ecdh-curve brainpoolP512r1
|
||||
### END BLOCK CRYPTOGRAPHY
|
||||
|
||||
# Reduce connection timeout so connection problems are visible sooner
|
||||
connect-timeout 20
|
||||
|
||||
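Review bot: `tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384` constrains only TLS 1.2 handshakes, so with `tls-version-min "1.2"` a client and server both built against a TLS 1.3-capable library will negotiate TLS 1.3 and the pinned suite (and, I believe, the `ecdh-curve` choice) is simply not consulted; the same block is added in the server hunk below (`### START BLOCK CRYPTOGRAPHY` following the `push "route-ipv6 …"` lines). If the intent is to pin the control channel, add a matching `tls-ciphersuites` line for TLS 1.3 where the installed OpenVPN supports it, or state in the comment that the pin covers TLS 1.2 only; note too that `brainpoolP512r1` depends on the peer's crypto library (brainpool groups for TLS 1.3 were only specified later in RFC 8734), so a client on a library without it fails the handshake rather than falling back. The comment above `auth SHA256` is also slightly off: with an AEAD cipher such as AES-256-GCM the `auth` digest is ignored for the data channel and only authenticates tls-auth/tls-crypt control-channel packets, so I would reword it to `# Digest for control-channel HMAC (tls-auth/tls-crypt); not used by the AEAD data channel`. The directives this block depends on (`tls-client`, `remote-cert-tls server`) start before this hunk.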
|
|
|
@ -19,7 +19,8 @@ key inform/aither.inform.hs-hannover.de.key
|
|||
tls-server
|
||||
|
||||
# Diffie-Hellman parameter file
|
||||
dh inform/dh.pem
|
||||
# (not needed for TLS cipher with ECDHE instead of DHE)
|
||||
dh none
|
||||
|
||||
# Certificate revocation list location
|
||||
# Make sure this file is always valid, otherwise OpenVPN refuses to (re)start!
|
||||
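Review bot: `dh none` is only valid because the server's `tls-cipher` (in the crypto block further down this file) is restricted to an ECDHE suite; if that line is ever relaxed to admit a DHE suite the handshake fails for lack of DH parameters, and the new comment `# (not needed for TLS cipher with ECDHE instead of DHE)` does not make that coupling explicit. I would extend it to `# dh none is valid only while tls-cipher permits ECDHE suites exclusively; restore a dh file if DHE is ever allowed`. From the rendered view it is not certain whether `dh inform/dh.pem` is removed or left as a second `dh` directive; if both remain, I believe the later `dh none` takes effect, which is worth confirming against the raw diff. The CRL directive referred to by the trailing comments lies below this hunk.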
|
@ -85,15 +86,28 @@ push "route-ipv6 2001:638:614:1743::/64 2001:638:614:1750::1"
|
|||
# experimental ipv6 network
|
||||
push "route-ipv6 2001:638:614:1744::/64 2001:638:614:1750::1"
|
||||
|
||||
# Global settings regarding TLS, chiphers and hash algorithms
|
||||
# These settings MUST BE CONGRUENT with client configurations.
|
||||
# If you change these, make sure you update the provided client config file
|
||||
# and you NOTIFY ALL USERS to update their configuration!
|
||||
### START BLOCK CRYPTOGRAPHY
|
||||
# Specific settings regarding TLS, chiphers and hash algorithms
|
||||
# DO NOT CHANGE THIS unless you receive explicit instructions to do so
|
||||
# These settings need to be identical in client and server configuration!
|
||||
|
||||
# Protect data channel with this cipher
|
||||
cipher AES-256-GCM
|
||||
|
||||
# Authenticate packets in data and control channel using HMAC with this
|
||||
# message digest algorithm
|
||||
auth SHA256
|
||||
|
||||
# Use this specific cipher to secure the control channel
|
||||
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
|
||||
|
||||
# Only allow TLS version 1.2 and higher
|
||||
tls-version-min "1.2"
|
||||
|
||||
# Use this elliptic curve for ECDHE within chosen tls-cipher
|
||||
ecdh-curve brainpoolP512r1
|
||||
### END BLOCK CRYPTOGRAPHY
|
||||
|
||||
# Disable cipher negotiation on server side
|
||||
ncp-disable
|
||||
|
||||
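Review bot: `ncp-disable` pins the data channel by switching negotiation off, but it is deprecated in OpenVPN 2.5 and, as far as I recall, removed in 2.6, so this server config would stop parsing on an upgrade; the forward-compatible form is `data-ciphers AES-256-GCM` alongside the existing `cipher AES-256-GCM`, which pins the same single cipher for negotiating clients while older clients still match on `cipher`. The comment `# Disable cipher negotiation on server side` should then say what is actually being pinned and why (a single AEAD cipher identical to the client block above). Whichever form is kept, the `cipher` value must stay identical to the client configuration, as the added comments already state.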
|
|