From 8b89b1743c3b5c38c4d66a3df24767a3a5c6903a Mon Sep 17 00:00:00 2001
From: Florian Stosse
Date: Mon, 21 Mar 2016 13:13:57 +0100
Subject: [PATCH 1/6] Disable compression

For a hardened OpenVPN configuration, compression should be disabled : https://github.com/BetterCrypto/Applied-Crypto-Hardening/pull/91#issuecomment-75388575
---
 openvpn-install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index cfcca5d..c9ebbc0 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -330,7 +330,7 @@ tls-version-min 1.2" > /etc/openvpn/server.conf
 ;;
 esac
 echo "keepalive 10 120
-comp-lzo
+##comp-lzo
 persist-key
 persist-tun
 crl-verify crl.pem" >> /etc/openvpn/server.conf

From b15cd6cf81cb083488711828e870f7b352d1ad68 Mon Sep 17 00:00:00 2001
From: Florian Stosse
Date: Mon, 21 Mar 2016 13:20:35 +0100
Subject: [PATCH 2/6] Add more than one cipogers to tls-cipher

Just in case we need to fallback or downgrade
---
 openvpn-install.sh | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index c9ebbc0..4a73bc7 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
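Review bot: Commenting out `comp-lzo` in server.conf alone leaves the client template (client-common.txt, untouched by this patch) still emitting `comp-lzo`, so clients generated from this revision will presumably fail to interoperate with a server that no longer enables compression; both ends should change in the same commit (patch 5 of this series catches up the client side). The new line also writes `##comp-lzo` with a doubled `#` into the generated config, which looks accidental, and a commented-out directive does not say why it is off — if a line is kept at all, `# compression intentionally disabled (see BetterCrypto hardening guidance)` records the decision instead of a dead option. The `case` whose `;;`/`esac` open this hunk starts outside it.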
@@ -294,10 +294,15 @@ tls-version-min 1.2" > /etc/openvpn/server.conf
 if [[ "$VARIANT" = '1' ]]; then
 # If the user selected the fast, less hardened version
 # Or if the user selected a non-existant variant, we fallback to fast
- echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/server.conf
+ echo "tls-cipher DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256::DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA\
+\-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:\
+\AES128-SHA" >> /etc/openvpn/server.conf
 elif [[ "$VARIANT" = '2' ]]; then
 # If the user selected the relatively slow, ultra hardened version
- echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/server.conf
+ echo "tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-\
+\SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA\
+\-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:\
+\AES128-SHA" >> /etc/openvpn/server.conf
 fi
 echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
 # DNS

From 1a73a20240eafe1b0665a272ae8940d070826566 Mon Sep 17 00:00:00 2001
From: Florian Stosse
Date: Mon, 21 Mar 2016 13:26:37 +0100
Subject: [PATCH 3/6] Also change tls-cipher for clients

---
 openvpn-install.sh | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 4a73bc7..88a32cd 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
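Review bot: Both added `tls-cipher` strings are malformed as shell: inside double quotes bash keeps a backslash that precedes `-` or `A`, so the `+\-CAMELLIA128-SHA` and `+\AES128-SHA` continuation lines write a literal `\-CAMELLIA128-SHA` and `\AES128-SHA` into server.conf, and the variant-1 list carries an empty entry at `SHA256::DHE-RSA` (patch 4 joins the lines but keeps the `::`). More important for a script presented as hardened, every list ends with `CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA` — static-RSA suites with no forward secrecy — and both variants now share the same weakest suite, so the "ultra hardened" variant 2 no longer rejects anything variant 1 accepts; a fallback list should stay within the DHE family and keep the two variants distinct. The same applies to the client-common.txt hunk in patch 3 and to both hunks of patch 4; patch 6 reverts all four.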
@@ -436,10 +436,15 @@ tls-version-min 1.2" > /etc/openvpn/client-common.txt
 if [[ "$VARIANT" = '1' ]]; then
 # If the user selected the fast, less hardened version
 # Or if the user selected a non-existant variant, we fallback to fast
- echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/client-common.txt
+ echo "tls-cipher DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256::DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA\
+\-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:\
+\AES128-SHA" >> /etc/openvpn/client-common.txt
 elif [[ "$VARIANT" = '2' ]]; then
 # If the user selected the relatively slow, ultra hardened version
- echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/client-common.txt
+ echo "tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-\
+\SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA\
+\-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:\
+\AES128-SHA" >> /etc/openvpn/client-common.txt
 fi
 # Generates the custom client.ovpn
 newclient "$CLIENT"

From 064c5bfe4aca8a9af46c24e318f3d4d2459f5ee5 Mon Sep 17 00:00:00 2001
From: Florian Stosse
Date: Mon, 21 Mar 2016 13:30:17 +0100
Subject: [PATCH 4/6] Typo

OpenVPN doesn't really like the way it was written
---
 openvpn-install.sh | 18 ++++--------------
 1 file changed, 4 insertions(+), 14 deletions(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 88a32cd..22c71f8 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -294,15 +294,10 @@ tls-version-min 1.2" > /etc/openvpn/server.conf
 if [[ "$VARIANT" = '1' ]]; then
 # If the user selected the fast, less hardened version
 # Or if the user selected a non-existant variant, we fallback to fast
- echo "tls-cipher DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256::DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA\
-\-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:\
-\AES128-SHA" >> /etc/openvpn/server.conf
+ echo "tls-cipher DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256::DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA" >> /etc/openvpn/server.conf
 elif [[ "$VARIANT" = '2' ]]; then
 # If the user selected the relatively slow, ultra hardened version
- echo "tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-\
-\SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA\
-\-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:\
-\AES128-SHA" >> /etc/openvpn/server.conf
+ echo "tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA" >> /etc/openvpn/server.conf
 fi
 echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
 # DNS
@@ -436,15 +431,10 @@ tls-version-min 1.2" > /etc/openvpn/client-common.txt
 if [[ "$VARIANT" = '1' ]]; then
 # If the user selected the fast, less hardened version
 # Or if the user selected a non-existant variant, we fallback to fast
- echo "tls-cipher DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256::DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA\
-\-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:\
-\AES128-SHA" >> /etc/openvpn/client-common.txt
+ echo "tls-cipher DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256::DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA" >> /etc/openvpn/client-common.txt
 elif [[ "$VARIANT" = '2' ]]; then
 # If the user selected the relatively slow, ultra hardened version
- echo "tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-\
-\SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA\
-\-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:\
-\AES128-SHA" >> /etc/openvpn/client-common.txt
+ echo "tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA" >> /etc/openvpn/client-common.txt
 fi
 # Generates the custom client.ovpn
 newclient "$CLIENT"

From 787784058ad94184c6dbeab304e2eb3c19ac1a77 Mon Sep 17 00:00:00 2001
From: Harvester
Date: Mon, 21 Mar 2016 16:18:18 +0100
Subject: [PATCH 5/6] Disable compression client-side too

---
 openvpn-install.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 22c71f8..7bfaf63 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -330,7 +330,7 @@ tls-version-min 1.2" > /etc/openvpn/server.conf
 ;;
 esac
 echo "keepalive 10 120
-##comp-lzo
+#comp-lzo
 persist-key
 persist-tun
 crl-verify crl.pem" >> /etc/openvpn/server.conf
@@ -424,7 +424,7 @@ nobind
 persist-key
 persist-tun
 remote-cert-tls server
-comp-lzo
+#comp-lzo
 cipher AES-256-CBC
 auth SHA512
 tls-version-min 1.2" > /etc/openvpn/client-common.txt

From bf97d67f269f936b14ba982c4a541f293d6d301a Mon Sep 17 00:00:00 2001
From: Harvester
Date: Mon, 21 Mar 2016 17:13:36 +0100
Subject: [PATCH 6/6] Revert ciphers

My bad !
---
 openvpn-install.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 7bfaf63..aefc6bd 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -294,10 +294,10 @@ tls-version-min 1.2" > /etc/openvpn/server.conf
 if [[ "$VARIANT" = '1' ]]; then
 # If the user selected the fast, less hardened version
 # Or if the user selected a non-existant variant, we fallback to fast
- echo "tls-cipher DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256::DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA" >> /etc/openvpn/server.conf
+ echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/server.conf
 elif [[ "$VARIANT" = '2' ]]; then
 # If the user selected the relatively slow, ultra hardened version
- echo "tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA" >> /etc/openvpn/server.conf
+ echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/server.conf
 fi
 echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
 # DNS
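Review bot: Client profiles produced by earlier versions of this script still contain the `comp-lzo` line this hunk removes from client-common.txt, and once a server installed from this revision no longer negotiates compression those older profiles will presumably stop working against it; a line in the script output or README saying that existing .ovpn files must be regenerated would spare users a confusing failure. Writing `#comp-lzo` into every generated profile also reads as a leftover rather than a decision — `# compression intentionally disabled (hardening, see BetterCrypto guidance)` or simply dropping the line would be clearer. The here-string that builds client-common.txt starts before this hunk.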
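Review bot: After the revert each variant's `tls-cipher` value is still spelled out twice — here for server.conf and again for client-common.txt in the second hunk — which is exactly how patches 2 and 3 came to edit the two ends in separate commits. Assign each suite once, e.g. `tls_cipher='TLS-DHE-RSA-WITH-AES-128-GCM-SHA256'` in the variant-1 branch (the SHA384 suite in variant 2), and write `"tls-cipher $tls_cipher"` to both files from that variable so the two ends cannot drift. The commit message gives no reason for the revert; a comment next to the `echo`, `# one DHE (forward-secret) suite per variant; do not append non-DHE fallbacks`, would keep the next contributor from reintroducing the list patch 2 added.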
@@ -431,10 +431,10 @@ tls-version-min 1.2" > /etc/openvpn/client-common.txt
 if [[ "$VARIANT" = '1' ]]; then
 # If the user selected the fast, less hardened version
 # Or if the user selected a non-existant variant, we fallback to fast
- echo "tls-cipher DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256::DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA" >> /etc/openvpn/client-common.txt
+ echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/client-common.txt
 elif [[ "$VARIANT" = '2' ]]; then
 # If the user selected the relatively slow, ultra hardened version
- echo "tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA" >> /etc/openvpn/client-common.txt
+ echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/client-common.txt
 fi
 # Generates the custom client.ovpn
 newclient "$CLIENT"