smeserver-openvpn-routed/root/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/35encryption
Jean-Philippe Pialasse df2484857d * Tue Sep 02 2025 Jean-Philippe Pialasse <jpp@koozali.org> 0.1.6-10.sme
- set lzo compression as disabled [SME: 13123]
- set default hmac sha256 and ciphers AES-256-GCM [SME: 13115]
  remove BF-CBC
- remove /var/service/openvpn-routed [SME: 12379]
- use locatime to log connexions [SME: 13128]
2025-09-02 13:52:05 -04:00


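{
# e-smith template fragment: emits the encryption section of the routed
# OpenVPN server configuration (control-channel TLS policy, then the
# data-channel cipher and HMAC). Every setting is read from the
# 'openvpn-routed' configuration record and has a hardened default, so a
# fresh install never silently inherits OpenVPN's legacy defaults
# (BF-CBC / SHA1).
#
# NOTE: Cipher and HMAC must match on both ends. Changing either here
# without updating the client profiles breaks existing connections.

# Packet-authentication HMAC. OpenVPN 2.4 still defaults to SHA1 when 'auth'
# is absent; as of 2025 we force SHA256 unless the admin sets a value.
# With an AEAD data cipher (e.g. AES-256-GCM) 'auth' only matters for the
# control channel (tls-auth/tls-crypt); it still governs the data channel
# if a non-AEAD cipher such as AES-256-CBC is configured.
# (Default is quoted: it was previously an unquoted bareword.)
my $HMAC = ${'openvpn-routed'}{'HMAC'} || 'SHA256';

# Data-channel cipher. Empty or 'auto' means "use our default".
# BF-CBC (the old OpenVPN default) is a 64-bit block cipher and must not be
# used (SWEET32). OpenVPN's data channel is encrypt-then-MAC, so a CBC mode
# would be acceptable, but GCM is preferred; GCM has only been available on
# the data channel since OpenVPN 2.4. On 2.5+ the 'cipher' line is the
# fallback for clients that do not negotiate (--data-ciphers) — TODO confirm
# the shipped OpenVPN version when revisiting this.
my $cipher = ${'openvpn-routed'}{'Cipher'};
$cipher = 'AES-256-GCM' if ( !$cipher || $cipher eq 'auto' );

# Minimum TLS version for the control channel. Only values OpenVPN/OpenSSL
# actually accept (1.0 .. 1.3) are passed through; anything else (the old
# pattern let 1.4-1.9 through) would keep the daemon from starting, so it
# falls back to 1.2. Lowering below 1.2 is only for very old clients and
# weakens the control channel; 1.3 needs a TLS 1.3 capable build.
my $tlsVmin = '1.2';
my $wantedVmin = ${'openvpn-routed'}{'tlsVmin'};
$tlsVmin = $wantedVmin if ( $wantedVmin && $wantedVmin =~ /^1\.[0-3]$/ );

# TLS 1.3 cipher suites (control channel). AEAD only; a client whose TLS
# library lacks ChaCha20 still gets AES-128-GCM.
my $tlsCipherSuites13 = ${'openvpn-routed'}{'tlsCipherSuites13'}
    || "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";

# TLS 1.2 cipher list (control channel). ECDHE only — forward secrecy, no
# static RSA key exchange, no CBC suites.
my $tlsCipher12 = ${'openvpn-routed'}{'tlsCipher12'}
    || "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256";

$OUT .= "#securing control channel\n";
$OUT .= "tls-version-min $tlsVmin\n";
$OUT .= "tls-cipher $tlsCipher12\n";
$OUT .= "tls-ciphersuites $tlsCipherSuites13\n";
# 'ecdh-curve secp384r1' could let us drop the DH parameters; left disabled
# until tested against the shipped OpenVPN/OpenSSL.
#$OUT .= "ecdh-curve secp384r1\n";

# Data channel. Both values always have a default above, so the old
# "no cipher defined / no HMAC defined" warning branches were dead code.
$OUT .= "#securing data channel\n";
$OUT .= "cipher $cipher\n";
$OUT .= "auth $HMAC\n";
}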