authorMagnus Kroken <mkroken@gmail.com>2020-12-01 10:57:07 +0100
committerRosen Penev <rosenp@gmail.com>2020-12-01 13:03:51 -0800
commit2e55fc8b2d42682cd1c26e9827b7b6f47fb51398 (patch)
treef449ec8c75f00d3a014aa820ebf57c45a3a18029 /net/openvpn/files/openvpn.config
parent4434915571b5c3dbc7d000215e48d8d0d60e41bc (diff)
openvpn: update to 2.5.0
New features: * Per client tls-crypt keys * ChaCha20-Poly1305 can be used to encrypt the data channel * Routes are added/removed via Netlink instead of ifconfig/route (unless iproute2 support is enabled). * VLAN support when using a TAP device Significant changes: * Server support can no longer be disabled. * Crypto support can no longer be disabled, remove nossl variant. * Blowfish (BF-CBC) is no longer implicitly the default cipher. OpenVPN peers prior to 2.4, or peers with data cipher negotiation disabled, will not be able to connect to a 2.5 peer unless option data_ciphers_fallback is set on the 2.5 peer and it contains a cipher supported by the client. Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Diffstat (limited to 'net/openvpn/files/openvpn.config')
-rw-r--r--net/openvpn/files/openvpn.config61
1 files changed, 42 insertions, 19 deletions
diff --git a/net/openvpn/files/openvpn.config b/net/openvpn/files/openvpn.config
index 3de1881e3..f6278836e 100644
--- a/net/openvpn/files/openvpn.config
+++ b/net/openvpn/files/openvpn.config
@@ -254,6 +254,24 @@ config openvpn sample_server
# on the system
# option tls_version_min "1.2 'or-highest'"
+ # List the preferred ciphers to use for the data channel.
+ # Run openvpn --show-ciphers to see all supported ciphers.
+# list data_ciphers 'AES-256-GCM'
+# list data_ciphers 'AES-128-GCM'
+# list data_ciphers 'CHACHA20-POLY1305'
+
+ # Set a fallback cipher in order to be compatible with
+ # peers that do not support cipher negotiation.
+ #
+ # Use AES-256-CBC as fallback
+# option data_ciphers_fallback 'AES-128-CBC'
+ # Use AES-128-CBC as fallback
+# option data_ciphers_fallback 'AES-256-CBC'
+ # Use Triple-DES as fallback
+# option data_ciphers_fallback 'DES-EDE3-CBC'
+ # Use BF-CBC as fallback
+# option data_ciphers_fallback 'BF-CBC'
+
# OpenVPN versions 2.4 and later will attempt to
# automatically negotiate the most secure cipher
# between the client and server, regardless of a
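Review bot: The two fallback examples labelled `# Use AES-256-CBC as fallback` / `# option data_ciphers_fallback 'AES-128-CBC'` and `# Use AES-128-CBC as fallback` / `# option data_ciphers_fallback 'AES-256-CBC'` have their labels swapped, so an admin who uncomments by the comment gets the other key size; swap the two option lines so each comment matches its value (the client block later in this diff repeats the same pair). The removed text warned that BF-CBC is "not recommended due to weaknesses", but that caveat is dropped while BF-CBC and DES-EDE3-CBC are still offered as fallbacks, and both are 64-bit block ciphers exposed to SWEET32-style attacks on long-lived tunnels. Add a line before those two examples such as `# BF-CBC and DES-EDE3-CBC are weak 64-bit block ciphers; use them only for legacy peers that cannot be upgraded`. As the new comment itself says, the fallback is only consulted for peers that do not negotiate, so it is worth stating that a deployment with only 2.4+ peers should leave data_ciphers_fallback unset.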
@@ -265,21 +283,6 @@ config openvpn sample_server
# cipher option instead (not recommended).
# option ncp_disable
- # Select a cryptographic cipher.
- # This config item must be copied to
- # the client config file as well.
- #
- # To see all supported ciphers, run:
- # openvpn --show-ciphers
- #
- # Blowfish (default for backwards compatibility,
- # but not recommended due to weaknesses):
-# option cipher BF-CBC
- # AES:
-# option cipher AES-128-CBC
- # Triple-DES:
-# option cipher DES-EDE3-CBC
-
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
@@ -293,6 +296,15 @@ config openvpn sample_server
# LZO is compatible with most OpenVPN versions
# (set "compress lzo" on 2.4+ clients, and "comp-lzo yes" on older clients)
# option compress lzo
+ # Control how OpenVPN handles peers using compression
+ #
+ # Do not allow any connections using compression
+# option allow_compression 'no'
+ # Allow incoming compressed packets, but do not send compressed packets to other peers
+ # This can be useful when migrating old configurations with compression activated
+# option allow_compression 'asym'
+ # Both incoming and outgoing packets may be compressed
+# option allow_compression 'yes'
# The maximum number of concurrently connected
# clients we want to allow.
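Review bot: The new allow_compression examples list 'no', 'asym' and 'yes' without saying which one is safe, while the surrounding `# option compress lzo` text still presents compression as an ordinary feature; compression on the VPN link exposes the data channel to compression-oracle attacks (VORACLE), which is the reason this knob exists. Add a line before the three examples, `# Compression can leak plaintext via compression-oracle attacks (VORACLE); prefer 'no', and use 'asym' only while migrating clients that still send compressed packets`. The hunk does not show what 2.5 uses when allow_compression is unset, so document the default only after confirming it against the upstream manual for this version.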
@@ -449,10 +461,21 @@ config openvpn sample_client
# on the system
# option tls_version_min "1.2 'or-highest'"
- # Select a cryptographic cipher.
- # If the cipher option is used on the server
- # then you must also specify it here.
-# option cipher x
+ # List the preferred ciphers for the data channel.
+# list data_ciphers 'AES-256-GCM'
+# list data_ciphers 'AES-128-GCM'
+# list data_ciphers 'CHACHA20-POLY1305'
+
+ # Set a fallback cipher if you connect to a peer that does
+ # not support cipher negotiation.
+ # Use AES-256-CBC as fallback
+# option data_ciphers_fallback 'AES-128-CBC'
+ # Use AES-128-CBC as fallback
+# option data_ciphers_fallback 'AES-256-CBC'
+ # Use Triple-DES as fallback
+# option data_ciphers_fallback 'DES-EDE3-CBC'
+ # Use BF-CBC as fallback
+# option data_ciphers_fallback 'BF-CBC'
# Enable compression on the VPN link.
# Don't enable this unless it is also