feat: add tls-crypt-v2 support with per-client keys (#1377)

## Summary

- Add support for OpenVPN's `tls-crypt-v2` feature (per-client TLS keys)
- Set `tls-crypt-v2` as the new recommended default
- Add CI tests for all 3 TLS key types

Closes #983
Closes #758
Closes https://github.com/angristan/openvpn-install/pull/1257

## What is tls-crypt-v2?

Unlike `tls-crypt` (shared key), `tls-crypt-v2` generates unique keys
per client:

- **Better security**: Compromised client keys don't affect other
clients
- **Easier management**: Individual client key revocation without
regenerating server key
- **Scalability**: Better suited for large deployments

Requires OpenVPN 2.5+ (released 2020).

## Menu options

```
1) tls-crypt-v2 (recommended): Encrypts control channel, unique key per client
2) tls-crypt: Encrypts control channel, shared key for all clients
3) tls-auth: Authenticates control channel, no encryption
```

Author: Stanislas
Date: 2025-12-13 14:32:38 +01:00
Committed by: GitHub
Parent: 2c53bc0f83
Commit: 3561d13389
4 changed files with 107 additions and 19 deletions
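The three menu options above map to three different OpenVPN control-channel protections, and only the first one gives each client its own key. The following shell script is an added example, not code from the openvpn-install project or from this commit: it shows what each option means in `server.conf` terms, how a tls-crypt-v2 server key and a per-client key are generated with OpenVPN 2.5+, and a check that a given `server.conf` really uses the chosen mode and points at a key file with sane permissions. The function names, the `tls-crypt-v2.key` / `tls-crypt.key` / `tls-auth.key` file names and the `client1` metadata string are this example's own assumptions; the `openvpn --genkey` and `--tls-crypt-v2-metadata` options are the ones OpenVPN 2.5 documents.

```shell
#!/usr/bin/env sh
# Added example (not from openvpn-install): the three TLS key types behind the
# installer's menu, tls-crypt-v2 per-client key generation, and a config check.
# Key generation needs OpenVPN >= 2.5 on PATH; the checks work without it.
set -eu

# Map the installer's TLS_SIG choice (1/2/3) to the server.conf directive.
tls_directive_for_choice() {
  case "$1" in
    1) echo tls-crypt-v2 ;;   # encrypts control channel, unique key per client
    2) echo tls-crypt ;;      # encrypts control channel, one key shared by all
    3) echo tls-auth ;;       # HMAC-authenticates control channel only
    *) echo "unknown TLS_SIG: $1" >&2; return 1 ;;
  esac
}

# Generate the server-side key for the chosen mode into directory $2.
# File names are this example's assumption, not the installer's.
gen_server_tls_key() {
  case "$1" in
    1) openvpn --genkey tls-crypt-v2-server "$2/tls-crypt-v2.key" ;;
    2) openvpn --genkey secret "$2/tls-crypt.key" ;;
    3) openvpn --genkey secret "$2/tls-auth.key" ;;
    *) return 1 ;;
  esac
}

# tls-crypt-v2 only: mint a client key wrapped with the server key. The
# metadata string (here the client name) travels inside the wrapped key, so a
# server-side --tls-crypt-v2-verify script can refuse one client's key without
# touching the server key or any other client's key.
gen_client_tls_key() {
  openvpn --tls-crypt-v2-metadata "$2" \
    --genkey tls-crypt-v2-client "$1/$2.tls-crypt-v2.key" "$1/tls-crypt-v2.key"
}

# Check that server.conf ($1) uses the directive for choice $2 and that the
# key it references exists and is readable by its owner only. Returns 0/1.
verify_tls_key_config() {
  local conf directive keyfile mode
  conf=$1
  directive=$(tls_directive_for_choice "$2") || return 1
  # Field 1 is the directive, field 2 the key path; tls-auth may carry a
  # trailing key-direction argument, which is irrelevant here.
  keyfile=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
  if [ -z "$keyfile" ]; then
    echo "$conf: no '$directive' directive" >&2
    return 1
  fi
  case "$keyfile" in /*) ;; *) keyfile="$(dirname "$conf")/$keyfile" ;; esac
  if [ ! -f "$keyfile" ]; then
    echo "$keyfile: key file missing" >&2
    return 1
  fi
  mode=$(stat -c %a "$keyfile" 2>/dev/null || stat -f %Lp "$keyfile")
  case "$mode" in
    600|400) return 0 ;;
    *) echo "$keyfile: mode $mode, expected 600" >&2; return 1 ;;
  esac
}

# Stand-alone usage when OpenVPN is installed: build a tls-crypt-v2 server key
# plus one per-client key in a scratch directory and verify a minimal config.
if command -v openvpn >/dev/null 2>&1; then
  work=$(mktemp -d)
  gen_server_tls_key 1 "$work"
  gen_client_tls_key "$work" client1
  printf 'tls-crypt-v2 %s/tls-crypt-v2.key\n' "$work" > "$work/server.conf"
  verify_tls_key_config "$work/server.conf" 1 && echo "server.conf OK"
fi
```

The server side always references the server key by path; the per-client key is what ends up embedded in each client's `.ovpn` inside a `<tls-crypt-v2>` block, so the verifier only inspects the server directive and file mode.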


@@ -22,11 +22,33 @@ export PORT_CHOICE=1
export PROTOCOL_CHOICE=1
export DNS=2 # Self-hosted Unbound DNS resolver
export COMPRESSION_ENABLED=n
export CUSTOMIZE_ENC=n
export CLIENT=testclient
export PASS=1
export ENDPOINT=openvpn-server
# TLS key type configuration (default: tls-crypt-v2)
# TLS_SIG: 1=tls-crypt-v2, 2=tls-crypt, 3=tls-auth
# TLS_KEY_FILE: the expected key file name for verification
TLS_SIG="${TLS_SIG:-1}"
TLS_KEY_FILE="${TLS_KEY_FILE:-tls-crypt-v2.key}"
export TLS_SIG
# If using non-default TLS settings, enable encryption customization
if [ "$TLS_SIG" != "1" ]; then
export CUSTOMIZE_ENC=y
# Set other encryption defaults when customizing
export CIPHER_CHOICE=1 # AES-128-GCM
export CERT_TYPE=1 # ECDSA
export CERT_CURVE_CHOICE=1 # prime256v1
export CC_CIPHER_CHOICE=1 # ECDHE-ECDSA-AES-128-GCM-SHA256
export DH_TYPE=1 # ECDH
export DH_CURVE_CHOICE=1 # prime256v1
export HMAC_ALG_CHOICE=1 # SHA-256
echo "Testing TLS key type: $TLS_SIG (key file: $TLS_KEY_FILE)"
else
export CUSTOMIZE_ENC=n
fi
echo "Running OpenVPN install script..."
# Run in subshell because the script calls 'exit 0' after generating client config
# Capture output to validate logging format, while still displaying it
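Review bot: `TLS_KEY_FILE` is defaulted independently of `TLS_SIG` (`TLS_SIG="${TLS_SIG:-1}"` followed by `TLS_KEY_FILE="${TLS_KEY_FILE:-tls-crypt-v2.key}"`), so a CI job that sets only `TLS_SIG=2` or `TLS_SIG=3` still verifies against `tls-crypt-v2.key` and the later file check fails for the wrong reason. Derive the name from the choice instead, e.g. `case "$TLS_SIG" in 1) TLS_KEY_FILE=tls-crypt-v2.key ;; 2) TLS_KEY_FILE=tls-crypt.key ;; 3) TLS_KEY_FILE=<the installer's tls-auth file name> ;; *) echo "bad TLS_SIG" >&2; exit 1 ;; esac`, which also stops an unexpected value such as `TLS_SIG=4` from silently taking the `!= "1"` branch and being handed to the installer with `CUSTOMIZE_ENC=y`. Minor: `export CUSTOMIZE_ENC=n` already appears above the `if`, so the `else` branch's `export CUSTOMIZE_ENC=n` is redundant.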
@@ -59,7 +81,7 @@ for f in \
/etc/openvpn/server/server.conf \
/etc/openvpn/server/ca.crt \
/etc/openvpn/server/ca.key \
/etc/openvpn/server/tls-crypt.key \
"/etc/openvpn/server/$TLS_KEY_FILE" \
/etc/openvpn/server/crl.pem \
/etc/openvpn/server/easy-rsa/pki/ca.crt \
/etc/iptables/add-openvpn-rules.sh \
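Review bot: Swapping `/etc/openvpn/server/tls-crypt.key` for `"/etc/openvpn/server/$TLS_KEY_FILE"` only proves a file with the expected name exists, not that the installer configured the selected mode; a stale key left from an earlier run would pass while `server.conf` carries a different directive. Add a check that `/etc/openvpn/server/server.conf` contains the directive matching `TLS_SIG` (`tls-crypt-v2`, `tls-crypt` or `tls-auth`) and that it references this file, and for `TLS_SIG=1` that the client config generated before this loop embeds a per-client key rather than the server key, since that per-client property is what the commit claims. Also guard against an empty `TLS_KEY_FILE`, which turns the entry into the directory path `/etc/openvpn/server/` and makes the check meaningless.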