From 901792ccdc4cf5aae81971931dbccc576bf54d8a Mon Sep 17 00:00:00 2001
From: Christoph
Date: Sun, 1 Jul 2018 17:03:41 +0200
Subject: [PATCH 1/3] Update ANW-URB add 'src/openvpn'.

---
 install_openvpn.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/install_openvpn.sh b/install_openvpn.sh
index 29aef93..e9e6348 100755
--- a/install_openvpn.sh
+++ b/install_openvpn.sh
@@ -1348,7 +1348,8 @@ fi
 # - of an SSL/TLS connection.
 # .
 echononl " Build Diffie-Hellman parameter (dh key).."
-${EASY_RSA_DIR}/build-dh > "$log_file" 2>&1
+#${EASY_RSA_DIR}/build-dh > "$log_file" 2>&1
+cp /home/chris/dh4096.pem $OPENVPN_BASE_DIR/keys/ > "$log_file" 2>&1
 if [[ $? -eq 0 ]] ; then
 echo_ok
 else

From da6749458e85ee398465894e0b33ec95f9915dc1 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Mon, 2 Jul 2018 02:48:28 +0200
Subject: [PATCH 2/3] Revert last commit.

---
 install_openvpn.sh | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/install_openvpn.sh b/install_openvpn.sh
index e9e6348..29aef93 100755
--- a/install_openvpn.sh
+++ b/install_openvpn.sh
@@ -1348,8 +1348,7 @@ fi
 # - of an SSL/TLS connection.
 # .
 echononl " Build Diffie-Hellman parameter (dh key).."
-#${EASY_RSA_DIR}/build-dh > "$log_file" 2>&1
-cp /home/chris/dh4096.pem $OPENVPN_BASE_DIR/keys/ > "$log_file" 2>&1
+${EASY_RSA_DIR}/build-dh > "$log_file" 2>&1
 if [[ $? -eq 0 ]] ; then
 echo_ok
 else

From b5ba1301d8eb287aa229b26a977a3516e6818980 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Mon, 2 Jul 2018 12:46:27 +0200
Subject: [PATCH 3/3] Add auth-nocache. Set cipher to BF-CBC if no is specified.

---
 build_key-pass.sh | 19 +++++++++++++++++++
 create_key_config.sh | 21 ++++++++++++++++++++-
 2 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/build_key-pass.sh b/build_key-pass.sh
index 09b7f4a..9b50350 100755
--- a/build_key-pass.sh
+++ b/build_key-pass.sh
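Review bot: The new line `cp /home/chris/dh4096.pem $OPENVPN_BASE_DIR/keys/ > "$log_file" 2>&1` in the install_openvpn.sh hunk hard-codes a file from one developer's home directory and leaves `$OPENVPN_BASE_DIR` unquoted, so the installer cannot run on any other host and a base path containing whitespace would word-split. It also swaps the per-installation `build-dh` run for a copied, pre-generated parameter file, so every installation made from this tree would share the same DH material instead of generating its own. PATCH 2/3 in this series reverts the change; dropping or squashing both commits keeps a machine-specific, non-portable step out of the history. If an externally supplied parameter file is genuinely wanted, it belongs behind a variable with a sane default, copied as `cp -- "$DH_PARAM_FILE" "$OPENVPN_BASE_DIR/keys/"`; the `if`/`else` that follows continues outside the hunk.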
@@ -523,6 +523,10 @@ if [[ -n "$SERVER_CIPHER" ]]; then cat <> "$_client_conf_file" 2>> "$log_file" cipher $SERVER_CIPHER EOF +else + cat <> "$_client_conf_file" 2>> "$log_file" +cipher BF-CBC +EOF fi cat <> "$_client_conf_file" 2>> "$log_file" @@ -541,6 +545,21 @@ fi cat <> ${_client_conf_file} 2>> "$log_file" +# --auth-nocache +# +# Don't cache --askpass or --auth-user-pass username/passwords in +# virtual memory. +# If specified, this directive will cause OpenVPN to immediately forget +# username/password inputs after they are used. As a result, when OpenVPN +# needs a username/password, it will prompt for input from stdin, which may +# be multiple times during the duration of an OpenVPN session. +# +# When using --auth-nocache in combination with a user/password file +# and --chroot or --daemon, make sure to use an absolute path. +# +# +auth-nocache + # Verbosity level. # 0 -- quiet except for fatal errors. # 1 -- mostly quiet, but display non-fatal network errors. diff --git a/create_key_config.sh b/create_key_config.sh index b5a8ff3..dcdfa3e 100755 --- a/create_key_config.sh +++ b/create_key_config.sh @@ -179,7 +179,7 @@ else fi -[[ "${SERVER_CIPHER,,}" = "none" ]] && SERVER_CIPHER="" +[[ "${SERVER_CIPHER,,}" = "none" ]] && SERVER_CIPHER="BF-CBC" if [[ -z "$LZO_COMPRESSION" ]]; then LZO_COMPRESSION=true elif $LZO_COMPRESSION ; then @@ -505,6 +505,10 @@ if [[ -n "$SERVER_CIPHER" ]]; then cat <> "$_client_conf_file" 2>> "$log_file" cipher $SERVER_CIPHER EOF +else + cat <> "$_client_conf_file" 2>> "$log_file" +cipher BF-CBC +EOF fi cat <> "$_client_conf_file" 2>> "$log_file" 
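Review bot: The new `else` branch in the first build_key-pass.sh hunk writes `cipher BF-CBC` into every generated client config whenever `$SERVER_CIPHER` is empty, and the same fallback is repeated in create_key_config.sh at `@@ -505,6 +505,10 @@` and hard-wired into the `none` mapping at `@@ -179,7 +179,7 @@` (`SERVER_CIPHER="BF-CBC"`). Blowfish-CBC is a 64-bit-block cipher that upstream OpenVPN has deprecated, so pinning it as the project default — and turning an explicit `none` into Blowfish rather than leaving the directive out — makes the weakest option the silent one. Defining the fallback once, e.g. `readonly DEFAULT_CIPHER=AES-256-CBC` near the top of each script and `SERVER_CIPHER=${SERVER_CIPHER:-$DEFAULT_CIPHER}` before the existing `if [[ -n "$SERVER_CIPHER" ]]` test, removes the three copies and lets the existing branch do the writing. The heredoc operator is rendered here as `cat <>`, presumably `cat <<EOF >>` in the file; since `$SERVER_CIPHER` ends up as a directive line, it should be validated against the cipher list accepted by the server before it is interpolated.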
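Review bot: The 15 lines added in the second build_key-pass.sh hunk (`@@ -541,6 +545,21 @@`) are repeated verbatim in create_key_config.sh at `@@ -523,6 +527,21 @@`, and they emit a near-complete man-page excerpt into every client configuration file. A single shared snippet (a sourced fragment or a small function used by both scripts) keeps the two copies from drifting, and a two-line comment such as `# Do not keep --askpass/--auth-user-pass credentials in memory;` / `# OpenVPN will re-prompt, possibly several times per session.` carries the same information in the generated config. The context line `cat <> ${_client_conf_file} 2>> "$log_file"` leaves the target path unquoted while the sibling hunk uses `"$_client_conf_file"`; quoting it while touching this spot would be consistent. The heredoc appears truncated in this rendering (`cat <>`), so I have assumed it is `cat <<EOF >>` as elsewhere in the file.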
@@ -523,6 +527,21 @@ fi cat <> ${_client_conf_file} 2>> "$log_file" +# --auth-nocache +# +# Don't cache --askpass or --auth-user-pass username/passwords in +# virtual memory. +# If specified, this directive will cause OpenVPN to immediately forget +# username/password inputs after they are used. As a result, when OpenVPN +# needs a username/password, it will prompt for input from stdin, which may +# be multiple times during the duration of an OpenVPN session. +# +# When using --auth-nocache in combination with a user/password file +# and --chroot or --daemon, make sure to use an absolute path. +# +# +auth-nocache + # Verbosity level. # 0 -- quiet except for fatal errors. # 1 -- mostly quiet, but display non-fatal network errors.