Add --auth choice (HMAC digest algorithm)

This commit is contained in:
angristan 2018-09-22 17:51:38 +02:00
parent e0b4a5aae7
commit bbdabedbec


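--- a/FILE-PATH-NOT-SHOWN-ON-PAGE
+++ b/FILE-PATH-NOT-SHOWN-ON-PAGE
@@ -288,6 +288,7 @@ function installOpenVPN () {
 CC_CIPHER="TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"
 DH_TYPE="1"
 DH_CURVE="secp256r1"
+HMAC_ALG="SHA256"
 else
 echo ""
 echo "Choose which cipher you want to use for the data channel:"
@@ -456,6 +457,31 @@ function installOpenVPN () {
 esac
 ;;
 esac
+echo ""
+# The "auth" options behaves differently with AEAD ciphers
+if [[ "$CIPHER" =~ CBC$ ]]; then
+echo "The digest algorithm authenticates data channel packets and tls-auth packets from the control channel."
+elif [[ "$CIPHER" =~ GCM$ ]]; then
+echo "The digest algorithm authenticates tls-auth packets from the control channel."
+fi
+echo "Which digest algorithm do you want to use for HMAC?"
+echo " 1) SHA-256 (recommended)"
+echo " 2) SHA-384"
+echo " 3) SHA-512"
+until [[ $HMAC_ALG_CHOICE =~ ^[1-3]$ ]]; do
+read -rp "Digest algorithm [1-3]: " -e -i 1 HMAC_ALG_CHOICE
+done
+case $HMAC_ALG_CHOICE in
+1)
+HMAC_ALG="SHA256"
+;;
+2)
+HMAC_ALG="SHA384"
+;;
+3)
+HMAC_ALG="SHA512"
+;;
+esac
 fi
 echo ""
 echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now."
@@ -632,7 +658,7 @@ ca ca.crt
 cert $SERVER_NAME.crt
 key $SERVER_NAME.key
 tls-auth tls-auth.key 0
-auth SHA256
+auth $HMAC_ALG
 $CIPHER
 tls-server
 tls-version-min 1.2
@@ -759,7 +785,7 @@ persist-key
 persist-tun
 remote-cert-tls server
 verify-x509-name $SERVER_NAME name
-auth SHA256
+auth $HMAC_ALG
 auth-nocache
 $CIPHER
 tls-client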
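Review bot: The client-side `auth $HMAC_ALG` in the last hunk relies on a variable that, as far as the hunks show, is only assigned inside installOpenVPN (the default-options branch and the new interactive case); the heredoc containing that line sits in a block whose enclosing function is outside the hunk, so if it is ever emitted on a later invocation (for example when adding a client after the initial install) `$HMAC_ALG` would be unset and the template would carry a bare `auth` directive that no longer matches the server's HMAC. If that code path exists, the chosen digest needs to be persisted at install time and read back before the client template is written, and the hard-coded `auth SHA256` the commit replaces should be documented as the fallback, e.g. `# HMAC digest chosen at install time; must match the server's "auth" directive`. The CBC/GCM explanation at the top of the second hunk prints nothing when `$CIPHER` ends in neither suffix, so a short `else` branch printing a generic line would keep the prompt self-explanatory for any future cipher choice. The `until` loop already restricts `HMAC_ALG_CHOICE` to 1-3, so the `case` needs no default arm; quoting `"$HMAC_ALG_CHOICE"` in the `case` selector would merely match the file's quoting style.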