diff options
author | Frank Lichtenheld | 2024-03-25 08:13:20 +0100 |
---|---|---|
committer | Gert Doering | 2024-03-25 13:53:39 +0100 |
commit | b0fc10abd06fa2307e95c8a60fa94f7ccc08d2ac (patch) | |
tree | 66a96b230cf774a0d44606e409d128fba2d4c02c | |
parent | fd6b8395f6cee8a61111c28f335ec25ed6db11f7 (diff) | |
download | openvpn-b0fc10abd06fa2307e95c8a60fa94f7ccc08d2ac.zip openvpn-b0fc10abd06fa2307e95c8a60fa94f7ccc08d2ac.tar.gz |
samples: Update sample configurations
- Remove compression settings. Not recommended anymore.
- Remove old cipher setting. Replaced by data-ciphers negotiation.
- Add comment how to set data-ciphers for very old clients.
- Remove/reword some old comments. e.g. no need to reference
OpenVPN 1.x anymore.
- Mention peer-fingerprint alternative.
- comment out "tls-auth" as that is not needed for a bare-bones VPN config
and needs additional setup.
Github: #511
Change-Id: I1a36651c0dea52259533ffc00bccb9b03bf82e26
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240325071320.11348-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28451.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
-rw-r--r-- | sample/sample-config-files/README | 2 | ||||
-rw-r--r-- | sample/sample-config-files/client.conf | 23 | ||||
-rw-r--r-- | sample/sample-config-files/server.conf | 51 |
3 files changed, 33 insertions, 43 deletions
diff --git a/sample/sample-config-files/README b/sample/sample-config-files/README index d53ac79..1493dab 100644 --- a/sample/sample-config-files/README +++ b/sample/sample-config-files/README @@ -4,3 +4,5 @@ These files are part of the OpenVPN HOWTO which is located at: http://openvpn.net/howto.html + +See also the openvpn-examples man page. diff --git a/sample/sample-config-files/client.conf b/sample/sample-config-files/client.conf index f51e017..53b8027 100644 --- a/sample/sample-config-files/client.conf +++ b/sample/sample-config-files/client.conf @@ -1,5 +1,5 @@ ############################################## -# Sample client-side OpenVPN 2.0 config file # +# Sample client-side OpenVPN 2.6 config file # # for connecting to multi-client server. # # # # This configuration can be used by multiple # @@ -102,22 +102,15 @@ key client.key # EasyRSA can do this for you. remote-cert-tls server +# Allow to connect to really old OpenVPN versions +# without AEAD support (OpenVPN 2.3.x or older) +# This adds AES-256-CBC as fallback cipher and +# keeps the modern ciphers as well. +;data-ciphers AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305:AES-256-CBC + # If a tls-auth key is used on the server # then every client must also have the key. -tls-auth ta.key 1 - -# Select a cryptographic cipher. -# If the cipher option is used on the server -# then you must also specify it here. -# Note that v2.4 client/server will automatically -# negotiate AES-256-GCM in TLS mode. -# See also the data-ciphers option in the manpage -cipher AES-256-CBC - -# Enable compression on the VPN link. -# Don't enable this unless it is also -# enabled in the server config file. -#comp-lzo +;tls-auth ta.key 1 # Set log file verbosity. verb 3 diff --git a/sample/sample-config-files/server.conf b/sample/sample-config-files/server.conf index 97732c6..48716a0 100644 --- a/sample/sample-config-files/server.conf +++ b/sample/sample-config-files/server.conf @@ -1,5 +1,5 @@ ################################################# -# Sample OpenVPN 2.0 config file for # +# Sample OpenVPN 2.6 config file for # # multi-client server. # # # # This file is for the server side # @@ -47,15 +47,15 @@ proto udp # an explicit unit number, such as tun0. # On Windows, use "dev-node" for this. # On most systems, the VPN will not function -# unless you partially or fully disable +# unless you partially or fully disable/open # the firewall for the TUN/TAP interface. ;dev tap dev tun # Windows needs the TAP-Win32 adapter name # from the Network Connections panel if you -# have more than one. On XP SP2 or higher, -# you may need to selectively disable the +# have more than one. +# You may need to selectively disable the # Windows firewall for the TAP adapter. # Non-Windows systems usually don't need this. ;dev-node MyTap @@ -66,8 +66,9 @@ dev tun # key file. The server and all clients will # use the same ca file. # -# See the "easy-rsa" directory for a series -# of scripts for generating RSA certificates +# See the "easy-rsa" project at +# https://github.com/OpenVPN/easy-rsa +# for generating RSA certificates # and private keys. Remember to use # a unique Common Name for the server # and each of the client certificates. @@ -75,6 +76,13 @@ dev tun # Any X509 key management system can be used. # OpenVPN can also use a PKCS #12 formatted key file # (see "pkcs12" directive in man page). +# +# If you do not want to maintain a CA +# and have a small number of clients +# you can also use self-signed certificates +# and use the peer-fingerprint option. +# See openvpn-examples man page for a +# configuration example. ca ca.crt cert server.crt key server.key # This file should be kept secret @@ -84,12 +92,18 @@ key server.key # This file should be kept secret # openssl dhparam -out dh2048.pem 2048 dh dh2048.pem +# Allow to connect to really old OpenVPN versions +# without AEAD support (OpenVPN 2.3.x or older) +# This adds AES-256-CBC as fallback cipher and +# keeps the modern ciphers as well. +;data-ciphers AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305:AES-256-CBC + # Network topology # Should be subnet (addressing via IP) # unless Windows clients v2.0.9 and lower have to # be supported (then net30, i.e. a /30 per client) # Defaults to net30 (not recommended) -;topology subnet +topology subnet # Configure server mode and supply a VPN subnet # for OpenVPN to draw client addresses from. @@ -218,7 +232,7 @@ ifconfig-pool-persist ipp.txt # IF YOU HAVE NOT GENERATED INDIVIDUAL # CERTIFICATE/KEY PAIRS FOR EACH CLIENT, # EACH HAVING ITS OWN UNIQUE "COMMON NAME", -# UNCOMMENT THIS LINE OUT. +# UNCOMMENT THIS LINE. ;duplicate-cn # The keepalive directive causes ping-like @@ -241,26 +255,7 @@ keepalive 10 120 # a copy of this key. # The second parameter should be '0' # on the server and '1' on the clients. -tls-auth ta.key 0 # This file is secret - -# Select a cryptographic cipher. -# This config item must be copied to -# the client config file as well. -# Note that v2.4 client/server will automatically -# negotiate AES-256-GCM in TLS mode. -# See also the ncp-cipher option in the manpage -cipher AES-256-CBC - -# Enable compression on the VPN link and push the -# option to the client (v2.4+ only, for earlier -# versions see below) -;compress lz4-v2 -;push "compress lz4-v2" - -# For compression compatible with older clients use comp-lzo -# If you enable it here, you must also -# enable it in the client config file. -;comp-lzo +;tls-auth ta.key 0 # This file is secret # The maximum number of concurrently connected # clients we want to allow. |