From 48a9d99a218c6d83e3337c56b6cc7592e7ad12ae Mon Sep 17 00:00:00 2001 From: Magnus Kroken Date: Mon, 27 Jul 2020 20:34:49 +0200 Subject: [PATCH] openvpn: revise sample configuration Update the openvpn sample configurations to use modern options in favor of deprecated ones, suggest more sane default settings and add some warnings. * Add tls_crypt and ncp_disable to the sample configuration * Replace nsCertType with remote_cert_tls in client sample configuration * Comment out "option compress", compression should not be preferred * Advise 2048-bit Diffie-Hellman parameters by default * Add warnings about compression and use of Blowfish (BF-CBC) Signed-off-by: Magnus Kroken --- .../services/openvpn/files/openvpn.config | 83 +++++++++++++++++-- 1 file changed, 75 insertions(+), 8 deletions(-) diff --git a/package/network/services/openvpn/files/openvpn.config b/package/network/services/openvpn/files/openvpn.config index 1fd846f558..3de1881e35 100644 --- a/package/network/services/openvpn/files/openvpn.config +++ b/package/network/services/openvpn/files/openvpn.config @@ -77,10 +77,10 @@ config openvpn sample_server # Diffie hellman parameters. # Generate your own with: - # openssl dhparam -out dh1024.pem 1024 + # openssl dhparam -out dh2048.pem 2048 # Substitute 2048 for 1024 if you are using - # 2048 bit keys. - option dh /etc/openvpn/dh1024.pem + # 1024 bit keys. + option dh /etc/openvpn/dh2048.pem # Configure server mode and supply a VPN subnet # for OpenVPN to draw client addresses from. @@ -228,10 +228,52 @@ config openvpn sample_server # This file is secret: # option tls_auth "/etc/openvpn/ta.key 0" + # For additional privacy, a shared secret key + # can be used for both authentication (as in tls_auth) + # and encryption of the TLS control channel. + # + # Generate a shared secret with: + # openvpn --genkey --secret ta.key + # + # The server and each client must have + # a copy of this key. + # + # tls_auth and tls_crypt should NOT + # be combined, as tls_crypt implies tls_auth. + # Use EITHER tls_crypt, tls_auth, or neither option. +# option tls_crypt "/etc/openvpn/ta.key" + + # Set the minimum required TLS protocol version + # for all connections. + # + # Require at least TLS 1.1 +# option tls_version_min "1.1" + # Require at least TLS 1.2 +# option tls_version_min "1.2" + # Require TLS 1.2, or the highest version supported + # on the system +# option tls_version_min "1.2 'or-highest'" + + # OpenVPN versions 2.4 and later will attempt to + # automatically negotiate the most secure cipher + # between the client and server, regardless of a + # configured "option cipher" (see below). + # Automatic negotiation is recommended. + # + # Uncomment this option to disable this behavior, + # and force all OpenVPN peers to use the configured + # cipher option instead (not recommended). +# option ncp_disable + # Select a cryptographic cipher. # This config item must be copied to # the client config file as well. - # Blowfish (default): + # + # To see all supported ciphers, run: + # openvpn --show-ciphers + # + # Blowfish (default for backwards compatibility, + # but not recommended due to weaknesses): # option cipher BF-CBC # AES: # option cipher AES-128-CBC @@ -241,11 +283,16 @@ config openvpn sample_server # Enable compression on the VPN link. # If you enable it here, you must also # enable it in the client config file. + # + # Compression is not recommended, as compression and + # encryption in combination can weaken the security + # of the connection. + # # LZ4 requires OpenVPN 2.4+ client and server # option compress lz4 # LZO is compatible with most OpenVPN versions # (set "compress lzo" on 2.4+ clients, and "comp-lzo yes" on older clients) - option compress lzo +# option compress lzo # The maximum number of concurrently connected # clients we want to allow. @@ -371,7 +418,7 @@ config openvpn sample_client option key /etc/openvpn/client.key # Verify server certificate by checking - # that the certicate has the nsCertType + # that the certicate has the key usage # field set to "server". This is an # important precaution to protect against # a potential attack discussed here: @@ -381,12 +428,27 @@ config openvpn sample_client # your server certificates with the nsCertType # field set to "server". The build_key_server # script in the easy_rsa folder will do this. -# option ns_cert_type server +# option remote_cert_tls server # If a tls_auth key is used on the server # then every client must also have the key. # option tls_auth "/etc/openvpn/ta.key 1" + # If a tls_crypt key is used on the server + # every client must also have the key. +# option tls_crypt "/etc/openvpn/ta.key" + + # Set the minimum required TLS protocol version + # for all connections. + # + # Require at least TLS 1.1 +# option tls_version_min "1.1" + # Require at least TLS 1.2 +# option tls_version_min "1.2" + # Require TLS 1.2, or the highest version supported + # on the system +# option tls_version_min "1.2 'or-highest'" + # Select a cryptographic cipher. # If the cipher option is used on the server # then you must also specify it here. @@ -395,10 +457,15 @@ config openvpn sample_client # Enable compression on the VPN link. # Don't enable this unless it is also # enabled in the server config file. + # + # Compression is not recommended, as compression and + # encryption in combination can weaken the security + # of the connection. + # # LZ4 requires OpenVPN 2.4+ on server and client # option compress lz4 # LZO is compatible with most OpenVPN versions - option compress lzo +# option compress lzo # Set log file verbosity. option verb 3 -- 2.30.2