Some security changes/hints.

Christoph 2018-03-09 03:29:59 +01:00
parent b798216aa5
commit 267cb8f1f5
3 changed files with 24 additions and 10 deletions


@ -462,13 +462,17 @@ cat << EOF >> "$_client_conf_file" 2> $log_file
# #
# To use this feature, you will need to generate # To use this feature, you will need to generate
# your server certificates with the nsCertType # your server certificates with the nsCertType
# field set to "server". The build-key-serve # field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
# #
# Note! # Note!
# This option has been deprecated since version 2.4 and # The option "ns-cert-type" has been deprecated since
# will be removed from later distributions. # version 2.4 and will be removed from later distributions.
#
# Use the modern equivalent "remote-cert-tls"
# #
;ns-cert-type server ;ns-cert-type server
remote-cert-tls server
# If a tls-auth key is used on the server # If a tls-auth key is used on the server
# then every client must also have the key. # then every client must also have the key.
@ -508,7 +512,7 @@ EOF
if [[ -n "$SERVER_CIPHER" ]]; then if [[ -n "$SERVER_CIPHER" ]]; then
cat <<EOF >> "$_client_conf_file" 2>> "$log_file" cat <<EOF >> "$_client_conf_file" 2>> "$log_file"
cipher AES-256-CBC cipher $SERVER_CIPHER
EOF EOF
fi fi
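Review bot: `cipher $SERVER_CIPHER` in the second hunk writes the value collected at the interactive prompt straight into the client config with no check that it is a cipher name OpenVPN accepts, so a mistyped or whitespace-containing value only surfaces when the client fails to connect; the same line appears in the second file's 496-hunk and in the server-config 1742-hunk, so one guard where the value is read covers all three. Something like `[[ $SERVER_CIPHER =~ ^[A-Za-z0-9-]+$ ]] || { printf 'invalid cipher name: %s\n' "$SERVER_CIPHER" >&2; exit 1; }` (or re-prompting), ideally followed by a lookup in `openvpn --show-ciphers` output, would catch this before any config is written. In the first hunk the new `remote-cert-tls server` line makes the client require a server certificate carrying the serverAuth extended key usage, but the comment block above it still only describes the nsCertType field; a comment such as `# remote-cert-tls server requires the server cert to carry the serverAuth extended key usage (keyUsage digitalSignature/keyEncipherment)` would tell users what to check when certificates were not produced by the easy-rsa scripts the comment names. Both heredocs begin before their hunks (`cat << EOF` is visible only in the hunk headers).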


@ -446,13 +446,17 @@ cat << EOF >> "$_client_conf_file" 2> $log_file
# #
# To use this feature, you will need to generate # To use this feature, you will need to generate
# your server certificates with the nsCertType # your server certificates with the nsCertType
# field set to "server". The build-key-serve # field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
# #
# Note! # Note!
# This option has been deprecated since version 2.4 and # The option "ns-cert-type" has been deprecated since
# will be removed from later distributions. # version 2.4 and will be removed from later distributions.
# #
#ns-cert-type server # Use the modern equivalent "remote-cert-tls"
#
;ns-cert-type server
remote-cert-tls server
# If a tls-auth key is used on the server # If a tls-auth key is used on the server
# then every client must also have the key. # then every client must also have the key.
@ -492,7 +496,7 @@ EOF
if [[ -n "$SERVER_CIPHER" ]]; then if [[ -n "$SERVER_CIPHER" ]]; then
cat <<EOF >> "$_client_conf_file" 2>> "$log_file" cat <<EOF >> "$_client_conf_file" 2>> "$log_file"
cipher AES-256-CBC cipher $SERVER_CIPHER
EOF EOF
fi fi


@ -500,6 +500,12 @@ echo ""
echo "Note: if setting this parameter at the server configuration, this parameter *must'" echo "Note: if setting this parameter at the server configuration, this parameter *must'"
echo " also set this parameter at client configuration" echo " also set this parameter at client configuration"
echo "" echo ""
echo " cipher BF-CBC # Blowfish (default)"
echo " cipher AES-128-CBC # AES 128Bit"
echo " cipher AES-256-CBC # AES 256Bit"
echo " cipher DES-EDE3-CBC # Triple-DES"
echo " ..."
echo ""
echo -e "Type \"\033[33mNone\033[m\" if no default cipher should be set." echo -e "Type \"\033[33mNone\033[m\" if no default cipher should be set."
echo "" echo ""
SERVER_CIPHER="" SERVER_CIPHER=""
@ -1736,7 +1742,7 @@ EOF
if [[ -n "$SERVER_CIPHER" ]]; then if [[ -n "$SERVER_CIPHER" ]]; then
cat <<EOF >> ${_server_conf_file} 2>> "$log_file" cat <<EOF >> ${_server_conf_file} 2>> "$log_file"
cipher AES-256-CBC cipher $SERVER_CIPHER
EOF EOF
fi fi
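Review bot: The cipher hint list added in the first hunk leads with `cipher BF-CBC # Blowfish (default)` and offers `DES-EDE3-CBC` as a peer of AES; both are 64-bit-block ciphers that OpenVPN 2.4 (the version the other hunks of this commit reference) flags as insecure at startup, and BF-CBC is only the pre-2.4 default. For a 2.4-era setup the safer hint puts an AEAD cipher first and marks the legacy ones, e.g. `echo " cipher AES-256-GCM # AES 256Bit GCM (recommended, OpenVPN 2.4+)"` and `echo " cipher BF-CBC # Blowfish (legacy default, 64-bit block, avoid)"`. Separately, the second hunk's `cat <<EOF >> ${_server_conf_file}` redirect target is unquoted, unlike the `"$_client_conf_file"` form used in the other two files; `>> "${_server_conf_file}"` keeps a path containing spaces from being word-split. Both hunks are excerpts of larger blocks whose enclosing function, if any, is not visible here.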