From f376ce912f3aec0d0537228e38d9cad40bb8d824 Mon Sep 17 00:00:00 2001 From: jtbr Date: Tue, 12 Apr 2016 09:38:14 +0000 Subject: [PATCH] Support ios openvpn connect using CBC, SHA128 tls-cipher. Update readme. --- README.md | 9 ++++++--- openvpn-install.sh | 5 +++-- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index f049bb1..6205db2 100644 --- a/README.md +++ b/README.md @@ -10,6 +10,9 @@ This fork includes : - Better encryption (see below) - TLS 1.2 only - AES-256-CBC and SHA-512 for HMAC (instead of BF-128-CBC and SHA1) +- Run server in unprivileged mode, reducing risks to the system +- TLS-auth to help [thwart DoS attacks](https://openvpn.net/index.php/open-source/documentation/howto.html#security) and provide a 2nd line of defense to the TLS channel. +- [Perfect forward secrecy](http://en.wikipedia.org/wiki/Forward_secrecy) - [FDN's DNS Servers](http://www.fdn.fr/actions/dns/) - Nearest [OpenNIC DNS Servers](https://www.opennicproject.org/) - Up-to-date OpenVPN (2.3.10) thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos) @@ -30,12 +33,12 @@ Features : - 256 bits AES-GCM - SHA-384 RSA certificate -### Fast (lower encryption) +### Fast (lower encryption, supports openvpn connect [ios/android] clients) Features : - 2048 bits RSA private key - 2048 bits Diffie-Hellman key -- 128 bits AES-GCM -- SHA-256 RSA certificate +- 128 bits AES-CBC +- SHA-128 RSA certificate ## Compatibility diff --git a/openvpn-install.sh b/openvpn-install.sh index 1e3a87d..d4f2b30 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -302,7 +302,8 @@ tls-version-min 1.2" > /etc/openvpn/server.conf if [[ "$VARIANT" = '1' ]]; then # If the user selected the fast, less hardened version # Or if the user selected a non-existant variant, we fallback to fast - echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/server.conf + # iOS OpenVPN connect doesn't support GCM or SHA256, use next best + echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/server.conf elif [[ "$VARIANT" = '2' ]]; then # If the user selected the relatively slow, ultra hardened version echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/server.conf @@ -436,7 +437,7 @@ tls-client" > /etc/openvpn/client-common.txt if [[ "$VARIANT" = '1' ]]; then # If the user selected the fast, less hardened version # Or if the user selected a non-existant variant, we fallback to fast - echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/client-common.txt + echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/client-common.txt elif [[ "$VARIANT" = '2' ]]; then # If the user selected the relatively slow, ultra hardened version echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/client-common.txt